HACKER's dirty work#$&@*!!

Post by Randy Hislo » Fri, 01 Oct 1999 04:00:00



The hacker that broke my RedHat box (2.0.34) left it in the following
state...

When I try booting, everything looks normal until...

Mounted root (ext2 filesystem) readonly.
unable to open an initial console.

Wok the Hek do I do now??

Randy

 
 
 

Post by Jason Dufai » Fri, 01 Oct 1999 04:00:00


Hmm.  Are you sure you were cracked (hack is not the proper term here,
BTW)?  What other signs do you have?

Why don't you boot in single-user mode and look around, maybe try an
fsck.  See your lilo docs for lilo: prompt syntax (don't know off the
top of my head) to boot to single user mode.


> The hacker that broke my RedHat box (2.0.34) left it in the following
> state...

> When I try booting, everything looks normal until...

> Mounted root (ext2 filesystem) readonly.
> unable to open an initial console.

> Wok the Hek do I do now??

> Randy

--

http://www.veryComputer.com/
"A laugh for the newsprint nightmare, a world that never was
Where the questions are all 'why' and the answers are all 'because'"
-Bruce*burn

 
 
 

Post by Randy Hislo » Fri, 01 Oct 1999 04:00:00


Other signs??  I have a zodiac sign =;^)

The hacker had been on my machine undetected for three months and was doing
IMAP probes of thousands of machines on the internet.  I only realized this
when I started getting threatening e-mails from other sys admins who
detected the probing of their machines.  I started to monitor the hacker's
footsteps but he caught me doing that so he did a * to my machine
causing it to have a brain freeze and I can't boot it now.  Maybe he did an
rm* in the sbin dir or something.

I CANNOT boot in single user mode either.

Randy


> Hmm.  Are you sure you were cracked (hack is not the proper term here,
> BTW)?  What other signs do you have?

> Why don't you boot in single-user mode and look around, maybe try an
> fsck.  See your lilo docs for lilo: prompt syntax (don't know off the
> top of my head) to boot to single user mode.


> > The hacker that broke my RedHat box (2.0.34) left it in the following
> > state...

> > When I try booting, everything looks normal until...

> > Mounted root (ext2 filesystem) readonly.
> > unable to open an initial console.

> > Wok the Hek do I do now??

> > Randy

> --

> http://www.veryComputer.com/
> "A laugh for the newsprint nightmare, a world that never was
> Where the questions are all 'why' and the answers are all 'because'"
> -Bruce*burn

 
 
 

Post by Tom Easte » Fri, 01 Oct 1999 04:00:00



> The hacker that broke my RedHat box (2.0.34) left it in the following
> state...

> When I try booting, everything looks normal until...

> Mounted root (ext2 filesystem) readonly.
> unable to open an initial console.

> Wok the Hek do I do now??

> Randy

My brain is fuzzy WRT RedHat releases vs. Linux kernel versions but if
you have RH5.[01] installation floppies, you can boot in rescue mode and
look around to see what the scoundrel did.

Of course, if you built the proper boot floppies when installing later
RedHat releases, you can do the same thing...

-Tom
--
Tom Eastep               \    Opinions expressed here

Shoreline, Washington USA  \    those of my employer

 
 
 

Post by A.J. » Fri, 01 Oct 1999 04:00:00


Of course, you can always download Tom's root/boot (http://www.toms.net) and
do a look around with it -- be much easier than setting up another RH box
for now...



> > The hacker that broke my RedHat box (2.0.34) left it in the following
> > state...

> > When I try booting, everything looks normal until...

> > Mounted root (ext2 filesystem) readonly.
> > unable to open an initial console.

> > Wok the Hek do I do now??

> > Randy

> My brain is fuzzy WRT RedHat releases vs. Linux kernel versions but if
> you have RH5.[01] installation floppies, you can boot in rescue mode and
> look around to see what the scoundrel did.

> Of course, if you built the proper boot floppies when installing later
> RedHat releases, you can do the same thing...

> -Tom
> --
> Tom Eastep               \    Opinions expressed here

> Shoreline, Washington USA  \    those of my employer


 
 
 

Post by Ni » Sat, 02 Oct 1999 04:00:00




> Mounted root (ext2 filesystem) readonly.
> unable to open an initial console.

This means the kernel can't open /dev/console - which means they may
have 'rm -rf /'d you. D'oh :(

Cross your fingers, boot off a floppy, and see what you can see.

Regards,
        Nic.

-- Nic B. <sky at wibble dot net> - Systems programmer, ihug (NZ) Ltd.
   Unless otherwise noted, I speak for myself, not ihug.
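
The floppy-boot inspection suggested in the replies above, as an added example that is not part of any poster's message: a check of the damaged root for the console node and the files needed to reach single-user mode. The mount point, the device name in the comment, and the list of files checked are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the damaged root filesystem is
# already mounted read-only from rescue media at the directory passed as $1,
# e.g. after: mount -o ro /dev/hda1 /mnt   (device and mount point are assumptions)

# check_root ROOT: print one finding per line; return 0 if nothing is missing.
check_root() {
    root=$1
    bad=0

    # "unable to open an initial console": the kernel opens /dev/console
    # before it starts init, so the node must exist and be a character device.
    if [ ! -e "$root/dev/console" ]; then
        echo "MISSING  /dev/console"; bad=1
    elif [ ! -c "$root/dev/console" ]; then
        echo "BADTYPE  /dev/console (not a character device)"; bad=1
    fi

    # Directories wiped by a recursive delete show up here first.
    for d in /dev /sbin /bin /etc /lib; do
        [ -d "$root$d" ] || { echo "NODIR    $d"; bad=1; }
    done

    # Files needed to reach single-user mode; -s also flags zero-length files.
    # Note: absolute symlinks resolve against the rescue system, not ROOT.
    for f in /sbin/init /bin/sh /etc/inittab /etc/passwd; do
        [ -s "$root$f" ] || { echo "MISSING  $f"; bad=1; }
    done

    return "$bad"
}

# Run against the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    check_root "$1"
fi
```

Keeping the mount read-only preserves timestamps and deleted-file remnants for later examination of what the intruder changed.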

 
 
 

1. 2.4.19 place buffer dirtied in truncate() on inode's dirty data list

This is for 2.4.x:

block_truncate_page() does a __mark_buffer_dirty(bh) at the end, but it
does not file the buffer on the inode's dirty data queue, so only
bdflush can ever get to it, and other sync mechanisms which call
fsync_inode_data_buffers() do not see it.

This was causing a particular problem with O_DIRECT on an xfs
filesystem, since O_DIRECT tries to sync before doing the I/O.
Following a truncate(), O_DIRECT reads of the last block were not
returning the correct data, since the truncate never got synced down to
disk.

ext2 does not seem to be able to do an O_DIRECT read of the last
filesystem block, unless the file size is a multiple of block size, so it
doesn't show up there.

--- linux/fs/buffer.c_1.109     Mon Sep 23 13:10:56 2002

        flush_dcache_page(page);
        kunmap(page);

-       __mark_buffer_dirty(bh);
+       if (!atomic_set_buffer_dirty(bh)) {
+               __mark_dirty(bh);
+               buffer_insert_inode_data_queue(bh, inode);
+               balance_dirty();
+       }
+
        err = 0;
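
Review bot: in the added if (!atomic_set_buffer_dirty(bh)) branch, buffer_insert_inode_data_queue(bh, inode) only runs when this call is the one that sets the dirty bit. If the buffer can already be dirty on entry without being on the inode's dirty data queue, it is still skipped here and fsync_inode_data_buffers() would still miss it; consider moving the queue insertion outside the conditional, or add a comment stating why an already-dirty buffer is guaranteed to be queued. The balance_dirty() call also deserves a one-line comment in the code on why throttling in the truncate path is wanted, since the hunk itself gives no reason.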

The balance_dirty() call is debatable; Andrew Morton pointed out that it
does add a bit more risk.  OTOH, if you go off and truncate a million
files in a row, you'll be in sorry shape without it.

2.5 apparently does not have this problem; it calls mark_buffer_dirty()
which seems to take care of things.

-Eric

--
Eric Sandeen      XFS for Linux     http://oss.sgi.com/projects/xfs
