On Tue, 23 Apr 2002 16:15:29 EDT, Tom Trelvik <tttat_private> said:

Did you log in as yourself and then 'su'? This would leave your original login shell still running, with all the implications (the biggest being that /home is still mounted, probably r/w, as you're doing this...)

> # dhclient
> # dd if=/dev/wd1a | nc -l <port#>

This will take time.. Possibly a bunch of time... And as a result, you're looking at the age-old problem of "taking a snapshot of a live filesystem".

> # vnconfig -cv svnd0 home.wd1a.fs
> # mount -o rdonly,noexec,nosuid /dev/svnd0c mnt_point/
> # ls -l mnt_point/

So at this point you're mounting something without benefit of an fsck, a bad idea even if it *wasn't* a live filesystem. Even an 'fsck -n' would be a good idea at this point, just to be sure....

> This worked fine on all but one partition, /home. It would appear to

Not surprising if you did an 'su'....

> I thought maybe they'd been corrupted somehow, but I can mount the
> partition and read them just fine on the original compromised
> machine. Trying to transfer the filesystems again gives the same results
> reliably.

I'm suspecting that what you're getting bit by is that the file system (and most notably your home directory) are changing while the dd/netcat are running - so things like .sh_history and so on are being created/etc. Try sticking a 'fsck' in between the vnconfig and mount, and see if that finds anything.

-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
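
An added example, not part of the original message: one way to detect the "snapshot of a live filesystem" problem described above is to hash the source before the copy and compare that hash with both the image and the source afterwards. The function names and the `.pre` sidecar file are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: detect a source that changed while it was being imaged.
# Function names and the "$img.pre" sidecar file are hypothetical.

# Print the SHA-256 of a file or device
# (sha256sum on Linux, sha256 -q on OpenBSD).
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# acquire SRC IMG: hash SRC, record that hash beside IMG, then copy SRC to IMG.
acquire() {
    src=$1
    img=$2
    hash_of "$src" > "$img.pre" || return 3
    dd if="$src" of="$img" bs=65536 2>/dev/null || return 3
}

# check_stable SRC IMG
#   0 = pre-copy hash, image hash and current source hash all agree
#   1 = source no longer matches its pre-copy hash (it was live and changed)
#   2 = source is stable but the image differs (transfer or storage problem)
check_stable() {
    src=$1
    img=$2
    pre=$(cat "$img.pre")
    post=$(hash_of "$src")
    got=$(hash_of "$img")
    [ "$pre" = "$post" ] || return 1
    [ "$pre" = "$got" ] || return 2
    return 0
}
```

A result of 1 means the image cannot be trusted as a consistent snapshot, which is the case where running 'fsck -n' against the image before mounting it is most likely to report damage.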