[nSLUG] Root Partition Woes
nslug at fop.ns.ca
Thu Feb 16 14:09:15 AST 2006
On Wed, 15 Feb 2006, Rowan Townshend wrote:
> Something I have noticed while scanning my logs is that there are a lot
> of people trying to exploit Samba & SSH on the server, could that be
> leaving some sort of memory footprint on the / partition perhaps?
Unlikely; most logs should be in /var/log, unless you've edited the syslog
configuration. Most rootkits I've seen operate on /var/tmp, /tmp or
/var/lib, so it's probably not that (although I did see one that kept
output in a hidden directory under /lib).
If Ben's suggestion of du -x doesn't pan out, it could be a process that's
operating on a deleted file. Try lsof -n | grep deleted to see what's
running. Restarting or killing the relevant processes should cause them to
abandon the file, and a df will show you afterwards if it had an effect.
If that doesn't do it, try lsof -n | less and look for anything odd -
unfortunately I can't be any more specific than that, but lsof will list
every open file on the system, so that might give you a hint.
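As an added illustration of the lsof check described in the reply above (this is not code from the original post or from the list), the following script parses `lsof -n` output and lists regular files that have been unlinked but are still held open, along with the space they are holding. It assumes the Linux lsof column layout (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME, with "(deleted)" appended to NAME); the embedded sample output is constructed for the demonstration and is not a real system listing.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Parse `lsof -n` output and report regular files that were deleted
# while a process still holds them open. Assumes the Linux lsof
# column layout: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME,
# with "(deleted)" appended to NAME.

# Constructed sample of what `lsof -n` might print (not real output).
SAMPLE_LSOF='COMMAND   PID     USER   FD   TYPE DEVICE   SIZE/OFF   NODE NAME
rsyslogd  612     root    5w   REG    8,1 1073741824 131072 /var/log/syslog.1 (deleted)
apache2  1234 www-data    8w   REG    8,1   52428800   4096 /tmp/sess_abc (deleted)
sshd      800     root  cwd    DIR    8,1       4096      2 /
bash     2000     root    0u   CHR  136,0        0t0      3 /dev/pts/0'

# deleted_open_files: read lsof output on stdin and print one line per
# regular file that has been deleted but is still open:
#   PID COMMAND BYTES PATH
deleted_open_files() {
    awk '
        NR == 1 { next }                   # skip the column header
        $5 == "REG" && $NF == "(deleted)" {
            path = $9
            # NAME may contain spaces; rejoin everything before "(deleted)"
            for (i = 10; i < NF; i++) path = path " " $i
            print $2, $1, $7, path
        }'
}

# deleted_open_bytes: total bytes held by deleted-but-open regular files
# (reads lsof output on stdin).
deleted_open_bytes() {
    deleted_open_files | awk '{ sum += $3 } END { print sum + 0 }'
}

# If the total here is large and `du -x /` cannot account for the usage
# that `df` reports, restarting the listed processes releases the space.
if [ "$1" = "--live" ] && command -v lsof >/dev/null 2>&1; then
    lsof -n 2>/dev/null | deleted_open_files
else
    printf '%s\n' "$SAMPLE_LSOF" | deleted_open_files
    printf 'total bytes held by deleted files: %s\n' \
        "$(printf '%s\n' "$SAMPLE_LSOF" | deleted_open_bytes)"
fi
```

Run it with no arguments to see the parser work on the constructed sample; run it with `--live` on a machine that has lsof installed to inspect the real process table. The PID column is what you need for the "restart or kill the relevant process" step, and a `df` before and after the restart confirms whether that file was the missing space.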