RE: Strange disk problems - file dates out of wack
On 26-Oct-97 Colin R. Telmer wrote:
> A server in my department has suddenly created (or altered) some files
> and
> I cannot figure out how to remove them. Below is the a part of the
> original note sent to me and I have tried various attempts to remove the
> files as weel with no avail. I even went to the point of creating a user
> with uid 28757 but that did not help either. One thing that isn't
> mentioned below is that when the I tried to remove the files the kernel
> stated "operation not permitted" rather than the usual permissions stuff.
> Any ideas how I can get rid of these files?
I think it's almost certain that the data on your hard disk has got
corrupted (see below). A possible cause is RAM corruption at a time when
data was being written back to disk during an update.
> ---------- Forwarded message ----------
> Date: Fri, 24 Oct 1997 11:29:40 -0400 (EDT)
> From: "James G. MacKinnon" <jgm@qed.econ.queensu.ca>
> To: "Colin R. Telmer" <telmerco@qed.econ.queensu.ca>
> Cc: "James G. Mackinnon" <jgm@doug.econ.queensu.ca>,
> polasek@qed.econ.queensu.ca
> Subject: Re: frisch
>
> On Fri, 24 Oct 1997, Colin R. Telmer wrote:
>
>> Unmounted /home without any problems and ran e2fsck with the "check for
>> bad blocks" and "force" options. However, the disk seems to be fine.
>> Strange.
>
> Here are the key parts of the original note:
>
> There are several directories that are claimed (by du) to be absurdly
> big:
>
> 501597058 ./reevesj/.netscape/cache/13
> 634965987 .
> 1017117464 ./reevesj/.netscape/cache
> 1017117572 ./reevesj/.netscape
> 1017168521 ./reevesj
>
> Of course, those numbers are not correct!
>
> Looking more closely at /reevesj/.netscape/cache, one finds:
>
> br--r-srwx 1 28787 29728 73, 60 May 21 2025 07
>
> Notice the date and the permissions! Whatever this is, I cannot remove
> it, even using "rm -f", as root! I also cannot change the permissions.
>
> Then, within the directory /reevesj/.netscape/cache/13, one finds:
>
>c---rwxr-t 1 24942 28192 60, 62 Jan 25 2026
cache340259B30115B9F
>pr-s-wxr-- 1 31558 11396 0 Jan 13 1983
cache340259B30125B9F.gif
>p-ws-wx-wx 1 6019 23682 0 Jan 31 1940
cache343150330010C49.gif
>
> Notice the dates! Again, it seems to be impossible to remove these or
> change the permissions.
Note also that /reevesj/.netscape/cache (which should be an ordinary
directory, first char in directory listing should be "d", not "b") now
appear as a "block device" ("b") with major number "73" and minor "60",
which are not maj/min numbers known to me. Likewise, cache340259B30115B9F
appears not a file but as a character device with major,minor = 60,62 which
again is an unknown type; the two .gifs appear as named pipes ("p").
Given that the very nature of the file types has changed, taken with the
zany dates and sizes etc, it is almost certain that parts of the hard disk
have been written with false data. At the same time, other less obvious
corruptions may have occurred which may make files inaccessible or only
partially accessible, or point to spurious data.
This is the sort of thing that fsck should notice; James MacK says that
fsck /was/ run, apparently normally, which is puzzling; but apparently only
options "-c -f" were used which may not reveal serious trouble.
Try (non-destructively) e2fsck -fnV on the device with these files
and stand back ... (at any rate pipe it through "less"). I predict
several thousand lines of possibly alarming information. Depending on what
you see, you may judge that it's worth taking the chance to give fsck a free
reign to try to make the filesystem clean (though it may zap some stuff in
so doing); or else raw-backup (dd to another device) the bytes on the device
and then either do fsck, or reformat the filesystem, or replace the hard
drive.
In any case it looks pretty dire from here. Sorry.
Best wishes,
Ted.
--------------------------------------------------------------------
E-Mail: Ted Harding <Ted.Harding@nessie.mcc.ac.uk>
Date: 26-Oct-97 Time: 17:00:08
--------------------------------------------------------------------
--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-user-request@lists.debian.org .
Trouble? e-mail to templin@bucknell.edu .
Reply to: