One of my servers had crashed last night and I found the following entry in the messages and warn files this morning: Jan 3 02:01:10 sparc-sun kernel: vs-7042: entry_points_to_object: entry must be visible \|/ ____ \|/ Jan 3 02:01:10 sparc-sun kernel: "@'/ .. \`@" Jan 3 02:01:10 sparc-sun kernel: /_| \__/ |_\ Jan 3 02:01:10 sparc-sun kernel: \__U_/ Jan 3 02:01:10 sparc-sun kernel: rateup(7073): Kernel bad trap Jan 3 02:01:10 sparc-sun kernel: TSTATE: 0000004411009600 TPC: 000000000101d2f8 TNPC: 000000000101d2fc Y: 00000000 Tainted: P Jan 3 02:01:10 sparc-sun kernel: g0: fffff80010e81000 g1: 0000000000000001 g2: 0000000000000001 g3: 0000000000000000 Jan 3 02:01:10 sparc-sun kernel: g4: fffff80000000000 g5: 0000000000000000 g6: fffff800168a4000 g7: 0000000000000000 Jan 3 02:01:10 sparc-sun kernel: o0: 0000000000000039 o1: 00000000006bbde1 o2: 0000000000000000 o3: 000000000060ea44 Jan 3 02:01:10 sparc-sun kernel: o4: fffff8001311972f o5: 000000006f6c6400 sp: fffff800168a6ef1 ret_pc: 000000000101d2f0 Jan 3 02:01:10 sparc-sun kernel: l0: fffff80013119688 l1: 0000000000000064 l2: 000000000000ff00 l3: fffff800168a7840 Jan 3 02:01:10 sparc-sun kernel: l4: 0000000000ff0000 l5: 000000000fffffff l6: 00000000ffffffff l7: ffffffffffffffff Jan 3 02:01:10 sparc-sun kernel: i0: 0000000000000000 i1: 000000000103db98 i2: fffff80013119690 i3: 0000000000000006 Jan 3 02:01:10 sparc-sun kernel: i4: 0000000000000080 i5: 00000000808da621 i6: fffff800168a6fb1 i7: 000000000100ab10 Jan 3 02:01:10 sparc-sun kernel: Caller[000000000100ab10] Jan 3 02:01:10 sparc-sun kernel: Caller[000000000100af6c] Jan 3 02:01:10 sparc-sun kernel: Caller[00000000004732d8] Jan 3 02:01:10 sparc-sun kernel: Caller[00000000004733cc] Jan 3 02:01:10 sparc-sun kernel: Caller[000000000047364c] Jan 3 02:01:10 sparc-sun kernel: Caller[00000000004105b4] Jan 3 02:01:10 sparc-sun kernel: Caller[000000000001b4b4] Jan 3 02:01:10 sparc-sun kernel: Instruction DUMP: 13004107 7fd09934 921263c8 <91d02005> 01000000 9de3bf30 c6162008 d05e2028 d0122004 Is someone on the kernel development team being funny (the first few lines) or is there a possibility I have been hacked. This machine has NO internet access from the outside. Sun sparc enterprise1 Suse 7.3 (for sparc) Second part As a result of the crash I lost a couple of files which have been restored from backup, but there is now a corrupt directory (moved the corrupt one to a different name before restoring files) containing the following using ls -la: sparc-sun:/usr/local # ll stats.corrupt/ ls: stats.corrupt/íA: No such file or directory total 0 drwxr-xr-x 2 root root 80 Jan 3 07:51 . drwxr-xr-x 17 root root 424 Jan 3 08:10 .. drwxr-xr-x 17 root root 424 Jan 3 08:10 .. sparc-sun:/usr/local # Yes you are seeing two entrys for .. and I cannot delete the corrupted directory. Any suggestions on how to remove the dir short of formatting the filesystem? Thanks, -- Ken Schneider Senior UNIX Administrator Network Administrator
On 3 Jan 2003, Ken Schneider wrote: Good chances you have not been hacked. I remember to have seen this 'smiley' somewhere in the kernel source. Sebastian
One of my servers had crashed last night and I found the following entry in the messages and warn files this morning:
Jan 3 02:01:10 sparc-sun kernel: vs-7042: entry_points_to_object: entry must be visible \|/ ____ \|/ Jan 3 02:01:10 sparc-sun kernel: "@'/ .. \`@" Jan 3 02:01:10 sparc-sun kernel: /_| \__/ |_\ Jan 3 02:01:10 sparc-sun kernel: \__U_/ Jan 3 02:01:10 sparc-sun kernel: rateup(7073): Kernel bad trap Jan 3 02:01:10 sparc-sun kernel: TSTATE: 0000004411009600 TPC: 000000000101d2f8 TNPC: 000000000101d2fc Y: 00000000 Tainted: P Jan 3 02:01:10 sparc-sun kernel: g0: fffff80010e81000 g1: 0000000000000001 g2: 0000000000000001 g3: 0000000000000000 Jan 3 02:01:10 sparc-sun kernel: g4: fffff80000000000 g5: 0000000000000000 g6: fffff800168a4000 g7: 0000000000000000 Jan 3 02:01:10 sparc-sun kernel: o0: 0000000000000039 o1: 00000000006bbde1 o2: 0000000000000000 o3: 000000000060ea44 Jan 3 02:01:10 sparc-sun kernel: o4: fffff8001311972f o5: 000000006f6c6400 sp: fffff800168a6ef1 ret_pc: 000000000101d2f0 Jan 3 02:01:10 sparc-sun kernel: l0: fffff80013119688 l1: 0000000000000064 l2: 000000000000ff00 l3: fffff800168a7840 Jan 3 02:01:10 sparc-sun kernel: l4: 0000000000ff0000 l5: 000000000fffffff l6: 00000000ffffffff l7: ffffffffffffffff Jan 3 02:01:10 sparc-sun kernel: i0: 0000000000000000 i1: 000000000103db98 i2: fffff80013119690 i3: 0000000000000006 Jan 3 02:01:10 sparc-sun kernel: i4: 0000000000000080 i5: 00000000808da621 i6: fffff800168a6fb1 i7: 000000000100ab10 Jan 3 02:01:10 sparc-sun kernel: Caller[000000000100ab10] Jan 3 02:01:10 sparc-sun kernel: Caller[000000000100af6c] Jan 3 02:01:10 sparc-sun kernel: Caller[00000000004732d8] Jan 3 02:01:10 sparc-sun kernel: Caller[00000000004733cc] Jan 3 02:01:10 sparc-sun kernel: Caller[000000000047364c] Jan 3 02:01:10 sparc-sun kernel: Caller[00000000004105b4] Jan 3 02:01:10 sparc-sun kernel: Caller[000000000001b4b4] Jan 3 02:01:10 sparc-sun kernel: Instruction DUMP: 13004107 7fd09934 921263c8 <91d02005> 01000000 9de3bf30 c6162008 d05e2028 d0122004
Is someone on the kernel development team being funny (the first few lines) or is there a possibility I have been hacked.
This machine has NO internet access from the outside. Sun sparc enterprise1 Suse 7.3 (for sparc)
Second part
As a result of the crash I lost a couple of files which have been restored from backup, but there is now a corrupt directory (moved the corrupt one to a different name before restoring files) containing the following using ls -la:
sparc-sun:/usr/local # ll stats.corrupt/ ls: stats.corrupt/íA: No such file or directory total 0 drwxr-xr-x 2 root root 80 Jan 3 07:51 . drwxr-xr-x 17 root root 424 Jan 3 08:10 .. drwxr-xr-x 17 root root 424 Jan 3 08:10 .. sparc-sun:/usr/local #
Yes you are seeing two entrys for .. and I cannot delete the corrupted directory. Any suggestions on how to remove the dir short of formatting the filesystem?
Thanks,
-- ~ ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer@suse.de - SuSE Security Team ~
On Fri, Jan 03, 2003 at 08:52:29AM -0500, Ken Schneider wrote:
Is someone on the kernel development team being funny (the first few lines) or is there a possibility I have been hacked.
IIRC, this smiley was put into the sparc crash handler by Dave Miller, the original author of the Sparc ports. He lost quite a bit of hair over the Sparc stuff, but he kept his humor (even though some of his humor was later edited out of the kernel source though, because it was considered offensive and politically incorrect by People Who Care).
sparc-sun:/usr/local # ll stats.corrupt/ ls: stats.corrupt/íA: No such file or directory total 0 drwxr-xr-x 2 root root 80 Jan 3 07:51 . drwxr-xr-x 17 root root 424 Jan 3 08:10 .. drwxr-xr-x 17 root root 424 Jan 3 08:10 .. sparc-sun:/usr/local #
Yes you are seeing two entrys for .. and I cannot delete the corrupted directory. Any suggestions on how to remove the dir short of formatting the filesystem?
If it's an ext2 file system I think you may be able to fix it using debugfs. For others I'm afraid you're doomed to live with it. Olaf -- Olaf Kirch | Anyone who has had to work with X.509 has probably okir@suse.de | experienced what can best be described as ---------------+ ISO water torture. -- Peter Gutmann
participants (3)
-
Ken Schneider
-
Olaf Kirch
-
Sebastian Krahmer