
Re: Re: What is the root-n in my root??



Hi Kev,

I am somehow embarrassed by what I found in the investigation phase:

I DELETED the file, rebooted the laptop and... the file did not appear
anymore!

I went to my other laptop and the phenomenon continued as described. I
noticed that it seems related to the PPP daemon.

Another particular that I noted is the timestamp. I noticed that at boot
time I find the following directories with a different timestamp but the
time seems subsequent to the beginning of the startup:

/etc
/dev
/root
/var
/tmp

while root-n seems to have been touched/created just BEFORE THE END OF
THE SHUTDOWN PROCESS.

A few days ago I downloaded the kernel 2.4.22 and applied the patch ac4.
Since this laptop has a winmodem, today I recompiled (not without some
problems) the lt_modem. Magically, after having recompiled the lt_modem
and installed it in the /etc/modules.conf, the file root-n stopped
appearing and the booting process did not show the message regarding
CSLIP and PPP modules loading that seemed to be related to the file.

I have dumped the /proc/kcore and started to scan it looking for the
string root-n and, although the file root-n had not been created, I found
the string "root-n.dat".

I was not able to find who this file belongs to, but I can see that it
appears between some libraries and after samba.

This is part of the dump of the content of the core (produced with
midnight commander):


03A84D40 00 00 00 00 x 00 00 00 00 x 00 00 00 00 x 40 49 CE D2 x 70 52 F1 D3 x 70 52 F1 D3 ............@IÎÒpRñÓpRñÓ
03A84D58 D8 D1 1E D1 x 58 14 49 D2 x 60 D7 1E D1 x 68 49 CE D2 x 68 DD 1E D1 x 68 DD 1E D1 ØÑ.ÑX.IÒ`×.ÑhIÎÒhÝ.ÑhÝ.Ñ
03A84D70 70 DD 1E D1 x 70 DD 1E D1 x 00 00 00 00 x 9C DD 1E D1 x 07 00 00 00 x 31 13 9F A8 pÝ.ÑpÝ.Ñ.....Ý.Ñ....1..¨
03A84D88 00 00 00 00 x 00 00 00 00 x 00 30 D7 D3 x 00 00 00 00 x 00 00 00 00 x 6C 6D 68 6F .........0×Ó........lmho
03A84DA0 73 74 73 00 x 00 00 00 00 x 00 00 00 00 x 00 00 00 00 x 00 00 00 00 x 00 00 00 00 sts.....................
03A84DB8 00 00 00 00 x 00 00 00 00 x 05 00 00 00 x 00 00 00 00 x 40 D3 FA D0 x A0 0A E4 D2 ................@ÓúÐ .äÒ
03A84DD0 B0 91 F6 D3 x B0 91 F6 D3 x D8 DD 1E D1 x D8 DD 1E D1 x C0 E2 99 D1 x E0 AB 24 D1 °.öÓ°.öÓØÝ.ÑØÝ.ÑÀâ.Ñà«$Ñ
03A84DE8 C0 4D 21 CF x 00 76 14 D1 x 50 D3 FA D0 x 50 D3 FA D0 x 00 00 00 00 x 1C DE 1E D1 ÀM!Ï.v.ÑPÓúÐPÓúÐ.....Þ.Ñ
03A84E00 05 00 00 00 x 8D AB 3D 13 x 00 00 00 00 x 00 00 00 00 x 00 D0 A4 D3 x 08 00 00 00 .....«=..........ФÓ....
03A84E18 00 00 00 00 x 73 61 6D 62 x 61 00 00 00 x 00 00 00 00 x 00 00 00 00 x 00 00 00 00 ....samba...............

here you can see samba and previously lmhosts

03A84E30 00 00 00 00 x 00 00 00 00 x 00 00 00 00 x 00 00 00 00 x 00 00 00 00 x 00 00 00 00 ........................

03A84E48 40 D9 FA D0 x E0 AB FC CE x 80 23 F1 D3 x 80 23 F1 D3 x B8 E8 A5 D3 x 38 F8 C8 CE @ÙúÐà«üÎ.#ñÓ.#ñÓ¸è¥Ó8øÈÎ
03A84E60 08 AC FC CE x 40 F8 C8 CE x 68 DE 1E D1 x 68 DE 1E D1 x 50 D9 FA D0 x 50 D9 FA D0 .¬üÎ@øÈÎhÞ.ÑhÞ.ÑPÙúÐPÙúÐ
03A84E78 00 00 00 00 x 9C DE 1E D1 x 06 00 00 00 x 90 19 28 D4 x 00 00 00 00 x 00 00 00 00 .....Þ.Ñ......(Ô........
03A84E90 00 30 D7 D3 x 08 00 00 00 x 00 00 00 00 x 72 6F 6F 74 x 2D 6E 00 64 x 61 74 00 00 .0×Ó........root-n.dat..

here you can see the suspicious name ^^^^^^^^^^^^^^^^^^

03A84EA8 00 00 00 00 x 00 00 00 00 x 00 00 00 00 x 00 00 00 00 x 00 00 00 00 x 00 00 00 00 ........................
03A84EC0 00 00 00 00 x 00 00 00 00 x 20 81 00 D1 x A0 88 37 C1 x 80 E4 F3 D3 x 80 E4 F3 D3 ........ ..Ñ .7Á.äóÓ.äóÓ
03A84ED8 38 19 D4 D0 x B8 1A D4 D0 x E0 D9 1E D1 x 00 73 14 D1 x E8 DE 1E D1 x E8 DE 1E D1 8.Ôи.ÔÐàÙ.Ñ.s.ÑèÞ.ÑèÞ.Ñ
03A84EF0 30 81 00 D1 x 30 81 00 D1 x 00 00 00 00 x 1C DF 1E D1 x 03 00 00 00 x 5D BE 28 00 0..Ñ0..Ñ.....ß.Ñ....]¾(.
03A84F08 00 00 00 00 x 00 00 00 00 x 00 30 D7 D3 x 08 00 00 00 x 00 00 00 00 x 73 64 63 00 .........0×Ó........sdc.
03A84F20 5D 00 00 00 x 00 00 00 00 x 00 00 00 00 x 00 00 00 00 x 00 00 00 00 x 00 00 00 00 ].......................
03A84F38 00 00 00 00 x 00 00 00 00 x 00 00 00 00 x 00 00 00 00 x 40 D5 FA D0 x A0 8A 37 C1 ................@ÕúÐ .7Á
03A84F50 C0 51 F7 D3 x C0 51 F7 D3 x 58 43 9D D3 x 38 2F 2D D1 x E0 D0 1E D1 x 00 71 14 D1 ÀQ÷ÓÀQ÷ÓXC.Ó8/-ÑàÐ.Ñ.q.Ñ
03A84F68 68 DF 1E D1 x 68 DF 1E D1 x 50 D5 FA D0 x 50 D5 FA D0 x 00 00 00 00 x 9C DF 1E D1 hß.Ñhß.ÑPÕúÐPÕúÐ.....ß.Ñ
03A84F80 0B 00 00 00 x EA 42 FE 0E x 00 00 00 00 x 00 00 00 00 x 00 30 D7 D3 x 00 00 00 00 ....êBþ..........0×Ó....
03A84F98 00 00 00 00 x 6C 69 62 61 x 63 6C 2E 73 x 6F 2E 31 00 x 00 00 00 00 x 00 00 00 00 ....libacl.so.1.........

and here there is a library name ^^^^^^^^^^^^^^^^^^^

My investigation ends here. Marginally I have found only another guy, a
German user, that reported the same problem
(http://article.gmane.org/gmane.linux.debian.user.german/61562) but no
solution was provided.

The kernel source appears clean (obviously if the string has been built,
I cannot find it with a simple grep).

Thank you
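
A check on the hex column of the dump above, as an added example that is not part of the original post: a hex viewer's text column prints every non-printable byte as '.', so strings are more reliably recovered from the hex bytes themselves. The two rows are copied from the post (text column left out); the function names are this example's own.

```python
import re

# Two rows copied from the dump in the post (hex view: offset, six
# 4-byte groups separated by "x"; the text column is omitted here).
ROWS = """\
03A84E90 00 30 D7 D3 x 08 00 00 00 x 00 00 00 00 x 72 6F 6F 74 x 2D 6E 00 64 x 61 74 00 00
03A84F98 00 00 00 00 x 6C 69 62 61 x 63 6C 2E 73 x 6F 2E 31 00 x 00 00 00 00 x 00 00 00 00
"""

ROW_RE = re.compile(r"^([0-9A-Fa-f]{8})((?:\s+(?:x|[0-9A-Fa-f]{2}))+)\s*$")

def parse_rows(text):
    """Return {offset: bytes} for each hex-view row, dropping the 'x' separators."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # not a hex row (commentary, blank line, ...)
        pairs = [t for t in m.group(2).split() if t != "x"]
        rows[int(m.group(1), 16)] = bytes(int(p, 16) for p in pairs)
    return rows

def c_strings(data, base=0, min_len=3):
    """Yield (offset, text) for each run of printable ASCII; NULs end a run."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield base + m.start(), m.group().decode("ascii")

def strings_in_dump(text, min_len=3):
    """Extract strings row by row, keyed by their absolute offset."""
    found = []
    for offset, data in sorted(parse_rows(text).items()):
        found.extend(c_strings(data, offset, min_len))
    return found

def viewer_text_column(data):
    """7-bit rendering of a row: anything non-printable is shown as '.'."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in data)

if __name__ == "__main__":
    for offset, text in strings_in_dump(ROWS):
        print(f"{offset:08X}  {text!r}")
    # The text column cannot tell a NUL (00) from a real dot (2E):
    print(viewer_text_column(parse_rows(ROWS)[0x03A84E90]))
```

On these two rows the byte between "root-n" and "dat" is 00, so they come out as two separate NUL-terminated strings, whereas the dots in "libacl.so.1" are real 2E bytes.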


