Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
01-18-2003, 12:36 AM  #1
Member
Registered: Nov 2001
Location: n chicago, IL. USA
Distribution: Slackware/Debian
Posts: 308
hack ?
2 nights in a row my rh7.3 just reboot'd all by itself.
(kinda like hittin the reset button on the box)
was talkin to bro in irc, when it lock'd up. before that i was getting hits at my win2k box (zone alarm).
default ipchains
linksys router/nat /using ip
box won't boot
at boot, getting:
EXT3-fs: group descriptors corrupted!
mount: error 22 mounting 22
pivotroot: pivot_root(sysroot./sysroot/inird) failed: 2
kernel panic: No init found. try passing init= option kernel
well i'm reacting without checking to see if it will boot with boot disk.
hack'd maybe ?
01-18-2003, 02:05 AM  #2
Member
Registered: Jun 2001
Posts: 302
reinstall if in doubt
tricky.
ext3 filesystem problem - "group descriptors"
This may mean that ext3 is correcting the problem
or
it's something that shouldn't happen. If it is a broken filesystem then this is the reason that the kernel is panicking: because it can't find its initrd file.
Innit = A phrase used by common scum in England.
Init in linux = a part of the linux kernel/that part of bootup, that is stored somehow separate from the actual kernel for some reason. AKA initialisation i guess.
However, the filesystem may be fine; it's just a minor problem due to the filesystem not unmounting correctly before reboot with ext3 telling you that it's fixing the problem like a journaling filesystem should.
So if the filesystem is fine and the ext3 Group descriptors error message is not critical what could be causing the problem?
The error message "init" not found happens when someone tries to run a new kernel without telling lilo (via /etc/lilo* perhaps) where it can find initrd. This means it needs to be told where the init file is.
Now, it's just possible that someone has hacked you, replaced your kernel with one they've cooked up and got the thing to reboot, only they screwed up because they didn't sort out initrd so it won't boot anymore.
If the filesystem is damaged, or someone who you know has installed a new kernel = not hacked.
If filesystem was actually fine or we have confidence in the idea that the sudden reboot was NOT caused by a system crash that I personally haven't heard of = Hack likely.
What I'd do:
- out of interest for hack check the filesystem to see if it's ok, possibly checking for badblocks (boot from floppy distro/install cdrom/rescue cdrom + fsck /dev/DEVICE).
- backup as little as possible bearing in mind it could all be infected / dodgy
- Blank and format the lot
- reinstall anyway just in case
- update stuff fast, keep updated. Understand how redhat updates work - do they include a kernel update that could confuse lilo as to its init perhaps?
Or just reinstall.
01-18-2003, 06:34 AM  #3
Moderator
Registered: May 2001
Posts: 29,417
I agree with jago25_98: filesystem checking is the first thing you should do.
"well i'm reacting without checking to see if it will boot with boot disk".
You're on the bloody wrong track. You should always try all options to determine the cause of the problem.
If it all doesn't work try to read the filesystem booting from a rescue disk and save all logs. If you can find anomalies post 'em here. While booting from the rescue disk run your filesystem integrity checker (you have one of these, right?: Aide, Samhain or Tripwire). If unsure load up chkrootkit(.org) as well.
If there's nothing in the logs, no unknown files/devices on the filesystem and chkrootkit doesn't return weirdness then chances are getting smaller (in the good sense) your box has been hacked.
*If you don't have a filesystem integrity checker, can't run chkrootkit or can't access/read the logs your chances of detecting a possible compromise are smaller as well: in a bad way tho. Then a reformat of the disk and reinstall is the only option to make sure you have a "trusted" box.
**Overclocking, a bad power supply or excessive heat can lead to spontaneous reboots as well.
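As an added example (not code from the thread, nor from Aide, Samhain, Tripwire or chkrootkit), the following POSIX shell script sketches the checks jago25_98 and the moderator recommend: a baseline-and-verify file integrity scan over a root filesystem mounted from a rescue disk, plus a check that the kernel and initrd named in lilo.conf actually exist, which is the "No init found" situation described above. The function names, the demo directory layout and the sample lilo.conf are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal offline integrity check in the
# spirit of Aide/Samhain/Tripwire, plus a lilo.conf kernel/initrd check. Meant to
# run from a rescue disk with the suspect root mounted read-only at the path in $1.

# Record "sha256  ./path" for every regular file under $1 into the file $2.
baseline_create() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum ) > "$2"
}

# Rescan $1 and compare with baseline $2; print ADDED / CHANGED / MISSING paths.
baseline_verify() {
    cur=$(mktemp) || return 2
    baseline_create "$1" "$cur"
    awk 'NR == FNR { h = $1; sub(/^[^ ]+  /, ""); old[$0] = h; next }
         { h = $1; sub(/^[^ ]+  /, "")
           if (!($0 in old)) print "ADDED   " $0
           else { if (old[$0] != h) print "CHANGED " $0; delete old[$0] } }
         END { for (p in old) print "MISSING " p }' "$2" "$cur" | LC_ALL=C sort
    rm -f "$cur"
}

# Report image= and initrd= entries in $1/etc/lilo.conf whose files are absent
# (a dangling entry is one way to end up at "kernel panic: No init found").
lilo_check() {
    sed -n -e 's/^[[:space:]]*image[[:space:]]*=[[:space:]]*//p' \
           -e 's/^[[:space:]]*initrd[[:space:]]*=[[:space:]]*//p' "$1/etc/lilo.conf" |
    while IFS= read -r f; do
        [ -f "$1$f" ] || echo "LILO: missing $f"
    done
}

# Constructed demo tree (not a real system): baseline it, simulate damage, verify.
demo() {
    root=$(mktemp -d); base=$(mktemp)
    mkdir -p "$root/bin" "$root/boot" "$root/etc"
    printf 'ls\n' > "$root/bin/ls"
    printf 'kernel\n' > "$root/boot/vmlinuz"
    printf 'image=/boot/vmlinuz\n    initrd=/boot/initrd.img\n' > "$root/etc/lilo.conf"
    baseline_create "$root" "$base"
    printf 'replaced\n' > "$root/bin/ls"   # an existing binary changed content
    printf 'x\n' > "$root/bin/extra"       # an unexpected new file appeared
    rm -f "$root/boot/vmlinuz"             # the kernel is gone; lilo.conf now dangles
    baseline_verify "$root" "$base"
    lilo_check "$root"
    rm -rf "$root" "$base"
}
demo
```

Real integrity checkers also record permissions, owners and inode data, and keep the baseline on read-only media; a baseline stored on the suspect disk can be altered along with the files it describes.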
01-18-2003, 01:03 PM  #4
Member (Original Poster)
Registered: Nov 2001
Location: n chicago, IL. USA
Distribution: Slackware/Debian
Posts: 308
well hardware is fine i quit overclocking awhile ago (cook'd mobo/cpu).
i was able to get everything going again, with rescue disks. i had to take wife out for breakfast, and when i came back system was lock'd up. tried to rescue again but couldn't get it goin again.
i'll try again later, gota lota work to do.
thanks for the help, will post back when i have time /results
(maybe this should be moved to another forum)
01-21-2003, 11:54 AM  #5
Member (Original Poster)
Registered: Nov 2001
Location: n chicago, IL. USA
Distribution: Slackware/Debian
Posts: 308
well this was a brand new kg7-raid mobo, thing will get past post, and then lock up.
is it possible to hack to bios ?
week after i order'd computer parts for a friend, he calls and says someone order'd a Dell on his card, and had to shut down his visa.
i set this up with medium firewall settings at install, cookies disabled.
looks like someone definitely got past the nat and into the box.
time to do some extensive reading !!!