[nSLUG] Root Partition Woes

Dop Ganger nslug at fop.ns.ca
Thu Feb 16 14:09:15 AST 2006


On Wed, 15 Feb 2006, Rowan Townshend wrote:

> Something I have noticed while scanning my logs is that there is a lot 
> of people trying to exploit Samba & SSH on the server, could that be 
> leaving some sort of memory foot print on the / partition perhaps?

Unlikely; most logs should be in /var/log, unless you've edited the syslog 
configuration. Most rootkits I've seen operate on /var/tmp, /tmp or 
/var/lib, so it's probably not that (although I did seen one that kept 
output in a hidden directory under /lib).

If Ben's suggestion of du -x doesn't pan out, it could be a process that's 
operating on a deleted file. Try lsof -n | grep deleted to see what's 
running. Restarting or killing the relevant processes should cause them to 
abandon the file, and a df will show you afterwards if it had an effect. 
If that doesn't do it, try lsof -n | less and look for anything odd - 
unfortunately I can't be any more specific than that, but lsof will list 
every open file on the system, so that might give you a hint.

Cheers... Dop.

!DSPAM:43f4bfd491247249318936!




More information about the nSLUG mailing list