[nSLUG] Root Partition Woes

Bill Davidson bdavidso at supercity.ns.ca
Thu Feb 16 14:48:50 AST 2006


Hi:

On Thu, 2006-16-02 at 14:09 -0400, Dop Ganger wrote:
> Unlikely; most logs should be in /var/log, unless you've edited the syslog 
> configuration. Most rootkits I've seen operate on /var/tmp, /tmp or 
> /var/lib, so it's probably not that (although I did see one that kept 
> output in a hidden directory under /lib).

Yes, and I saw one once that used a hidden directory under /dev, too.
That was hard to find...

> If Ben's suggestion of du -x doesn't pan out,
     ^^^^^  **cough**

[snip]
> ...and look for anything odd - 
> unfortunately I can't be any more specific than that, 

That's one of the hardest things about diagnosing problems -- sometimes
you just have to root around looking for something that "doesn't look
right", but if you don't know what "looks right", or what "right" means,
that can be daunting.


-- 
Bill Davidson
bdavidso at supercity.ns.ca
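
An added example, not part of the message above or of the thread: one way to list the hidden directories the posters describe, under the locations they name, staying on one filesystem as du -x does. The names find_odd, make_sample_tree and SCAN_DIRS and the sample tree are constructed for illustration, and the check for regular files under /dev is an added assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Lists hidden directories under the
# locations the posters name, plus regular files under /dev.

# Directories named in the thread, relative to the root being examined.
SCAN_DIRS="dev lib tmp var/tmp var/lib"

# find_odd ROOT: print "kind<TAB>path" for each finding. ROOT may be "/" or
# the mount point of a disk image (hypothetical usage: find_odd /mnt/suspect).
find_odd() {
    root=${1%/}
    for d in $SCAN_DIRS; do
        [ -d "$root/$d" ] || continue
        # -xdev keeps find on one filesystem, as du -x does.
        # Dot-names are skipped by a plain ls; a leading space is easy to miss.
        find "$root/$d" -xdev -type d \( -name '.*' -o -name ' *' \) \
            -exec printf 'hidden-dir\t%s\n' {} \;
    done
    # Assumption: /dev holds device nodes, links and directories, so a
    # regular file there is worth a look.
    if [ -d "$root/dev" ]; then
        find "$root/dev" -xdev -type f -exec printf 'file-in-dev\t%s\n' {} \;
    fi
    return 0
}

# Constructed sample tree so the scan can be tried without root access.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/dev/.hidden/out" "$t/lib/modules" "$t/lib/... " \
             "$t/var/tmp" "$t/var/lib/dpkg" "$t/tmp/.X11-unix"
    : > "$t/dev/.hidden/out/sniff.log"
    : > "$t/lib/modules/ok.ko"
    printf '%s\n' "$t"
}

sample=$(make_sample_tree)
find_odd "$sample"
rm -rf "$sample"
```

Hits such as /tmp/.X11-unix are normal on many systems, so the output is a list to review against what the machine is supposed to contain.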
