From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)

Description of problem:
Caught this error in my syslog file. System did not crash. Not clear how this problem happened.

Syslog reported:
Apr 14 06:05:05 mibcentral rpc.statd[673]: gethostbyname error for ^XC7C?B?^XC7C?B?^YC7C?B?^YC7C?B?^ZC7C?B?^ZC7C?B?^[C7C?B?^[C7C?B?%8x%8x%8x%8x%8x% 8x%8x%8x%
Apr 14 06:35:00 mibcentral kernel: Unable to handle kernel NULL pointer dereference at virtual address 00000020
Apr 14 06:35:00 mibcentral kernel: printing eip:
Apr 14 06:35:00 mibcentral kernel: c01379c7
Apr 14 06:35:00 mibcentral kernel: *pde = 00000000
Apr 14 06:35:00 mibcentral kernel: Oops: 0002
Apr 14 06:35:00 mibcentral kernel: CPU: 0
Apr 14 06:35:00 mibcentral kernel: EIP: 0010: [__remove_from_lru_list+23/112] Not tainted
Apr 14 06:35:00 mibcentral kernel: EIP: 0010:[<c01379c7>] Not tainted
Apr 14 06:35:00 mibcentral kernel: EFLAGS: 00010202
Apr 14 06:35:00 mibcentral kernel: EIP is at __remove_from_lru_list [kernel] 0x17
Apr 14 06:35:00 mibcentral kernel: eax: 00000004 ebx: d09dbf20 ecx: d09dbf80 edx: 00000000
Apr 14 06:35:00 mibcentral kernel: esi: d09dbf80 edi: cfb3d0c0 ebp: 00000000 esp: dfeddf5c
Apr 14 06:35:00 mibcentral kernel: ds: 0018 es: 0018 ss: 0018
Apr 14 06:35:00 mibcentral kernel: Process kswapd (pid: 5, stackpage=dfedd000)
Apr 14 06:35:00 mibcentral kernel: Stack: c0137aad d09dbf80 00000000 c013a620 d09dbf80 00000001 c1c0e800 c1467f6c
Apr 14 06:35:00 mibcentral kernel: 00000080 c0138b3a 00000000 c1467f6c 00000000 00000007 c012eba4 c1467f6c
Apr 14 06:35:00 mibcentral kernel: 00000080 00000000 00000000 00002bc5 00007227 00000000 00000000 000000c0
Apr 14 06:35:00 mibcentral kernel: Call Trace: [__remove_from_queues+45/48] __remove_from_queues [kernel] 0x2d
Apr 14 06:35:00 mibcentral kernel: Call Trace: [<c0137aad>] __remove_from_queues [kernel] 0x2d
Apr 14 06:35:00 mibcentral kernel: [try_to_free_buffers+112/272] try_to_free_buffers [kernel] 0x70
Apr 14 06:35:00 mibcentral kernel: [<c013a620>] try_to_free_buffers [kernel] 0x70
Apr 14 06:35:00 mibcentral kernel: [try_to_release_page+58/96] try_to_release_page [kernel] 0x3a
Apr 14 06:35:00 mibcentral kernel: [<c0138b3a>] try_to_release_page [kernel] 0x3a
Apr 14 06:35:00 mibcentral kernel: [page_launder+1108/2368] page_launder [kernel] 0x454
Apr 14 06:35:00 mibcentral kernel: [<c012eba4>] page_launder [kernel] 0x454
Apr 14 06:35:00 mibcentral kernel: [do_try_to_free_pages+17/80] do_try_to_free_pages [kernel] 0x11
Apr 14 06:35:00 mibcentral kernel: [<c012f411>] do_try_to_free_pages [kernel] 0x11
Apr 14 06:35:00 mibcentral kernel: [kswapd+85/240] kswapd [kernel] 0x55
Apr 14 06:35:00 mibcentral kernel: [<c012f4a5>] kswapd [kernel] 0x55
Apr 14 06:35:00 mibcentral kernel: [rest_init+0/48] stext [kernel] 0x0
Apr 14 06:35:00 mibcentral kernel: [<c0105000>] stext [kernel] 0x0
Apr 14 06:35:00 mibcentral kernel: [kernel_thread+38/48] kernel_thread [kernel] 0x26
Apr 14 06:35:00 mibcentral kernel: [<c0105726>] kernel_thread [kernel] 0x26
Apr 14 06:35:00 mibcentral kernel: [kswapd+0/240] kswapd [kernel] 0x0
Apr 14 06:35:00 mibcentral kernel: [<c012f450>] kswapd [kernel] 0x0
Apr 14 06:35:00 mibcentral kernel:
Apr 14 06:35:00 mibcentral kernel:
Apr 14 06:35:00 mibcentral kernel: Code: 89 42 20 8b 41 20 8b 51 24 89 50 24 8b 44 24 08 8d 14 85 00

Version-Release number of selected component (if applicable):

How reproducible:
Didn't try

Additional info:
Apr 14 06:05:05 mibcentral rpc.statd[673]: gethostbyname error for ^XC7C?B?^XC7C?B?^YC7C?B?^YC7C?B?^ZC7C?B?^ZC7C?B?^[C7C?B?^[C7C?B?%8x%8x%8x%8x%8x% 8x%8x%8x%

is someone trying to hack your system. Which exact kernel version is this?
Yes, it looks like it might be a hack attack. Regardless, it looks like the kernel gets hit since it logs this error, and I am not sure what the side-effects might be. The kernel version is 2.4.9-21.
Is there a fix to avoid the kernel NULL pointer from happening?
Not sure what causes this; you could try upgrading to 2.4.9-31 (there are some corner-case bugs fixed); however if some hack attack succeeded it could be that the attackers installed a kernel module; some automated attacks do this ;(
Idle for over a year, many errata released; closing.
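
Added example, not part of the original bug thread: a small Python check that flags rpc.statd "gethostbyname error for" syslog entries whose hostname field contains printf conversion specifiers or characters that cannot occur in a hostname, as the 06:05:05 entry in the report does. The function names, the regular expressions and the second and third sample lines are assumptions constructed for illustration; the first sample line is copied from the report.

```python
import re

# Message shape seen in the report:
#   "<host> rpc.statd[<pid>]: gethostbyname error for <name>"
STATD_RE = re.compile(r"rpc\.statd\[\d+\]: gethostbyname error for (?P<name>.*)$")

# printf-style conversion specifiers such as %8x, % 8x, %n, %s, %hn
FORMAT_SPEC_RE = re.compile(
    r"%(?:\d+\$)?[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l)?[diouxXsnp]")

# Characters that can appear in a DNS hostname
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

SAMPLE_LINES = [
    # copied from the report
    "Apr 14 06:05:05 mibcentral rpc.statd[673]: gethostbyname error for "
    "^XC7C?B?^XC7C?B?^YC7C?B?^YC7C?B?^ZC7C?B?^ZC7C?B?^[C7C?B?^[C7C?B?"
    "%8x%8x%8x%8x%8x% 8x%8x%8x%",
    # constructed: an ordinary failed lookup
    "Apr 14 07:10:11 mibcentral rpc.statd[673]: gethostbyname error for "
    "nfsclient.example.com",
    # constructed: unrelated kernel message
    "Apr 14 06:35:00 mibcentral kernel: CPU: 0",
]


def classify_statd_line(line):
    """Return None for unrelated lines, else a dict describing the name field."""
    m = STATD_RE.search(line)
    if m is None:
        return None
    name = m.group("name").strip()
    specs = FORMAT_SPEC_RE.findall(name)
    reasons = []
    if specs:
        reasons.append("format-specifiers")
    if not HOSTNAME_RE.match(name):
        reasons.append("non-hostname-characters")
    return {"name": name, "format_specs": len(specs),
            "suspicious": bool(reasons), "reasons": reasons}


def scan(lines):
    """Return the classification of every suspicious rpc.statd entry."""
    results = (classify_statd_line(line) for line in lines)
    return [r for r in results if r is not None and r["suspicious"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit["reasons"], hit["format_specs"], hit["name"][:40])
```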