Date: Tue, 03 Nov 1998 00:21:28 -0600
From: Philip Kizer <pckizer@nostrum.com>
To: Jay Nelson <jdn@acp.qiv.com>
Cc: security@FreeBSD.ORG
Subject: Re: hidden files question
Message-ID: <3413.910074088@mail.nostrum.com>
In-Reply-To: Your message of "Mon, 02 Nov 1998 22:56:24 CST." <Pine.BSF.3.96.981102202326.1860A-100000@acp.qiv.com>
Jay Nelson <jdn@acp.qiv.com> wrote:

> We have an office server running 2.2.7-RELEASE doing DNS, Samba and
> mail. We have had several intrusion attempts over the past few weeks
> that have failed. Today, /var was showing 50 MB and I could only
> account for about 5MB. I could find no hidden files.
>
> Any combination I've used with find hasn't shown anything. Any ideas
> on how I can find the missing 45MB?
>
> Is there a known benign condition that could account for this?

Paranoia is good; but, yes, there is a possible benign condition.

I haven't seen fuser available, but you can always use lsof (/usr/ports/sysutils/lsof) to see if there are any processes that have open files in that filesystem that have been unlinked but not closed. (A program, perhaps syslog, has a logfile open that was unlinked [via unlink(2), or rm(1), which calls unlink(2)], but was not HUPped or otherwise told to close the open file that no longer has a directory entry pointing to it.) That condition can cause what you are seeing. If that is what you are seeing, then the cause may or may not be so benign, but the condition itself is.

Start with lsof to see which processes have open files in /var (when you get a NAME output that is only a mount-point, use find with the -inum option on that filesystem to locate a directory entry associated with the open file). If you find programs running with files open in /var but cannot find the file itself, there's your best candidate. If all programs' open files are accounted for and can be found in some directory, then get worried. In that case, you do have good backups, right? :)

-philip
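The procedure Philip describes, written out as a script. This is an added example, not code from the original message or from the lsof project: it compares df against du on a filesystem, asks lsof (assumed installed, e.g. from /usr/ports/sysutils/lsof) for the open files there in its machine-readable -F field format, and for each open inode runs find -inum to see whether a directory entry still exists. It also includes a self-contained demo that creates the open-but-unlinked condition in a temporary directory so the inode check can be exercised without lsof. The sample lsof -F output embedded below is constructed for illustration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread). Finds files that are held open
# on a filesystem but no longer have a directory entry: space that du(1) cannot
# see but df(1) still counts. Assumes lsof(8) is installed and that find(1)
# supports -xdev and -inum (POSIX). Pass the mount point, not a subdirectory,
# so that -xdev and the inode numbers refer to one filesystem.

# Locate a directory entry for one inode on one filesystem.
# Prints nothing when the inode has no directory entry (the suspicious case).
find_by_inode() {
    find "$1" -xdev -inum "$2" 2>/dev/null
}

# Turn lsof -F pcfin output (one field per line: p=pid, c=command, f=fd,
# i=inode, n=name) into "pid command inode name" per open file. Parsing the
# field format avoids depending on lsof's column layout, which changes with
# name length. An fd with no inode (sockets, pipes) prints an empty inode.
parse_lsof_fields() {
    awk '
        /^p/ { pid = substr($0, 2) }
        /^c/ { cmd = substr($0, 2) }
        /^f/ { ino = "" }
        /^i/ { ino = substr($0, 2) }
        /^n/ { print pid, cmd, ino, substr($0, 2) }
    '
}

# Full check for one filesystem: df/du gap, then every open inode with no
# directory entry, which is exactly the "file open but cannot find it" case.
check_fs() {
    fs=$1
    echo "== df versus du for $fs (a large gap suggests open-but-unlinked files) =="
    df -k "$fs"
    du -sk "$fs" 2>/dev/null
    echo "== open files on $fs with no directory entry =="
    lsof -F pcfin "$fs" 2>/dev/null | parse_lsof_fields |
    while read -r pid cmd ino name; do
        [ -n "$ino" ] || continue              # sockets/pipes: nothing to find
        if [ -z "$(find_by_inode "$fs" "$ino")" ]; then
            echo "pid=$pid cmd=$cmd inode=$ino name=$name: NO directory entry"
        fi
    done
}

# Demo without lsof: hold a file open from a background process, unlink it,
# and show that find -inum locates the inode before the rm and not after.
# Returns 0 when the condition is reproduced.
demo_unlinked() {
    d=$(mktemp -d)
    f="$d/held.log"
    : > "$f"
    ino=$(ls -i "$f" | awk '{print $1}')
    sleep 30 < "$f" &                          # a process keeps the inode open
    holder=$!
    before=$(find_by_inode "$d" "$ino")
    rm "$f"                                    # directory entry gone, inode not
    after=$(find_by_inode "$d" "$ino")
    kill "$holder" 2>/dev/null
    wait "$holder" 2>/dev/null
    rmdir "$d"
    [ -n "$before" ] && [ -z "$after" ]
}

# Constructed sample of lsof -F pcfin output for a syslogd whose open file has
# resolved only to the mount point, the case Philip mentions.
SAMPLE_LSOF='p123
csyslogd
f4
i98765
n/var'

# Usage: sh thisscript.sh /var
if [ -n "${1:-}" ]; then
    check_fs "$1"
fi
```

On a real system the interesting lines are the ones marked "NO directory entry"; a newer lsof can shortcut the loop with `lsof +L1 /var`, which lists only open files whose link count has dropped to zero. Killing or HUPping the holder (after deciding whether it is benign) is what actually releases the space.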