Welcome to the MacNN Forums.

What's this error_log entry?
xylon
Mac Enthusiast
Join Date: Mar 2003
Location: Pittsburgh
Feb 23, 2004, 10:37 PM
 
I was just checking my error_log and found:

[Wed Jul 5 07:45:09 2006] [notice] child pid 464 exit signal Bus error (10)
[Wed Jul 5 07:45:11 2006] [notice] child pid 462 exit signal Bus error (10)
[Wed Jul 5 07:46:07 2006] [notice] child pid 396 exit signal Bus error (10)

I have no idea what this is saying and am a bit concerned because I see it's a bus error. I'm no expert in this area, but after hearing all the Microsoft server errors that are a result of an overloaded bus, I got a bit concerned. Anyone know what this is? More importantly, am I getting hacked? My site's tiny and not many people know about it, but there's always the possibility...

Thanks in advance.

^Thanks to sealobo
Viva le ScrollWheel!
     
Simon Mundy
Grizzled Veteran
Join Date: Jun 2001
Location: Melbourne, Australia
Feb 24, 2004, 12:47 AM
 
Originally posted by xylon:
I was just checking my error_log and found:

[Wed Jul 5 07:45:09 2006] [notice] child pid 464 exit signal Bus error (10)
[Wed Jul 5 07:45:11 2006] [notice] child pid 462 exit signal Bus error (10)
[Wed Jul 5 07:46:07 2006] [notice] child pid 396 exit signal Bus error (10)

I have no idea what this is saying and am a bit concerned because I see it's a bus error. I'm no expert in this area, but after hearing all the Microsoft server errors that are a result of an overloaded bus, I got a bit concerned. Anyone know what this is? More importantly, am I getting hacked? My site's tiny and not many people know about it, but there's always the possibility...

Thanks in advance.
A 'notice' usually means it's not a critical problem. It may be that you have a script that is causing your server to crash, or perhaps even a slight misconfiguration. When did you start getting these errors? Just today? Installed anything new?
Computer thez nohhh...
     
xylon  (op)
Mac Enthusiast
Join Date: Mar 2003
Location: Pittsburgh
Feb 24, 2004, 10:25 PM
 
Originally posted by Simon Mundy:
A 'notice' usually means it's not a critical problem. It may be that you have a script that is causing your server to crash, or perhaps even a slight misconfiguration. When did you start getting these errors? Just today? Installed anything new?
Just started seeing those yesterday, haven't seen anything else like it since. Haven't installed any new software...I ran software update not too long ago though. Can't figure out what it is.

Also, got another weird one today in my access_log:

Code:
213.123.247.87 - - [24/Feb/2004:19:53:44 -0500] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 305
This one is confusing me a bit. Not sure how someone else would connect to another computer through mine. Maybe this guy hacked my access_log? I mean, the 1337s are kind of unsettling.


And, I just found that I got another one in my access_log:

Code:
"SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\x -snip extreme number of lines- 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 414 345
This one is kind of scary. Looks like it's trying to overload my buffer (if that even applies), so I restarted my computer. All of this stuff is starting to freak me out.

Thanks in advance for any help.

edit: put logs in code brackets to clarify
( Last edited by xylon; Feb 25, 2004 at 09:15 PM. )

^Thanks to sealobo
Viva le ScrollWheel!
     
Jaey
Mac Elite
Join Date: Dec 2003
Feb 24, 2004, 10:37 PM
 
Unfortunately, the 213.123.247.87 - - [24/Feb/2004:19:53:44 -0500] "CONNECT 1.3.3.7:1337 HTTP/1.0" looks very hacker-ish. I hear hackers like to use port 1337 a lot as a joke. (and 1.3.3.7 for an address... ). I don't know anything about security, but I'd be... cautious... if I were you
     
xylon  (op)
Mac Enthusiast
Join Date: Mar 2003
Location: Pittsburgh
Feb 25, 2004, 09:12 PM
 
Originally posted by Jaey:
Unfortunately, the 213.123.247.87 - - [24/Feb/2004:19:53:44 -0500] "CONNECT 1.3.3.7:1337 HTTP/1.0" looks very hacker-ish. I hear hackers like to use port 1337 a lot as a joke. (and 1.3.3.7 for an address... ). I don't know anything about security, but I'd be... cautious... if I were you
Yeah, that was my impression. I restarted the machine pretty much right after I saw that in my log (just happened to be browsing it a minute or two after that entry was made) and threw up the firewall (which I should just run anyway since that computer is only webhosting). After a while, I decided to pull the ethernet cable and let the computer have a few days off.

I'm interested to hear what people think of that long "SEARCH" string. I'm no internet security guru, but I figured that it was an attempt to overload my buffer (if that's possible). I also remember reading some time ago about Unix security and remember it went over something like this. Any input would be appreciated.

^Thanks to sealobo
Viva le ScrollWheel!
     
fat mac moron
Grizzled Veteran
Join Date: Sep 2002
Feb 26, 2004, 06:43 PM
 
Originally posted by xylon:
I'm interested to hear what people think of that long "SEARCH" string. I'm no internet security guru, but I figured that it was an attempt to overload my buffer (if that's possible). I also remember reading some time ago about Unix security and remember it went over something like this. Any input would be appreciated.
It looks to be a buffer overflow string, looking for an insecure IIS web server. I honestly can't remember the last time there was an Apache buffer overflow (it's also been a while since I've kept up with Apache security though), so I assume it's someone looking for an easily compromised IIS web server (could be a zombie net just randomly spamming IP addresses, looking for information).
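
Added example, not part of any post in this thread: a small Python triage of the two access_log entry types discussed above (the `CONNECT` request and the `SEARCH` request full of `\x..` escapes), reporting whether the server rejected each one. The function names, the `max_escapes` threshold and the two `192.0.2.x` sample lines are assumptions made for illustration; the first sample line is the one quoted in the thread.

```python
import re

# Apache common log format: host ident user [time] "request" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) \S+$')
# Apache writes non-printable request bytes into the log as \xhh
ESCAPED_BYTE = re.compile(r'\\x[0-9a-fA-F]{2}')


def classify(line, max_escapes=16):
    """Return (client, verdict, outcome) for one access_log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return (None, "unparsed", "unknown")
    client, _when, request, status = m.groups()
    method = request.split(" ", 1)[0]
    if method == "CONNECT":
        # Client asked the web server to tunnel to another host:port
        verdict = "proxy-probe"
    elif len(ESCAPED_BYTE.findall(request)) >= max_escapes:
        # Long run of raw bytes in the request line (threshold is an assumption)
        verdict = "binary-payload"
    else:
        verdict = "ordinary"
    # A 4xx/5xx status means the server refused; anything else needs a closer look
    outcome = "rejected" if int(status) >= 400 else "served"
    return (client, verdict, outcome)


def triage(lines):
    """Keep only the lines classified as probes."""
    results = [classify(line) for line in lines]
    return [r for r in results if r[1] in ("proxy-probe", "binary-payload")]


# First line is from the thread; the other two are constructed samples
# (the payload is shortened, and 192.0.2.x is a documentation address range).
SAMPLE = [
    '213.123.247.87 - - [24/Feb/2004:19:53:44 -0500] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 305',
    '192.0.2.10 - - [24/Feb/2004:20:10:02 -0500] "SEARCH /' + '\\x90\\x02\\xb1' * 20 + '" 414 345',
    '192.0.2.20 - - [24/Feb/2004:20:11:15 -0500] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for client, verdict, outcome in triage(SAMPLE):
        print(f"{client}: {verdict} ({outcome})")
```

Both entries from the thread come out as rejected: 405 is "Method Not Allowed" and 414 is "Request-URI Too Long", so the server refused the request in each case.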
     
xylon  (op)
Mac Enthusiast
Join Date: Mar 2003
Location: Pittsburgh
Feb 27, 2004, 11:21 PM
 
Originally posted by fat mac moron:
It looks to be a buffer overflow string, looking for an insecure IIS web server. I honestly can't remember the last time there was an Apache buffer overflow (it's also been a while since I've kept up with Apache security though), so I assume it's someone looking for an easily compromised IIS web server (could be a zombie net just randomly spamming IP addresses, looking for information).
Ahh, that's what I like to hear. I hadn't ever heard of an Apache buffer overflow, but I figured I'd ask those who knew more than I.

Thanks for all the replies.

^Thanks to sealobo
Viva le ScrollWheel!
     
   