mailliw
Posts: 39
Joined: Fri May 10, 2013 10:51 am

Directory disappeared...twice

Sun Jun 02, 2013 10:24 pm

Hi,

I've used terminal on a mac and shell on a server for quite a few years, but am still pretty green. I know my way around, but I am completely stumped and worried about what's just happened.

I SSHd into my pi to check on some scripts I've been writing, and found that an entire directory had disappeared. It was nowhere to be seen. I had backups on my laptop, so I put everything back and re-cloned two supporting repos from github.

An hour later, the *new* directory (a different name from the old one, and the scripts inside were also named differently) had also been deleted. I quickly changed my password again on the pi, and nothing else in the directory structure has disappeared. It is very, very odd though. The scripts aren't touching the filesystem at all, so it's not rogue code.

Any suggestions? I have TextWrangler, a great text editor for the Mac, accessing the pi over FTP...but it's not syncing entire directories. It only acts on changes when I hit save. Likewise I have AFP support for the Mac, but again I'm not syncing anything.

I did run rsync earlier to back things up to my laptop, but that's a manual process.

Do file/directory removals appear in a logfile that I could check? I'd really like to go through a file line by line and see a) the changes I made (in particular the second directory creation and subsequent deletion), but I don't know which logfile...and I fear it may all have been wiped since a shutdown.

Pathetically yours - grateful for any pointers.

Will

User avatar
FTrevorGowen
Forum Moderator
Forum Moderator
Posts: 5087
Joined: Mon Mar 04, 2013 6:12 pm
Location: Bristol, U.K.
Contact: Website

Re: Directory disappeared...twice

Mon Jun 03, 2013 8:12 am

Are you shutting down your Pi cleanly? ie. running "sudo shutdown -h now " (or similar), waiting for ~20 secs. for the green "act" LED to stop blinking (whilst the Pi is finalising all writes to the SDHC card) and only then switching off/unplugging power.
Which OS/version are you running?
Trev.
Still running Raspbian Jessie on some older Pi's (an A, B1, B2, B+, P2B, 3xP0, P0W) but Stretch on my 2xP3A+, P3B+, P3B, B+, A+ and a B2. See: https://www.cpmspectrepi.uk/raspberry_pi/raspiidx.htm

mailliw
Posts: 39
Joined: Fri May 10, 2013 10:51 am

Re: Directory disappeared...twice

Mon Jun 03, 2013 8:21 am

Hi Trevor.

I always reboot with "shutdown -r now" and use the -h flag to shutdown, but that's a good point about the green light. I didn't know that. Really good thought - perhaps that's it. But it's strange that it should have happened twice, to two separate directories, and I don't remember shutting down the Pi in between those two events!

I'm on the latest raspbian issued a couple of days ago.

pjc123
Posts: 913
Joined: Thu Mar 29, 2012 3:37 pm
Contact: Website

Re: Directory disappeared...twice

Mon Jun 03, 2013 1:20 pm

I can't find the post, but there was another person who lost an entire days worth of software coding work after SSHing in, saving the work and then rebooting. I don't know if the issue was ever resolved. One of the questions in that thread was whether the directory was being created under the /tmp directory....obviously not good.

The following will not help you with what a program might delete, but as far as actions you took on the command line, take a look at your history by either:

1) Using the up arrow key to show you each command one at a time.

2) Typing "history" to give you the whole list and/or redirecting it into a file.

3) Sometimes it is easier to just view the history file directly in an editor. vi lets you scroll up and down the list.
vi ~/.bash_history.
Last edited by pjc123 on Mon Jun 03, 2013 1:42 pm, edited 2 times in total.
My Raspberry Pi Project Page:
https://www.flaminghellmet.com/launch/

mailliw
Posts: 39
Joined: Fri May 10, 2013 10:51 am

Re: Directory disappeared...twice

Mon Jun 03, 2013 1:24 pm

Good thought, but no. /home/pi/me/* is where I keep everything ...

User avatar
RaTTuS
Posts: 10460
Joined: Tue Nov 29, 2011 11:12 am
Location: North West UK

Re: Directory disappeared...twice

Mon Jun 03, 2013 1:41 pm

if anyone else has access to it or it is connected to the internet via ssh then
100% of the time
add a new user
use that
and
disable the pi user
[or at the very least change the password]
How To ask Questions :- http://www.catb.org/esr/faqs/smart-questions.html
WARNING - some parts of this post may be erroneous YMMV

1QC43qbL5FySu2Pi51vGqKqxy3UiJgukSX
Covfefe

mailliw
Posts: 39
Joined: Fri May 10, 2013 10:51 am

Re: Directory disappeared...twice

Mon Jun 03, 2013 1:53 pm

Yeah - nobody else has access and I've changed the pi pass. Good idea about deleting the pi account though - thanks.

pjc123
Posts: 913
Joined: Thu Mar 29, 2012 3:37 pm
Contact: Website

Re: Directory disappeared...twice

Mon Jun 03, 2013 1:56 pm

It could also be related to how you are editing files and/or creating/deleting directories. I only use editors that are located on the pi to edit files, almost exclusively vi, and delete/create directories from the command line, not through graphical ftp programs.
My Raspberry Pi Project Page:
https://www.flaminghellmet.com/launch/

mailliw
Posts: 39
Joined: Fri May 10, 2013 10:51 am

Re: Directory disappeared...twice

Wed Jun 05, 2013 12:06 pm

I think I'm being hacked, or have been hacked. I just used nano to create the script again, in a new file. I ran it. It was fine.

20 minutes later it failed to run. Inspecting it in nano revealed it had been completely torn apart, replaced with the following:

Code: Select all

anja o rasporedu tastature i trenutna konfiguracija će se zadržati.
Extended_description-sv.utf-8: Den aktuella tangentbordslayouten i konfigurationsfilen /etc/default/keyboard är definierad som XKBLAYOUT="${XK$
Extended_description-ta.utf-8: /etc/default/keyboard வடிவமைப்புக்கோப்பில் தற்போதைய இட அமைப்பு இப்படி வரையறுக்கப்பட்டுள்ளது:  XKBLAYOUT="${XKBLAYOUT}" மற்ற$
Extended_description-te.utf-8: ప్రస్తుతము  /etc/default/keyboard అమరిక ఫైల్ లో  కీబోర్డు నమూనా  నిర్వచించబడినతీరు XKBLAYOUT="${XKBLAYOUT}" మరియు  XKBVARIANT="$
Extended_description-th.utf-8: ผังแป้นพิมพ์ปัจจุบันในแฟ้มค่าตั้ง /etc/default/keyboard กำหนดไว้เป็น XKBLAYOUT="${XKBLAYOUT}" และ XKBVARIANT="${XKBVARIANT}"$
Extended_description-tr.utf-8: /etc/default/keyboard yapılandırma dosyasındaki klavye düzeni  XKBLAYOUT="${XKBLAYOUT}" ve  XKBVARIANT="${XKBVA$
Extended_description-ug.utf-8: نۆۋەتتىكى ھەرپتاختا جايلاشتۇرۇش سەپلىمە ھۆججەت /etc/default/keyboard تە XKBLAYOUT="${XKBLAYOUT}" ۋە XKBVARIANT=$


Looks extremely dodgy to me. Advice?!

User avatar
rpdom
Posts: 15234
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Directory disappeared...twice

Wed Jun 05, 2013 12:44 pm

I can think of a few possibilities there. (There are probably others too).

a) The file wasn't written properly. Yes, it will look like it was, but that is because all the writes are cached in memory for a while and when you re-read the file you will see the cached version. Use the "sync" command (no need for sudo for that) to force the cache to be written out, then do "dmesg | tail" to check the system log for any errors that might have happened.

b) You might have been hacked. Is your Pi visible from the internet? Have you change the pi user password?

c) I have seen this sort of behaviour before on a fake card. It claimed to be 8GB, but was really only 2GB. Once I wrote past the 2GB limit it started again at 0 and corrupted the card. Although that did mess up the partition table as well and I had to reformat.

mailliw
Posts: 39
Joined: Fri May 10, 2013 10:51 am

Re: Directory disappeared...twice

Wed Jun 05, 2013 1:22 pm

Thanks for the reply. I just don't see how I could've been hacked. Yes, it's possible - it's connected to my network - but I think you're right about the card being corrupt. And I think rsync is to blame: it has now ruined vast chunks of system files, including /etc/sudoers which contains a list of languages, not users! Ridiculous.

So it's back to square one and a reformat, while I try to remember how the hell I managed to get the wifi dongle working.

Return to “Troubleshooting”