[vox-tech] find not found
Rod Roark
rod at sunsetsystems.com
Sat Oct 23 18:10:57 PDT 2010
On 10/23/2010 05:26 PM, Bill Broadley wrote:
> ...
> First, backup anything important.
>
> It could of course be a strange typo while root, but I would also be
> suspicious of a disk error. Any hints from dmesg? Maybe a hdparm -long
> test would be indicated.
>
> Another possibility is a hacked machine where they replace ps/find/ls
> and friends to hide... although to be honest seems like 99% of such
> attacks these days attack the kernel and hide that way.
>
> The only way to be completely sure is install from trusted media, but
> you could:
> * boot from trusted media, figure out where all your disk space is
> being used. Maybe run a rootkit detector or two (but in my
> experience they are useless).
> * Nmap from a remote machine, make sure only the ports you expect
> are open.
> * Make sure you are patched of course
> * monitor network traffic upstream (from a different machine/fw).. even
> just monitoring your uplink light.

Well, current dmesg does include this:

[ 1.942506] EXT4-fs (sda1): INFO: recovery required on readonly filesystem
[ 1.942509] EXT4-fs (sda1): write access will be enabled during recovery
...
[ 3.570223] EXT4-fs (sda1): orphan cleanup on readonly fs
[ 3.570235] EXT4-fs (sda1): ext4_orphan_cleanup: deleting unreferenced inode 394234
...
[ 3.584069] EXT4-fs (sda1): ext4_orphan_cleanup: deleting unreferenced inode 391083
[ 3.584077] EXT4-fs (sda1): 18 orphan inodes deleted
[ 3.584079] EXT4-fs (sda1): recovery complete
[ 4.307438] EXT4-fs (sda1): mounted filesystem with ordered data mode

This goes with the reboot that I did after findutils was reinstalled and
a system upgrade via synaptic was done. /var/log/syslog from yesterday's
reboot did not show anything like that, however I do remember that reboot
showing the BIOS startup screen a second time, which struck me as being
weird at the time.

So, maybe something is going on with the hard drive. But I didn't see
anything in "man hdparm" about doing a suitable test. Guess I'll do
something with fsck later tonight. By the way nightly backups are routine
here.

Thanks.

Rod