Weird turnoff

Mario Lobo lobo at bsd.com.br
Mon Oct 2 13:04:43 UTC 2017 

On Sun, 1 Oct 2017 18:25:06 -0600
The Doctor <doctor at doctor.nl2k.ab.ca> wrote:

> On Mon, Oct 02, 2017 at 02:11:40AM +0200, Polytropon wrote:
> > On Sun, 1 Oct 2017 17:25:31 -0600, The Doctor wrote:  
> > > Could be an attack.
> > > 
> > > All right.
> > > 
> > > As of this morning (3 p.m. UTC) my seconday FreeBSD 11.1 server
> > > has been going intreface down then up and then unable to route.
> > > 
> > > Rebooted this system 2 times today.
> > > 
> > > 
> > > What should I bee looking for?  
> > 
> > Primarily the system's log files in /var/log: messages, auth.log,
> > security. Also check the output of the periodic scripts (mailed
> > to root or another user), do they contain hints to something that
> > looks suspicious (SUID changes, system file modifications, etc.)?
> >  
> 
> exactly what I am looking for
> 
> I am going to have to do a transcribe as I am opreating from the
> potential victim and ssh'ing to this terminal
> 
> or ftp the information over
> 
> 
> Oct  1 16:56:46 gallifrey kernel: igb0: link state changed to DOWN
> Oct  1 17:00:10 gallifrey kernel: igb0: link state changed to UP
> Oct  1 17:17:32 gallifrey kernel: igb0: <Intel(R) PRO/1000 Network
> Connection, Version - 2.5.3-k> port 0x6020-0x603f mem
> 0xc7120000-0xc713ffff,0xc7144000-0xc7147fff irq 26 at device 0.0
> numa-domain 0 on pci3 Oct  1 17:17:32 gallifrey kernel: igb0: Using
> MSIX interrupts with 9 vectors Oct  1 17:17:32 gallifrey kernel:
> igb0: Ethernet address: 0c:c4:7a:ac:51:20 Oct  1 17:17:32 gallifrey
> kernel: igb0: Bound queue 0 to cpu 0 Oct  1 17:17:32 gallifrey
> kernel: igb0: Bound queue 1 to cpu 1 Oct  1 17:17:32 gallifrey
> kernel: igb0: Bound queue 2 to cpu 2 Oct  1 17:17:32 gallifrey
> kernel: igb0: Bound queue 3 to cpu 3 Oct  1 17:17:32 gallifrey
> kernel: igb0: Bound queue 4 to cpu 4 Oct  1 17:17:32 gallifrey
> kernel: igb0: Bound queue 5 to cpu 5 Oct  1 17:17:32 gallifrey
> kernel: igb0: Bound queue 6 to cpu 6 Oct  1 17:17:32 gallifrey
> kernel: igb0: Bound queue 7 to cpu 7 Oct  1 17:17:32 gallifrey
> kernel: igb0: netmap queues/slots: TX 8/1024, RX 8/1024 Oct  1
> 17:17:32 gallifrey kernel: igb1: <Intel(R) PRO/1000 Network
> Connection, Version - 2.5.3-k> port 0x6000-0x601f mem
> 0xc7100000-0xc711ffff,0xc7140000-0xc7143fff irq 28 at device 0.1
> numa-domain 0 on pci3 Oct  1 17:17:32 gallifrey kernel: igb1: Using
> MSIX interrupts with 9 vectors Oct  1 17:17:32 gallifrey kernel:
> igb1: Ethernet address: 0c:c4:7a:ac:51:21 Oct  1 17:17:32 gallifrey
> kernel: igb1: Bound queue 0 to cpu 8 Oct  1 17:17:32 gallifrey
> kernel: igb1: Bound queue 1 to cpu 9 Oct  1 17:17:32 gallifrey
> kernel: igb1: Bound queue 2 to cpu 10 Oct  1 17:17:32 gallifrey
> kernel: igb1: Bound queue 3 to cpu 11 Oct  1 17:17:32 gallifrey
> kernel: igb1: Bound queue 4 to cpu 0 Oct  1 17:17:32 gallifrey
> kernel: igb1: Bound queue 5 to cpu 1 Oct  1 17:17:32 gallifrey
> kernel: igb1: Bound queue 6 to cpu 2 Oct  1 17:17:32 gallifrey
> kernel: igb1: Bound queue 7 to cpu 3 Oct  1 17:17:32 gallifrey
> kernel: igb1: netmap queues/slots: TX 8/1024, RX 8/1024 Oct  1
> 17:17:32 gallifrey kernel: igb0: link state changed to UP Oct  1
> 17:17:32 gallifrey kernel: igb1: link state changed to UP Oct  1
> 17:17:46 gallifrey kernel: igb1: link state changed to DOWN Oct  1
> 17:17:53 gallifrey kernel: igb1: link state changed to UP Oct  1
> 17:19:06 gallifrey kernel: igb0: promiscuous mode enabled Oct  1
> 17:40:09 gallifrey kernel: igb0: <Intel(R) PRO/1000 Network
> Connection, Version - 2.5.3-k> port 0x6020-0x603f mem
> 0xc7120000-0xc713ffff,0xc7144000-0xc7147fff irq 26 at device 0.0
> numa-domain 0 on pci3 Oct  1 17:40:09 gallifrey kernel: igb0: Using
> MSIX interrupts with 9 vectors Oct  1 17:40:09 gallifrey kernel:
> igb0: Ethernet address: 0c:c4:7a:ac:51:20 Oct  1 17:40:09 gallifrey
> kernel: igb0: Bound queue 0 to cpu 0 Oct  1 17:40:09 gallifrey
> kernel: igb0: Bound queue 1 to cpu 1 Oct  1 17:40:09 gallifrey
> kernel: igb0: Bound queue 2 to cpu 2 Oct  1 17:40:09 gallifrey
> kernel: igb0: Bound queue 3 to cpu 3 Oct  1 17:40:09 gallifrey
> kernel: igb0: Bound queue 4 to cpu 4 Oct  1 17:40:09 gallifrey
> kernel: igb0: Bound queue 5 to cpu 5 Oct  1 17:40:09 gallifrey
> kernel: igb0: Bound queue 6 to cpu 6 Oct  1 17:40:09 gallifrey
> kernel: igb0: Bound queue 7 to cpu 7 Oct  1 17:40:09 gallifrey
> kernel: igb0: netmap queues/slots: TX 8/1024, RX 8/1024 Oct  1
> 17:40:09 gallifrey kernel: igb1: <Intel(R) PRO/1000 Network
> Connection, Version - 2.5.3-k> port 0x6000-0x601f mem
> 0xc7100000-0xc711ffff,0xc7140000-0xc7143fff irq 28 at device 0.1
> numa-domain 0 on pci3 Oct  1 17:40:09 gallifrey kernel: igb1: Using
> MSIX interrupts with 9 vectors Oct  1 17:40:09 gallifrey kernel:
> igb1: Ethernet address: 0c:c4:7a:ac:51:21 Oct  1 17:40:09 gallifrey
> kernel: igb1: Bound queue 0 to cpu 8 Oct  1 17:40:09 gallifrey
> kernel: igb1: Bound queue 1 to cpu 9 Oct  1 17:40:09 gallifrey
> kernel: igb1: Bound queue 2 to cpu 10 Oct  1 17:40:09 gallifrey
> kernel: igb1: Bound queue 3 to cpu 11 Oct  1 17:40:09 gallifrey
> kernel: igb1: Bound queue 4 to cpu 0 Oct  1 17:40:09 gallifrey
> kernel: igb1: Bound queue 5 to cpu 1 Oct  1 17:40:09 gallifrey
> kernel: igb1: Bound queue 6 to cpu 2 Oct  1 17:40:09 gallifrey
> kernel: igb1: Bound queue 7 to cpu 3 Oct  1 17:40:09 gallifrey
> kernel: igb1: netmap queues/slots: TX 8/1024, RX 8/1024 Oct  1
> 17:40:09 gallifrey kernel: igb0: link state changed to UP Oct  1
> 17:40:09 gallifrey kernel: igb1: link state changed to UP Oct  1
> 17:41:25 gallifrey kernel: igb0: promiscuous mode enabled Oct  1
> 09:02:49 gallifrey kernel: igb0: link state changed to DOWN Oct  1
> 09:06:13 gallifrey kernel: igb0: link state changed to UP Oct  1
> 12:04:48 gallifrey kernel: igb0: <Intel(R) PRO/1000 Network
> Connection, Version - 2.5.3-k> port 0x6020-0x603f mem
> 0xc7120000-0xc713ffff,0xc7144000-0xc7147fff irq 26 at device 0.0
> numa-domain 0 on pci3 Oct  1 12:04:48 gallifrey kernel: igb0: Using
> MSIX interrupts with 9 vectors Oct  1 12:04:48 gallifrey kernel:
> igb0: Ethernet address: 0c:c4:7a:ac:51:20 Oct  1 12:04:48 gallifrey
> kernel: igb0: Bound queue 0 to cpu 0 Oct  1 12:04:48 gallifrey
> kernel: igb0: Bound queue 1 to cpu 1 Oct  1 12:04:48 gallifrey
> kernel: igb0: Bound queue 2 to cpu 2 Oct  1 12:04:48 gallifrey
> kernel: igb0: Bound queue 3 to cpu 3 Oct  1 12:04:48 gallifrey
> kernel: igb0: Bound queue 4 to cpu 4 Oct  1 12:04:48 gallifrey
> kernel: igb0: Bound queue 5 to cpu 5 Oct  1 12:04:48 gallifrey
> kernel: igb0: Bound queue 6 to cpu 6 Oct  1 12:04:48 gallifrey
> kernel: igb0: Bound queue 7 to cpu 7 Oct  1 12:04:48 gallifrey
> kernel: igb0: netmap queues/slots: TX 8/1024, RX 8/1024 Oct  1
> 12:04:48 gallifrey kernel: igb1: <Intel(R) PRO/1000 Network
> Connection, Version - 2.5.3-k> port 0x6000-0x601f mem
> 0xc7100000-0xc711ffff,0xc7140000-0xc7143fff irq 28 at device 0.1
> numa-domain 0 on pci3 Oct  1 12:04:48 gallifrey kernel: igb1: Using
> MSIX interrupts with 9 vectors Oct  1 12:04:48 gallifrey kernel:
> igb1: Ethernet address: 0c:c4:7a:ac:51:21 Oct  1 12:04:48 gallifrey
> kernel: igb1: Bound queue 0 to cpu 8 Oct  1 12:04:48 gallifrey
> kernel: igb1: Bound queue 1 to cpu 9 Oct  1 12:04:48 gallifrey
> kernel: igb1: Bound queue 2 to cpu 10 Oct  1 12:04:48 gallifrey
> kernel: igb1: Bound queue 3 to cpu 11 Oct  1 12:04:48 gallifrey
> kernel: igb1: Bound queue 4 to cpu 0 Oct  1 12:04:48 gallifrey
> kernel: igb1: Bound queue 5 to cpu 1 Oct  1 12:04:48 gallifrey
> kernel: igb1: Bound queue 6 to cpu 2 Oct  1 12:04:48 gallifrey
> kernel: igb1: Bound queue 7 to cpu 3 Oct  1 12:04:48 gallifrey
> kernel: igb1: netmap queues/slots: TX 8/1024, RX 8/1024 Oct  1
> 12:04:48 gallifrey kernel: igb0: link state changed to UP Oct  1
> 12:16:01 gallifrey kernel: igb0: link state changed to DOWN Oct  1
> 12:19:26 gallifrey kernel: igb0: link state changed to UP
> 
> Nothing in the auth.log that I can see as an issue.
> 
> Also, how do I turn routing / ifconfig back on?
> 
> Rebooting is not that fun
> 
> > 
> > 
> > -- 
> > Polytropon
> > Magdeburg, Germany
> > Happy FreeBSD user since 4.0
> > Andra moi ennepe, Mousa, ...
> > _______________________________________________
> > freebsd-questions at freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to
> > "freebsd-questions-unsubscribe at freebsd.org"  
> 

I once had this problem on a server. It wasn't an Intel nic but it was
constantly going up and down by itself, and the system lost its
connectivity.

I replaced the nic and the problem went away.

-- 
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!]
 
"UNIX was not designed to stop you from doing stupid things, 
because that would also stop you from doing clever things."

More information about the freebsd-questions mailing list