Hello, On Sat, 11 Aug 2012, Carlos E. R. wrote:

...

Device Boot Start End Blocks Id System /dev/sda1 * 29 29 0 0 Empty /dev/sda2 63 315291689 157645813+ 7 HPFS/NTFS/exFAT /dev/sda3 315291690 490223474 87465892+ f W95 Ext'd (LBA) /dev/sda5 315291753 319195484 1951866 82 Linux swap / Solaris /dev/sda6 319195548 368017019 24410736 83 Linux /dev/sda7 368017083 490223474 61103196 83 Linux [..] I would erase it, then readd it, using fdisk, starting at 1 and ending at 62. Type I don't know, fat or ntfs. I think it may be a Windows boot partition.

Naaah. Those are a _LOT_ bigger than 31kB. DCR: do not do anything just yet. -dnh -- A Perl program is correct if it gets the job done before your boss fires you. -- Larry Wall -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-08-11 05:50, David Haller wrote:

Hello,

On Sat, 11 Aug 2012, Carlos E. R. wrote:

...

...

Device Boot Start End Blocks Id System /dev/sda1 * 29 29 0 0 Empty /dev/sda2 63 315291689 157645813+ 7 HPFS/NTFS/exFAT /dev/sda3 315291690 490223474 87465892+ f W95 Ext'd (LBA) /dev/sda5 315291753 319195484 1951866 82 Linux swap / Solaris /dev/sda6 319195548 368017019 24410736 83 Linux /dev/sda7 368017083 490223474 61103196 83 Linux [..] I would erase it, then readd it, using fdisk, starting at 1 and ending at 62. Type I don't know, fat or ntfs. I think it may be a Windows boot partition.

Naaah. Those are a _LOT_ bigger than 31kB.

Where do you get that 31kb figure from? 63 blocks is a lot more than that. - -- Cheers / Saludos, Carlos E. R. (from 12.1 "Asparagus" GM (bombadillo)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.18 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAlAmQ4UACgkQU92UU+smfQUh9wCfY2CEUBaUAJis1IdLtH6g+9A8 A5AAoI8ry3yk7qN7OmNrLzouNXTT6t1h =MZFW -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Carlos E. R. wrote:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

On 2012-08-11 05:50, David Haller wrote:

...

Hello,

On Sat, 11 Aug 2012, Carlos E. R. wrote:

...

...

Device Boot Start End Blocks Id System /dev/sda1 * 29 29 0 0 Empty /dev/sda2 63 315291689 157645813+ 7 HPFS/NTFS/exFAT /dev/sda3 315291690 490223474 87465892+ f W95 Ext'd (LBA) /dev/sda5 315291753 319195484 1951866 82 Linux swap / Solaris /dev/sda6 319195548 368017019 24410736 83 Linux /dev/sda7 368017083 490223474 61103196 83 Linux [..] I would erase it, then readd it, using fdisk, starting at 1 and ending at 62. Type I don't know, fat or ntfs. I think it may be a Windows boot partition.

Naaah. Those are a _LOT_ bigger than 31kB.

Where do you get that 31kb figure from? 63 blocks is a lot more than that.

1 block = 512byte (unless it's one of the newer disk with 4K blocks), but the number listed under fdisk:Blocks is number of 1k blocks. -- Per Jessen, Zürich (22.6°C) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Hello, [... still up ...] @DCR: thought of some important points, see PS! On Sat, 11 Aug 2012, Carlos E. R. wrote:

On 2012-08-11 05:50, David Haller wrote:

...

[..]

...

I would erase it, then readd it, using fdisk, starting at 1 and ending at 62. Type I don't know, fat or ntfs. I think it may be a Windows boot partition.

Naaah. Those are a _LOT_ bigger than 31kB.

Where do you get that 31kb figure from? 63 blocks is a lot more than that.

Sectors, Carlos, sectors! And AFAIK virtually _all_ HDD and SSDs still work with 512 Byte sectors externally, even if they use 4k sectors internally. So, sector 0 is the MBR, sector 63 is the start of the first partition (at least in dcr's traditional case, nowadays, one tends to format on 1M or at least 4k boundaries, e.g.[0]). That leaves us sectors 1-62, each 512 B in size "unused", which is how I came up with the 31kB. And mind you: if there is space available (as is after the MBR, that 31k, but not, say, on a ext2 /-partition, there's only 1 unused sector, ext* starts at sector 2 of that partition), GRUB (and lilo) do install partly into that space. In dcr's case GRUB uses at least the space up to offset 0x274F, probably up to 0x27CF of the disk for its "stage1.5". Which translates to GRUB using ~18 sectors of space after the MBR, or sectors 1-19 inclusive, with the reiserfs "driver" taking up the last used sectors. See od -tx1z -Ax dcr-sda-0.img |less that dcr "mistakenly" sent to the ML instead of in a tarball via PM just to me ;) I hope the list can handle the traffic impact. And many other bootmanagers (used to) also use the unused space after the MBR. And some drainbamaged "dongling" stuff, much fun ensues if you need more than one of those that try to do that (I never did :). -dnh, you need more coffee? I'm up 24hrs and drained a number of beers, and I _still_ can remember and write about stuff like this somewhat coherently? Gah!! What's that say about me ... *sigh* ;) Well, that stuff _did_ stick in my memory :) Anyway, you know, read with a grain of .., ahhm, pounds of salt ... No, I will not "analyze" dcr's images "today" or give any advice but "wait for me to have slept"... (which should be some time on Sunday, UTC). Oh, but I do have something for dcr: PS@dcr: please run a antivirus check (total<something> online?) on that dcr-sda-0.img file[1]. There _is_ some code in sector 29 which looks fishy to me at a first glance. And as that partition is active and ISTR there are some "trojans"/"viruses" about that "kidnap" your disk by encrypting it, and a normal Winders MBR would just boot that fishy partition... "You" might've been *very* lucky to have Grub and not a normal DOS bootcode in your MBR ... Anyway: *DO NOT* boot from that "bogus" active partition or Winders until we've found out what's up. Oh, I guess it'd be safe to set the linux partition as "active" (or at least deactivate the bogus one) using fdisk (just toggle the "active" flag) or whatever from a linux system (rescue or whatever). That should help you not booting accidently from that fishy partition. *blebb* *burp* *yawn* .oO( need sleep ) *grins inanely* [0] # fdisk -l /dev/sda [..] /dev/sda1 2048 109053951 54525952 83 Linux /dev/sda2 109053952 218105855 54525952 83 Linux [1] I will too, "tomorrow", once I'm up and awake again. -- If you want me, I'll be under my desk in a foetal position, whimpering, and occasionally gently cursing. -- D. C. Staples -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 08/11/2012 09:00 AM, David Haller wrote:

PS@dcr: please run a antivirus check (total<something> online?) on that dcr-sda-0.img file[1]. There _is_ some code in sector 29 which looks fishy to me at a first glance. And as that partition is active and ISTR there are some "trojans"/"viruses" about that "kidnap" your disk by encrypting it, and a normal Winders MBR would just boot that fishy partition... "You" might've been *very* lucky to have Grub and not a normal DOS bootcode in your MBR ...

WOW, Not this is strange. Only 3 of 42 virus scanners identified the file as infected. The virus scanners that flagged the file as infected were: Antivirus Result Update DrWeb Trojan.Tdlphaze.1 20120811 Kaspersky Rootkit.Boot.Pihar.b 20120811 Microsoft Trojan:DOS/Alureon.J 20120811 You can see the full results at: https://www.virustotal.com/file/8565f52c05d538dbe288cd83b63ec2fad0a6f11197b2... The remaining major scanner engines flagged it as clean. I don't know if this means we are dealing with a new variant of some virus, or if the other engines just missed it, or if it is a false positive on those three? Thank you for the link, that is a fantastic virus scanning tool! -- David C. Rankin, J.D.,P.E. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org