Re: Suspicious behavior: cracked or just a dying machine?
Thanks to all who answered - I believe what actually happened was
heat-related more than anything else. The air conditioning in our house
died while we were at work, making the computer area beastly hot. I came
home, tried to reboot, and the BIOS didn't see two of the four IDE drives
(including the one that contains /). Opened the machine, let it cool for
a while, and it booted fine. Thanks again!
Andy
----------------------------------------------------------------------
Andrew J Perrin - andrew_perrin@unc.edu - http://www.unc.edu/~aperrin
Assistant Professor of Sociology, U of North Carolina, Chapel Hill
269 Hamilton Hall, CB#3210, Chapel Hill, NC 27599-3210 USA
On Wed, 15 Aug 2001, Karsten M. Self wrote:
> on Wed, Aug 15, 2001 at 11:49:12AM -0400, Andrew Perrin (aperrin@email.unc.edu) wrote:
> > Folks-
> >
> > I just logged in (from work) to my home machine to copy a file I
> > needed. It's behaving very weirdly, and I'd love some advice as to whether
> > you think I've been cracked or it's likely just a hardware issue. I'd
> > strongly prefer not to shutdown remotely, but will do so rather than
> > waiting until I get home tonight if y'all think that's what's appropriate.
>
> Looks suspicious based on what you post, though I wouldn't put it past
> bad memory. The log is IIRC an old portmapper crack attempt. Things to
> do:
>
> - If you've got the sash shell (preferably a copy from known good
> media), use it and its builtins to test your system.
>
> - As soon as possible, get the system offline.
>
> - Boot known good media (I like the LinuxCare BBC or a similar
> linux-on-CD live system), and see what it takes to try to get
> debsums running. Make sure the debsums database is up-to-date. Or
> check for other obvious discrepancies.
>
> - If you find you have been cracked, a restore of all system
> directories is strongly advised.
>
> > The machine is a (rather old) Pentium 200, 92MB RAM, with lots of stuff
> > plugged in (nVidia graphics, Adaptec SCSI running a CD-ROM and a Zip drive,
> > and four IDE hard drives of various sizes). It's running Debian 2.2r3,
> > kernel 2.2.19pre17 with all current patches.
>
> > 1.) There's nobody doing anything on the machine, and yet I get the
> > following load averages:
> > 11:43am up 6 days, 22:06, 6 users, load average: 1.42, 1.50, 1.31
>
> Highish. Could be, say, disk problems hitting the kernel.
>
> > 2.) top segfaults:
> > nujoma:~> top
> > Segmentation fault
>
> Bad.
>
> > 3.) man doesn't work:
> > nujoma:~> man ps
> > /usr/bin/man: Input/output error.
>
> This points to HW issues IMO.
>
> > 5.) Can't write my / filesystem (/home):
> > nujoma:~> touch foo
> > touch: foo: Read-only file system
>
> > However, mount shows it as rw:
>
> How about /proc/mounts? /etc/mtab is often out-of-date when other
> issues exist with a system. Particularly if / is mounted ro.
>
> Note that most fstabs will remount / readonly if there are disk errors,
> as the line below shows.
>
> > nujoma:~> mount
> > /dev/hdb3 on / type ext2 (rw,errors=remount-ro,errors=remount-ro)
>
> > 6.) shutdown -r also segfaulted, so I can't reboot remotely.
>
> umount all partitions but root. Then try halt -n.
>
> It's not friendly, but it may kill the system.
>
> > I don't see anything suspicious in the logs, with the exception of the
> > following that I seem to get at least once a day:
> >
> > Aug 14 17:38:43 nujoma /sbin/rpc.statd[257]: gethostbyname error for
> > ^X<F7><FF>
>
> portmapper thing. Drop the packets with a firewall.
>
> --
> Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
> What part of "Gestalt" don't you understand? There is no K5 cabal
> http://gestalt-system.sourceforge.net/ http://www.kuro5hin.org
> Free Dmitry! Boycott Adobe! Repeal the DMCA! http://www.freesklyarov.org
> Geek for Hire http://kmself.home.netcom.com/resume.html
>
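The /proc/mounts versus /etc/mtab check suggested in the thread, written out as an added example (not code from either poster). When ext2 hits a disk error with errors=remount-ro, the kernel flips the filesystem to read-only, but mount(8) can no longer rewrite /etc/mtab on a read-only root, so mtab keeps claiming rw, which is exactly the mismatch shown above. The two mount tables below are constructed samples in the format of /proc/mounts and /etc/mtab; check_live_system() reads the real files on a Linux host.

```python
"""Compare the kernel's mount table (/proc/mounts) with /etc/mtab to find
filesystems that have silently gone read-only, e.g. after ext2 hit a disk
error on a filesystem mounted with errors=remount-ro.
Added example; the sample tables are constructed, not taken from the thread.
"""

# Both files share the fstab format: device mountpoint fstype options dump pass
# Constructed sample: the kernel has already remounted / read-only ...
PROC_MOUNTS_SAMPLE = """\
/dev/hdb3 / ext2 ro,errors=remount-ro 0 0
/dev/hda1 /boot ext2 rw 0 0
proc /proc proc rw 0 0
"""

# ... but /etc/mtab, which could not be rewritten on a read-only root, still says rw.
MTAB_SAMPLE = """\
/dev/hdb3 / ext2 rw,errors=remount-ro 0 0
/dev/hda1 /boot ext2 rw 0 0
proc /proc proc rw 0 0
"""


def parse_mounts(text):
    """Return {mountpoint: (device, fstype, frozenset(options))} for mount-table text."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        device, mountpoint, fstype, options = fields[:4]
        table[mountpoint] = (device, fstype, frozenset(options.split(",")))
    return table


def mode(options):
    """'ro' if the option set marks the filesystem read-only, else 'rw'."""
    return "ro" if "ro" in options else "rw"


def find_stale_entries(proc_text, mtab_text):
    """List (mountpoint, kernel_mode, mtab_mode) where the kernel and mtab disagree
    about read-only vs read-write; a / entry here is the symptom from the thread."""
    kernel = parse_mounts(proc_text)
    mtab = parse_mounts(mtab_text)
    stale = []
    for mountpoint, (_, _, kernel_opts) in kernel.items():
        if mountpoint not in mtab:
            continue  # kernel-only mounts (e.g. newer virtual fs) are not a mismatch
        kernel_mode, mtab_mode = mode(kernel_opts), mode(mtab[mountpoint][2])
        if kernel_mode != mtab_mode:
            stale.append((mountpoint, kernel_mode, mtab_mode))
    return stale


def remount_ro_candidates(proc_text):
    """Mountpoints that will flip themselves read-only on disk errors."""
    return sorted(mp for mp, (_, _, opts) in parse_mounts(proc_text).items()
                  if "errors=remount-ro" in opts)


def check_live_system():
    """Run the comparison against the real files on a Linux host."""
    with open("/proc/mounts") as proc_f, open("/etc/mtab") as mtab_f:
        return find_stale_entries(proc_f.read(), mtab_f.read())


if __name__ == "__main__":
    for mountpoint, kernel_mode, mtab_mode in find_stale_entries(PROC_MOUNTS_SAMPLE, MTAB_SAMPLE):
        print(f"{mountpoint}: kernel says {kernel_mode}, /etc/mtab says {mtab_mode};"
              " check the kernel log for I/O errors before suspecting an intrusion")
```

Run it as a script to see the sample mismatch; on a real box call check_live_system() and treat a read-only / that mtab reports as rw as the hardware-error explanation to rule out before assuming a compromise.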