
Re: disaster analysis and recovery



Paul Tod Rieger wrote:
> 
> Around the time of Sunday morning's cron runs, my Debian
> ipmasq-firewall became very unhappy.  Apparently, /usr is no longer a
> directory but a binary file of 492 bytes.  (All partitions are on the
> same IDE drive: /, /data, swap.)
> 
> Any suggestions on how to determine whether this resulted from an
> intrusion or system error?  I've been looking through the xconsole (X
> Windows is still running).  So far, the only strange entries I've
> noticed are the timestamps (EDT):
> 
> 07:10 tcplogd (smtp attempt)
> 07:20 (modules "test")
> 07:20 (cron.daily starts)
> ...
> 07:23 syslogd 1.3-3#31: restart.
> 11:32 tcplogd (www attempt)
> 11:32 tcplogd (repeats)
> 07:40 (modules "test")
> 
> That is, tcplogd has switched to GMT.  Reading on:
> 
> 07:43 /USR/SBIN/CRON [7527]: (mail) CMD (runq)
> 07:43 /USR/SBIN/CRON [7526]: (mail) MAIL (mailed 33 bytes of output
> but got status 0x0001)
> 07:45 (cron.weekly; syslogd restart)
> 11:55 tcplogd (www attempts)
> 07:56 (named cleans cache and reports)
> 12:02 tcplogd (smtp attempt)
> 12:02 inetd: execv /usr/sbin/tcpd: Not a directory
> 
> I found the file /tmp/twza07509 with a 11:28 timestamp.  If it's
> really 07:28, then the file probably belongs to tripwire, which runs
> for about 10 minutes daily (7:20 - 07:30).  Perhaps tripwire clobbered
> /usr?  But this still leaves me wondering -- intrusion or system
> error?
> 
> Any suggestions?
> 
> Also, how can I replace /usr?  (I don't have a backup, but the only
> thing non-Debian in there was my RealServer, which is readily
> available.  I do have a w98 box and a cable modem.)
> 
> I haven't done anything except take the server offline.  It's still
> running, as were Apache and RealServer.
> 
> Thanks for any help!

What was your partitioning scheme on this computer?

Did you have everything on one partition or were there multiple
partitions?
If there were multiple partitions, try to make a backup of the whole
partition and of course try a proper remount.

If it's all one big partition, I'm going to ask a few dumb questions:
Did you fsck the drive?
Did you get A LOT of errors?
Did you get a lot of files in lost+found?


good luck.
-sv
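Added example (not from the thread): a small Python helper that rebuilds one UTC timeline from console lines whose daemons disagree about the time zone, the problem the quoted xconsole excerpt shows with tcplogd stamping GMT while the rest stamp EDT. The sample lines are constructed from that excerpt, the date is a placeholder, and the rule for spotting a GMT-stamped line (a forward jump of more than three hours that vanishes when the stamp is read as GMT) is a heuristic assumption, not something the thread states.

```python
from datetime import date, datetime, time, timedelta, timezone

LOCAL = timezone(timedelta(hours=-4), "EDT")  # the poster's local zone
MAX_GAP = timedelta(hours=3)                  # bigger forward jump = other clock
DAY = date(2000, 1, 2)  # placeholder date; the thread only says "Sunday"

# Constructed from the quoted xconsole excerpt, in console (arrival) order.
SAMPLE_LOG = [
    ("07:10", "tcplogd", "smtp attempt"),
    ("07:20", "modules", "test"),
    ("07:20", "cron", "cron.daily starts"),
    ("07:23", "syslogd", "restart"),
    ("11:32", "tcplogd", "www attempt"),
    ("07:40", "modules", "test"),
    ("07:43", "cron", "(mail) CMD (runq)"),
    ("07:45", "cron", "cron.weekly; syslogd restart"),
    ("11:55", "tcplogd", "www attempts"),
    ("07:56", "named", "cleans cache and reports"),
    ("12:02", "tcplogd", "smtp attempt"),
    ("12:02", "inetd", "execv /usr/sbin/tcpd: Not a directory"),
]

def stamp_to_utc(stamp, tz, day=DAY):
    """Read a bare HH:MM stamp in zone tz and return the instant in UTC."""
    hh, mm = (int(x) for x in stamp.split(":"))
    return datetime.combine(day, time(hh, mm), tzinfo=tz).astimezone(timezone.utc)

def normalize(entries=SAMPLE_LOG, local=LOCAL, max_gap=MAX_GAP):
    """Return (utc_dt, zone, source, message) per line, keeping arrival order.

    Heuristic (assumption): the console appends lines as they arrive, so that
    order is trustworthy even when daemons disagree about the zone.  A stamp is
    read as local time unless that would put it more than max_gap after the
    previous line while reading it as GMT keeps it within max_gap.
    """
    out, prev = [], None
    for stamp, source, msg in entries:
        as_local = stamp_to_utc(stamp, local)
        as_gmt = stamp_to_utc(stamp, timezone.utc)
        use_gmt = (prev is not None and as_local - prev > max_gap
                   and abs(as_gmt - prev) <= max_gap)
        t = as_gmt if use_gmt else as_local
        out.append((t, "GMT" if use_gmt else local.tzname(None), source, msg))
        prev = t
    return out

def first_match(timeline, needle):
    """UTC instant of the first line whose message contains needle, else None."""
    return next((t for t, _, _, m in timeline if needle in m), None)
```

With the sample, `first_match(normalize(), "Not a directory")` lands at 12:02 UTC, so the damaged /usr was first noticed about an hour after the syslogd restart once every line is on one clock.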