interesting behaviour.

Alex S. Crain alex at umbc3.UMD.EDU
Sat Dec 10 13:08:56 AEST 1988


	Something of interest to the netlanders.....

Ok, here's the story. I arrive home very late yesterday, and before
going to sleep I check for mail on nerwin, my 3b1. Nothing interesting,
so I get out of mail and something doesn't feel right, so I start
up mail again, but mail responds with

	No mail for ubluit.

since ubluit is not my login, I start to wonder, and when ls comes
back with

	/bin/ls: not a directory

I really get worried. I discover that I can get to /usr/* but /bin is
gone and /etc disappears after a minute.  I go to reboot the machine,
but it's too late because / no longer exists, not even a boot track. I
reboot from the floppy, the hard disk is unmountable, so I shut the
thing off and go to bed wondering.

	Now a couple of things figure in here. On the one side:

	 I've been screwing around with the kernel, and my mailer
program had been known to trigger my mistakes, so I might have hosed
myself. But it's never happened before like this, and usually I just
trash the freelist, and my error is *always* "inode > 2^24", which
kills the machine instantly. This time, the machine worked for a
little while, and faded, losing directories, as if there was /etc/mkfs
in background. 

	On the other side...

	ubluit is a very interesting name to pop out of nowhere. I
have no users with that name, nor any user programs, nor have I ever
seen anything like that before. I find it very coincidental that it
should become my login id just before the machine died.

	Naturally, I don't have any uucp records, but I don't allow
dialins, so all traffic goes via umbc3.umd.edu. umbc3's LOGFILE has an
entry

uucp uunet (12/9-4:36-13470) daemon X.uunetCvPQ3 XQT
(PATH=/bin:/usr/bin:/usr/ucb:/usr/local/bin;export PATH;rmail
nerwin!alex )

I'm not sure what this says, but I do know that the machine died about
4:30 am on 12/9, and I haven't sent any mail for several days. Can
some uucp guru explain exactly what this message means?

	Normally I'm not very paranoid, and I don't keep a password on
root, but in light of all the accusations of software tampering, I
can't rule out the possibility of sabotage. The unixpc is notorious for
security loopholes, so I suppose someone could have set a Trojan horse
in the mailer (why I don't know). I suppose it's possible that some
things I've said might have pissed off the wrong people.

	I realize that this is a delicate situation, and I would
certainly not accuse anyone without much more evidence than this,
which is circumstantial at best. Unfortunately, nerwin's files are
completely gone, so there's nothing there, but I can get to umbc3's
files (umbc3 is a VAX running 4.2). Is there anything that I should
look at to try tracing nerwin's last communications?

	Thoughts are appreciated...

-- 
					:alex
Alex Crain
Systems Programmer			alex at umbc3.umd.edu
Univ Md Baltimore County		nerwin!alex at umbc3.umd.edu


