bob at verysecurelinux.com
Tue Dec 9 18:17:39 EST 2003
On Tue, Dec 09, 2003 at 02:46:31PM -0500, David Hamm wrote:
> Had a machine with / formatted ext3 that was shutdown ungracefully.
> When it came up we had to run e2fsck manually. Now there are a bunch of
> files in lost+found. Are the files in lost+found usually files that
> were open when the system went down?
No. Some of them were files that had been modified or even just accessed
recently or whose directory (or directory's directory) had been altered,
or just caught in the crossfire.
More specifically, if a file (Inode, to be technical) has not been flagged
as deleted but whose inode number does not appear in any directory on the
file system, fsck cannot know which directory to put it in so it is placed
in a "catch all" dir, called lost+found. There should be a lost+found
dir on each file system, including /.
Search the list of files on your backup media to know where to put it.
Hopefully, your backup includes inode numbers 'cause that's all you have
to go on. Failing that, do "file /lost+found/*" and try to guess what
they do. If that does not clear it up and you have a good backup, you
can use the Trojan scan techniques in my book to determine where the
bob at verysecurelinux.com [Please use for email to me]
http://www.verysecurelinux.com [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
"Microsoft: Unsafe at any clock speed!"
-- Bob Toxen 10/03/2002
More information about the Ale