interesting behaviour.

John B. Milton jbm at uncle.UUCP
Tue Dec 13 17:57:24 AEST 1988 

In article <1430 at umbc3.UMD.EDU> alex at umbc3.UMD.EDU (Alex S. Crain) writes:

>Ok, here's ths story. I arrive home very late yesterday, and before
>going to sleep I check for mail on nerwin, my 3b1. Nothing interesting,
>so I get out of mail and soemthing doesn't feel right, so I start
>up mail again, but mail responds with
Just what do you mean by "doesn't feel right"? Was it too slow?

>	No mail for ubluit.
Thad already mentioned the ubluit == You Blew It

>since ubluit is not my login, I start to wonder, and when ls comes
>back with
>
>	/bin/ls: not a directory
Yup, this means trouble.

>I really get worried. I discover that I can get to /usr/* but /bin is
>gone and /etc dissapears afters minute.  I go to reboot the machine,
>but its too late because / no lnger exists, not evern a boot track. I
>reboot from the floppy, the hard disk is unmountable, so I shut the
>thing off and go to bed wondering.
It sounds like the disk was being erased from the beginning of /dev/rfp002.
Actually it sounds like it was being filled with "ubluitubluitubluit..."

>	Now a couple of things figure in here. On the one side:
>
>	 I've been screwing around with the kernal, and my mailer
Like what have you been doing? Patching things with loadable drivers?

>program had been known to trigger my mistakes, so I might have hosed
>myself. But its never happened before like this, and usually I just
>trash the freelist, and my error is *always* "inode > 2^24", which
>kills the machine instantly. This time, the machine worked for a
>little while, and faded, losing directories, as if there was /etc/mkfs
>in background. 

>	ubluit is a very interesting name to pop out of nowhere. I
>have no users with that name, nor any user programs, nor have I ever
>seen anything like that before. I find it very coincidential that it
>should become my login id just before the machine died.
Ah, yeh, I would say that.

>	Naturally, I don't have any uucp records. but I don't allow
>dialins, so all traffic goes via umbc3.umd.edu. umbc3's LOGFILE has an
>entry
Are you absolutely sure?

>uucp uunet (12/9-4:36-13470) daemon X.uunetCvPQ3 XQT
>(PATH=/bin:/usr/bin:/usr/ucb:/usr/local/bin;export PATH;rmail
>nerwin!alex )
>I'm not sure what this says, but I do know that the machine died about
>4:30 am on 12/9, and I haven't sent any mail for several days. Can
>some uucp guru explain exactly what this message means?
Sorry, I can't help you out with this one, but this looks like a remote
mail uux request.

[paranoid, no root pass wrong people delicate]

Right now, get a snap shot of ALL the nerwin related uucp files for later
analysis.

Did you remove write permission from /?
When you read your mail, did you use the [Msg] key, type mail directly?
Do you have old style UUCP, or HDB UUCP?
What commands did you have in your L.cmds/Permissions file?
  (sorry to speak about your system in the past tense...)
Keep that disk! There may still be lots of good info left. It could be mounted
  as the second disk (um, once I get my board out...) and dumped/examined.
What was in your USERFILE?

Can you stat the disk from the diagnostics:

1. Boot diags
2. enter s4test
3. enter 6,12
Does it print an page of info, or give you an error?

MORE INFO!

John

-- 
John Bly Milton IV, jbm at uncle.UUCP, n8emr!uncle!jbm at osu-cis.cis.ohio-state.edu
(614) h:294-4823, w:764-2933;  Got any good 74LS503 circuits?

More information about the Comp.sys.att mailing list