[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: root's directory corrupted

Hash: SHA1

On Tue, 6 Dec 2005, Jon Dowland wrote:

On Mon, Dec 05, 2005 at 04:03:58PM -0800, k l u r t wrote:
when i log into my desktop as root, i get the following message: No
directory, logging in with HOME=/

when i view the contents of / i see that root's directory is not
present with the exception of a file "root":
--r-s-w--wt  57413 17916 2380551563 1970-01-01 04:41 root*

Peculiar. Broken datestamp suggests some corruption; truly bizarre
permissions sets alarm-bells ringing: have you been rooted? It appears
to be a very big file. What does ls -ls think (the size on the left,
compared to the size in column 7-8)?

very peculiar indeed.
i don't believe that i've been rooted. i think the problem occurred when i experienced a brief power outage. i ran fsck on that partition; everything seemed fine.

the file size reports to be only 12k.

i can not chmod, chgrp, or chown this "root" file; i get the
"Operation not permitted" message when trying to do so (i'm logged in
as root).

The UID and GID fields appear to be invalid too, at least locally. Do
you use NIS or anything similar?

nope, no NIS, NFS or anything to the likes - just a basic desktop setup connected to a cable modem (no soho or nat; all services are off and iptables filtering the connect).

does anyone know what the problem is?  has anyone experienced this
problem?  what can i do to fix this?

You could create another dir, e.g. /root2 and change the /root entry in
/etc/passwd to /root2 (always be careful when editing this file);
although that isn't much of an improvement on the current situation: the
warning will go but the file will remain.

yknow, i was think of doing that, but that doesn't really solve the mystery here. having a rouge root file with no access to it is kinda disturbing to me.
i went as far as booting SuperRescue (and other rescue discs) and mounting
the partition with the hopes of fscking the partition and deleting the file; still get the "Operation not permitted" and fsck came back as clean.

I've never seen anything like this but I think it looks fairly serious.

it is a strange one.
well, i guess it's time to put to use those backups and restoring to pre-mysterious state.

thanks for the input; every bit helps.

k l u r t
- -dazed and confused

Version: GnuPG v1.4.1 (GNU/Linux)


Reply to: