Date:  Wed, 28 Nov 2007 23:15:28 -0800
From:  Diana Saunders <toodi4 (at mark) hotmail.com>
Subject:  [coba-e:11298] Re: sudden authentication problem
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <BAY135-W19CF2A77750E412A1101D082700 (at mark) phx.gbl>
In-Reply-To:  <200711290556.lAT5uUkq020508 (at mark) huda.muntadanet.com>
References:  <BAY135-W319EAA4A584DE254227F3682700 (at mark) phx.gbl> <20071129104409.2d6eab4f (at mark) patricko>  <BAY135-W417806F0BF27BDEB9A951E82700 (at mark) phx.gbl>  <200711290556.lAT5uUkq020508 (at mark) huda.muntadanet.com>
X-Mail-Count: 11298




Nope.  That was one of the first things I checked. :

# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda2             6.0G  865M  4.8G  16% /
/dev/sda1              99M   17M   78M  18% /boot
none                  506M     0  506M   0% /dev/shm
/dev/sda7              62G   26G   34G  44% /home
/dev/sda5            1012M   34M  927M   4% /tmp
/dev/sda3             4.0G  590M  3.2G  16% /var



> Sounds like a file system is getting full.
> 
> Try doing a df -h.
> 
> -Rashid
> 
> At 10:31 PM 11/28/2007, you wrote:
> 
> >e a Centos BQ server which has been functioning fine for a while. 
> >Now suddenly today all authentication failed (email, admin, ftp).  I 
> >was able to log in through SSH and run dbrecover.  That fixed the 
> >problem briefly, but then it failed again.  I tried rebooting the 
> >server but same problem. It also seemed that many of the times I ran 
> >dbrecover it did not solve the problem, even temporarily.
> > > >
> > > > Now it is the evening and the problem seems to have gone away for now.
> > > >
> > > > My initial thought is that it was a dictionary attack causing 
> > this problem as I've run into this before.  However, while I could 
> > see obvious hacking attempts using email login attempts in the 
> > secure log, they did not seem to be very numerous. (I could be 
> > wrong as I don't know exactly how to determine the number).  In any 
> > case, during the several hours when this problem occurred, there 
> > didn't seem to be a heavy load on the server as I had experienced 
> > in the past with such attacks.
> > > >
> > > > I know that other people have experienced a similar problem.  I 
> > have read Brian's instructions for converting the passwords to a 
> > flat file.  I'm not sure if that will resolve the problem I'm 
> > experiencing, or there is something else going on. Just curious if 
> > there is anything else I should be looking for.
> > >
> > > Please dont speculate. Dig ur logs and return the facts.
> > >
> > >
> > > For Other Blues, I am using .db authentication for 2 year straight
> > >  w/o any problem. The no. of site per server is > 1 thousand
> > >
> > >
> > > ### I always recommend removing POP3 loggin to .db, eg below ####
> > > ### Why? This will make DBRecover run faster (in /var/db) 
> > ...  when you have been strike by dick-sionary attack ####
> > >
> > >
> >
> >Well the problem has resurfaced, and there is no attack going on 
> >now.   And dbrecover doesn't seem to be solving the problem 
> >either.  The problem did go away after about 15 minutes. I monitored 
> >it and did noy see any attacks.I'm about to transfer sites to 
> >another server, but am reluctant to do that unless I know what the problem is.
> >
> >_________________________________________________________________
> >Connect and share in new ways with Windows Live.
> >http://www.windowslive.com/connect.html?ocid=TXT_TAGLM_Wave2_newways_112007
> 
> *****************************************************************
> MuntadaNet Web Hosting and Web Design Services
> http://www.muntada.com
> 
> Sales - sales (at mark) muntada.com
> Support - support (at mark) muntada.com
> Billing - billing (at mark) muntada.com
> 
> Main Office - 808-689-6092
> Fax - (808) 356-0279
> ***************************************************************** 
> 
> 

_________________________________________________________________
Connect and share in new ways with Windows Live.
http://www.windowslive.com/connect.html?ocid=TXT_TAGLM_Wave2_newways_112007