On Wed, Aug 15, 2001 at 11:49:12AM -0400, Andrew Perrin ([EMAIL PROTECTED])
wrote:
> Folks-
> 
> I just logged in (from work) to my home machine to copy a file I
> needed. It's behaving very weirdly, and I'd love some advice as to whether
> you think I've been cracked or it's likely just a hardware issue. I'd
> strongly prefer not to shutdown remotely, but will do so rather than
> waiting until I get home tonight if y'all think that's what's appropriate.

Looks suspicious based on what you post, though I wouldn't put it past
bad memory.  The log is IIRC an old portmapper crack attempt.  Things to
do:

  - If you've got the sash shell (preferably a copy from known good
    media), use it and its builtins to test your system.

  - As soon as possible, get the system offline.

  - Boot known good media (I like the LinuxCare BBC or a similar
    linux-on-CD live system), and see what it takes to try to get
    debsums running.  Make sure the debsums database is up to date.  Or
    check for other obvious discrepancies.

  - If you find you have been cracked, a restore of all system
    directories is strongly advised.

> The machine is a (rather old) Pentium 200, 92MB RAM, with lots of stuff
> plugged in (nVidia graphics, Adaptec SCSI running a CD-ROM and a Zip drive,
> and four IDE hard drives of various sizes).  It's running Debian 2.2r3,
> kernel 2.2.19pre17 with all current patches.

> 1.) There's nobody doing anything on the machine, and yet I get the
> following load averages:
>  11:43am  up 6 days, 22:06,  6 users,  load average: 1.42, 1.50, 1.31

Highish.  Could be, say, disk problems hitting the kernel.

> 2.) top segfaults:
> nujoma:~> top
> Segmentation fault

Bad.

> 3.) man doesn't work:
> nujoma:~> man ps
> /usr/bin/man: Input/output error.

This points to HW issues IMO.

> 5.) Can't write my / filesystem (/home):
> nujoma:~> touch foo
> touch: foo: Read-only file system

> However, mount shows it as rw:

How about /proc/mounts?  /etc/mtab is often out-of-date when other
issues exist with a system.  Particularly if / is mounted ro.

Note that most fstabs will remount / readonly if there are disk errors,
as the line below shows.

> nujoma:~> mount
> /dev/hdb3 on / type ext2 (rw,errors=remount-ro,errors=remount-ro)

> 6.) shutdown -r also segfaulted, so I can't reboot remotely.

umount all partitions but root.  Then try halt -n.

It's not friendly, but it may kill the system.

> I don't see anything suspicious in the logs, with the exception of the
> following that I seem to get at least once a day:
> 
> Aug 14 17:38:43 nujoma /sbin/rpc.statd[257]: gethostbyname error for
> ^X<F7><FF>

portmapper thing.  Drop the packets with a firewall.

-- 
Karsten M. Self <kmself@ix.netcom.com>          http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?             There is no K5 cabal
  http://gestalt-system.sourceforge.net/               http://www.kuro5hin.org
   Free Dmitry! Boycott Adobe! Repeal the DMCA!    http://www.freesklyarov.org
Geek for Hire                        http://kmself.home.netcom.com/resume.html
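As an added example that is not part of Karsten's reply or the original thread: the point above about /proc/mounts versus /etc/mtab is easy to check mechanically. The kernel's own view of mount state is in /proc/mounts; /etc/mtab is a userspace file that is not updated when the kernel remounts a filesystem read-only on its own (which is exactly what errors=remount-ro does after the first I/O error). The script below compares the two and flags the disagreement. The sample /proc/mounts and mtab contents are constructed to match the situation in the thread; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original thread. Compare what the kernel
# reports in /proc/mounts with what /etc/mtab claims, and flag filesystems
# the kernel has switched to read-only. Input format for both files is
#   device mountpoint fstype options dump pass

# ro_mounts FILE
#   Print "mountpoint device" for each entry in a /proc/mounts-style FILE
#   whose option list contains the bare "ro" flag.
ro_mounts() {
    awk '{
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) if (o[i] == "ro") { print $2, $1; break }
    }' "$1"
}

# remount_ro_policy FILE
#   Print mountpoints mounted with errors=remount-ro, i.e. the ones the
#   kernel will silently flip to read-only on the first disk error.
remount_ro_policy() {
    awk '{
        n = split($4, o, ",")
        for (i = 1; i <= n; i++)
            if (o[i] == "errors=remount-ro") { print $2; break }
    }' "$1"
}

# mtab_stale KERNEL_FILE MTAB_FILE
#   Print mountpoints that MTAB_FILE (/etc/mtab) still shows as rw although
#   KERNEL_FILE (/proc/mounts) shows them ro. A non-empty result means mtab
#   is out of date and "mount" output cannot be trusted for that filesystem.
mtab_stale() {
    ro_mounts "$1" | while read -r mp dev; do
        awk -v mp="$mp" '$2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "rw") { print mp; break }
        }' "$2"
    done
}

# check_host
#   Run the same comparison against the live system when the files exist.
check_host() {
    if [ ! -r /proc/mounts ] || [ ! -r /etc/mtab ]; then
        echo "no readable /proc/mounts and /etc/mtab on this host"
        return 0
    fi
    echo "kernel reports read-only:"
    ro_mounts /proc/mounts
    echo "mtab out of date (rw in mtab, ro in kernel):"
    mtab_stale /proc/mounts /etc/mtab
}

# Constructed sample input modelled on the thread: the kernel has remounted
# / read-only after an I/O error, but /etc/mtab still says rw.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/proc_mounts" <<'EOF'
/dev/hdb3 / ext2 ro,errors=remount-ro 0 0
proc /proc proc rw 0 0
/dev/hda1 /boot ext2 rw 0 0
EOF
cat > "$SAMPLE_DIR/mtab" <<'EOF'
/dev/hdb3 / ext2 rw,errors=remount-ro 0 0
proc /proc proc rw 0 0
/dev/hda1 /boot ext2 rw 0 0
EOF

echo "sample: kernel reports read-only:"
ro_mounts "$SAMPLE_DIR/proc_mounts"
echo "sample: mounted with errors=remount-ro:"
remount_ro_policy "$SAMPLE_DIR/proc_mounts"
echo "sample: mtab claims rw but kernel says ro:"
mtab_stale "$SAMPLE_DIR/proc_mounts" "$SAMPLE_DIR/mtab"
```

On the sample data the last check prints `/`, which is the state the thread describes: `mount` (reading /etc/mtab) says rw while the kernel has already gone read-only. Run `check_host` on a live box to get the same comparison for real; a root filesystem that shows up there points at disk errors before anything else, and the kernel log for that period should be read next.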
