External HDD crashes after multiple mount attempts

amenex
Joined: 01/03/2015

Today I was running several nmap scans when I found that my external USB-connected HDD had suddenly lost its mounted state.

I was sure that my 'puter had been hacked, but found no odd behavior in my router's security log ... no login attempts other than my own successful login.

dmesg revealed these ominous lines:

dmesg | tail
[13541.051903] audit: type=1400 audit(1541008900.227:265): apparmor="ALLOWED" operation="truncate" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/4570" pid=4570 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[13541.052702] audit: type=1400 audit(1541008900.227:266): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/1442" pid=4570 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[13541.052787] audit: type=1400 audit(1541008900.227:267): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/1425" pid=4570 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[13541.052847] audit: type=1400 audit(1541008900.227:268): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/1450" pid=4570 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[13541.053046] audit: type=1400 audit(1541008900.227:269): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/1444" pid=4570 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[13541.053287] audit: type=1400 audit(1541008900.227:270): apparmor="ALLOWED" operation="unlink" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/4570" pid=4570 comm="smbd" requested_mask="d" denied_mask="d" fsuid=0 ouid=0
[14028.710916] audit: type=1400 audit(1541009387.902:271): apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/4575" pid=4575 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[14028.710973] audit: type=1400 audit(1541009387.902:272): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/4575" pid=4575 comm="smbd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
[14028.711026] audit: type=1400 audit(1541009387.902:273): apparmor="ALLOWED" operation="truncate" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/4575" pid=4575 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[14028.713112] audit: type=1400 audit(1541009387.902:274): apparmor="ALLOWED" operation="unlink" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/4575" pid=4575 comm="smbd" requested_mask="d" denied_mask="d" fsuid=0 ouid=0

[14441.033001] audit: type=1400 audit(1541009800.238:275): apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/4618" pid=4618 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[14441.033056] audit: type=1400 audit(1541009800.238:276): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/4618" pid=4618 comm="smbd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
[14441.033108] audit: type=1400 audit(1541009800.238:277): apparmor="ALLOWED" operation="truncate" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/4618" pid=4618 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[14441.034291] audit: type=1400 audit(1541009800.238:278): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/1442" pid=4618 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[14441.034423] audit: type=1400 audit(1541009800.238:279): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/1425" pid=4618 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[14441.034518] audit: type=1400 audit(1541009800.238:280): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/1450" pid=4618 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[14441.034816] audit: type=1400 audit(1541009800.238:281): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/1444" pid=4618 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[14441.035169] audit: type=1400 audit(1541009800.238:282): apparmor="ALLOWED" operation="unlink" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/4618" pid=4618 comm="smbd" requested_mask="d" denied_mask="d" fsuid=0 ouid=0


[Restart, after a short break for lunch and my flu shot]

[ 35.862374] audit: type=1400 audit(1541010230.297:67): apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/1296" pid=1296 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[ 35.862387] audit: type=1400 audit(1541010230.297:68): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/1296" pid=1296 comm="smbd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
[ 35.862401] audit: type=1400 audit(1541010230.297:69): apparmor="ALLOWED" operation="truncate" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/1296" pid=1296 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[ 35.902164] audit: type=1400 audit(1541010230.337:70): apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/1297" pid=1297 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[ 35.902178] audit: type=1400 audit(1541010230.337:71): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/1297" pid=1297 comm="smbd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
[ 35.902195] audit: type=1400 audit(1541010230.337:72): apparmor="ALLOWED" operation="truncate" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/1297" pid=1297 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[ 35.949761] audit: type=1400 audit(1541010230.385:73): apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/1303" pid=1303 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[ 35.949779] audit: type=1400 audit(1541010230.385:74): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/1303" pid=1303 comm="smbd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
[ 35.949793] audit: type=1400 audit(1541010230.385:75): apparmor="ALLOWED" operation="truncate" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/1303" pid=1303 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[ 36.803003] audit: type=1400 audit(1541010231.237:76): apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/1359" pid=1359 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

A search on "comm="smbd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0" finds a couple of _old_ bug discussions:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1719354 and
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1593502

As I was scanning for open ports 3389 (and finding ca. 10,000 in the previous ten days or so) it seems suspiciously related to my 'puter's sudden interest in samba, which I haven't used in several years.

The only shrieks my router makes are related to a great many improper packets during active nmap scans, but these stop when the scans finish. Almost no external IPv4's are showing up in the router logs.

Here's what "tail -f /var/log/syslog | grep -i apparmor" gets:

Oct 31 15:51:58 REDACTED kernel: [ 1657.271157] audit: type=1400 audit(1541015518.222:106): apparmor="ALLOWED" operation="truncate" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/2748" pid=2748 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Oct 31 15:51:58 REDACTED kernel: [ 1657.272136] audit: type=1400 audit(1541015518.222:107): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/1359" pid=2748 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Oct 31 15:51:58 REDACTED kernel: [ 1657.272202] audit: type=1400 audit(1541015518.222:108): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/1280" pid=2748 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Oct 31 15:51:58 REDACTED kernel: [ 1657.272369] audit: type=1400 audit(1541015518.222:109): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/1297" pid=2748 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Oct 31 15:51:58 REDACTED kernel: [ 1657.272425] audit: type=1400 audit(1541015518.222:110): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/1303" pid=2748 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Oct 31 15:51:58 REDACTED kernel: [ 1657.272821] audit: type=1400 audit(1541015518.222:111): apparmor="ALLOWED" operation="unlink" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/2748" pid=2748 comm="smbd" requested_mask="d" denied_mask="d" fsuid=0 ouid=0

The more recent de-mountings may be related to the sheer number of writes of data to that HDD, considering that I have scanned about a million IPv4 addresses in the past couple of weeks and port the output to files in the troublesome HDD. I have also noticed that some rather hollow IPv4 addresses having nearly no hosts up cause stalling of the nmap scans in one particular ASN, at times freezing the 'puter. I had thought that my wireless dongle was the culprit, but those bug reports indicate otherwise.

I'm in select company, as only eight other folks were affected at the times the bugs were posted.

Thanks,
George Langford
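
Added example, not part of the original posts: a small triage script for audit records like the ones quoted above. AppArmor logs apparmor="ALLOWED" when a profile in complain mode records an access it would have blocked in enforce mode, and apparmor="DENIED" when it blocks one; the script groups records by verdict, profile, operation and path pattern and lists the ones worth a closer look. The `expected` prefix and the DENIED sample line are assumptions made for the illustration.

```python
import re
from collections import Counter

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')      # key="quoted" or key=bare
STAMP = re.compile(r'audit\((\d+)\.\d+:(\d+)\)')   # audit(epoch.msec:serial)

# Three records copied from the post (dmesg and syslog form) plus one
# constructed DENIED record, not from the post, to exercise the review path.
SAMPLE = """\
[14441.033001] audit: type=1400 audit(1541009800.238:275): apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/4618" pid=4618 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[14441.034291] audit: type=1400 audit(1541009800.238:278): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/1442" pid=4618 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Oct 31 15:51:58 REDACTED kernel: [ 1657.272821] audit: type=1400 audit(1541015518.222:111): apparmor="ALLOWED" operation="unlink" profile="/usr/sbin/smbd" name="/run/samba/msg.lock/2748" pid=2748 comm="smbd" requested_mask="d" denied_mask="d" fsuid=0 ouid=0
[99999.000001] audit: type=1400 audit(1541099999.000:999): apparmor="DENIED" operation="open" profile="/usr/sbin/smbd" name="/etc/example.conf" pid=4242 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

def parse_line(line):
    """Return one AppArmor audit record as a dict, or None for any other line."""
    stamp = STAMP.search(line)
    if 'apparmor="' not in line or stamp is None:
        return None
    ev = {k: quoted or bare for k, quoted, bare in KV.findall(line)}
    ev["epoch"], ev["serial"] = int(stamp.group(1)), int(stamp.group(2))
    # Collapse all-digit path components (PID-named lock files) into one pattern.
    ev["pattern"] = re.sub(r'/\d+(?=/|$)', '/<N>', ev.get("name", ""))
    return ev

def events(text):
    """Parse every AppArmor record in a block of dmesg or syslog text."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev]

def summarize(text):
    """Count records per (verdict, profile, operation, path pattern)."""
    return Counter((e["apparmor"], e["profile"], e["operation"], e["pattern"])
                   for e in events(text))

def needs_review(text, expected=("/run/samba/",)):
    """Records that were DENIED or touch a path outside the expected prefixes.
    The default prefix is an assumption for the smbd case shown in the post."""
    return [e for e in events(text)
            if e["apparmor"] != "ALLOWED"
            or not e.get("name", "").startswith(expected)]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
    for e in needs_review(SAMPLE):
        print("REVIEW", e["serial"], e["apparmor"], e["operation"], e["name"])
```

Saved under any file name, it can be pointed at real input by passing the text of `dmesg` or `/var/log/syslog` to `summarize()` and `needs_review()` in place of `SAMPLE`.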

amenex
Joined: 01/03/2015

The workaround is simply not to make those frequent writes to the USB-connected HDD;
I placed the output of nmap in a desktop folder with the aim of making just one big
transfer when this phase of my project is finished. Some nmap scans still stall when
very few hosts are up, but those scans can be stopped with Ctrl-C.

Thanks,
George Langford