Xref: utzoo unix-pc.general:1839 comp.sys.att:4897
Path: utzoo!utgpu!watmath!uunet!lll-winken!lll-tis!ames!ncar!mailrus!uflorida!haven!umbc3!alex
From: alex@umbc3.UMD.EDU (Alex S. Crain)
Newsgroups: unix-pc.general,comp.sys.att
Subject: interesting behaviour.
Message-ID: <1430@umbc3.UMD.EDU>
Date: 10 Dec 88 03:08:56 GMT
Reply-To: alex@umbc3.UMD.EDU (Alex S. Crain)
Organization: University of Maryland, Baltimore County
Lines: 70

Something of interest to the netlanders.....

Ok, here's the story. I arrive home very late yesterday, and before going to sleep I check for mail on nerwin, my 3b1. Nothing interesting, so I get out of mail and something doesn't feel right, so I start up mail again, but mail responds with

    No mail for ubluit.

Since ubluit is not my login, I start to wonder, and when ls comes back with

    /bin/ls: not a directory

I really get worried. I discover that I can get to /usr/* but /bin is gone and /etc disappears after a minute. I go to reboot the machine, but it's too late because / no longer exists, not even a boot track. I reboot from the floppy, the hard disk is unmountable, so I shut the thing off and go to bed wondering.

Now a couple of things figure in here.

On the one side: I've been screwing around with the kernel, and my mailer program had been known to trigger my mistakes, so I might have hosed myself. But it's never happened before like this, and usually I just trash the freelist, and my error is *always* "inode > 2^24", which kills the machine instantly. This time, the machine worked for a little while, and faded, losing directories, as if there was /etc/mkfs in background.

On the other side... ubluit is a very interesting name to pop out of nowhere. I have no users with that name, nor any user programs, nor have I ever seen anything like that before. I find it very coincidental that it should become my login id just before the machine died.

Naturally, I don't have any uucp records, but I don't allow dialins, so all traffic goes via umbc3.umd.edu. umbc3's LOGFILE has an entry

    uucp uunet (12/9-4:36-13470) daemon X.uunetCvPQ3 XQT (PATH=/bin:/usr/bin:/usr/ucb:/usr/local/bin;export PATH;rmail nerwin!alex )

I'm not sure what this says, but I do know that the machine died about 4:30 am on 12/9, and I haven't sent any mail for several days. Can some uucp guru explain exactly what this message means?

Normally I'm not very paranoid, and I don't keep a password on root, but in light of all the accusations of software tampering, I can't rule out the possibility of sabotage. The unixpc is notorious for security loopholes, so I suppose someone could have set a Trojan horse in the mailer (why I don't know). I suppose it's possible that some things I've said might have pissed off the wrong people.

I realize that this is a delicate situation, and I would certainly not accuse anyone without much more evidence than this, which is circumstantial at best. Unfortunately, nerwin's files are completely gone, so there's nothing there, but I can get to umbc3's files (umbc3 is a VAX running 4.2). Is there anything that I should look at to try tracing nerwin's last communications?

Thoughts are appreciated...

--
    :alex
Alex Crain
Systems Programmer          alex@umbc3.umd.edu
Univ Md Baltimore County    nerwin!alex@umbc3.umd.edu