Date: Wed, 19 May 1999 23:46:21 -0600 (MDT)
From: David G Andersen <danderse@cs.utah.edu>
To: arussell@tyr.agrknives.com (Andrew G. Russell)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: attack or failure
Message-ID: <199905200546.XAA18509@lal.cs.utah.edu>
In-Reply-To: <199905200403.XAA16431@tyr.agrknives.com> from "Andrew G. Russell" at May 19, 99 11:03:26 pm
Before you create/touch/break anything on your filesystems, you'll most likely want to 'strings' the raw filesystem device and pipe it through either grep, or a little perl script, to look for syslog patterns. I've used it a few times in case of emergency (like the one you've described), and it tends to pick out most of the interesting syslog entries.

Stick a floppy in, and do:

    strings /dev/sd0c | ./findsysl > /dev/fd0

(where findsysl is something like:

    #!/usr/bin/perl
    # Print only lines that look like BSD syslog entries:
    # "Mon DD HH:MM:SS hostname ..."; replace <compname> with the host's name.
    while (<STDIN>) {
        if (/^[A-Z][a-z][a-z] +\d+ \d\d:\d\d:\d\d <compname> /) {
            print;
        }
    }

Or pipe to 'more' to see if it's getting anything interesting. _don't_ cat it to the filesystem, because it'll clobber old data.

More sophisticated recovery techniques exist, if there's anything critical on the system or you really want to find out what's going on. This'll get you 90% of what's there with little effort, though.

-Dave

Lo and behold, Andrew G. Russell once said:
>
> Last night, a system that has been running FreeBSD 2.1.5 for a number of
> years with the last upgrade being sendmail 8.8.4 being added.
>
> Three filesystems were cleared out, I don't know if newfs or rm -rf * were
> used on them.
>
> the filesystems were /x(local/src/obj...) /var /tmp
> the of course covers up the track quite nicely.
>
> the mod times on /tmp is May 18 21:09, on /var May 18 21:09 and on /x
> May 18 21:33
>
> this being an old system, when I could not get at the /x filesystem, I rebooted.
>
> This system will be upgraded to 2.2.8, but I sure would like some clue as
> to how it happened.
>
> Thanks in advance for any help/thoughts.
>
> A.G. Russell
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

--
work: danderse@cs.utah.edu      me: angio@pobox.com
University of Utah              http://www.angio.net/
Computer Science - Flux Research Group      "What's footnote FIVE?"
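The carving trick Dave describes (extract printable runs from the raw device, keep the ones that start like a syslog line for this host, never write the output back to the filesystem under examination) as an added example in Python; this is not code from the original message. It reads the device or image in chunks so a line that straddles a chunk boundary is still recovered, and the hostname "gateway" plus the sample image bytes are constructed here for illustration.

```python
import re

# Runs of printable ASCII, as strings(1) extracts them (minimum length 4).
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")

def syslog_pattern(hostname):
    # BSD syslog line: "Mon DD HH:MM:SS hostname program[pid]: message".
    # The hostname is a placeholder, like <compname> in the original script.
    return re.compile(rb"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d "
                      + re.escape(hostname.encode()) + rb" ")

def carve_syslog(raw, hostname):
    """Return the syslog lines for hostname found in a raw byte blob."""
    pat = syslog_pattern(hostname)
    return [run.decode("ascii") for run in PRINTABLE.findall(raw) if pat.match(run)]

def carve_device(path, hostname, chunk_size=1 << 20):
    """Scan a raw device or disk image chunk by chunk (read-only).

    A printable run that reaches the end of a chunk is held back and
    prepended to the next chunk, so a log line split across the boundary
    is still reassembled and matched.
    """
    found, carry = [], b""
    with open(path, "rb") as dev:
        while True:
            buf = dev.read(chunk_size)
            if not buf:
                break
            data = carry + buf
            # Start of the trailing printable run (len(data) if none).
            cut = re.search(rb"[\x20-\x7e]*\Z", data).start()
            found.extend(carve_syslog(data[:cut], hostname))
            carry = data[cut:]
    found.extend(carve_syslog(carry, hostname))
    return found

# Constructed sample standing in for a raw filesystem image: two syslog lines
# for host "gateway" interleaved with binary junk, plus a line from another host.
SAMPLE_IMAGE = (
    b"\x00\x00\x01junk\xff"
    b"May 18 21:09:01 gateway su: BAD SU alice to root on /dev/ttyp2\n"
    b"\xff\xfe\x00\x00"
    b"May 18 21:33:17 gateway /kernel: mounting /x\n"
    b"Some printable text without a syslog prefix\n"
    b"May 18 21:40:00 otherhost sshd[123]: connection closed\n"
)

if __name__ == "__main__":
    import sys  # usage: carve.py /dev/sd0c hostname > /dev/fd0
    for line in carve_device(sys.argv[1], sys.argv[2]):
        print(line)
```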
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message