From owner-freebsd-security  Mon Nov  2 20:57:06 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id UAA10650
          for freebsd-security-outgoing; Mon, 2 Nov 1998 20:57:06 -0800 (PST)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from tok.qiv.com (tok.qiv.com [205.238.142.68])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA10645
          for <security@freebsd.org>; Mon, 2 Nov 1998 20:57:05 -0800 (PST)
          (envelope-from jdn@acp.qiv.com)
Received: (from uucp@localhost)
	by tok.qiv.com (8.8.8/8.8.5) with UUCP id WAA07863
	for security@freebsd.org; Mon, 2 Nov 1998 22:56:58 -0600 (CST)
Received: from localhost (jdn@localhost)
	by acp.qiv.com (8.8.8/8.8.8) with SMTP id WAA02152
	for <security@freebsd.org>; Mon, 2 Nov 1998 22:56:25 -0600 (CST)
	(envelope-from jdn@acp.qiv.com)
Date: Mon, 2 Nov 1998 22:56:24 -0600 (CST)
From: Jay Nelson <jdn@acp.qiv.com>
To: security@FreeBSD.ORG
Subject: hidden files question
Message-ID: <Pine.BSF.3.96.981102202326.1860A-100000@acp.qiv.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

We have an office server running 2.2.7-RELEASE doing DNS, Samba and
mail. We have had several intrusion atempts over the past few weeks
that have failed. Today, /var was showing 50 MB and I could only
account for about 5MB. I could find no hidden files.

Any combination I've used with find hasn't shown anything. Any ideas
on how I can find the missing 45MB?

Is there a known benign condition that could account for this?   

Thanks

-- Jay


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message