On Wed, May 7, 2008 at 11:52 AM, Paul Pruett <[EMAIL PROTECTED]> wrote:
>  What things should I check to fix mknod, short of format hard drive?

You should back up user data, scrub, and reinstall.  At this point,
you don't really know what was done to break your system and have no
reason to be confident that there aren't other things broken that you
just don't know about yet.  If you actually want to have any
confidence that this machine won't spontaneously fail or that it
hasn't been compromised in some way, then reinstall.

(I mention "compromised" only because mknod will fail with the
"Invalid argument" error if run inside a chroot.  If some malicious
party or practical joker has taken over your machine, hacking the rc
scripts to run most stuff inside a chroot would be one way to try to
hide the traces.  Done properly, tools will be hacked to return lies
consistent with that, so there's no guaranteed way to be able to
detect the condition, but you could try by checking things like
 a) does "ls -li /" show the root directory as having inode #2?
 b) does "fstat | grep ' root'" show _only_ the priv-sep daemons?
 c) does "fsdb -f /dev/rwd0a" let you browse a directory tree that
     matches what you see with ls, all the way down to inode numbers
     and most timestamps?
If any of those answer "no", then you've been hacked.  If not,
however, you still don't know.)


Philip Guenther
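
Checks (a) and (b) from the message above, written as filters over command output. This is an added example, not part of the original message. The allowlist in EXPECTED and the sample fstat lines are constructed assumptions, and as the message says, a clean result proves nothing.

```shell
#!/bin/sh
# Added example: checks (a) and (b) as filters over command output.

# Assumption: commands expected to run chrooted on this host (priv-sep
# daemons). Illustrative list; adjust to the daemons actually enabled.
EXPECTED="syslogd ntpd pflogd sshd"

# Constructed sample of fstat(1) output, not taken from a real machine.
SAMPLE_FSTAT='USER     CMD          PID   FD MOUNT        INUM  MODE         R/W    SZ|DV
_syslogd syslogd    40112 root /var      7712  drwxr-xr-x     r      512
_ntp     ntpd       51877 root /var      7712  drwxr-xr-x     r      512
root     sh         60233 root /        25984  drwxr-xr-x     r      512
root     sh         60233   wd /        25984  drwxr-xr-x     r      512'

# Check (a): stdin is "ls -di /" output ("<inode> <path>").
# Succeeds only if the reported inode is 2.
root_inode_ok() {
    awk 'NR == 1 && $1 == 2 { ok = 1 } END { exit !ok }'
}

# Check (b): stdin is fstat output; $1 is the space-separated allowlist.
# Prints "user cmd pid" for each "root" FD entry whose command is not allowed.
unexpected_chroots() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $4 == "root" && !($2 in ok) { print $1, $2, $3 }'
}

# Run against the constructed sample; on a live host pipe in the output of
# "ls -di /" and "fstat" instead.
if echo "2 /" | root_inode_ok; then echo "(a) root inode is 2"; fi
printf '%s\n' "$SAMPLE_FSTAT" | unexpected_chroots "$EXPECTED" |
    while read -r user cmd pid; do
        echo "(b) unexpected chrooted process: $cmd (pid $pid, user $user)"
    done
```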
