Additional information:

- cat /proc/mounts returns an input/output error after a long wait.
- ps gives the following message before returning its output:

nujoma:~# ps
Warning: /boot/System.map-2.2.19pre17 not parseable as a System.map

----------------------------------------------------------------------
Andrew J Perrin - [EMAIL PROTECTED] - http://www.unc.edu/~aperrin
Assistant Professor of Sociology, U of North Carolina, Chapel Hill
269 Hamilton Hall, CB#3210, Chapel Hill, NC 27599-3210 USA

On Wed, 15 Aug 2001, Karsten M. Self wrote:

> on Wed, Aug 15, 2001 at 11:49:12AM -0400, Andrew Perrin ([EMAIL PROTECTED])
> wrote:
> > Folks-
> >
> > I just logged in (from work) to my home machine to copy a file I
> > needed. It's behaving very weirdly, and I'd love some advice as to whether
> > you think I've been cracked or it's likely just a hardware issue. I'd
> > strongly prefer not to shutdown remotely, but will do so rather than
> > waiting until I get home tonight if y'all think that's what's appropriate.
>
> Looks suspicious based on what you post, though I wouldn't put it past
> bad memory. The log is IIRC an old portmapper crack attempt. Things to
> do:
>
> - If you've got the sash shell (preferably a copy from known good
>   media), use it and its builtins to test your system.
>
> - As soon as possible, get the system offline.
>
> - Boot known good media (I like the LinuxCare BBC or a similar
>   linux-on-CD live system), and see what it takes to try to get
>   debsums running. Make sure the debsums database is up to date. Or
>   check for other obvious discrepancies.
>
> - If you find you have been cracked, a restore of all system
>   directories is strongly advised.
>
> > The machine is a (rather old) Pentium 200, 92MB RAM, with lots of stuff
> > plugged in (nVidia graphics, Adaptec SCSI running a CD-ROM and a Zip drive,
> > and four IDE hard drives of various sizes). It's running Debian 2.2r3,
> > kernel 2.2.19pre17 with all current patches.
>
> > 1.) There's nobody doing anything on the machine, and yet I get the
> > following load averages:
> > 11:43am up 6 days, 22:06, 6 users, load average: 1.42, 1.50, 1.31
>
> Highish. Could be, say, disk problems hitting the kernel.
>
> > 2.) top segfaults:
> > nujoma:~> top
> > Segmentation fault
>
> Bad.
>
> > 3.) man doesn't work:
> > nujoma:~> man ps
> > /usr/bin/man: Input/output error.
>
> This points to HW issues IMO.
>
> > 5.) Can't write my / filesystem (/home):
> > nujoma:~> touch foo
> > touch: foo: Read-only file system
>
> > However, mount shows it as rw:
>
> How about /proc/mounts? /etc/mtab is often out-of-date when other
> issues exist with a system. Particularly if / is mounted ro.
>
> Note that most fstabs will remount / readonly if there are disk errors,
> as the line below shows.
>
> > nujoma:~> mount
> > /dev/hdb3 on / type ext2 (rw,errors=remount-ro,errors=remount-ro)
>
> > 6.) shutdown -r also segfaulted, so I can't reboot remotely.
>
> umount all partitions but root. Then try halt -n.
>
> It's not friendly, but it may kill the system.
>
> > I don't see anything suspicious in the logs, with the exception of the
> > following that I seem to get at least once a day:
> >
> > Aug 14 17:38:43 nujoma /sbin/rpc.statd[257]: gethostbyname error for
> > ^X<F7><FF>
>
> portmapper thing. Drop the packets with a firewall.
>
> --
> Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
> What part of "Gestalt" don't you understand? There is no K5 cabal
> http://gestalt-system.sourceforge.net/ http://www.kuro5hin.org
> Free Dmitry! Boycott Adobe! Repeal the DMCA! http://www.freesklyarov.org
> Geek for Hire http://kmself.home.netcom.com/resume.html
>
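
Added example (not part of the original thread): a shell function for the /etc/mtab versus /proc/mounts check suggested in the reply, reporting file systems whose ro/rw state in mtab disagrees with the kernel's. The sample files are constructed, modelled on the mount line quoted above; the /boot entry and the function names compare_mounts and demo are assumptions.

```shell
#!/bin/sh
# Added example: compare the ro/rw state recorded in an mtab-format file
# with the kernel's view from a /proc/mounts-format file.

# compare_mounts MTAB PROC_MOUNTS
# Prints "MOUNTPOINT mtab=STATE kernel=STATE" for every disagreement.
compare_mounts() {
    awk '
        # Match "ro" only as a whole option, so errors=remount-ro is not
        # mistaken for a read-only mount.
        function state(opts,    n, a, i) {
            n = split(opts, a, ",")
            for (i = 1; i <= n; i++)
                if (a[i] == "ro") return "ro"
            return "rw"
        }
        FILENAME == ARGV[1] { mtab[$2] = state($4); next }
        { kern[$2] = state($4) }   # a later entry for a mount point wins
        END {
            for (m in mtab) {
                if (!(m in kern))
                    printf "%s mtab=%s kernel=unmounted\n", m, mtab[m]
                else if (mtab[m] != kern[m])
                    printf "%s mtab=%s kernel=%s\n", m, mtab[m], kern[m]
            }
        }
    ' "$1" "$2" | sort
}

# demo: constructed sample data modelled on the mount line in the thread.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/mtab" <<'EOF'
/dev/hdb3 / ext2 rw,errors=remount-ro,errors=remount-ro 0 0
proc /proc proc rw 0 0
/dev/hda1 /boot ext2 rw 0 0
EOF
    cat > "$dir/proc_mounts" <<'EOF'
/dev/root / ext2 ro 0 0
proc /proc proc rw 0 0
/dev/hda1 /boot ext2 rw 0 0
EOF
    compare_mounts "$dir/mtab" "$dir/proc_mounts"
    rm -rf "$dir"
}

# With two file arguments compare them, otherwise run the demo.
if [ "$#" -eq 2 ]; then compare_mounts "$1" "$2"; else demo; fi
```

On a machine in the state described in the thread, run this from known good media against copies of the two files, since the installed awk and sort cannot be trusted. On current systems /etc/mtab is usually a symlink to /proc/self/mounts, so the two views only diverge on older installations like this one.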