From owner-freebsd-security Thu May 20 1:37:23 1999
Delivered-To: freebsd-security@freebsd.org
Received: from hydrogen.fircrest.net (metriclient-2.uoregon.edu [128.223.172.2]) by hub.freebsd.org (Postfix) with ESMTP id EF3C414EBD for ; Thu, 20 May 1999 01:37:16 -0700 (PDT) (envelope-from gurney_j@efn.org)
Received: (from jmg@localhost) by hydrogen.fircrest.net (8.9.1/8.8.7) id BAA08176; Thu, 20 May 1999 01:36:57 -0700 (PDT)
Message-ID: <19990520013657.62702@hydrogen.nike.efn.org>
Date: Thu, 20 May 1999 01:36:57 -0700
From: John-Mark Gurney
To: David G Andersen
Cc: "Andrew G. Russell" , freebsd-security@FreeBSD.ORG
Subject: Re: attack or failure
References: <199905200403.XAA16431@tyr.agrknives.com> <199905200546.XAA18509@lal.cs.utah.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.69
In-Reply-To: <199905200546.XAA18509@lal.cs.utah.edu>; from David G Andersen on Wed, May 19, 1999 at 11:46:21PM -0600
Reply-To: John-Mark Gurney
Organization: Cu Networking
X-Operating-System: FreeBSD 3.0-RELEASE i386
X-PGP-Fingerprint: B7 EC EF F8 AE ED A7 31 96 7A 22 B3 D8 56 36 F4
X-Files: The truth is out there
X-URL: http://resnet.uoregon.edu/~gurney_j/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

David G Andersen scribbled this message on May 19:
> More sophisticated recovery techniques exist, if there's anything critical
> on the system or you really want to find out what's going on. This'll get
> you 90% of what's there with little effort, though.

I'm not sure how my program (ffsrecov in ports) handles deleted files (which it sounds like it is)... but it might help you to recover some data files... just as long as the directory bit hasn't been cleared on the inode... be warned though, right now I'm mmap'ing the file to do the work, which means that you are seriously limited on the file system size, no 4gig fs's for this unless you're on an Alpha.. I haven't tested how large it can handle, but I've used it successfully for a 1.8gig fs... and right now ffsrecov doesn't open the file system for writing, so it won't cause any more damage... it's just made for extracting data from the file system... if you have any more ideas for ways of pulling data out of the file system, I'd like to know...

> Lo and behold, Andrew G. Russell once said:
> > Last night, a system that has been running FreeBSD 2.1.5 for a number of
> > years with the last upgrade being sendmail 8.8.4 being added.
> >
> > Three filesystems were cleared out, I don't know if newfs or rm -rf * were
> > used on them.
> >
> > the filesystems were /x(local/src/obj...) /var /tmp
> > that of course covers up the tracks quite nicely.
> >
> > the mod times on /tmp is May 18 21:09, on /var May 18 21:09 and on /x
> > May 18 21:33
> >
> > this being an old system, when I could not get at the /x filesystem, I rebooted.
> >
> > This system will be upgraded to 2.2.8, but I sure would like some clue as
> > to how it happened.

-- 
John-Mark Gurney                              Voice: +1 541 684 8449
Cu Networking                                 P.O. Box 5693, 97405

"The soul contains in itself the event that shall presently befall it.
The event is only the actualizing of its thought."
  -- Ralph Waldo Emerson

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
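As an added example (not ffsrecov's code, not from the thread, and not from the FreeBSD project): the two design points in the reply are that a recovery tool should open the file system read-only so it cannot do further damage, and that mmap'ing the whole image limits you to what fits in a 32-bit address space. The scanner below walks a raw FFS image in fixed windows through a pread-style reader, carrying a few bytes across each window boundary so a value that straddles two windows is still seen, and reports every UFS superblock magic it finds (primary or alternate) as a candidate superblock offset, which is the kind of triage you would do on an image after a suspected newfs. It goes a little beyond the message by handling both UFS1 and UFS2. It assumes the standard on-disk values: UFS1 magic 0x011954, UFS2 magic 0x19540119, fs_magic at byte 1372 of struct fs, little-endian layout as on i386 and Alpha. The names scan_image, scan_window, mem_read_at, fd_read_at and sample_image_check are mine, and the 12 KiB sample image in sample_image_check is constructed for the self-check.

```c
#define _XOPEN_SOURCE 700   /* for pread(2) */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define UFS1_MAGIC      0x011954u     /* assumed: FFS/UFS1 fs_magic */
#define UFS2_MAGIC      0x19540119u   /* assumed: UFS2 fs_magic */
#define FS_MAGIC_OFFSET 1372u         /* assumed: byte offset of fs_magic in struct fs */
#define OVERLAP         3u            /* bytes carried across windows (magic is 4 bytes) */

typedef struct { off_t magic_off; off_t sb_off; int kind; } hit_t;

/* Reader callback shaped like pread(2): bytes read, 0 at EOF, -1 on error. */
typedef ssize_t (*read_at_fn)(void *ctx, unsigned char *buf, size_t len, off_t off);

static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* 1 for a UFS1 magic, 2 for UFS2, 0 for anything else. */
int magic_kind(uint32_t v) {
    if (v == UFS1_MAGIC) return 1;
    if (v == UFS2_MAGIC) return 2;
    return 0;
}

/* Scan one resident window whose first byte is at image offset base.
 * Each hit records where the magic sits and where the superblock would start. */
size_t scan_window(const unsigned char *buf, size_t len, off_t base, hit_t *out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; len >= 4 && i <= len - 4 && n < max; i++) {
        int k = magic_kind(le32(buf + i));
        if (!k) continue;
        off_t moff = base + (off_t)i;
        if (moff < (off_t)FS_MAGIC_OFFSET) continue;   /* cannot be a superblock's fs_magic */
        out[n].magic_off = moff;
        out[n].sb_off = moff - (off_t)FS_MAGIC_OFFSET;
        out[n].kind = k;
        n++;
    }
    return n;
}

/* Walk the whole image one window at a time. Only `window` + OVERLAP bytes are ever
 * resident, so the image size is bounded by off_t, not by the address space that a
 * whole-file mmap would need. Returns the number of hits stored, or -1 on read error. */
long scan_image(read_at_fn rd, void *ctx, size_t window, hit_t *out, size_t max) {
    unsigned char *buf = malloc(window + OVERLAP);
    if (!buf) return -1;
    size_t carry = 0, total = 0;
    off_t off = 0;
    for (;;) {
        ssize_t got = rd(ctx, buf + carry, window, off);
        if (got < 0) { free(buf); return -1; }
        if (got == 0) break;
        size_t len = carry + (size_t)got;
        /* buf[0] is image byte (off - carry): the bytes the previous pass could not finish. */
        total += scan_window(buf, len, off - (off_t)carry, out + total, max - total);
        if (total >= max) break;
        carry = len < OVERLAP ? len : OVERLAP;
        memmove(buf, buf + len - carry, carry);
        off += got;
    }
    free(buf);
    return (long)total;
}

/* Reader over an in-memory image (used by the self-check). */
typedef struct { const unsigned char *data; size_t size; } mem_image_t;
static ssize_t mem_read_at(void *ctx, unsigned char *buf, size_t len, off_t off) {
    const mem_image_t *im = ctx;
    if (off < 0 || (size_t)off >= im->size) return 0;
    size_t n = im->size - (size_t)off;
    if (n > len) n = len;
    memcpy(buf, im->data + off, n);
    return (ssize_t)n;
}

/* Reader over a descriptor opened O_RDONLY (used by main). */
static ssize_t fd_read_at(void *ctx, unsigned char *buf, size_t len, off_t off) {
    return pread(*(int *)ctx, buf, len, off);
}

/* Self-check on a constructed 12 KiB image: a UFS1 magic where the primary superblock
 * would place it (8192 + 1372) and a UFS2 magic straddling a 4 KiB window boundary.
 * Returns 1 when both are reported at the expected offsets in image order. */
int sample_image_check(void) {
    enum { SIZE = 12288, WIN = 4096 };
    unsigned char *img = calloc(SIZE, 1);
    if (!img) return 0;
    const unsigned char ufs1[4] = {0x54, 0x19, 0x01, 0x00};   /* 0x011954 little-endian */
    const unsigned char ufs2[4] = {0x19, 0x01, 0x54, 0x19};   /* 0x19540119 little-endian */
    memcpy(img + 8192 + FS_MAGIC_OFFSET, ufs1, 4);            /* magic at 9564 */
    memcpy(img + 2 * WIN - 2, ufs2, 4);                       /* magic at 8190, crosses 8192 */
    mem_image_t im = { img, SIZE };
    hit_t hits[8];
    long n = scan_image(mem_read_at, &im, WIN, hits, 8);
    free(img);
    return n == 2
        && hits[0].kind == 2 && hits[0].magic_off == 8190 && hits[0].sb_off == 8190 - 1372
        && hits[1].kind == 1 && hits[1].magic_off == 9564 && hits[1].sb_off == 8192;
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s image-or-device\n", argv[0]); return 2; }
    int fd = open(argv[1], O_RDONLY);   /* read-only: the tool must never write the image */
    if (fd < 0) { perror("open"); return 1; }
    hit_t hits[64];
    long n = scan_image(fd_read_at, &fd, 1u << 20, hits, 64);
    for (long i = 0; i < n; i++)
        printf("UFS%d magic at %lld -> candidate superblock at %lld\n", hits[i].kind,
               (long long)hits[i].magic_off, (long long)hits[i].sb_off);
    close(fd);
    return n < 0 ? 1 : 0;
}
```

Run it against a dd copy of the partition rather than the live device where you can, and note that a magic found at an offset other than the primary location is only a candidate: alternate superblocks in cylinder groups and stale copies from an earlier newfs both produce hits, and which one describes the file system you want back is the question the rest of a recovery tool has to answer.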