[mod: This is the second time in a week that someone asks this question: is it a new attack? It sure looks to me like "userland" has completely locked up, but that the kernel is still working. As an isolated case, my diagnosis is: You probably have a bad block in your /bin/login program or something like that. When two people report this in a week, it's starting to become unlikely that two people have a hole in their /bin/login program at the same time.... -- REW]

I have a strange situation here that I don't know how to follow up on. I have a box set up that is pretty much only to do ipchains for a couple of computers behind it. This has occurred for me for both RH6.0 and now RH6.2 beta on an x86.

Symptoms:
All attempts to connect remotely receive a connection, but a login prompt never comes up. When I went to the console and turned on the monitor, I had the login prompt, but written on to the screen was the message

IPMASQ: Reverse ICMP: Checksum error from xxx.xxx.xxx.xxx

where the x's represent an IP address. The message was repeated four times (I think).

I can type in a username and hit return, and then nothing happens and it does not ask for password or anything. When I pull up other TTYs (hitting alt-F1), the messages are not there, but when I type in a username, again, nothing happens and it never asks for a password.

ipchains and forwarding continues to function (i.e. they are still connected through that box), but everything else I can check appears to be locked up. CTRL-ALT-DEL does nothing, and I have to do a hard reboot.

Is this an error in my IPCHAINS rules, or something else? What other information can I provide to help?

Thanks for any help you can give.

James Meriwether

Joshua M. Thompson
2000-Feb-28 20:25 UTC
[linux-security] Re: IPMASQ and lock-up of all terminals
On Mon, 28 Feb 2000 MeriwetherDJ@nswccd.navy.mil wrote:

> Symptoms:
> All attempts to connect remotely receive a connection, but a login prompt
> never comes up.
[...]
> I can type in a username and hit return, and then nothing happens and it
> does not ask for password or anything.

[mod: Redundant quoting trimmed --REW]

I have seen very similar behavior before on one of my RH6.0 boxes. It occurred when syslog froze, causing any programs that try to use the logging facilities to block.

If you have an active shell connection to the box when it happens you can kill syslogd and it will unlock. Otherwise the hard reboot is the only way out.

--
Senior Systems Engineer | "...and next door is a virtual reality
BigNet, Inc.            |  restaurant, CGI Friday's..."
Phone: 248-771-1261     |  - The Upright Citizens Brigade
Fax: 248-771-1269       |
**** My opinions are mine, period. ****

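The failure mode described in the reply above (a frozen syslogd making every logging program block) can be watched for with a probe that never blocks. This is an added example, not code from the thread; it assumes a Linux host whose log socket is a Unix datagram socket, and the function names are hypothetical. Against a real /dev/log each probe writes one line to the log.

```python
import os
import socket
import tempfile

def probe_log_socket(path="/dev/log"):
    """Classify a syslog-style Unix datagram socket without ever blocking."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    s.setblocking(False)
    try:
        s.sendto(b"<14>watchdog: log socket probe", path)
        return "ok"        # the receive queue had room for one more message
    except BlockingIOError:
        return "stalled"   # queue full: a blocking syslog() call would hang here
    except (FileNotFoundError, ConnectionRefusedError):
        return "absent"    # no socket file, or no process bound to it
    finally:
        s.close()

def simulate_frozen_daemon(path):
    """Constructed scenario: a receiver that never reads, with its queue filled."""
    rx = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    rx.bind(path)
    while True:
        tx = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        tx.setblocking(False)
        sent = 0
        try:
            while True:                 # send until this sender is refused
                tx.sendto(b"x" * 64, path)
                sent += 1
        except BlockingIOError:
            pass
        finally:
            tx.close()                  # queued datagrams stay in rx's queue
        if sent == 0:                   # a fresh sender is refused at once:
            return rx                   # the queue is full; keep rx open

if __name__ == "__main__":
    d = tempfile.mkdtemp()
    healthy = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    healthy.bind(os.path.join(d, "healthy.sock"))
    frozen = simulate_frozen_daemon(os.path.join(d, "frozen.sock"))
    for name in ("healthy.sock", "frozen.sock", "missing.sock"):
        print(name, probe_log_socket(os.path.join(d, name)))
```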
James Stevenson
2000-Feb-29 01:07 UTC
[linux-security] Re: IPMASQ and lock-up of all terminals
Hi

> On Mon, 28 Feb 2000 MeriwetherDJ@nswccd.navy.mil wrote:
>
> > Symptoms:
> > All attempts to connect remotely receive a connection, but a login prompt
> > never comes up.

I also had this problem. Upgrading to the syslog in RH6.1 seemed to fix this.

cya
James

[mod: Redundant quoting trimmed, remark about redundant quoting reinstated... --REW]

---------------------------------------------
Check Out: http://www.users.zetnet.co.uk/james/
E-Mail: mistral@stevenson.zetnet.co.uk
1:00am up 4 days, 9:30, 5 users, load average: 1.53, 1.45, 1.31