ZFS - directory entry

Matthew Seaman matthew at FreeBSD.org
Wed Dec 14 16:38:16 UTC 2016


On 2016/12/14 16:14, Alan Somers wrote:
> On Wed, Dec 14, 2016 at 8:27 AM, Dirk-Willem van Gulik
> <dirkx at webweaving.org> wrote:
>> A rather odd directory entry (in /root, the home dir of root/toor) appeared on a bog standard FreeBSD 10.2 (p18) lightly loaded machine under ZFS during/post a backup:
>>
>> $ ls -la /root | tail -q
>> ----------   1 root  wheel  9223372036854775807 Jan  1  1970 ?%+?kD?H???x,?5?Dh;*s!?h???jw??????\h?:????????``?13?@?????OA????????Puux????<T]???R??Qv?g???]??%?R?
>>
>> OS and ZFS are installed with a bog standard sysinstall. Neither ‘SMART’ nor smartd has reported anything. Nothing in dmesg, syslog or boot log. Any suggestions as to how to debug or get to the root of this?
>>
>> And in particular - what is the risk of a reboot (to get a kernel with debug, etc) causing the issue to ‘go away’ - and hence stopping the forensics?
>>
>> Dw.
>>
>> sudo zpool list -v
>> NAME         SIZE  ALLOC   FREE  EXPANDSZ   FRAG    CAP  DEDUP  HEALTH  ALTROOT
>> tank        25.2T  9.27T  16.0T         -    17%    36%  1.53x  ONLINE  -
>>   raidz3    25.2T  9.27T  16.0T         -    17%    36%
>>     ada0p3      -      -      -         -      -      -
>>     ada1p3      -      -      -         -      -      -
>>     ada2p3      -      -      -         -      -      -
>>     ada3p3      -      -      -         -      -      -
>>     ada4p3      -      -      -         -      -      -
>>     ada5p3      -      -      -         -      -      -
>>     ada6p3      -      -      -         -      -      -
> 
> Two things to try:
> 1) zpool scrub.  This will reveal any corrupt metadata objects
> 2) Maybe the filename is created in an encoding not supported by your
> current terminal.  Try "LANG=en_US.UTF-8 ls -l"
> 3) Use zdb to examine the file.  First, do "ls -li /root" to get the
> object id.  It's the same as the inode number.  Then, assuming /root
> is in the tank/root filesystem, do "zdb -ddddd tank/root <object id>".
> That might reveal some clues.
> 

That file size is one less than 8192 PiB or 0x7fffffffffffffff bytes.
That would be pretty impressive, if it was real.

	Cheers,

	Matthew
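
The following is an added example, not part of the original thread: a read-only Python sketch that walks a directory, flags entries showing the indicators seen in the listing above (size 0x7fffffffffffffff, mode 000, epoch timestamp, undecodable name) and prints the inode number together with the zdb invocation suggested in the reply. The dataset name `tank/root`, the function names and the two-indicator threshold are assumptions.

```python
import os
import stat
import sys

INT64_MAX = 0x7FFFFFFFFFFFFFFF  # the size shown in the ls output in the thread


def anomalies(name: bytes, st) -> list:
    """Return the reasons an entry resembles the damaged one in the thread."""
    reasons = []
    if st.st_size >= INT64_MAX:
        reasons.append("size is INT64_MAX")
    if stat.S_IMODE(st.st_mode) == 0:
        reasons.append("mode 000")
    if st.st_mtime == 0:
        reasons.append("mtime is the epoch")
    try:
        if not name.decode("utf-8").isprintable():
            reasons.append("non-printable name")
    except UnicodeDecodeError:
        reasons.append("name is not valid UTF-8")
    return reasons


def scan(directory: str, dataset: str = "tank/root", min_hits: int = 2):
    """Yield (inode, escaped name, reasons, zdb command) for suspect entries.

    dataset is an assumed name; min_hits is a heuristic, because a single
    indicator (mode 000 alone, say) can be perfectly legitimate.
    """
    # A bytes path makes scandir return raw names, so nothing is lost to
    # terminal or locale decoding.
    with os.scandir(os.fsencode(directory)) as it:
        for entry in it:
            try:
                st = entry.stat(follow_symlinks=False)
            except OSError as exc:
                yield None, repr(entry.name), [f"lstat failed: {exc}"], None
                continue
            reasons = anomalies(entry.name, st)
            if len(reasons) >= min_hits:
                yield (st.st_ino, repr(entry.name), reasons,
                       f"zdb -ddddd {dataset} {st.st_ino}")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/root"
    for ino, name, reasons, cmd in scan(target):
        print(ino, name, "; ".join(reasons))
        if cmd:
            print("    inspect with:", cmd)
```

The script only calls lstat on each entry and never opens or modifies it, so it can be run before a scrub or reboot to record the state of the directory.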






More information about the freebsd-hackers mailing list