[juneau-lug] For a good laugh

  • From: James Zuelow <e5z8652@xxxxxxxxxx>
  • To: <juneau-lug@xxxxxxxxxxxxx>
  • Date: Sat, 18 May 2002 10:33:53 -0800 (AKDT)

My firewall is an elderly Compaq Prolinea 4/33s, with the original 340MB
hard drive. Therefore I don't have a lot of extra disk space, although a
base Debian install leaves me with enough room to play with. Over time
this little machine has been going strong - until a few weeks ago, when
all of a sudden I was running out of disk space. Running du showed me that
/var/log was massive, specifically wtmp.

Running last only showed logins that I knew about, and lastb didn't show
any results at all (in fact /var/log/lastb consistently stayed at 0
bytes).  I scanned through kern.log, messages, and syslog to no avail - no
attack signatures that I could see, although I was convinced that
someone/something was attacking my firewall.

I even set up a cronjob to mail me the file size of wtmp - every half hour
I got a report, showing the file growing constantly.  I started a new
wtmp, and within 24 hours it was at 1.2MB!  At this point I was getting
worried, and started an inspection of every other machine on my LAN,
looking for signs of intrusion.  But nothing ever showed up.

Finally, I was about ready to start from scratch on the firewall with a
completely new installation to ensure that nothing was amiss.  Taking a
final look at /var/log I noticed what I had been missing the entire time
(Insert slap on forehead here):  auth.log.  The whole file was filled up
with these entries:

May 12 07:03:01 FW getty[4167]: tty1: input overrun
May 12 07:04:18 FW getty[4168]: tty1: input overrun
May 12 07:05:34 FW getty[4169]: tty1: input overrun

Sure enough, climbing up to the top of the gorilla rack that the firewall
lives on, the power cord from a test monitor was pushing down on the
keyboard.  Sigh...

Cheers,

James
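The diagnosis above (a log that keeps growing while last and lastb show nothing) is the kind of problem that a quick "what is actually filling this file" summary answers in seconds: group syslog lines by program and message template, rank by bytes, and extrapolate a daily growth rate. The script below is an added example, not part of the original post or of any Debian tool; its sample log is constructed (it reuses the three getty lines and the host name FW from the post, and adds invented sshd and CRON lines), and the daily projection is a rough extrapolation from each template's first and last timestamp.

```python
import re
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

# Classic syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Constructed sample: the three getty lines are quoted from the post;
# the sshd and CRON lines and the malformed line are invented for the example.
SAMPLE_AUTH_LOG = """\
May 12 07:02:11 FW sshd[4101]: Accepted publickey for james from 192.168.1.10 port 51022 ssh2
May 12 07:03:01 FW getty[4167]: tty1: input overrun
May 12 07:04:18 FW getty[4168]: tty1: input overrun
May 12 07:05:34 FW getty[4169]: tty1: input overrun
May 12 07:06:50 FW getty[4170]: tty1: input overrun
May 12 07:08:06 FW getty[4171]: tty1: input overrun
May 12 07:09:00 FW CRON[4180]: (root) CMD (ls -l /var/log/wtmp | mail root)
this line is not in syslog format
"""

Entry = Dict[str, object]


def normalize(msg: str) -> str:
    """Collapse digit runs so 'tty1: input overrun' and 'tty2: ...' share one template."""
    return re.sub(r"\d+", "N", msg)


def parse_ts(ts: str) -> datetime:
    """Syslog timestamps carry no year; a fixed leap year keeps Feb 29 parseable.
    Differences between timestamps in the same month are unaffected."""
    return datetime.strptime("2000 " + re.sub(r" +", " ", ts), "%Y %b %d %H:%M:%S")


def summarize(lines: Iterable[str]) -> Tuple[Dict[Tuple[str, str], Entry], int]:
    """Group lines by (program, message template); track count, bytes and time span."""
    stats: Dict[Tuple[str, str], Entry] = {}
    unparsed = 0
    for raw in lines:
        line = raw.rstrip("\n")
        m = SYSLOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        key = (m["prog"], normalize(m["msg"]))
        ts = parse_ts(m["ts"])
        e = stats.setdefault(key, {"count": 0, "bytes": 0, "first": ts, "last": ts})
        e["count"] += 1
        e["bytes"] += len(line.encode("utf-8")) + 1  # +1 for the newline on disk
        e["first"] = min(e["first"], ts)
        e["last"] = max(e["last"], ts)
    return stats, unparsed


def top_offenders(lines: Iterable[str], n: int = 3) -> List[Tuple[str, str, int, int]]:
    """Return the n templates consuming the most bytes: (prog, template, count, bytes)."""
    stats, _ = summarize(lines)
    ranked = sorted(stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return [(prog, tmpl, s["count"], s["bytes"]) for (prog, tmpl), s in ranked[:n]]


def projected_daily_bytes(entry: Entry) -> float:
    """Rough bytes/day if this template keeps arriving at its observed rate."""
    span = (entry["last"] - entry["first"]).total_seconds()
    if span <= 0 or entry["count"] < 2:
        return float(entry["bytes"])  # too little data to extrapolate
    return entry["bytes"] / span * 86400


if __name__ == "__main__":
    stats, unparsed = summarize(SAMPLE_AUTH_LOG.splitlines())
    for (prog, tmpl), s in sorted(stats.items(), key=lambda kv: -kv[1]["bytes"]):
        rate_kb = projected_daily_bytes(s) / 1024
        print(f"{s['bytes']:6d} B {s['count']:4d}x ~{rate_kb:6.0f} KB/day  {prog}: {tmpl}")
    print(f"{unparsed} unparsed line(s)")
```

Run it against a real file with `summarize(open("/var/log/auth.log"))`; the template at the top of the list is the one to investigate. Grouping by template rather than by exact line matters here: each getty respawn logs under a new pid, so exact-line counting would show hundreds of singletons and hide the pattern.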


------------------------------------
This is the Juneau-LUG mailing list.
To unsubscribe, send an e-mail to juneau-lug-request@xxxxxxxxxxxxx with the 
word unsubscribe in the subject header.