[nSLUG] Root Partition Woes

Bill Davidson bdavidso at supercity.ns.ca
Thu Feb 16 14:48:50 AST 2006


On Thu, 2006-16-02 at 14:09 -0400, Dop Ganger wrote:
> Unlikely; most logs should be in /var/log, unless you've edited the syslog 
> configuration. Most rootkits I've seen operate on /var/tmp, /tmp or 
> /var/lib, so it's probably not that (although I did see one that kept 
> output in a hidden directory under /lib).

Yes, and I saw one once that used a hidden directory under /dev, too.
That was hard to find...

> If Ben's suggestion of du -x doesn't pan out,
     ^^^^^  **cough**

> ...and look for anything odd - 
> unfortunately I can't be any more specific than that, 

That's one of the hardest things about diagnosing problems -- sometimes
you just have to root around looking for something that "doesn't look
right", but if you don't know what "looks right", or what "right" means,
that can be daunting.

Bill Davidson
bdavidso at supercity.ns.ca
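
Added example, not part of the original message: a shell sketch of the check discussed above. It lists dot-directories under trees such as /dev and /lib with their disk usage, staying on one filesystem as `du -x` does, and lists regular files inside a device tree. The function names are hypothetical, and hits are only candidates for review (older systems keep a legitimate MAKEDEV script in /dev, for instance).

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from any tool.

# find_hidden_dirs ROOT...
# Print "SIZE_KB<TAB>PATH" for each dot-directory below every ROOT.
# -xdev keeps find on ROOT's own filesystem (same idea as du -x), and
# -prune reports a hidden directory once without descending into it.
# Paths containing newlines are not handled.
find_hidden_dirs() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -mindepth 1 -xdev -type d -name '.*' -prune -print 2>/dev/null |
        while IFS= read -r dir; do
            # -s: one total, -k: kilobytes, -x: do not cross mount points
            kb=$(du -skx "$dir" 2>/dev/null | cut -f1)
            printf '%s\t%s\n' "${kb:-?}" "$dir"
        done
    done
}

# find_regular_files_in_devtree [DEVROOT]
# A device tree normally holds device nodes, symlinks and directories;
# regular files there are worth a look. Defaults to /dev.
find_regular_files_in_devtree() {
    find "${1:-/dev}" -xdev -type f -print 2>/dev/null
}

# When run with arguments, scan those trees, e.g.:  sh thisfile /dev /lib
if [ "$#" -gt 0 ]; then
    find_hidden_dirs "$@"
fi
```

Sorting the first function's output with `sort -n` puts the largest hidden directories last, which helps when the symptom is a full root partition.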


