Can't view recovered file

Can't view recovered file

Post by Daniel Rud » Thu, 11 Oct 2001 01:37:10



Hello,

        Recently, my FreeBSD box suffered a power outage.  It wasn't really
doing anything so I wasn't expecting a problem with this.  When the
power came back on, I booted the machine into single user mode and ran
fsck manually.  It found that an inode was disconnected and it asked me
if I wanted to salvage it.  I said yes, and fsck put the resulting file
into the /usr/lost+found directory.  The file name is #0158774.  When I
try and view the file, it is some kind of binary information.  Although
I have not noticed any problems with the system since, it does make me a
little nervous to know that a file tht may or may not be required may be
missing on my /usr partition.  Is there a way to find out what file that
this used to be associated with?

Thanks.

--
Daniel Rudy
Reply to dcrudy at aol dot com.

*!*!* DO NOT HIT REPLY *!*!*
ALL EMAIL SENT TO REPLY ADDRESS WILL BE DELETED!

 
 
 

Can't view recovered file

Post by Jason Dento » Thu, 11 Oct 2001 02:49:32



> Hello,

>    Recently, my FreeBSD box suffered a power outage.  It wasn't really
> doing anything so I wasn't expecting a problem with this.  When the
> power came back on, I booted the machine into single user mode and ran
> fsck manually.  It found that an inode was disconnected and it asked me
> if I wanted to salvage it.  I said yes, and fsck put the resulting file
> into the /usr/lost+found directory.  The file name is #0158774.  When I
> try and view the file, it is some kind of binary information.  Although
> I have not noticed any problems with the system since, it does make me a
> little nervous to know that a file tht may or may not be required may be
> missing on my /usr partition.  Is there a way to find out what file that
> this used to be associated with?

> Thanks.

You could perhaps use the 'file' command to determine the original file
type. If its a program executable you could perhaps log in as some null
user and try to run it, it probably won't do much without parameters,
but it might give an error message that is helpful. Or it might trash
the box.

Jason

 
 
 

Can't view recovered file

Post by pe.. » Thu, 11 Oct 2001 03:30:44



> Hello,
>    Recently, my FreeBSD box suffered a power outage.  It wasn't really
> doing anything so I wasn't expecting a problem with this.  When the
> power came back on, I booted the machine into single user mode and ran
> fsck manually.  It found that an inode was disconnected and it asked me
> if I wanted to salvage it.  I said yes, and fsck put the resulting file
> into the /usr/lost+found directory.  The file name is #0158774.  When I
> try and view the file, it is some kind of binary information.  Although
> I have not noticed any problems with the system since, it does make me a
> little nervous to know that a file tht may or may not be required may be
> missing on my /usr partition.  Is there a way to find out what file that
> this used to be associated with?

Try the 'file' command for an estimate of contents.

Then if it's contets seem to be of value, 'strings' might give a clue
of what is is.

But most likley it's something that was written at the time of crash, and most
of the written stuff is tempfiles that noone cares about ( output of cron while
executing some periodic task as example)

If you had a recent tripwire you could see if any executable is missing
from your system.

Quote:> Thanks.
> --
> Daniel Rudy
> Reply to dcrudy at aol dot com.
> *!*!* DO NOT HIT REPLY *!*!*
> ALL EMAIL SENT TO REPLY ADDRESS WILL BE DELETED!

--
Peter H?kanson        
        IPSec  Sverige      (At the Riverside of Gothenburg, home of Volvo)
           Sorry about my e-mail address, but i'm trying to keep spam out.
           Remove "icke-reklam"and "invalid"  and it works.
 
 
 

Can't view recovered file

Post by Steve O'Hara-Smit » Thu, 11 Oct 2001 03:13:24


On Tue, 09 Oct 2001 16:37:10 GMT

DR> Hello,
DR>
DR>  Recently, my FreeBSD box suffered a power outage.  It wasn't really
DR> doing anything so I wasn't expecting a problem with this.  When the
DR> power came back on, I booted the machine into single user mode and ran
DR> fsck manually.  It found that an inode was disconnected and it asked me
DR> if I wanted to salvage it.  I said yes, and fsck put the resulting file
DR> into the /usr/lost+found directory.  The file name is #0158774.  When I
DR> try and view the file, it is some kind of binary information.  Although
DR> I have not noticed any problems with the system since, it does make me a
DR> little nervous to know that a file tht may or may not be required may be
DR> missing on my /usr partition.  Is there a way to find out what file that
DR> this used to be associated with?

file
        will tell you what type of file it is.

strings
        will pull any ASCII strings in it (if it is anything like C code).

what
        will show SCCS version control info.

ident
        will show RCS version control info.

        With a bit of luck the output of one or more of these may give
enough clues assuming you can't just compare what is on the system now
with the last backup, look for things that have gone missing and compare
sizes.

--
    Directable Mirrors - A Better Way To Focus The Sun

                        http://www.best.com/~sohara

 
 
 

Can't view recovered file

Post by Drew Laws » Thu, 11 Oct 2001 08:47:42




Quote:>try and view the file, it is some kind of binary information.  Although
>I have not noticed any problems with the system since, it does make me a
>little nervous to know that a file tht may or may not be required may be
>missing on my /usr partition.  Is there a way to find out what file that
>this used to be associated with?

Other suggestions are good.
Of course, if you don't figure it out, doing a buildworld/installworld
can help restore your confidence.

--
|Drew Lawson            | Mrs. Tweedy!                       |

|http://www.furrfu.com/ |                                    |

 
 
 

Can't view recovered file

Post by Daniel Rud » Thu, 11 Oct 2001 21:20:30



> On Tue, 09 Oct 2001 16:37:10 GMT

> DR> Hello,
> DR>
> DR>     Recently, my FreeBSD box suffered a power outage.  It wasn't really
> DR> doing anything so I wasn't expecting a problem with this.  When the
> DR> power came back on, I booted the machine into single user mode and ran
> DR> fsck manually.  It found that an inode was disconnected and it asked me
> DR> if I wanted to salvage it.  I said yes, and fsck put the resulting file
> DR> into the /usr/lost+found directory.  The file name is #0158774.  When I
> DR> try and view the file, it is some kind of binary information.  Although
> DR> I have not noticed any problems with the system since, it does make me a
> DR> little nervous to know that a file tht may or may not be required may be
> DR> missing on my /usr partition.  Is there a way to find out what file that
> DR> this used to be associated with?

> file
>         will tell you what type of file it is.

> strings
>         will pull any ASCII strings in it (if it is anything like C code).

> what
>         will show SCCS version control info.

> ident
>         will show RCS version control info.

>         With a bit of luck the output of one or more of these may give
> enough clues assuming you can't just compare what is on the system now
> with the last backup, look for things that have gone missing and compare
> sizes.

> --
>     Directable Mirrors - A Better Way To Focus The Sun

>                         http://www.best.com/~sohara

I figured it out.  The reason I couldn't do anything with it (including
more, cat, and file) is because the filename starts with a #.  When I
did file "#0158774" it said that the file was a gzip compressed file.  I
copied it to unknown.gz and ran gunzip on it.  As it turns out, the file
is a man page for (8)route.  I checked it out and found that the real
man page still exists so I dumped the file.  I DID view this particular
man page about 10 minutes before the power outage hit, and someone here
mentioned it was probably some temp file that no one cares about.
--
Daniel Rudy
Reply to dcrudy at aol dot com.

*!*!* DO NOT HIT REPLY *!*!*
ALL EMAIL SENT TO REPLY ADDRESS WILL BE DELETED!

 
 
 

Can't view recovered file

Post by Steve O'Hara-Smit » Fri, 12 Oct 2001 02:19:19


On Wed, 10 Oct 2001 12:20:30 GMT

DR> I figured it out.  The reason I couldn't do anything with it (including
DR> more, cat, and file) is because the filename starts with a #.  When I

        Hmm, sorry I completely forgot to warn about that, I use tab
completion a lot which fills in quotes and \s as needed.

--
    Directable Mirrors - A Better Way To Focus The Sun

                        http://www.best.com/~sohara

 
 
 

1. samba: 'net view \\server' works, 'net view' fails

From my WinXP client (using cygwin), I can browse the shares on a samba
server whose name I know.  But when I try to browse the whole network, I
get a logon failure and the smbd logs show that it's not seeing my
username.

Browsing shares on \\server, from a different machine \\client (using
cygwin) while logged in as testuser:

$ net view '\\server'
Shared resources at \\server

Share name              Type   Used as  Comment
-------------------------------------------------------------------------------
test                    Disk            
The command completed successfully.

But when I try to browse the whole network, I get a logon failure:

$ net view
System error 1326 has occurred.

Logon failure: unknown user name or bad password.

This is an authentication problem.  When I issue 'net view \\server' on the
client, the smbd log shows

[2003/11/02 06:55:03, 3] auth/auth.c:check_ntlm_password(216)
  check_ntlm_password:  Checking password for unmapped user [CLIENT

[2003/11/02 06:55:03, 3] auth/auth.c:check_ntlm_password(219)

But when I issue just 'net view', the smbd log instead shows

[2003/11/02 06:55:32, 3] auth/auth.c:check_ntlm_password(216)

with the new password interface
[2003/11/02 06:55:32, 3] auth/auth.c:check_ntlm_password(219)

So for some reason the 'net view \\server' request is processing my user
name, but 'net view' isn't.

Any ideas what could cause this?
Thanks,
Andrew.

--
To reply by email, change "deadspam.com" to "alumni.utexas.net"

2. REDHAT 4.0 Install Problem

3. Q: Viewing a file 'Real Time'

4. IBM-PC-Network (2 MBit/s) help needed

5. It's not bad canned meat...

6. Why "-lm"? Isn't #include <math.h> enough?

7. a really basic question: calendar manager's window name

8. Recovering rm'd files

9. How to recover the file's on the tape?

10. Can you recover rm'ed files on a _single user_ system?

11. recovering rm'd files

12. recovering user's files after upgrade