LinuxQuestions.org - Linux - Security
hack ? (https://www.linuxquestions.org/questions/linux-security-4/hack-41894/)

spooge 01-18-2003 12:36 AM

hack ?
 
Two nights in a row my RH 7.3 box just rebooted all by itself
(kind of like hitting the reset button on the box).

I was talking to my brother in IRC when it locked up. Before that I was getting hits at my Win2k box (ZoneAlarm).

Default ipchains
Linksys router/NAT, using IP
Box won't boot

At boot, getting:

EXT3-fs: group descriptors corrupted!
mount: error 22 mounting 22
pivotroot: pivot_root(/sysroot,/sysroot/initrd) failed: 2
Kernel panic: No init found. Try passing init= option to kernel

Well, I'm reacting without checking to see if it will boot with a boot disk.

Hacked maybe?

jago25_98 01-18-2003 02:05 AM

Reinstall if in doubt
 
Tricky.

ext3 filesystem problem - "group descriptors"

This may mean that ext3 is correcting the problem

or

it's something that shouldn't happen. If it is a broken filesystem then this is the reason the kernel is panicking: because it can't find its initrd file.

Innit = a phrase used by common scum in England.
Init in Linux = a part of the Linux kernel/that part of bootup that is stored somehow separate from the actual kernel for some reason. AKA initialisation, I guess.

However, the filesystem may be fine; it's just a minor problem due to the filesystem not unmounting correctly before reboot, with ext3 telling you that it's fixing the problem like a journaling filesystem should.

So if the filesystem is fine and the ext3 group descriptors error message is not critical, what could be causing the problem?

The error message "init not found" happens when someone tries to run a new kernel without telling lilo (via /etc/lilo* perhaps) where it can find initrd. This means it needs to be told where the init file is.
Now, it's just possible that someone has hacked you, replaced your kernel with one they've cooked up and got the thing to reboot, only they screwed up because they didn't sort out initrd, so it won't boot anymore.

If the filesystem is damaged, or someone you know has installed a new kernel = not hacked.

If the filesystem was actually fine, or we have confidence in the idea that the sudden reboot was NOT caused by a system crash that I personally haven't heard of = hack likely.

What I'd do:

- Out of interest, for the hack check, check the filesystem to see if it's OK, possibly checking for bad blocks (boot from a floppy distro/install CD-ROM/rescue CD-ROM + fsck /dev/DEVICE).
- Back up as little as possible, bearing in mind it could all be infected/dodgy.
- Blank and format the lot.
- Reinstall anyway, just in case.
- Update stuff fast, keep updated. Understand how Red Hat updates work - do they include a kernel update that could confuse lilo as to its init, perhaps?

Or just reinstall.
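On the lilo/initrd point above, here is an added illustration (not from the thread, and not anyone's actual config) of what a correct and a broken stanza look like in /etc/lilo.conf. Kernel version strings, labels and device names are assumed for the example. Note that the errno values quoted in the first post line up in the other direction too: mount failing with 22 is EINVAL (ext3 refused the filesystem after the group-descriptor check), pivot_root failing with 2 is ENOENT (nothing was mounted on /sysroot), and "No init found" is just the tail end of that chain, so a damaged root filesystem produces the identical panic as a missing initrd.

```conf
# /etc/lilo.conf  (added example, assumed paths and versions)
boot=/dev/hda
prompt
timeout=50
default=linux

# Distribution kernel: the initrd carries the modules (ext3, the disk driver)
# that the kernel needs before it can mount / and pivot onto it.
image=/boot/vmlinuz-2.4.18-3
        label=linux
        initrd=/boot/initrd-2.4.18-3.img
        read-only
        root=/dev/hda2

# A newly built kernel added without an initrd= line. If ext3 or the disk
# driver is modular in this build, it cannot mount root and panics with
# "No init found" exactly like the messages quoted in the first post.
image=/boot/vmlinuz-2.4.20-custom
        label=custom
        read-only
        root=/dev/hda2
```

Two checks worth doing after editing: `lilo -t -v` parses the file and reports which kernel and initrd each stanza would use without writing the boot map, and a plain `lilo` must then be run, otherwise the edit never takes effect. On Red Hat, `mkinitrd /boot/initrd-2.4.20-custom.img 2.4.20-custom` builds the missing image for a kernel installed under /lib/modules/2.4.20-custom. Any stanza in that file you did not add yourself is worth the same suspicion jago25_98 raises above.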

unSpawn 01-18-2003 06:34 AM

I agree with jago25_98: filesystem checking is the first thing you should do.

"well i'm reacting without checking to see if it will boot with boot disk".
You're on the bloody wrong track. You should always try all options to determine the cause of the problem.

If it all doesn't work, try to read the filesystem by booting from a rescue disk and save all logs. If you can find anomalies, post 'em here. While booting from the rescue disk, run your filesystem integrity checker (you have one of these, right?: Aide, Samhain or Tripwire). If unsure, load up chkrootkit(.org) as well.

If there's nothing in the logs, no unknown files/devices on the filesystem and chkrootkit doesn't return weirdness, then chances are getting smaller (in the good sense) that your box has been hacked.

*If you don't have a filesystem integrity checker, can't run chkrootkit or can't access/read the logs, your chances of detecting a possible compromise are smaller as well: in a bad way, though. Then a reformat of the disk and reinstall is the only option to make sure you have a "trusted" box.

**Overclocking, a bad power supply or excessive heat can lead to spontaneous reboots as well.
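The rescue-disk procedure that both replies above describe (read-only fsck, pull the logs, compare the filesystem against an integrity baseline, run chkrootkit), written out as one script. This is an added example, not posted by anyone in the thread. It assumes the suspect root is ext2/ext3 on the device you pass in, that the rescue media carries e2fsprogs, coreutils and optionally chkrootkit, and that a sha256 baseline of the system was taken while it was still trusted and kept off the box. The baseline functions are a stand-in for Aide/Samhain/Tripwire for the case unSpawn marks with *, where none was installed beforehand; they catch the same three things (changed, missing, and new files) but cannot conjure a baseline after the fact.

```shell
#!/bin/sh
# Rescue-boot triage for a box that rebooted by itself and now cannot mount /.
# Added example, not from the thread. Assumptions: suspect root on $1 (ext2/3),
# e2fsprogs + coreutils on the rescue media, a baseline taken from a known-good
# state. Run only binaries from the rescue media, never from the suspect disk:
# a rootkit replaces exactly the tools (ls, ps, find, ...) you would use to find it.

# 1. Check the filesystem without touching it: -n answers "no" to every repair
#    prompt. Exit status 0 = clean, 4 = errors left uncorrected.
fs_check() {
    e2fsck -n "$1"
}

# 2. Mount read-only (no journal replay by the tools below, no execution from
#    the suspect disk) and copy out the logs and the boot configuration.
save_logs() {
    dev=$1 mnt=$2 out=$3
    mkdir -p "$mnt" "$out"
    mount -t ext3 -o ro,noexec,nodev "$dev" "$mnt" 2>/dev/null \
        || mount -t ext2 -o ro,noexec,nodev "$dev" "$mnt" || return 1
    cp -a "$mnt/var/log" "$out/" 2>/dev/null || true
    cp -a "$mnt/etc/lilo.conf" "$out/" 2>/dev/null || true   # which kernel/initrd lilo uses
    ls -l "$mnt/boot" > "$out/boot-listing.txt"                # any kernel you did not install?
}

# 3. Integrity baseline: sha256 of every regular file under $1, written to $2.
#    Take it right after install, store it off the box (e.g. the rescue floppy).
take_baseline() {
    root=$1 baseline=$2
    (cd "$root" && find . -type f -exec sha256sum {} +) | LC_ALL=C sort -k 2 > "$baseline"
}

# Compare the tree under $1 with baseline $2. sha256sum -c reports files whose
# contents changed or that vanished; comm reports files that did not exist when
# the baseline was taken. Returns 1 if anything differs, 0 if the tree matches.
verify_baseline() {
    root=$1 rc=0
    baseline=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")   # absolute, we cd below
    (cd "$root" && sha256sum -c --quiet "$baseline") || rc=1
    old=$(mktemp)
    new=$(mktemp)
    sed 's/^[0-9a-f]\{64\}  //' "$baseline" | LC_ALL=C sort > "$old"
    (cd "$root" && find . -type f) | LC_ALL=C sort > "$new"
    added=$(LC_ALL=C comm -13 "$old" "$new")
    rm -f "$old" "$new"
    if [ -n "$added" ]; then
        printf 'NEW (not in baseline):\n%s\n' "$added"
        rc=1
    fi
    return "$rc"
}

# 4. chkrootkit, if the rescue media has it; -r inspects the mounted tree
#    instead of the running (rescue) system.
rootkit_check() {
    command -v chkrootkit >/dev/null 2>&1 || { echo "chkrootkit not available"; return 2; }
    chkrootkit -r "$1"
}

# Whole procedure: device, mount point, evidence directory, baseline file.
triage() {
    dev=$1 mnt=$2 out=$3 baseline=$4 status=0
    mkdir -p "$out"
    fs_check "$dev" > "$out/e2fsck.txt" 2>&1 || status=$?
    echo "e2fsck exit status: $status (0 clean, 4 errors left uncorrected)"
    save_logs "$dev" "$mnt" "$out" || { echo "cannot mount $dev read-only"; return 1; }
    if verify_baseline "$mnt" "$baseline" > "$out/integrity.txt" 2>&1; then
        echo "integrity: matches baseline"
    else
        echo "integrity: differences, see $out/integrity.txt"
    fi
    rootkit_check "$mnt" > "$out/chkrootkit.txt" 2>&1 || true
}

# Usage from a rescue shell, e.g.:
#   sh triage.sh /dev/hda2 /mnt/suspect /mnt/floppy/evidence /mnt/floppy/baseline.sha256
if [ "$#" -eq 4 ]; then
    triage "$@"
fi
```

Read the results in the order unSpawn gives: a clean e2fsck plus logs that simply stop at the moment of the reboot points at hardware (his ** note); an unexplained new file in /boot, /etc/ld.so.preload or a changed /bin/ls in integrity.txt is the "weirdness" that ends the discussion in favour of reformatting.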

spooge 01-18-2003 01:03 PM

Well, hardware is fine; I quit overclocking a while ago (cooked mobo/CPU).
I was able to get everything going again with rescue disks. I had to take my wife out for breakfast, and when I came back the system was locked up. Tried to rescue again but couldn't get it going again.

I'll try again later, got a lot of work to do.
Thanks for the help, will post back when I have time/results.

(Maybe this should be moved to another forum.)

spooge 01-21-2003 11:54 AM

Well, this was a brand new KG7-RAID mobo; the thing will get past POST and then lock up.

Is it possible to hack the BIOS?

A week after I ordered computer parts for a friend, he calls and says someone ordered a Dell on his card, and he had to shut down his Visa.

I set this up with medium firewall settings at install, cookies disabled.
Looks like someone definitely got past the NAT and into the box.

Time to do some extensive reading!!!

