AFP548

HACKED??? Massive Failure on 10.4.8 intel Auth Related not sure

First the setup info.

Hardware Overview:
Machine Name: Mac Pro
Machine Model: MacPro1,1
Processor Name: Dual-Core Intel Xeon
Processor Speed: 2.66 GHz
Number Of Processors: 2
Total Number Of Cores: 4
L2 Cache (per processor): 4 MB
Memory: 3 GB
Bus Speed: 1.33 GHz
Boot ROM Version: MP11.005C.B01
SMC Version: 1.7f8

System Software Overview:
System Version: Mac OS X Server 10.4.8 (8L2127)
Kernel Version: Darwin 8.8.1
Boot Volume: Macintosh HD
Computer Name: OSXServer
User Name: System Administrator (root)

Ok. Last night around 4am (I'll post parts of the log) a massive system problem occurred. Not sure where to even begin to fix this, but the primary problem is that the Mail is not working. I think there is a lot more going on, as you will see.

Got a phone call at about 9:30: mail is down, all other services seemed unaffected. I VNC'd in and was logged in as root. The root directory seemed fine at this time. I launched Server Admin OK the first time and services "looked" OK, so I just restarted the Mail service. OK, that didn't work and something else seemed wrong. I looked in the Activity Monitor and noticed smbd & syslogd were hogging the CPU. So in SA I stopped the Windows/SAMBA service. Back in the Activity Monitor smbd stopped but syslogd was still going nuts. OK, let's reboot.

After reboot VNC was down and they said no one could even log in now, let alone get mail. OK, to SSH we go, and it appeared all services except OD did not start?? Hmm. So I ran "serveradmin start afp", "serveradmin start mail", "serveradmin start web", "serveradmin start windows". I then kickstart'ed VNC/ARD. I got back on VNC to look around and logged in as root. OMG, the whole root user appeared to be messed up. No open windows popped up, keychain was bad, nothing was right with the root user directory. Mail service was started but IMAP & POP3 were not started? OK, I reset the settings in SA and restarted Mail, no dice, and the SA would require me to enter a password since the keychain was bad. Also the "Print" in SA, can't even get to it. It's grayed out. Just everything seemed bad, and there was only 2GB available on the server hard drive. I found later the "/private/var/log/samba/log.smbd.0.gz" file was 85GB in size. I just trashed it.

There are more problems, but some massive failure has happened and I will post logs to show the weird stuff I saw in the logs. WAS I HACKED!!!!!

File links you should see. DAMN SPAM filter won't let me post the links the right way. Please look at these logs, they are scary!!! Use "members" dot "aol" dot "com" as the FQDN.

http://FQDN/dragonmacpc/systemlog0gz.txt
http://FQDN/dragonmacpc/systemlog.txt

There are TWO log files overlapping in time entries. The new log started around 4:30am contain HIGHLY sensitive data!!!! I cut out things I felt were bad to post publicly and tried to shorten the post. But you have to see this!!!!

Shortly after midnight: "osxserver kernel[0]: file: table is full" errors, thousands of them:

Nov 13 00:07:06 osxserver postfix/master[58]: warning: unix_trigger_event: read timeout for service public/flush
Nov 13 00:07:15 osxserver kernel[0]: (126: coreservicesd)tfp: failed on 0:
Nov 13 00:18:25 osxserver ctl_cyrusdb[22546]: checkpointing cyrus databases
Nov 13 00:18:55 osxserver ctl_cyrusdb[22546]: done checkpointing cyrus databases
Nov 13 00:23:46 osxserver postfix/master[58]: warning: unix_trigger_event: read timeout for service public/flush
Nov 13 00:37:15 osxserver kernel[0]: (126: coreservicesd)tfp: failed on 0:
Nov 13 00:40:26 osxserver postfix/master[58]: warning: unix_trigger_event: read timeout for service public/flush
Nov 13 00:48:25 osxserver ctl_cyrusdb[22795]: checkpointing cyrus databases
Nov 13 00:48:25 osxserver ctl_cyrusdb[22795]: done checkpointing cyrus databases
Nov 13 00:57:06 osxserver postfix/master[58]: warning: unix_trigger_event: read timeout for service public/flush
Nov 13 01:00:17 osxserver sshd[22816]: fatal: Timeout before authentication for 62.249.240.14
Nov 13 01:07:15 osxserver kernel[0]: (126: coreservicesd)tfp: failed on 0:
Nov 13 01:13:46 osxserver postfix/master[58]: warning: unix_trigger_event: read timeout for service public/flush
Nov 13 01:18:25 osxserver ctl_cyrusdb[22855]: checkpointing cyrus databases
Nov 13 01:18:55 osxserver ctl_cyrusdb[22855]: done checkpointing cyrus databases
Nov 13 01:30:26 osxserver postfix/master[58]: warning: unix_trigger_event: read timeout for service public/flush
Nov 13 01:30:29 osxserver kernel[0]: file: table is full
Nov 13 01:30:29 osxserver kernel[0]: file: table is full
...
...
Nov 13 01:36:26 osxserver kernel[0]: file: table is full
Nov 13 01:37:15 osxserver kernel[0]: (126: coreservicesd)tfp: failed on 0:
Nov 13 01:37:37 osxserver kernel[0]: file: table is full
...
...
Nov 13 04:01:06 osxserver kernel[0]: file: table is full
Nov 13 04:01:12 osxserver tls_prune[24491]: DBERROR db4: /var/imap/db/log.0000000005: log file open failed: Too many open files in system
Nov 13 04:01:12 osxserver tls_prune[24491]: DBERROR db4: PANIC: Too many open files in system
Nov 13 04:01:12 osxserver tls_prune[24491]: DBERROR: critical database situation
Nov 13 04:07:28 osxserver kernel[0]: (126: coreservicesd)tfp: failed on 0:
Nov 13 04:17:06 osxserver postfix/master[58]: warning: unix_trigger_event: read timeout for service public/flush
Nov 13 04:18:25 osxserver ctl_cyrusdb[24506]: DBERROR db4: PANIC: fatal region error detected; run recovery
Nov 13 04:18:25 osxserver ctl_cyrusdb[24506]: DBERROR: critical database situation
Nov 13 04:25:02 osxserver postfix/trivial-rewrite[22189]: warning: write resolver reply: Broken pipe
Nov 13 04:33:46 osxserver postfix/master[58]: warning: unix_trigger_event: read timeout for service public/flush
Nov 13 09:36:19 osxserver postfix/postqueue[24159]: warning: close: Operation timed out

This is the end of log file system.log.0.gz. "osxserver kernel[0]: file: table is full" appeared thousands of times.

system.log begins here:

Nov 13 04:37:07 osxserver cp: error processing extended attributes: Operation not permitted
Nov 13 04:37:08 osxserver cp: error processing extended attributes: Operation not permitted
Nov 13 04:37:08 osxserver cp: error processing extended attributes: Operation not permitted
Nov 13 04:37:28 osxserver kernel[0]: (126: coreservicesd)tfp: failed on 0:
Nov 13 04:39:48 osxserver postfix/smtpd[22514]: warning: 202.10.85.170: hostname 202_10_85_170.g-node.com.au verification failed: Host not found
Nov 13 04:39:49 osxserver postfix/smtpd[22514]: warning: 216.129.243.156: hostname 216-129-243-156.dsl.williston.nemontel.net verification failed: Host not found
Nov 13 04:39:49 osxserver postfix/smtpd[22514]: warning: 216.129.243.156: hostname 216-129-243-156.dsl.williston.nemontel.net verification failed: Host not found
Nov 13 04:39:55 osxserver postfix/smtpd[22514]: warning: 201.160.164.114: hostname 201.160.164.114.cableonline.com.mx verification failed: Host not found
Nov 13 04:40:02 osxserver postfix/smtpd[22514]: warning: 201.160.164.114: hostname 201.160.164.114.cableonline.com.mx verification failed: Host not found
Nov 13 04:40:35 osxserver postfix/smtpd[22514]: warning: 218.85.28.202: hostname pc202.broad.dynamic.fz.fj.cn.cndata.com verification failed: Host not found
Nov 13 04:46:41 osxserver postfix/qmgr[22234]: fatal: watchdog timeout
Nov 13 04:46:42 osxserver postfix/master[58]: warning: process /usr/libexec/postfix/qmgr pid 22234 exit status 1
Nov 13 04:46:42 osxserver postfix/master[58]: warning: /usr/libexec/postfix/qmgr: bad command startup -- throttling
Nov 13 04:48:26 osxserver ctl_cyrusdb[24593]: DBERROR db4: PANIC: fatal region error detected; run recovery
Nov 13 04:48:56 osxserver ctl_cyrusdb[24593]: DBERROR: critical database situation
Nov 13 04:50:26 osxserver postfix/master[58]: warning: unix_trigger_event: read timeout for service public/flush
Nov 13 05:07:06 osxserver postfix/master[58]: warning: unix_trigger_event: read timeout for service public/flush
Nov 13 05:07:28 osxserver kernel[0]: (126: coreservicesd)tfp: failed on 0:
Nov 13 05:18:25 osxserver ctl_cyrusdb[24627]: DBERROR db4: PANIC: fatal region error detected; run recovery
Nov 13 05:18:25 osxserver ctl_cyrusdb[24627]: DBERROR: critical database situation
Nov 13 05:23:46 osxserver postfix/master[58]: warning: unix_trigger_event: read timeout for service public/flush
Nov 13 05:37:28 osxserver kernel[0]: (126: coreservicesd)tfp: failed on 0:
Nov 13 05:40:26 osxserver postfix/master[58]: warning: unix_trigger_event: read timeout for service public/flush
Nov 13 05:48:25 osxserver ctl_cyrusdb[24636]: DBERROR db4: PANIC: fatal region error detected; run recovery
Nov 13 05:48:55 osxserver ctl_cyrusdb[24636]: DBERROR: critical database situation
Nov 13 05:57:06 osxserver postfix/master[58]: warning: unix_trigger_event: read timeout for service public/flush
Nov 13 06:07:28 osxserver kernel[0]: (126: coreservicesd)tfp: failed on 0:
Nov 13 06:13:46 osxserver postfix/master[58]: warning: unix_trigger_event: read timeout for service public/flush
Nov 13 06:18:26 osxserver ctl_cyrusdb[24666]: DBERROR db4: PANIC: fatal region error detected; run recovery
Nov 13 06:18:56 osxserver ctl_cyrusdb[24666]: DBERROR: critical database situation
Nov 13 06:30:26 osxserver postfix/master[58]: warning: unix_trigger_event: read timeout for service public/flush
Nov 13 06:35:44 osxserver sshd[24670]: fatal: Timeout before authentication for 62.149.229.143
Nov 13 06:37:29 osxserver kernel[0]: (126: coreservicesd)tfp: failed on 0:
Nov 13 06:47:06 osxserver postfix/master[58]: warning: unix_trigger_event: read timeout for service public/flush
Nov 13 06:48:25 osxserver ctl_cyrusdb[24677]: DBERROR db4: PANIC: fatal region error detected; run recovery
Nov 13 06:48:25 osxserver ctl_cyrusdb[24677]: DBERROR: critical database situation
Nov 13 07:03:46 osxserver postfix/master[58]: warning: unix_trigger_event: read timeout for service public/flush
Nov 13 07:07:28 osxserver kernel[0]: (126: coreservicesd)tfp: failed on 0:
Nov 13 07:13:04 osxserver postfix/trivial-rewrite[24522]: warning: write resolver reply: Broken pipe
Nov 13 07:18:25 osxserver ctl_cyrusdb[24689]: DBERROR db4: PANIC: fatal region error detected; run recovery
Nov 13 07:18:55 osxserver ctl_cyrusdb[24689]: DBERROR: critical database situation
Nov 13 07:20:26 osxserver postfix/master[58]: warning: unix_trigger_event: read timeout for service public/flush
Nov 13 07:37:06 osxserver postfix/master[58]: warning: unix_trigger_event: read timeout for service public/flush
Nov 13 07:37:29 osxserver kernel[0]: (126: coreservicesd)tfp: failed on 0:
Nov 13 07:48:26 osxserver ctl_cyrusdb[24695]: DBERROR db4: PANIC: fatal region error detected; run recovery
Nov 13 07:48:26 osxserver ctl_cyrusdb[24695]: DBERROR: critical database situation
Nov 13 07:53:46 osxserver postfix/master[58]: warning: unix_trigger_event: read timeout for service public/flush
Nov 13 08:07:29 osxserver kernel[0]: (126: coreservicesd)tfp: failed on 0:
Nov 13 08:10:26 osxserver postfix/master[58]: warning: unix_trigger_event: read timeout for service public/flush
Nov 13 08:18:25 osxserver ctl_cyrusdb[24701]: DBERROR db4: PANIC: fatal region error detected; run recovery
Nov 13 08:18:55 osxserver ctl_cyrusdb[24701]: DBERROR: critical database situation
Nov 13 08:27:06 osxserver postfix/master[58]: warning: unix_trigger_event: read timeout for service public/flush
Nov 13 08:37:29 osxserver kernel[0]: (126: coreservicesd)tfp: failed on 0:
Nov 13 08:43:46 osxserver postfix/master[58]: warning: unix_trigger_event: read timeout for service public/flush
Nov 13 08:44:50 osxserver imap[20853]: login: localhost [::1] coling plaintext User logged in
Nov 13 08:44:50 osxserver imap[20860]: login: localhost [::1] coling plaintext User logged in
Nov 13 08:44:50 osxserver imap[20867]: login: localhost [::1] coling plaintext User logged in
Nov 13 08:44:50 osxserver imap[20869]: login: localhost [::1] coling plaintext User logged in
Nov 13 08:44:50 osxserver imap[20876]: login: localhost [::1] coling plaintext User logged in
Nov 13 08:44:50 osxserver imap[20881]: login: localhost [::1] coling plaintext User logged in
Nov 13 08:44:51 osxserver lmtpunix[20406]: warning: unable to post message for user: kimb, mail is not enabled for this user
Nov 13 08:44:52 osxserver master[53]: process 20860 exited, signaled to death by 10
Nov 13 08:44:53 osxserver master[53]: process 20867 exited, signaled to death by 10
Nov 13 08:44:53 osxserver postfix/smtpd[24572]: warning: 216.60.1.241: hostname 216-60-1-241.ded.swbell.net verification failed: Host not found
Nov 13 08:44:53 osxserver master[53]: process 20881 exited, signaled to death by 10
Nov 13 08:44:53 osxserver master[53]: process 20876 exited, signaled to death by 10
Nov 13 08:44:54 osxserver master[53]: process 20853 exited, signaled to death by 10
Nov 13 08:44:56 osxserver lmtpunix[20412]: warning: unable to post message for user: kimb, mail is not enabled for this user
Nov 13 08:44:56 osxserver master[53]: process 20418 exited, signaled to death by 10
...
...
...
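
An added example, not part of the original post: a small Python triage pass over a few of the log lines quoted above, grouping them by failure type and recording when each type first and last appears, so the order of events can be read at a glance. The category names and matching rules are this example's own assumptions.

```python
import re

# A few log lines copied from the post above, in their original order.
SAMPLE = """\
Nov 13 01:00:17 osxserver sshd[22816]: fatal: Timeout before authentication for 62.249.240.14
Nov 13 01:30:29 osxserver kernel[0]: file: table is full
Nov 13 01:30:29 osxserver kernel[0]: file: table is full
Nov 13 04:01:12 osxserver tls_prune[24491]: DBERROR db4: PANIC: Too many open files in system
Nov 13 04:18:25 osxserver ctl_cyrusdb[24506]: DBERROR db4: PANIC: fatal region error detected; run recovery
Nov 13 04:46:41 osxserver postfix/qmgr[22234]: fatal: watchdog timeout
Nov 13 06:35:44 osxserver sshd[24670]: fatal: Timeout before authentication for 62.149.229.143
Nov 13 08:44:52 osxserver master[53]: process 20860 exited, signaled to death by 10
"""

# Fields: timestamp, host, process, optional [pid], message.
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) ([^\[:]+)(?:\[(\d+)\])?: (.*)$")

# Category names and patterns are this example's own labels (assumptions).
# Order matters: the first matching rule wins for each line.
RULES = [
    ("fd_exhaustion", re.compile(r"file: table is full|Too many open files")),
    ("cyrus_db_panic", re.compile(r"DBERROR.*(?:PANIC|critical database)")),
    ("ssh_preauth_timeout", re.compile(r"Timeout before authentication for (\S+)")),
    ("postfix_fatal", re.compile(r"^fatal: watchdog timeout")),
    ("child_killed", re.compile(r"signaled to death by \d+")),
]

def triage(text):
    """Summarise matching lines per category, keyed in order of first appearance."""
    summary = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # "..." elisions and prose lines are skipped
        stamp, _host, _proc, _pid, msg = m.groups()
        for name, rule in RULES:
            hit = rule.search(msg)
            if not hit:
                continue
            entry = summary.setdefault(
                name, {"count": 0, "first": stamp, "last": stamp, "sources": set()})
            entry["count"] += 1
            entry["last"] = stamp
            entry["sources"].update(hit.groups())  # only the sshd rule captures an address
            break
    return summary

if __name__ == "__main__":
    for name, e in triage(SAMPLE).items():
        print(f'{e["first"]} -> {e["last"]}  {name:20} x{e["count"]} {sorted(e["sources"])}')
```

Running the same function over the full system.log files gives per-category counts and time windows, which is usually the first thing to establish before deciding whether the entries point to resource exhaustion, an intrusion, or both.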