LinuxQuestions.org
Old 01-18-2003, 12:36 AM   #1
spooge
Member
 
Registered: Nov 2001
Location: n chicago, IL. USA
Distribution: Slackware
Posts: 307

Rep: Reputation: 31
hack ?


2 nights in a row my rh7.3 just reboot'd all by itself.
(kinda like hittin the reset button on the box)

was talkin to bro in irc, when it lock'd up. before that i was getting hits at my win2k box(zone alarm).

default ipchains
linksys router/nat /using ip
box won't boot

at boot, getting :

EXT3-fs: group descriptors corrupted!
mount:error 22 mounting 22
pivotroot: pivot_root(sysroot./sysroot/initrd) failed:2
kernel panic: No init found. try passing init=option kernel

well i'm reacting without checking to see if it will boot with boot disk.

hack'd maybe ?
 
Old 01-18-2003, 02:05 AM   #2
jago25_98
Member
 
Registered: Jun 2001
Posts: 278

Rep: Reputation: 30
reinstall if in doubt

tricky.

ext3 filesystem problem - "group descriptors"

This may mean that ext3 is correcting the problem

or

it's something that shouldn't happen. If it is a broken filesystem then this is the reason that the kernel is panicking because it can't find its initrd file.

Innit = A phrase used by common scum in England.
Init in linux = a part of the linux kernel/that part of bootup, that is stored somehow separate from the actual kernel for some reason. AKA initialisation i guess.

However, the filesystem may be fine; it's just a minor problem due to the filesystem not unmounting correctly before reboot with ext3 telling you that it's fixing the problem like a journaling filesystem should.

So if the filesystem is fine and the ext3 Group descriptors error message is not critical what could be causing the problem?

The error message "init" not found happens when someone tries to run a new kernel without telling lilo (via /etc/lilo* perhaps) where it can find initrd. This means it needs to be told where the init file is.
Now, it's just possible that someone has hacked you, replaced your kernel with one they've cooked up and got the thing to reboot, only they screwed up because they didn't sort out initrd so it won't boot anymore.

If the filesystem is damaged, or someone who you know has installed a new kernel = not hacked.

If filesystem was actually fine or we have confidence in the idea that the sudden reboot was NOT caused by a system crash that I personally haven't heard of = Hack likely.

What I'd do:

- out of interest for hack check the filesystem to see if it's ok, possibly checking for badblocks (boot from floppy distro/install cdrom/rescue cdrom + fsck /dev/DEVICE).
- backup as little as possible bearing in mind it could all be infected / dodgy
- Blank and format the lot
- reinstall anyway just in case
- update stuff fast, keep updated. Understand how redhat updates work - do they include a kernel update that could confuse lilo as to its init perhaps?

Or just reinstall.
 
Old 01-18-2003, 06:34 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,374
Blog Entries: 54

Rep: Reputation: 2872
I agree with jago25_98: filesystem checking is the first thing you should do.

"well i'm reacting without checking to see if it will boot with boot disk".
You're on the bloody wrong track. You should always try all options to determine the cause of the problem.

If it all doesn't work try to read the filesystem booting from a rescue disk and save all logs. If you can find anomalies post 'em here. While booting from the rescue disk run your filesystem integrity checker (you have one of these, right?: Aide, Samhain or Tripwire). If unsure load up chkrootkit(.org) as well.

If there's nothing in the logs, no unknown files/devices on the filesystem and chkrootkit doesn't return weirdness then chances are getting smaller (in the good sense) your box has been hacked.

*If you don't have a filesystem integrity checker, can't run chkrootkit or can't access/read the logs your chances of detecting a possible compromise are smaller as well: in a bad way tho. Then a reformat of the disk and reinstall is the only option to make sure you have a "trusted" box.

**Overclocking, a bad power supply or excessive heat can lead to spontaneous reboots as well.
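
The read-only triage described in the two replies above, as an added example that is not part of the original thread: check the filesystem without repairing it, mount it read-only, save the logs with a hash manifest, and list ordinary files hiding in /dev. The function names, /mnt/suspect and /evidence are assumptions made for this sketch; /dev/DEVICE is the placeholder used earlier in the thread.

```shell
#!/bin/sh
# Added example: read-only triage of a suspect disk from rescue media.
# Function names and paths are hypothetical, chosen for this sketch.

# Check the filesystem without changing it (-n answers "no" to every repair).
check_fs() { e2fsck -n "$1"; }

# Mount read-only; "noload" stops ext3 from replaying its journal, so the
# on-disk state stays exactly as the crash (or an intruder) left it.
mount_ro() { mkdir -p "$2" && mount -t ext3 -o ro,noload "$1" "$2"; }

# Copy the logs off the suspect root (keeping timestamps) and write a hash
# manifest so later analysis can show the copies were not altered.
save_logs() {
    root=$1
    dest=$2
    mkdir -p "$dest" || return 1
    cp -pR "$root/var/log" "$dest/log" || return 1
    ( cd "$dest" && find log -type f -exec sha256sum {} + > MANIFEST.sha256 )
}

# Re-check the saved copies; a non-zero exit means a copy no longer matches.
verify_logs() { ( cd "$1" && sha256sum -c MANIFEST.sha256 >/dev/null 2>&1 ); }

# /dev should hold device nodes, not ordinary files. List regular files
# there, ignoring the MAKEDEV script that older distributions kept in /dev.
odd_dev_files() {
    ( cd "$1" && find dev -type f ! -name MAKEDEV 2>/dev/null | sort )
}

# Typical sequence on the rescue system (needs root, so nothing runs here):
#   check_fs /dev/DEVICE
#   mount_ro /dev/DEVICE /mnt/suspect
#   save_logs /mnt/suspect /evidence
#   odd_dev_files /mnt/suspect
#   chkrootkit -r /mnt/suspect    # -r: treat the mounted disk as the root
```

Write /evidence to separate media (floppy, second disk, network share), never to the suspect disk itself.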
 
Old 01-18-2003, 01:03 PM   #4
spooge
Member
 
Registered: Nov 2001
Location: n chicago, IL. USA
Distribution: Slackware
Posts: 307

Original Poster
Rep: Reputation: 31
well hardware is fine i quit overclocking awhile ago( cook'd mobo/cpu).
i was able to get everything going again, with rescue disks. i had to take wife out for breakfast, and when i came back system was lock'd up. tried to rescue again but couldn't get it goin again.

i'll try again later, gota lota work to do.
thanks for the help, will post back when i have time /results

(maybe this should be moved to another forum)
 
Old 01-21-2003, 11:54 AM   #5
spooge
Member
 
Registered: Nov 2001
Location: n chicago, IL. USA
Distribution: Slackware
Posts: 307

Original Poster
Rep: Reputation: 31
well this was a brand new kg7-raid mobo, thing will get past post, and then lock up.

is it possible to hack the bios ?

week after i order'd computer parts for a friend, he calls and says someone order'd a Dell on his card, and had to shut down his visa.

i set this up with medium firewall settings at install, cookies disabled.
looks like someone definitely got past the nat and into the box.

time to do some extensive reading !!!
 
  

