RE: Strange disk problems - file dates out of wack
On 26-Oct-97 Colin R. Telmer wrote: A server in my department has suddenly created (or altered) some files and I cannot figure out how to remove them. Below is the a part of the original note sent to me and I have tried various attempts to remove the files as weel with no avail. I even went to the point of creating a user with uid 28757 but that did not help either. One thing that isn't mentioned below is that when the I tried to remove the files the kernel stated operation not permitted rather than the usual permissions stuff. Any ideas how I can get rid of these files? I think it's almost certain that the data on your hard disk has got corrupted (see below). A possible cause is RAM corruption at a time when data was being written back to disk during an update. -- Forwarded message -- Date: Fri, 24 Oct 1997 11:29:40 -0400 (EDT) From: James G. MacKinnon [EMAIL PROTECTED] To: Colin R. Telmer [EMAIL PROTECTED] Cc: James G. Mackinnon [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Re: frisch On Fri, 24 Oct 1997, Colin R. Telmer wrote: Unmounted /home without any problems and ran e2fsck with the check for bad blocks and force options. However, the disk seems to be fine. Strange. Here are the key parts of the original note: There are several directories that are claimed (by du) to be absurdly big: 501597058 ./reevesj/.netscape/cache/13 634965987 . 1017117464 ./reevesj/.netscape/cache 1017117572 ./reevesj/.netscape 1017168521 ./reevesj Of course, those numbers are not correct! Looking more closely at /reevesj/.netscape/cache, one finds: br--r-srwx 1 2878729728 73, 60 May 21 2025 07 Notice the date and the permissions! Whatever this is, I cannot remove it, even using rm -f, as root! I also cannot change the permissions. Then, within the directory /reevesj/.netscape/cache/13, one finds: c---rwxr-t 1 2494228192 60, 62 Jan 25 2026 cache340259B30115B9F pr-s-wxr-- 1 3155811396 0 Jan 13 1983 cache340259B30125B9F.gif p-ws-wx-wx 1 6019 23682 0 Jan 31 1940 cache343150330010C49.gif Notice the dates! Again, it seems to be impossible to remove these or change the permissions. Note also that /reevesj/.netscape/cache (which should be an ordinary directory, first char in directory listing should be d, not b) now appear as a block device (b) with major number 73 and minor 60, which are not maj/min numbers known to me. Likewise, cache340259B30115B9F appears not a file but as a character device with major,minor = 60,62 which again is an unknown type; the two .gifs appear as named pipes (p). Given that the very nature of the file types has changed, taken with the zany dates and sizes etc, it is almost certain that parts of the hard disk have been written with false data. At the same time, other less obvious corruptions may have occurred which may make files inaccessible or only partially accessible, or point to spurious data. This is the sort of thing that fsck should notice; James MacK says that fsck /was/ run, apparently normally, which is puzzling; but apparently only options -c -f were used which may not reveal serious trouble. Try (non-destructively) e2fsck -fnV on the device with these files and stand back ... (at any rate pipe it through less). I predict several thousand lines of possibly alarming information. Depending on what you see, you may judge that it's worth taking the chance to give fsck a free reign to try to make the filesystem clean (though it may zap some stuff in so doing); or else raw-backup (dd to another device) the bytes on the device and then either do fsck, or reformat the filesystem, or replace the hard drive. In any case it looks pretty dire from here. Sorry. Best wishes, Ted. E-Mail: Ted Harding [EMAIL PROTECTED] Date: 26-Oct-97 Time: 17:00:08 -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: Strange disk problems - file dates out of wack
On Sun, 26 Oct 1997 09:42:59 EST Colin R. Telmer ([EMAIL PROTECTED]) wrote: Unmounted /home without any problems and ran e2fsck with the check for bad blocks and force options. However, the disk seems to be fine. Strange. Here are the key parts of the original note: There are several directories that are claimed (by du) to be absurdly big: 501597058 ./reevesj/.netscape/cache/13 634965987 . 1017117464 ./reevesj/.netscape/cache 1017117572 ./reevesj/.netscape 1017168521 ./reevesj Of course, those numbers are not correct! Looking more closely at /reevesj/.netscape/cache, one finds: br--r-srwx 1 2878729728 73, 60 May 21 2025 07 Notice the date and the permissions! Whatever this is, I cannot remove it, even using rm -f, as root! I also cannot change the permissions. What does lsattr say ? Maybe it's an immutable file (chattr it). Phil. -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: Strange disk problems - file dates out of wack
On Sun, 26 Oct 1997, Philippe Troin wrote: Looking more closely at /reevesj/.netscape/cache, one finds: br--r-srwx 1 2878729728 73, 60 May 21 2025 07 Notice the date and the permissions! Whatever this is, I cannot remove it, even using rm -f, as root! I also cannot change the permissions. What does lsattr say ? Maybe it's an immutable file (chattr it). frisch:/home/reevesj/.netscape/cache# lsattr 07 lsattr 1.10, 24-Apr-97 for EXT2 FS 0.5b, 95/08/09 lsattr: No such device While reading flags on 07 frisch:/home/reevesj/.netscape/cache# lsattr 13 lsattr 1.10, 24-Apr-97 for EXT2 FS 0.5b, 95/08/09 lsattr: Invalid argument While reading flags on 13/cache340259B30125B9F.gif lsattr: Invalid argument While reading flags on 13/cache343150330010C49.gif lsattr: No such device While reading flags on 13/cache340259B30115B9F I also tried chattr -i 07 but got the same error message. Any other ideas? Thanks for the suggestion. Cheers, Colin. -- Colin Telmer, Institute of Intergovernmental Relations School of Policy Studies Building, Room 309, Queen's University Kingston, Ontario, Canada, K7L-3N6 (613)545-6000x4219 mailto:[EMAIL PROTECTED] http://terrapin.econ.queensu.ca -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
RE: Strange disk problems - file dates out of wack
On Sun, 26 Oct 1997, Ted Harding wrote: Try (non-destructively) e2fsck -fnV on the device with these files and stand back ... (at any rate pipe it through less). I predict several thousand lines of possibly alarming information. Depending on what you see, you may judge that it's worth taking the chance to give fsck a free reign to try to make the filesystem clean (though it may zap some stuff in so doing); or else raw-backup (dd to another device) the bytes on the device and then either do fsck, or reformat the filesystem, or replace the hard drive. I have done a e2fsck -fnv but it also did not reveal any problems (output below). However, it did reveal the existence of 27 block device files that I assume have no reason to be under /home. I'm at a loss - any other suggestions? Thanks, Colin. frisch:/# e2fsck -fnv /dev/hda6 e2fsck 1.10, 24-Apr-97 for EXT2 FS 0.5b, 95/08/09 Pass 1: Checking inodes, blocks, and sizes Pass 2: Checking directory structure Pass 3: Checking directory connectivity Pass 4: Checking reference counts Pass 5: Checking group summary information 25948 inodes used (4%) 902 non-contiguous inodes (3.5%) # of inodes with ind/dind/tind blocks: 2230/249/41 1169173 blocks used (54%) 0 bad blocks 24468 regular files 1128 directories 19 character device files 27 block device files 3 fifos 20 links 292 symbolic links (292 fast symbolic links) 2 sockets 25959 files -- Colin Telmer, Institute of Intergovernmental Relations School of Policy Studies Building, Room 309, Queen's University Kingston, Ontario, Canada, K7L-3N6 (613)545-6000x4219 mailto:[EMAIL PROTECTED] http://terrapin.econ.queensu.ca -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: Strange disk problems - file dates out of wack
Philippe Troin [EMAIL PROTECTED] writes: Unmounted /home without any problems and ran e2fsck with the check for bad blocks and force options. However, the disk seems to be fine. Strange. You might want to try the debugfs program. Perhaps it can unlink the files. -- Ben Pfaff [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] Senders of unsolicited commercial e-mail will receive free 32MB core files! -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
RE: Strange disk problems - file dates out of wack
On 26-Oct-97 Colin R. Telmer wrote: I have done a e2fsck -fnv but it also did not reveal any problems (output below). However, it did reveal the existence of 27 block device files that I assume have no reason to be under /home. I'm at a loss - any other suggestions? Thanks, Colin. frisch:/# e2fsck -fnv /dev/hda6 e2fsck 1.10, 24-Apr-97 for EXT2 FS 0.5b, 95/08/09 24468 regular files 1128 directories 19 character device files 27 block device files 3 fifos 20 links 292 symbolic links (292 fast symbolic links) 2 sockets 25959 files This ties in with what you first posted -- only more so. You then showed 1 block device (filetype letter b): fsck has found 27. You showed 2 character device (filetype letter c): fsck has found 19. It would be most bizarre if any of these things were legitimately under /home, and they are almost certainly all spurious. You also showed 2 fifos (named pipes, filetype letter p): fsck has found 3. fsck has also found 2 sockets. Fifos and sockets are quite possible in /home, depending on what users are doing, but both of the fifos you showed had the names of .gif files (though they showed in the listing with size 0, as fifos should). So at least these two are spurious; probably the sockets are too. This also ties in with the results you got with Philippe Troin's suggestion of lsattr: frisch:/home/reevesj/.netscape/cache# lsattr 07 lsattr 1.10, 24-Apr-97 for EXT2 FS 0.5b, 95/08/09 lsattr: No such device While reading flags on 07 This, according to the directory listing purports to be a block device with major,minor = 73,60 and such a combination corresponds to no device type that I know of. frisch:/home/reevesj/.netscape/cache# lsattr 13 lsattr 1.10, 24-Apr-97 for EXT2 FS 0.5b, 95/08/09 lsattr: Invalid argument While reading flags on 13/cache340259B30125B9F.gif lsattr: Invalid argument While reading flags on 13/cache343150330010C49.gif lsattr: No such device While reading flags on 13/cache340259B30115B9F The first two files purported to be fifos (pipes) while their names suggest they should be .gif files, and lsattr has found invalid flags. The third file purported to be a character device with maj,min = 60,62 (again unkown type), and lsattr again finds No such device. My impression is that so much corrupt info has been written to disk that it is probably fubar (in the orignal military sense of that expression). There is a program which allows direct editing of inodes, but it's a very long shot at the best of times even for experts (which I'm not); and in any case I reckon attempting to mend the disk by hand needs an expert sitting in front of the machine. I'll back off now: I think it's time for any real filesystem experts reading all this evidence to give a considered diagnosis (and prognosis). I'm only speaking from memories of painful experience, and general knowledge ... Best wishes, Ted. E-Mail: Ted Harding [EMAIL PROTECTED] Date: 26-Oct-97 Time: 19:26:52 -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: Strange disk problems - file dates out of wack - solved
On 26 Oct 1997, Ben Pfaff wrote: Philippe Troin [EMAIL PROTECTED] writes: Unmounted /home without any problems and ran e2fsck with the check for bad blocks and force options. However, the disk seems to be fine. Strange. You might want to try the debugfs program. Perhaps it can unlink the files. I ran debugfs -w /dev/hda6, changed into the appropriate directory, rm'd the files (some complaints, but proceeded), quit and the files were gone:). I then ran a e2fsck -fvcy /dev/hda6 (unmounted) and it repaired a few screwy inodes. Everthing seems to be fine now. Thanks for all the help. Cheers, Colin. -- Colin Telmer, Institute of Intergovernmental Relations School of Policy Studies Building, Room 309, Queen's University Kingston, Ontario, Canada, K7L-3N6 (613)545-6000x4219 mailto:[EMAIL PROTECTED] http://terrapin.econ.queensu.ca -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
