Hi all,

3-node NW6/SP5 cluster with GW6/SP4, GWIA in a separate address space,
all is well for a couple of years. In the last few months, the
following abends are happening at an average rate of about two a week.
Sometimes it runs fine for a few days, then I'd have 3 crashes in an
hour. The only thing that would have changed is a huge increase in the
amount of mail (99% spam) that is being received. The cluster is
literally bombarded with mail.

Could this be the result of some sort of exploit?

Any help is appreciated.

tx,
MG

=============================
Address space GWIA removed Tuesday, January 24, 2006 4:51:28.012 pm
Abend 0 on P00: Server-5.60.05: Free received an invalid memory pointer
0x74656E2E

Registers:
CS = 0060 DS = 007B ES = 007B FS = 007B GS = 007B SS = 0068
EAX = D10F90FA EBX = D10F90C8 ECX = FFFFFFCC EDX = 00000000
ESI = 00000005 EDI = 00000001 EBP = A7637110 ESP = A76370EC
EIP = A2998CC0 FLAGS = 00000286
A2998CC0 83C40C ADD ESP,0000000C
EIP in UNKNOWN memory area

The violation occurred while processing the following instruction:
A2998CC0 83C40C ADD ESP,0000000C
A2998CC3 5B POP EBX
A2998CC4 C3 RET
SYSCALLS.NLM|MARSHAL_AccountCharge:
A2998CC5 53 PUSH EBX
A2998CC6 56 PUSH ESI
A2998CC7 0FB7742424 MOVZX ESI,word ptr [ESP+24]
A2998CCC 89F3 MOV EBX,ESI
A2998CCE 8B442428 MOV EAX,[ESP+28]
A2998CD2 83FB00 CMP EBX,00000000
A2998CD5 7505 JNZ A2998CDC



Running process: Server 00:11 Process
Thread Owned by NLM: SERVER.NLM
Stack pointer: A76370EC
User Space Stack limit: 0
Scheduling priority: 67371008
Wait state: 50500F0 Waiting for work
Stack: A2998CC0 (SYSCALLS.NLM|MARSHAL_Abend+31)
--00000191 ?
--00000000 ?
--D10F90C8 ?
--D10F98D0 ?
00338A39 (SERVER.NLM|NewSystemCall+C9)
--D10F90C8 ?
--80000001 ?
--A2A415A0 ?
--D10F9170 ?
--D0061740 ?
00338B3B (SERVER.NLM|NewSystemCall+1CB)
--00000073 ?
--D10F90C0 ?
--0000007B ?
--00000000 ?
--D05513C0 ?
--D10FAFF4 ?
--A282C8C0 ?
00018000 (LOADER.EXE|sprintf+1A38)
0023221C (SERVER.NLM|BumpCurrentAddressSpaceWTD+304)
--A76371AC ?
--D05513C0 ?
--D10FAFF4 ?
--A348F3C0 ?
--D10E2000 ?
--D10FAFF4 ?
--00000000 ?
--00000000 ?
-0001A000 (LOADER.EXE|startPublicList+208)
--D10E3000 ?
--A348F3C0 ?
--D05513C0 ?
--A348F3C0 ?
--A76371AC ?
--D05513C0 ?
00232402 (SERVER.NLM|CallUser+9A)
--A76371AC ?
--D05513C0 ?
--A76371A0 ?
--A348F3C0 ?
--00000000 ?
00228EA1 (SERVER.NLM|TcoNewUserThreadEntryPoint+4D)
--A76371AC ?
--D05513C0 ?
--00000002 ?
--A348F3C0 ?
--00000000 ?
--A76371EC ?
--00000000 ?
--00000000 ?
--00000000 ?
--00000000 ?
--00000000 ?
--00000002 ?
--00000000 ?
--01AC8A14 ?
--00000000 ?
--000100B2 ?
--A762F000 ?
--00000000 ?
--005CDC36 ?
--00000000 ?
--00000000 ?
--00000006 ?
--A9B98CCC ?
--A7630010 ?
--A7637398 ?
--CBE99B88 ?
--A9B98C00 ?
--A7637254 ?
CA03F2B2 (NWSA.NSS|NWSA_FillDirEntryInfo+A2)
--A76373C0 ?
--A76372C0 ?
0022C09F (SERVER.NLM|kGetLibraryTCO+1B)
--A348F3C0 ?
--C90ABDC0 ?
C8141DBD (SAL.NLM|SAL_ThreadSetDescPtr+91)
-C81452BC (SAL.NLM|sal_ctype+51C)
--00000046 ?
0020F2FB (SERVER.NLM|kCVBroadcast+6F)
--00000046 ?
--00000046 ?
--C803AB80 ?
--A348F580 ?
--0000007E ?
--0000007E ?
0029CB12 (SERVER.NLM|EventReport+3D6)
--C803AB80 ?
--A348F3C0 ?
--A7637284 ?
--00000000 ?
--00000000 ?
--00000000 ?
--A7637398 ?
--CBCC7040 ?
--00000001 ?
--00000001 ?
--A76373B8 ?
--9F2F4E20 ?

Additional Information:
The NetWare OS detected a problem with the system while executing a
process owned by SYSCALLS.NLM. It may be the source of the problem or
there may have been a memory corruption.

Loaded Modules:
GWIA.NLM GroupWise Internet Agent
Version 6.00.04 November 4, 2003
Code Address: FA0FC000h Length: 0011F793h
Data Address: FA0BE000h Length: 0003C8F6h
SCCDA.NLM HTML Export Data Access Module
Version 7.70 June 6, 2003
Code Address: FA21F000h Length: 000061A0h
Data Address: FA21D000h Length: 00000140h
SCCFA.NLM HTML Export Filter Access Module
Version 7.70 June 6, 2003
Code Address: FA229000h Length: 00002BE0h
Data Address: FA227000h Length: 00000300h
SCCCH.NLM HTML Export Chunker Module
Version 7.70 June 6, 2003
Code Address: FA22F000h Length: 0000A300h
Data Address: FA22D000h Length: 00000660h
SCCFI.NLM HTML Export File Identification Module
Version 7.70 June 6, 2003
Code Address: FA240000h Length: 0000E2A0h
Data Address: FA23B000h Length: 00003040h
SCCUT.NLM HTML Export Utility Module
Version 7.70 June 6, 2003
Code Address: FA262000h Length: 00024E20h
Data Address: FA250000h Length: 00010240h
NWSNUT.NLM NetWare NLM Utility User Interface
Version 7.00 June 22, 2004
Code Address: FA28C000h Length: 00013417h
Data Address: FA28A000h Length: 000006F8h
CALNLM32.NLM NetWare NWCalls Runtime Library
Version 6.00 June 3, 2004
Code Address: FA2A3000h Length: 0001B649h
Data Address: FA2A1000h Length: 00000510h
NETNLM32.NLM NetWare NWNet Runtime Library
Version 5.05.09 October 28, 2003
Code Address: FA2C6000h Length: 00034F97h
Data Address: FA2C0000h Length: 00004D45h
NCPNLM32.NLM NetWare NWNCP Runtime Library
Version 6.00 June 3, 2004
Code Address: FA2FC000h Length: 0001E1C3h
Data Address: 00000000h Length: 00000000h
GWENN3.NLM GroupWise Engine
Version 6.00.04 January 16, 2004
Code Address: FA404000h Length: 00476CB1h
Data Address: FA31C000h Length: 000E68AEh
XIS10.NLM Xis10
Version 1.00 November 14, 2001
Code Address: FA8DA000h Length: 000D26B0h
Data Address: FA87C000h Length: 0005CD51h
CLIB.NLM (Legacy) Standard C Runtime Library for NLMs
Version 5.90.10 February 24, 2004
Code Address: FA9B2000h Length: 0001898Eh
Data Address: FA9AE000h Length: 00002FB0h
NIT.NLM NetWare Interface Tools Library for NLMs
Version 5.90.10 February 24, 2004
Code Address: FA9CF000h Length: 0001C694h
Data Address: FA9CD000h Length: 00000690h
CLXNLM32.NLM NetWare NWCLX Runtime Library
Version 6.00 June 3, 2004
Code Address: FA9EF000h Length: 00001213h
Data Address: FA9ED000h Length: 000001B0h
LOCNLM32.NLM NetWare NWLocale Runtime Library
Version 6.00 June 3, 2004
Code Address: FA9F4000h Length: 0000458Bh
Data Address: FA9F2000h Length: 00000B80h
UNICODE.NLM NetWare Unicode Runtime Library (UniLib-based)
[optimized]
Version 7.00 June 3, 2004
Code Address: FA9FC000h Length: 000016D5h
Data Address: FA9FA000h Length: 00000504h
CLNNLM32.NLM NetWare NWClient Runtime Library
Version 6.00 June 3, 2004
Code Address: FAA01000h Length: 00001C72h
Data Address: FA9FF000h Length: 00000130h
NLMLIB.NLM Novell NLM Runtime Library
Version 5.90.10 February 24, 2004
Code Address: FAA09000h Length: 0002630Dh
Data Address: FAA04000h Length: 000038C0h
REQUESTR.NLM Novell NCP Requestor for NLMs
Version 5.90.10 February 24, 2004
Code Address: FAA34000h Length: 00020BF3h
Data Address: FAA31000h Length: 000010B0h
THREADS.NLM Novell Threads Package for NLMs
Version 5.90.10 February 24, 2004
Code Address: FAA69000h Length: 00018BD8h
Data Address: FAA56000h Length: 00011660h
LIBC.NLM Standard C Runtime Library for NLMs [optimized, 5]
Version 7.05 June 23, 2004
Code Address: FAAC4000h Length: 000B35B6h
Data Address: FAA85000h Length: 0003D816h
USERLIB.NLM NetWare Operating System Function Library
Version 5.60 May 28, 2004
Code Address: FAB7C000h Length: 00004252h
Data Address: FAB79000h Length: 00001160h
*********************************************************
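
A triage step for the question asked above, as an added example that is not part of the original post: it checks whether the pointer passed to Free, or any general register in the abend header, is made up of printable ASCII bytes when read in x86 memory order. The sample input is the first lines of the log above, embedded as a constant; the function names and regular expressions are this example's own.

```python
import re
import struct

# Sample input: the opening lines of the abend log from the post above.
ABEND_LOG = """\
Abend 0 on P00: Server-5.60.05: Free received an invalid memory pointer
0x74656E2E

Registers:
EAX = D10F90FA EBX = D10F90C8 ECX = FFFFFFCC EDX = 00000000
ESI = 00000005 EDI = 00000001 EBP = A7637110 ESP = A76370EC
EIP = A2998CC0 FLAGS = 00000286
"""

# The pointer value wraps onto the next line in the log, so allow any whitespace.
POINTER_RE = re.compile(r"invalid memory pointer\s+0x([0-9A-Fa-f]{1,8})")
REGISTER_RE = re.compile(r"\b(E[A-Z]{2})\s*=\s*([0-9A-Fa-f]{8})\b")


def as_ascii(value):
    """Return the 4 bytes of a 32-bit value as text in little-endian
    (x86 memory) order if every byte is printable ASCII, else None."""
    raw = struct.pack("<I", value)
    if all(0x20 <= b <= 0x7E for b in raw):
        return raw.decode("ascii")
    return None


def triage(log):
    """Map each value that looks like string data to its decoded text."""
    findings = {}
    match = POINTER_RE.search(log)
    if match:
        text = as_ascii(int(match.group(1), 16))
        if text is not None:
            findings["freed pointer"] = text
    for name, hexval in REGISTER_RE.findall(log):
        text = as_ascii(int(hexval, 16))
        if text is not None:
            findings[name] = text
    return findings


if __name__ == "__main__":
    for name, text in triage(ABEND_LOG).items():
        print(f"{name}: bytes spell {text!r} in memory order")
```

A freed pointer whose bytes spell text is consistent with string data having been written over a pointer or heap block in the GWIA address space. On its own it does not distinguish a deliberate exploit from a parsing bug triggered by malformed mail.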