Hello, I was fairly new to Gentoo but I have done about 10 installs in the past few weeks because it seems that a virus keeps finding its way into my system and I believe it may have come from Gentoo itself. This is going to sound crazy, but I swear to you this happens every time and happens on 3 different servers. Here is what happens: First I lost all of my servers from a hidden directory being created in tmp that has its own proc and dev directories which are then automatically mounted, probably by a script in the system that I can not find. That part may not be unique, I have heard of that before. But here's the insane part. I started from scratch, deleted all my partitions, formatted everything multiple times. I even deleted all partitions, clicked w in fdisk, rebooted and did it again. After I do my install (happened 5 out of 5 times on 2 different servers), and did all my emerges, I disconnect the network cable so that if someone got into my router, they wouldn't be able to connect and I would be safe. So the only time I am connected is when I do my emerges and only when booted from the cd. After I set up everything and reboot, my boot partition is all messed up showing that my grub directory is gone, my kernel images are gone (basically everything I put in boot is gone) except now there is a new directory in there called boot. Inside that boot is another boot, inside that another, and so on. I went into about 50 of these directories and the structure continues. Also, this is also crazy, there is a .initrd directory inside tmp. That's the directory that caused all the problems before I lost my info. When I try to boot after the install, the system is read only, all my kernel stuff is long gone, grub seems to be unmerged, and the .initrd directory is back in tmp. If I reboot 3 times, the system is basically destroyed by the time I start up and it is impossible to boot without the kernel (obviously).
So this has been killing me, so I started over again and deleted all my partitions. Now I am starting to think maybe the iso image that I download from your site may have had this on it because I have nothing at all on my hard drive, but everything is still there. I might not be able to explain this part well enough, but when the cd loads up, I do a cd / to get to root and then I look around. In /tmp the .initrd directory is there and in /boot/ there is that long chain of boot directories in there. Since I have nothing on my hard drive at all, where else could it come from? I also am about 99% sure that the /tmp/.initrd directory is the entire problem (or at least the start of it) because on my old systems that tmp directory was there and had its own proc and dev directories inside of it which were mounted (don't ask me how that happened, it wasn't me). My servers were up for a year with no problems, but one of my servers had a controller fail so we needed to boot from cd to see if we could save the data. We were able to save it, so we did an rsync to my other server to copy the data. Then the next day that server started having problems, and it had never had even one problem before that. It happened again on a 3rd server, which is amd (the others I used x86). My data center has some of the best techs I have ever seen and one of them (I think) is an editor or tester for Gentoo. His name is Mark Irwin from Tampa Florida. My other tech who is even better than Mark is named Ken Sietz, who is known around here as a super genius, and he has no idea whatsoever what could have been able to get the kind of access this virus has. So my new theory is that it must have been on the cd. How else could it get on to a new install where I deleted the partitions 3 times, formatted 3 times and rebooted 3 times before I even started? I made no connections to any computers, I cleared my router and closed all incoming connections and it happens in my house and data center.
The only time the internet cable was connected was when I emerged and I didn't see how that could do this. Please don't think I am crazy, I am starting to feel crazy, but this is really happening. And this is the absolute nastiest virus I have ever seen in my life. It seems harmless at first, but it won't go away and it waits a while and then starts to delete stuff. My computer was booted from cd for 8 hours, I kept checking my backup and the files were all there. Then I looked again and it deleted the www directory in var, my databases and parts of etc. I lost all my data, my last backup was from 4 months ago so some of my clients got really hurt by this. I lost thousands of dollars, 3 servers, websites have been down for 4 days now and I haven't slept since it happened. I might try another version of linux, but that would really suck because I love Gentoo. Please Please Please Please help me, and check out your mirrors for any iso image that may have been attacked. This thing spreads as soon as it sees any type of connection to another server and immediately is on the connected server and then won't go away. My email is pretty much down, so if you guys want more info you can call me at 813 728 7093 if I forgot any info you need. Please, this is about to put me out of business, and I am a really really good developer.

Reproducible: Always

Steps to Reproduce:
1. Just install from cd and it's there when you reboot

Actual Results: see details above
ok, first of all the myth about boot directories within boot directories -- if you do an ls -al /boot you'll see that it contains a symlink like so: boot -> . In other words, /boot/boot is just a symlink to /boot/ itself. Nothing to worry about there, honest, but yes, you can definitely keep going 50 times cd'ing into the same place via that symlink.
The handbook's fstab example suggests the noauto option for /boot; if you followed this example you'll have to mount /boot to make the kernels and grub/grub.conf appear. You haven't provided any info about the cd you are talking about. Which cd image did you burn? Which mirror did you download it from? What md5sum does that image have?
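The two benign findings explained in the replies above (a `boot -> .` symlink inside /boot, and a /boot that looks empty because its fstab entry is `noauto`) can be checked mechanically before anyone concludes a box is compromised. The script below is an added example written for this thread, not code from the bug report or from Gentoo; it runs its checks against a constructed fixture directory and fstab file rather than the real /boot, so the paths and sample fstab lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): triage checks for the
# two harmless /boot symptoms described above. Every function takes a
# directory or file argument so it can be run on a fixture for testing.

# is_self_symlink DIR: true if DIR/boot is a symlink pointing at "."
is_self_symlink() {
  [ -L "$1/boot" ] && [ "$(readlink "$1/boot")" = "." ]
}

# nested_boot_is_same_dir DIR: true if DIR/boot/boot/boot resolves to
# DIR itself, i.e. the "endless chain" is one directory seen repeatedly.
nested_boot_is_same_dir() {
  real=$(cd "$1" && pwd -P) || return 1
  deep=$(cd "$1/boot/boot/boot" 2>/dev/null && pwd -P) || return 1
  [ "$real" = "$deep" ]
}

# fstab_has_noauto FSTAB MOUNTPOINT: true if the (non-comment) fstab
# entry for MOUNTPOINT carries noauto, meaning the filesystem is not
# mounted at boot and the directory shows up empty until mounted by hand.
fstab_has_noauto() {
  awk -v mp="$2" '
    $1 !~ /^#/ && $2 == mp && $4 ~ /(^|,)noauto(,|$)/ { found = 1 }
    END { exit !found }' "$1"
}

# make_fixture: build a constructed stand-in for an unmounted /boot that
# contains only the handbook-style "boot -> ." symlink, plus a sample
# fstab (constructed values, not a real system's).
make_fixture() {
  dir=$(mktemp -d) || return 1
  ln -s . "$dir/boot"
  printf '/dev/sda1\t/boot\text2\tnoauto,noatime\t1 2\n' > "$dir/fstab"
  printf '/dev/sda3\t/\text3\tnoatime\t0 1\n' >> "$dir/fstab"
  echo "$dir"
}

# triage DIR FSTAB: print a human-readable verdict for each check.
triage() {
  is_self_symlink "$1" && echo "$1/boot -> . : nested boot dirs are expected"
  nested_boot_is_same_dir "$1" && echo "$1/boot/boot/boot is $1 itself"
  fstab_has_noauto "$2" /boot && echo "/boot is noauto: mount it to see kernels and grub.conf"
}
```

Run as `d=$(make_fixture); triage "$d" "$d/fstab"` to see the verdicts on the fixture, or point `triage` at a real directory and `/etc/fstab` when checking a live system.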
Hi Everyone, I am really sorry for this bug report, I did get rocked by some malware getting on to 3 of my servers and I think that I thought I saw signs of it happening again with a new install. I am 99% sure now that I was wrong about the problem being from Gentoo. I feel pretty dumb about posting it here, I have my own open source shopping cart project and I hate when someone can't figure something out and reports it as a bug. In my defense, from how I saw things it made sense. The directory that was in /tmp/.initrd/ was where the malware was attacking from and when I saw it was there again I really believed the malware had gotten into my fresh install. I also didn't understand at that time how to view my boot partition's files, so I thought the kernel images were deleted, which is also what that malware was doing to my system so it wouldn't boot. I had a 1 character typo in my grub.conf so I couldn't boot without the cd, so it all seemed like it was happening again. I also didn't realize that /boot/boot was a symbolic link. So all those inexperienced mistakes made me jump to conclusions, plus the fact that I haven't slept for 3 days and am pretty paranoid now. I think I got my install complete, we'll see in a little while if the server will show web pages. If anyone knows anything about what hit me or how to prevent it again, please share. I really really appreciate that some of you answered and it seems that if I weren't resolving this ticket, more of you would have responded in time. So thank you, it's nice knowing there is help when you need it. I really respect the Gentoo project and really enjoy all the great documentation your editors have produced. I might be a newbie with linux, but I am a pretty good php developer / algorithm writer. I have my own shopping cart software and have written an entire flash website builder (www.amazingflash.com), so if you guys want another developer to help in any way let me know.
I like to add to things that truly help the internet. I planned on making myself a command line installer and I have some really nice condensed install steps that work great for me. I have it down to about 15 steps that take up about 3 sheets of paper hand written. So it's short and sweet. Let me know if you guys want it. Paul
I apologize for the bug spam here, but I'm changing the location of this one to its proper place.
Changing resolution code.