During a routine trawl through the ext3 files, I found some astronomical file sizes, billions and billions of GB. They also have strange user and group names. I can not delete these "weird files" (the term used by the operating system utilities).
Here are a few examples. The original files were created on Windoze 98 version 2 circa 2001.
2411957 p--x---rwx 65487 299196551 2101198676 775118685 Apr 5 1943 00002434.thm
2411959 ?--xr-srwT 6581 42211 24637 1333254828 Jan 30 2029 00002435
2411960 -rwxr-xr-x 44608 305922048 3679253821 14580319157523353423 Dec 1 1949 00002437
lsattr: Operation not supported While reading flags on .....
stat .......
A "normal" file looks like this example:
  File: `00002436'
  Size: 47537  Blocks: 96  IO Block: 4096  regular file
Device: fd00h/64768d  Inode: 2411956  Links: 1
Access: (0755/-rwxr-xr-x)  Uid: ( 0/ root)  Gid: ( 0/ root)
Access: 2014-09-13 17:36:21.000000000 +0100
Modify: 2001-02-21 00:52:50.000000000 +0000
Change: 2013-03-12 06:26:36.000000000 +0000
The problem files look like this:
  File: `00002434.thm'
  Size: 775118685  Blocks: 3429617551  IO Block: 4096  fifo
Device: fd00h/64768d  Inode: 2411957  Links: 65487
Access: (0107/p--x---rwx)  Uid: (299196551/ UNKNOWN)  Gid: (2101198676/ UNKNOWN)
Access: 1951-12-14 00:29:38.000000000 +0000
Modify: 1943-04-05 10:37:22.000000000 +0200
Change: 2011-08-13 06:50:44.000000000 +0100

  File: `00002435'
  Size: 1333254828  Blocks: 1402834881  IO Block: 4096  weird file
Device: fd00h/64768d  Inode: 2411959  Links: 6581
Access: (3156/?--xr-srwT)  Uid: (42211/ UNKNOWN)  Gid: (24637/ UNKNOWN)
Access: 1926-11-04 02:28:28.000000000 +0000
Modify: 2029-01-30 15:25:30.000000000 +0000
Change: 1928-09-14 11:19:14.000000000 +0100

  File: `00002437'
  Size: 14580319157523353423  Blocks: 1664918158  IO Block: 4096  regular file
Device: fd00h/64768d  Inode: 2411960  Links: 44608
Access: (0755/-rwxr-xr-x)  Uid: (305922048/ UNKNOWN)  Gid: (3679253821/ UNKNOWN)
Access: 2014-09-13 17:36:28.000000000 +0100
Modify: 1949-12-01 22:31:41.000000000 +0000
Change: 2030-03-17 01:15:08.000000000 +0000
rm: cannot remove `00002437': Operation not permitted
However, using 'lsattr 00002437' to expose the flags, then removing the flags with 'chattr -{flag} 00002437' eventually permitted me to delete the file with 'rm 00002437'.
The remaining two files appear un-touchable.
lsattr 00002435
lsattr: Operation not supported While reading flags on 00002435

chattr -a 00002434.thm ('a' was a random choice)
chattr: Operation not supported while reading flags on 00002434.thm

find . -inum 2411959 -exec rm -i {} \;
rm: remove weird file `./00002435'? y
rm: cannot remove `./00002435': Operation not permitted
All advice, except to transfer everything to a new partition then reformat the bad partition (which I will do eventually), appreciated.
On 09/13/2014 12:20 PM, Always Learning wrote:
> All advice, except to transfer everything to a new partition then reformat the bad partition (which I will do eventually), appreciated.
Have you run an fsck on this partition lately?
After unmounting the filesystem (assuming this is one of the filesystems you cannot run fsck on while it is mounted) and running fsck as Steven suggested, try to delete the files in question (if they are still present). If they still resist, there may be an immutable bit that got set somehow; you will then need to use the chattr command to unset it first, and then you should be able to delete the files.
Good luck.
Valeri
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
Thank you to Steven and to Valeri for an excellent idea.
The fsck cured the problem. The problem files were removed by fsck during its recovery/rectification.
Thanks again.
Paul. England, EU
Good luck for Scotland's Independence !
On Sun, Sep 14, 2014, Always Learning wrote:
> Thank you to Steven and to Valeri for an excellent idea.
> The fsck cured the problem. The problem files were removed by fsck during its recovery/rectification.
The first thing you should do when you find files or directories is use 'lsattr' to check the attributes. In particular look for the 'i' attribute which marks the entry as immutable. A favorite trick of crackers is to put their own versions of commands such as /bin/ps, /bin/ls, /usr/bin/find, etc. to hide their activity.
You can use the 'chattr' command to change the attributes with something like 'chattr -i /bin/ps' to remove immutable attribute. If there are multiple attributes shown by the 'lsattr' command, simply add them like 'chattr -iAs /bin/ps'. It also takes the -R option to run recursively through a directory.
Bill
On 2014-09-14, Bill Campbell <centos@celestial.com> wrote:
> On Sun, Sep 14, 2014, Always Learning wrote:
>> The fsck cured the problem. The problem files were removed by fsck during its recovery/rectification.
> The first thing you should do when you find files or directories is use 'lsattr' to check the attributes.
The OP already did that.
> You can use the 'chattr' command to change the attributes with something like 'chattr -i /bin/ps' to remove immutable attribute.
The OP tried chattr, and reported that it failed for certain files. This is why other people suggested an fsck; these are both indicators of a damaged filesystem.
--keith
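
The metadata checks implied by this thread, as an added example that is not part of any poster's message: it parses the stat(1) records quoted in the original post and flags fields that a healthy ext3 inode cannot have, the pattern that pointed to fsck rather than chattr. The limits used (32000 links per inode, 2 TiB file size with 4 KiB blocks) are ext3's; the names `triage`, `RECORDS` and `ref_year` are illustrative.

```python
import re

# stat(1) records copied from the original post in this thread.
RECORDS = [
    "File: `00002436' Size: 47537 Blocks: 96 IO Block: 4096 regular file Device: fd00h/64768d Inode: 2411956 Links: 1 Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2014-09-13 17:36:21.000000000 +0100 Modify: 2001-02-21 00:52:50.000000000 +0000 Change: 2013-03-12 06:26:36.000000000 +0000",
    "File: `00002434.thm' Size: 775118685 Blocks: 3429617551 IO Block: 4096 fifo Device: fd00h/64768d Inode: 2411957 Links: 65487 Access: (0107/p--x---rwx) Uid: (299196551/ UNKNOWN) Gid: (2101198676/ UNKNOWN) Access: 1951-12-14 00:29:38.000000000 +0000 Modify: 1943-04-05 10:37:22.000000000 +0200 Change: 2011-08-13 06:50:44.000000000 +0100",
    "File: `00002435' Size: 1333254828 Blocks: 1402834881 IO Block: 4096 weird file Device: fd00h/64768d Inode: 2411959 Links: 6581 Access: (3156/?--xr-srwT) Uid: (42211/ UNKNOWN) Gid: (24637/ UNKNOWN) Access: 1926-11-04 02:28:28.000000000 +0000 Modify: 2029-01-30 15:25:30.000000000 +0000 Change: 1928-09-14 11:19:14.000000000 +0100",
    "File: `00002437' Size: 14580319157523353423 Blocks: 1664918158 IO Block: 4096 regular file Device: fd00h/64768d Inode: 2411960 Links: 44608 Access: (0755/-rwxr-xr-x) Uid: (305922048/ UNKNOWN) Gid: (3679253821/ UNKNOWN) Access: 2014-09-13 17:36:28.000000000 +0100 Modify: 1949-12-01 22:31:41.000000000 +0000 Change: 2030-03-17 01:15:08.000000000 +0000",
]

EXT3_LINK_MAX = 32000        # ext3 hard-link ceiling per inode
EXT3_MAX_FILE = 2 * 1024**4  # ext3 file-size ceiling with 4 KiB blocks (2 TiB)

REC = re.compile(
    r"File:\s+`(?P<name>[^']+)'\s+Size:\s+(?P<size>\d+)\s+Blocks:\s+(?P<blocks>\d+)\s+"
    r"IO Block:\s+\d+\s+(?P<type>.+?)\s+Device:\s+\S+\s+Inode:\s+\d+\s+"
    r"Links:\s+(?P<links>\d+)\s+Access:\s+\([^)]*\)\s+"
    r"Uid:\s+\(\s*\d+/\s*(?P<user>\S+)\)\s+Gid:\s+\(\s*\d+/\s*(?P<group>\S+)\)\s+"
    r"Access:\s+(?P<Access>\d{4})-.*?Modify:\s+(?P<Modify>\d{4})-.*?Change:\s+(?P<Change>\d{4})-",
    re.S)

def triage(record, ref_year):
    """Return (name, flags); each flag names a field no healthy ext3 inode has."""
    m = REC.search(record)
    if m is None:
        raise ValueError("not a stat(1) record")
    r, flags = m.groupdict(), []
    if r["type"] == "weird file":                 # stat's label for unknown type bits
        flags.append("type")
    if r["type"] == "fifo" and (int(r["size"]) or int(r["blocks"])):
        flags.append("fifo-data")                 # a FIFO owns no data blocks
    if int(r["links"]) > EXT3_LINK_MAX:
        flags.append("links")
    if int(r["size"]) > EXT3_MAX_FILE:
        flags.append("size")
    if "UNKNOWN" in (r["user"], r["group"]):      # weak alone: id has no local name
        flags.append("owner")
    for field in ("Access", "Modify", "Change"):  # before the epoch or after "now"
        if not 1970 <= int(r[field]) <= ref_year:
            flags.append(field)
    return r["name"], flags

if __name__ == "__main__":
    for rec in RECORDS:
        name, flags = triage(rec, ref_year=2014)  # 2014: year of the thread
        # Several flags at once point at a damaged inode (fsck), not at chattr.
        print(name, "OK" if not flags else "suspect: " + ",".join(flags))
```

A file that refuses deletion but shows no flags here is the case where checking `lsattr` for the immutable attribute is the useful next step.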