bad pmd ffff810000207808(9090909090909090).

bad pmd ffff810000207808(9090909090909090).

[OGAWA Hirofumi]

Hi,

I've found today the following error in syslog. It seems have a strange
pattern. And it also happened at a month ago.

Any idea for debuging this?

Thanks.


May  6 07:21:36 duaron kernel: kjournald starting.  Commit interval 5 seconds
May  6 07:21:36 duaron kernel: EXT3 FS on sda2, internal journal
May  6 07:21:36 duaron kernel: EXT3-fs: mounted filesystem with ordered data mode.
May  6 07:21:36 duaron kernel: NET: Registered protocol family 15
May  6 07:21:36 duaron kernel: /devel/linux/works/linux-2.6/mm/memory.c:127: bad pmd ffff810000207808(9090909090909090).
May  6 07:21:36 duaron kernel: r8169: eth0: link up
May  6 07:21:36 duaron kernel: r8169: eth0: link up
May  6 07:21:36 duaron kernel: scsi 4:0:0:0: Direct-Access     USB2.0   CF  Card Reader   9144 PQ: 0 ANSI: 0
May  6 07:21:36 duaron kernel: sd 4:0:0:0: [sdc] Attached SCSI removable disk
May  6 07:21:36 duaron kernel: sd 4:0:0:0: Attached scsi generic sg3 type 0
May  6 07:21:36 duaron kernel: scsi 4:0:0:1: Direct-Access     USB2.0   CBO Card Reader   9144 PQ: 0 ANSI: 0
May  6 07:21:36 duaron kernel: sd 4:0:0:1: [sdd] Attached SCSI removable disk


Apr  9 03:53:40 duaron kernel: scsi 4:0:0:1: Direct-Access     USB2.0   CBO Card Reader   9144 PQ: 0 ANSI: 0
Apr  9 03:53:40 duaron kernel: sd 4:0:0:1: [sdd] Attached SCSI removable disk
Apr  9 03:53:40 duaron kernel: sd 4:0:0:1: Attached scsi generic sg4 type 0
Apr  9 03:53:40 duaron kernel: usb-storage: device scan complete
Apr  9 03:53:40 duaron kernel: NET: Registered protocol family 15
Apr  9 03:53:40 duaron kernel: /devel/linux/works/linux-2.6/mm/memory.c:127: bad pmd ffff810000207208(9090909090909090).
Apr  9 03:53:40 duaron kernel: r8169: eth0: link up
Apr  9 03:53:40 duaron kernel: r8169: eth0: link up
Apr  9 03:53:40 duaron kernel: RPC: Registered udp transport module.
Apr  9 03:53:40 duaron kernel: RPC: Registered tcp transport module.
Apr  9 03:53:40 duaron kernel: NET: Registered protocol family 10
Apr  9 03:53:40 duaron kernel: lo: Disabled Privacy Extensions
Apr  9 03:53:42 duaron kernel: p4-clockmod: P4/Xeon(TM) CPU On-Demand Clock Modulation available
-- 
OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

Re: bad pmd ffff810000207808(9090909090909090).

[Jan Engelhardt]

On Tuesday 2008-05-06 14:00, OGAWA Hirofumi wrote:

>Hi,
>
>I've found today the following error in syslog. It seems have a strange
>pattern. And it also happened at a month ago.
>
>Any idea for debuging this?
>

90 is NOP on x86, perhaps something got rooted?

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

Re: bad pmd ffff810000207808(9090909090909090).

[OGAWA Hirofumi]

Jan Engelhardt <jengelh@medozas.de> writes:

> On Tuesday 2008-05-06 14:00, OGAWA Hirofumi wrote:
>
>>I've found today the following error in syslog. It seems have a strange
>>pattern. And it also happened at a month ago.
>>
>>Any idea for debuging this?
>>
>
> 90 is NOP on x86, perhaps something got rooted?

I see. I'm not sure, but I didn't notice this soon, maybe it worked as
almost usual.

Thanks.
-- 
OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

Re: bad pmd ffff810000207808(9090909090909090).

[Willy Tarreau]

On Tue, May 06, 2008 at 09:52:58PM +0900, OGAWA Hirofumi wrote:
> Jan Engelhardt <jengelh@medozas.de> writes:
> 
> > On Tuesday 2008-05-06 14:00, OGAWA Hirofumi wrote:
> >
> >>I've found today the following error in syslog. It seems have a strange
> >>pattern. And it also happened at a month ago.
> >>
> >>Any idea for debuging this?
> >>
> >
> > 90 is NOP on x86, perhaps something got rooted?
> 
> I see. I'm not sure, but I didn't notice this soon, maybe it worked as
> almost usual.

I got immediate same feeling as Jan here. It looks very much like someone
has tried to inject code into your system. The problem is that you don't
know if this finally succeeded. Maybe some backdoor is now installed in
your kernel. If I were you, I would isolate the machine, reboot it on CD
and check MD5s (particularly the ones of the kernel and modules) before
rebooting it.

Willy

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

Re: bad pmd ffff810000207808(9090909090909090).

[OGAWA Hirofumi]

Willy Tarreau <w@1wt.eu> writes:

>> I see. I'm not sure, but I didn't notice this soon, maybe it worked as
>> almost usual.
>
> I got immediate same feeling as Jan here. It looks very much like someone
> has tried to inject code into your system. The problem is that you don't
> know if this finally succeeded. Maybe some backdoor is now installed in
> your kernel. If I were you, I would isolate the machine, reboot it on CD
> and check MD5s (particularly the ones of the kernel and modules) before
> rebooting it.

Hm.. I've checked md5sum as far as I can do (/var/lib/dpkg/info/*.md5sums).
It seems to have no difference except data files.

And this machine is in back of firewall of other machine, and the kernel
is builded from source each every day or a hour or such.

So, it is unlikely...

Thanks.
-- 
OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

Re: bad pmd ffff810000207808(9090909090909090).

[Willy Tarreau]

On Wed, May 07, 2008 at 08:06:47AM +0900, OGAWA Hirofumi wrote:
> Willy Tarreau <w@1wt.eu> writes:
> 
> >> I see. I'm not sure, but I didn't notice this soon, maybe it worked as
> >> almost usual.
> >
> > I got immediate same feeling as Jan here. It looks very much like someone
> > has tried to inject code into your system. The problem is that you don't
> > know if this finally succeeded. Maybe some backdoor is now installed in
> > your kernel. If I were you, I would isolate the machine, reboot it on CD
> > and check MD5s (particularly the ones of the kernel and modules) before
> > rebooting it.
> 
> Hm.. I've checked md5sum as far as I can do (/var/lib/dpkg/info/*.md5sums).
> It seems to have no difference except data files.
> 
> And this machine is in back of firewall of other machine, and the kernel
> is builded from source each every day or a hour or such.
> 
> So, it is unlikely...

OK. At least it was worth checking!

Regards,
Willy

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>