From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)

Description of problem:
Initiated Cybercop scan. Came back after the scan had completed and found the PC was hung.

Version-Release number of selected component (if applicable):

How reproducible:
Didn't try

Steps to Reproduce:
1. Sign up for free scan from http://www.mcafeeasap.com/
2.
3.

Actual Results:
Rebooted PC. (I'm choked that I had to reboot after 6 days of uptime... my NT box manages to stay up continuously for weeks.)

Expected Results:
Trapped or logged the source of the "vulnerability"

Additional info:
If you have suggestions for enabling more logging, I'd appreciate it, but don't re-assign this just yet. I just wanted to log this before I forgot, because I won't be able to investigate this in depth for the next little while.

Since I didn't receive the Cybercop scan results (but did receive some junk email from McAfee), I'm going to try and reproduce it and narrow down the root component (i.e., it probably isn't openssh, but sshd and sftpd are the few services available externally; telnet, smtp, ftp, ... are disabled).

At the time the PC was being scanned, the processes running should be similar to this list:

[root@olympus /root]# ps -aef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 06:32 ?        00:00:04 init [5]
root         2     1  0 06:32 ?        00:00:00 [keventd]
root         3     1  0 06:32 ?        00:00:00 [kapm-idled]
root         4     1  0 06:32 ?        00:00:00 [kswapd]
root         5     1  0 06:32 ?        00:00:00 [kreclaimd]
root         6     1  0 06:32 ?        00:00:00 [bdflush]
root         7     1  0 06:32 ?        00:00:00 [kupdated]
root         8     1  0 06:32 ?        00:00:00 [mdrecoveryd]
root        73     1  0 06:32 ?        00:00:00 [khubd]
root       655     1  0 06:35 ?        00:00:00 syslogd -m 0
root       660     1  0 06:35 ?        00:00:00 klogd -2
rpc        674     1  0 06:35 ?        00:00:00 portmap
rpcuser    689     1  0 06:35 ?        00:00:00 rpc.statd
root       789     1  0 06:35 ?        00:00:00 /usr/sbin/apmd -p 10 -w 5 -W -P
root       838     1  0 06:35 ?        00:00:00 /usr/sbin/automount --timeout 60
daemon     850     1  0 06:35 ?        00:00:00 /usr/sbin/atd
root       865     1  0 06:35 ?        00:00:00 /usr/sbin/sshd
root       885     1  0 06:35 ?        00:00:00 xinetd -stayalive -reuse -pidfil
root       943     1  0 06:37 ?        00:00:00 sendmail: accepting connections
root       956     1  0 06:37 ?        00:00:00 gpm -t ps/2 -m /dev/mouse
root       968     1  0 06:37 ?        00:00:00 crond
xfs       1040     1  0 06:37 ?        00:00:00 xfs -droppriv -daemon
root      1075     1  0 06:37 tty1     00:00:00 /sbin/mingetty tty1
root      1076     1  0 06:37 tty2     00:00:00 /sbin/mingetty tty2
root      1077     1  0 06:37 tty3     00:00:00 /sbin/mingetty tty3
root      1078     1  0 06:37 tty4     00:00:00 /sbin/mingetty tty4
root      1079     1  0 06:37 tty5     00:00:00 /sbin/mingetty tty5
root      1081     1  0 06:37 ?        00:00:00 /usr/bin/gdm -nodaemon
root      1089  1081  0 06:37 ?        00:00:00 /etc/X11/X -auth /var/gdm/:0.Xau
root      1090  1081  0 06:37 ?        00:00:00 /usr/bin/gdm -nodaemon
gdm       1098  1090  0 06:37 ?        00:00:00 /usr/bin/gdmlogin --disable-soun
root      1511     1  0 06:55 tty6     00:00:00 /sbin/mingetty tty6
root      1557   968  0 07:01 ?        00:00:00 CROND
root      1558  1557  0 07:01 ?        00:00:00 /bin/bash /usr/bin/run-parts /et
root      1568  1558  0 07:01 ?        00:00:00 awk -v progname=/etc/cron.hourly
root      1569     1  0 07:01 ?        00:00:00 /bin/sh /usr/lib/sa/sa1 600 6
root      1571  1569  0 07:01 ?        00:00:00 /usr/lib/sa/sadc 600 6 /var/log/
root      1574   865  0 07:18 ?        00:00:00 /usr/sbin/sshd
root      1575  1574  0 07:18 pts/0    00:00:00 -bash
root      1623  1575  0 07:24 pts/0    00:00:00 ps -aef
Blah, I just checked the firewall and it was [dumbass] configured to allow ports 1-1024 through, so contrary to what I initially believed, any number of services could have been the source of the crash. And since Cybercop costs $$$, I'm not going to try and reproduce this at this time, but I suspect it was a buffer overflow attack. I have, however, re-configured the firewall.
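The comment above describes the firewall mistake (every port from 1 to 1024 open from outside, so portmap, rpc.statd, sendmail and whatever xinetd serves were all reachable, not just sshd) and says it was reconfigured without showing how. The script below is an added example, not the reporter's configuration: it puts an iptables rule set with the same permissive rule beside a default-deny one that admits only sshd and logs everything else it drops. It assumes iptables (a 2.4-era kernel, as the process list suggests) rather than ipchains, and an external interface named eth0; both are assumptions. IPT defaults to "echo iptables" so the rules can be reviewed without root; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not code from the bug report. Interface name and the use of
# iptables (not ipchains) are assumptions. With the default IPT the script only
# prints the commands; run with IPT=iptables as root to install the rules.
IPT="${IPT:-echo iptables}"
EXT_IF="${EXT_IF:-eth0}"

# Weak: the whole privileged range is accepted from the outside, so every
# daemon bound to a port below 1025 (portmap, rpc.statd, sendmail, the
# xinetd services) is exposed, not just the one the admin had in mind.
permissive_rules() {
    $IPT -P INPUT ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 1:1024 -j ACCEPT
}

# Hardened: default deny, loopback and reply traffic allowed, then only the
# service that is meant to be reachable (sshd on 22/tcp). Anything else from
# the external interface is logged before it is dropped, which also gives the
# "source of the vulnerability" trace the report asked for.
restrictive_rules() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -j LOG --log-prefix "fw-drop: "
    $IPT -A INPUT -i "$EXT_IF" -j DROP
}

# Running the file as-is prints the hardened rule set for review.
restrictive_rules
```

The LOG target writes to the kernel log, which klogd (visible in the process list above) forwards to syslog, so a scan against the box leaves a record of source address and port for each dropped packet.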
Suspect Cybercop somehow exploited the 4M page Athlon problem. Having since added mem=nopentium, crashes have not recurred.