roy@phri.UUCP (Roy Smith) (11/08/88)
Over the past few days, we've started seeing some very strange
things going on with sendmail. Every once in a while (on one particular
Sun-3/50 running SunOS-3.5.2) we get runaway sendmails. Perhaps once or
twice a day. Doing ps shows:
root 15539 27.0 3.9 216 120 a D 12:20 send-mail -i drlica
root 15542 25.0 3.7 216 112 a D 12:02 send-mail -i roy
and if I look in the directory of the person getting the mail (not always
that person's $HOME), I see something like the following (not from the same
instance as shown in the ps above):
---------- 2 gennaro 0 Nov 4 16:27 Mi~Uod
---------- 2 gennaro 0 Nov 4 16:27 lf~TCopyr 1985 Sun Mni~Tod
---------- 2 gennaro 0 Nov 4 16:27 Mi~Tod
---------- 2 gennaro 0 Nov 4 16:26 lf~SCopyr 1985 Sun Mni~Sod
---------- 2 gennaro 0 Nov 4 16:26 Mi~Sod
---------- 2 gennaro 0 Nov 4 16:26 lf~RCopyr 1985 Sun Mni~Rod
---------- 2 gennaro 0 Nov 4 16:26 Mi~Rod
---------- 2 gennaro 0 Nov 4 16:26 lf~QCopyr 1985 Sun Mni~Qod
---------- 2 gennaro 0 Nov 4 16:26 Mi~Qod
---------- 2 gennaro 0 Nov 4 16:26 lf~PCopyr 1985 Sun Mni~Pod
---------- 2 gennaro 0 Nov 4 16:26 Mi~Pod
---------- 2 gennaro 0 Nov 4 16:26 lf~OCopyr 1985 Sun Mni~Ood
---------- 2 gennaro 0 Nov 4 16:26 Mi~Ood
---------- 2 gennaro 0 Nov 4 16:26 lf~NCopyr 1985 Sun Mni~Nod
It seems pretty obvious that there is a bug in sendmail. The
fragments of copyright notices, with the incrementing file names. The
files come in linked pairs; each pair consists of one "short name" and one
"long name" file. These are created at the rate of 10-20 pairs per second
(which sure drives the load on the NFS file server sky high). The fact
that they are all mode 0 makes it look like random calls to creat(2). A
given directory may have hundreds of pairs of these.
Has anybody ever seen anything like this? The timing of the first
reported instance of this pretty much coincides with The Internet Virus,
but since we're not on the internet, I'll just chalk that up to a spookey
coincidence.
--
Roy Smith, System Administrator
Public Health Research Institute
{allegra,philabs,cmcl2,rutgers}!phri!roy -or- phri!roy@uunet.uu.net
"The connector is the network"