
disaster analysis and recovery



Around the time of Sunday morning's cron runs, my Debian
ipmasq-firewall became very unhappy.  Apparently, /usr is no longer a
directory but a binary file of 492 bytes.  (All partitions are on the
same IDE drive: /, /data, swap.)

Any suggestions on how to determine whether this resulted from an
intrusion or system error?  I've been looking through the xconsole (X
Windows is still running).  So far, the only strange entries I've
noticed are the timestamps (EDT):

07:10 tcplogd (smtp attempt)
07:20 (modules "test")
07:20 (cron.daily starts)
...
07:23 syslogd 1.3-3#31: restart.
11:32 tcplogd (www attempt)
11:32 tcplogd (repeats)
07:40 (modules "test")

That is, tcplogd has switched to GMT.  Reading on:

07:43 /USR/SBIN/CRON [7527]: (mail) CMD (runq)
07:43 /USR/SBIN/CRON [7526]: (mail) MAIL (mailed 33 bytes of output
but got status 0x0001)
07:45 (cron.weekly; syslogd restart)
11:55 tcplogd (www attempts)
07:56 (named cleans cache and reports)
12:02 tcplogd (smtp attempt)
12:02 inetd: execv /usr/sbin/tcpd: Not a directory

I found the file /tmp/twza07509 with an 11:28 timestamp.  If it's
really 07:28, then the file probably belongs to tripwire, which runs
for about 10 minutes daily (7:20 - 07:30).  Perhaps tripwire clobbered
/usr?  But this still leaves me wondering -- intrusion or system
error?

Any suggestions?

Also, how can I replace /usr?  (I don't have a backup, but the only
thing non-Debian in there was my RealServer, which is readily
available.  I do have a w98 box and a cable modem.)

I haven't done anything except take the server offline.  It's still
running, as were Apache and RealServer.

Thanks for any help!

Tod
prie@gw.total-web.net
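The post's timeline is hard to read because two clocks are mixed: cron and named stamp in local time (EDT, UTC-4) while the tcplogd entries after the syslogd restart appear four hours ahead, i.e. in GMT. The following script is an added example (not part of the original message) that rebuilds one local-time timeline from the quoted entries and also reinterprets the /tmp file's 11:28 mtime against the tripwire window. The sample lines are reconstructed from the post; the 3-hour skew threshold used to decide that an entry is UTC-stamped, and the choice of file order as the detection basis, are assumptions of this example.

```python
"""Rebuild a single local-time timeline from log entries whose
timestamps come from two clocks (local EDT versus GMT)."""
import re
from datetime import timedelta

LOCAL_OFFSET = timedelta(hours=-4)  # EDT is UTC-4, the zone named in the post
SKEW = timedelta(hours=3)           # assumption: a jump this large marks a UTC-stamped entry

# Constructed sample: the entries quoted in the post, in log order (HH:MM only).
LOG_LINES = [
    "07:10 tcplogd (smtp attempt)",
    '07:20 (modules "test")',
    "07:20 (cron.daily starts)",
    "07:23 syslogd 1.3-3#31: restart.",
    "11:32 tcplogd (www attempt)",
    "11:32 tcplogd (repeats)",
    '07:40 (modules "test")',
    "07:43 /USR/SBIN/CRON [7527]: (mail) CMD (runq)",
    "07:43 /USR/SBIN/CRON [7526]: (mail) MAIL (mailed 33 bytes of output but got status 0x0001)",
    "07:45 (cron.weekly; syslogd restart)",
    "11:55 tcplogd (www attempts)",
    "07:56 (named cleans cache and reports)",
    "12:02 tcplogd (smtp attempt)",
    "12:02 inetd: execv /usr/sbin/tcpd: Not a directory",
]

_TS = re.compile(r"^(\d{2}):(\d{2}) (.*)$")


def parse(line):
    """Split 'HH:MM message' into (time-of-day as timedelta, message)."""
    m = _TS.match(line)
    if not m:
        raise ValueError("unparsable log line: %r" % line)
    h, mi, msg = m.groups()
    return timedelta(hours=int(h), minutes=int(mi)), msg


def fmt(td):
    """Render a time-of-day timedelta as zero-padded HH:MM."""
    minutes = int(td.total_seconds()) // 60
    return "%02d:%02d" % (minutes // 60, minutes % 60)


def normalize(lines):
    """Return [(local_time, utc_stamped, message)] sorted by local time.

    Entries are read in file order.  An entry whose stamp is SKEW or more
    ahead of the most recent local-stamped entry is assumed to carry a UTC
    stamp and is shifted by LOCAL_OFFSET; everything else is taken as local
    and becomes the new reference point.  The sort is stable, so entries in
    the same minute keep their original order.
    """
    out = []
    last_local = None
    for line in lines:
        ts, msg = parse(line)
        if last_local is not None and ts - last_local >= SKEW:
            out.append((ts + LOCAL_OFFSET, True, msg))
        else:
            last_local = ts
            out.append((ts, False, msg))
    return sorted(out, key=lambda e: e[0])


def file_mtime_to_local(hhmm):
    """Interpret a file's HH:MM mtime as UTC and return the local HH:MM."""
    h, m = (int(x) for x in hhmm.split(":"))
    return fmt(timedelta(hours=h, minutes=m) + LOCAL_OFFSET)


def in_window(hhmm, start, end):
    """True if a zero-padded HH:MM lies inside [start, end] (string compare is safe)."""
    return start <= hhmm <= end


if __name__ == "__main__":
    for local, utc_stamped, msg in normalize(LOG_LINES):
        print("%s %s %s" % (fmt(local), "[was GMT]" if utc_stamped else "         ", msg))
    mtime_local = file_mtime_to_local("11:28")
    print("/tmp/twza07509 mtime 11:28 GMT -> %s local; in tripwire window: %s"
          % (mtime_local, in_window(mtime_local, "07:20", "07:30")))
```

With the entries reordered on one clock, the inetd "Not a directory" error is the last event, a few minutes after the cron.weekly run and the named report, and the /tmp file's mtime falls inside the 07:20-07:30 tripwire window, which is the check the post is reasoning about. Before trusting any such timeline on the real host, note that the script assumes the log file is in write order; entries written by a process with a different idea of the timezone are exactly what the heuristic is meant to expose.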


