Re: strange files

Mon, 19 Sep 2005 19:11:18 -0700 

On Mon, 2005-09-19 at 15:23 +1000, Peter Lieverdink wrote:
> Hi all,
> 
> I came across something odd this morning on a Sarge production server I
> manage remotely. The machine runs a self-compiled 2.6.12.2 kernel and I
> keep it up to date with security fixes. (I run upgrades and
> dist-upgrades when I get email from debian-security-announce).
> 
> The box is an HP/Compaq somethingorother server with the following
> controller:
> 
> 0000:04:03.0 RAID bus controller: Compaq Computer Corporation Smart
> Array 64xx (rev 01). The filesystem is ext3 on 2x160GB hardware RAID1.
> The box has 3 GB ECC RAM. None of the hardware reports any failure of
> any kind.
> 
> The weird this is that there are six files in / that should not be
> there. 'ls -l' gives me:
> 
> -rw-rw-rw-   1 root root    0 2005-08-17 23:08 ?
> -rw-rw-rw-   1 root root    0 2005-08-18 23:08 ?
> -rw-rw-rw-   1 root root    0 2005-09-06 23:13 ?
> -rw-rw-rw-   1 root root    0 2005-08-17 23:08 ???
> -rw-rw-rw-   1 root root    0 2005-08-18 23:08 ???
> -rw-rw-rw-   1 root root    0 2005-09-06 23:13 ???
> 
> Not useful.
> 
> I wrote a little C app that runs readdir() on / and gives me all the
> filenames as strings and a char[] cast into int. With an utf8 console I
> get the filenames as a series of squares now, but what I find more
> interesting is that when I print off the integer values of each of the
> chars in the filenames, I get this:
> 
> dir='/', file='', char[] = -10,-73,-128
> dir='/', file='?', char[] = -10,-73,-80,-110,25,8
> dir='/', file='', char[] = -14,-73,-128
> dir='/', file='򷰒', char[] = -14,-73,-80,-110,25,8
> dir='/', file='', char[] = -16,-73,-128
> dir='/', file='𷰒', char[] = -16,-73,-80,-110,25,8
> 
> ... negative numbers? (The strings won't paste properly). 

Perhaps you should be using unsigned integers. That might make a little
more sense since I think that character systems generally work with
positive integers. If these are supposed to be unicode characters, or
anything else that's not _supposed_ to be understood in signed 8 bit
chunks, it's quite likely that you would have integer overflows
resulting in negative numbers.

a simple shell script might make inspection of the files/filenames a
little easier. something like:

[EMAIL PROTECTED]:/tmp/test$ ls -l total 12
-rw-r--r--  1 david david 10 2005-09-19 21:28 ??
-rw-r--r--  1 david david 31 2005-09-19 21:30 ???
-rw-r--r--  1 david david  8 2005-09-19 21:30 ??
[EMAIL PROTECTED]:/tmp/test$ /bin/ls * | while read f ; do echo 'filename:';
echo $f |hd -o; echo 'file contents:'; cat $f |hd; echo
'-----------------'; done
filename:
00000000  01 02 0a                                          |...|
0000000  001001  000012
0000003
file contents:
00000000  62 6c 61 68 20 62 6c 61  68 0a                    |blah blah.|
0000000a
-----------------
filename:
00000000  04 05 06 0a                                       |....|
0000000  002404  005006
0000004
file contents:
00000000  61 6c 6c 20 79 6f 75 72  20 62 61 73 65 20 61 72  |all your
base ar|
00000010  65 20 62 65 6c 6f 6e 67  20 74 6f 20 75 73 0a     |e belong to
us.|
0000001f
-----------------
filename:
00000000  07 08 0a                                          |...|
0000000  004007  000012
0000003
file contents:
00000000  66 6f 6f 20 62 61 72 0a                           |foo bar.|
00000008
-----------------

dunno if that was helpful.

-davidc

-- 
gpg-key: http://www.zettazebra.com/files/key.gpg

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to