SOS! my Linux box is self destructing! (long)
Net Llama
beemer9
Mon May 17 11:28:11 PDT 2004
I've gotten myself into one hell of a mess, and i'm dumbfounded on how
to fix it.
Last night, I configured my COL-3.1.1 box to provide remote X logins
using kdm, as per these instructions:
http://sxs.sourceforge.net/sxs/remotexkdm.html
Everything was working perfectly.
So, i wake up this morning, and boot up this same box, to come upon
utter chaos. The first sign something wasn't right was when i tried to
login (using kdm), and as soon as i hit enter after typing my password, a
little error window appears to state "System bootup in progress - please
wait". I did a bit of research, and determined that this occurs when
there is a /etc/nologin file (although i couldn't figure out why such a
file was created). So, i found both /etc/nologin (and its contents were
nothing but the error that i just mentioned), and /etc/nologin.boot
(which had the same contents as nologin). I deleted both, and was able to
login as a normal user (root is apparently not affected by these files).
At this point, i'm just thinking that this is some strange artifact
from the remote X config, and that i'm good to go. No dice.
I went ahead to dial into my ISP (my *only* connection to the internet
is via a 56k modem) using the same PPP script i've been using for over a
year, and i wait, and wait, and finally i start to suspect something is
wrong, as ppp0 isn't coming up. So i tail the messages expecting to see
the normal pppd and chat logging info, with perhaps some stupid 'no
carrier' error (which happens occasionally with my ISP), but instead i
see *NOTHING*. It's doing the normal syslog stuff, but there's nothing
from pppd, as if it's never run at all. So, i try to run the ppp dialup
script from the command line (i normally use a tiny Tcl/Tk app to start
& stop the dialup, since my wife isn't all that enthused about using the
command line), and it exits immediately, with no errors or feedback
whatsoever. It's as if pppd doesn't even work. Now i'm starting to get
very worried.
I'm thinking surely a remote X setup can't break ppp, but since i'm
desperate, i decide to back out of the entire remote X configuration. I
switch to the first virtual console, and log in as root, to change to
runlevel 3, and that's when i notice that the /etc/issue banner that
normally appears is different. It's advertising the default "Caldera
OpenLinux 3.1.1" rather than the customized message that I had put there
oh so long ago. I'm wondering how the hell did that get changed? But i
continue, and go to change the default runlevel 5 behavior in
/etc/inittab back to what it was, pre-remote-X-setup, only to my horror,
it already looks as if it has been changed. It's the same as it was
before i changed it last night. This makes absolutely no sense, because
if i glance over to the client that is supposed to be receiving the
remote X, it is! How can this be possible?
So i'm not at all sure what's going on, and i think, i'm just going to
reboot, and everything will be ok (stupid windoze mentality). As root,
i do a "shutdown -r now", and instead of it doing its normal runlevel 6
stuff, it dumps me to the ominous "Hit Control-D to reboot, or enter
root password for maintenance mode" message. I'm thinking, WTF?? For
starters, the file system definitely doesn't need a fsck, because it's
not ext2/3, it's XFS. Also, i know i didn't shutdown improperly, because
the box has been up for the past hour while i frantically tried to
figure out what was going on. If i type the root password, it dumped me
back to a root shell prompt. Then, no matter what i type, it gives me
that same "Control-D" error. If i hit Control-D, i get another
Control-D error. So, i hit control-alt-del, and it spontaneously
reboots.
After it came back up, it was basically the same routine all over again,
with the nologin files, and ppp being in a coma. I did figure out that
it does the Control-D thing when i issue a reboot, but not if i tell it
to just halt at the end of a shutdown.
I am completely & utterly confused at this point. The only other change
that I made last night (as root) was to install the safe new version of
OpenSSH. I've started to consider the possibility that my box was
compromised, but if that did happen, i must have either been asleep at
the wheel, or they were damn good. I monitor all of my logs on a very
regular basis, i've locked down or turned off all services that i don't
use or need, and i've had IP Filter setup for quite some time. The only
external services that i've even offered were sshd, and the remote X
that i setup last night.
Hopefully someone can shed some light on what is going on here.
=====
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Lonni J. Friedman netllama at linux-sxs.org
Linux Step-by-step help: http://netllama.ipfox.com
More information about the Linux-users
mailing list