[lug] Strange lines in log file

Jason Vallery jason at vallery.net
Mon Sep 18 08:47:22 MDT 2006


Hey All,

I've been getting some odd lines in my logfile that I can't explain. The box
is CentOS 4.4. Anyone have any idea what these mean? There are literally
hundreds of similar lines every day; this is just a sample:

Argument "43616NDOW" isn't numeric in numeric comparison (<=>) at
/etc/log.d/scripts/services/kernel line 77, <STDIN> line 5747.
Argument "43616OW" isn't numeric in numeric comparison (<=>) at
/etc/log.d/scripts/services/kernel line 77, <STDIN> line 5747.
Argument "4361OW" isn't numeric in numeric comparison (<=>) at
/etc/log.d/scripts/services/kernel line 77, <STDIN> line 5747.
Argument "436NDOWACK" isn't numeric in numeric comparison (<=>) at
/etc/log.d/scripts/services/kernel line 77, <STDIN> line 5747.
Argument "ES" isn't numeric in numeric comparison (<=>) at
/etc/log.d/scripts/services/kernel line 77, <STDIN> line 5747.
Argument "43616DOW" isn't numeric in getservbyport at
/etc/log.d/scripts/services/kernel line 34, <STDIN> line 5747.
Argument "TCP43616" isn't numeric in getprotobynumber at
/etc/log.d/scripts/services/kernel line 44, <STDIN> line 5747.
Argument "33K" isn't numeric in numeric comparison (<=>) at
/etc/log.d/scripts/services/kernel line 77, <STDIN> line 5747.
Argument "330RES" isn't numeric in numeric comparison (<=>) at
/etc/log.d/scripts/services/kernel line 77, <STDIN> line


Then similarly, I'm getting weird packets logged to non-existing interface
devices.


Logged 15 packets on interface 0
  From 209.97.225.211 - 15 packets to 13 tcp portstcpt(3306)

Logged 1 packet on interface 00
  From 209.97.225.211 - 1 packet to tcp(43616)

Logged 1 packet on interface 171URGANDWIIN
  From 209.97.225.211 - 1 packet to tcp(43616)

Logged 1 packet on interface 171URGP
  From 209.97.225.211 - 1 packet to tcp(0)

Logged 1 packet on interface 171URGPANDWIN
  From 209.97.225.211 - 1 packet to tcp(3306)


The other thing I have just noticed is that BIND is running at slightly
higher than normal memory and CPU utilization. Could this mean the box was
compromised with a BIND exploit? I'm running the latest version that is
provided as part of CentOS 4.4 (9.2.4-16.EL4).

Thoughts?

-Jason