Date: Mon, 2 Nov 1998 21:55:17 -0800 (PST) From: Joshua Lackey <jl@noether.uoregon.edu> To: Jay Nelson <jdn@acp.qiv.com> Cc: security@FreeBSD.ORG Subject: Re: hidden files question Message-ID: <Pine.LNX.3.96.981102214554.1003A-100000@noether.uoregon.edu> In-Reply-To: <Pine.BSF.3.96.981102202326.1860A-100000@acp.qiv.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Possible you had ``ls'' replaced with a version that hides files. You may try ``find /var -name "*" -print'' as I've found that script-jockies will replace ``ls'' but forget other similar programs. Best thing to do is to get a known good copy of ``ls'' and look at the directory. You may also want to reboot and then go into single-user mode to make sure no lkm's are hiding things from you. Samba has had some problems in the past (if I remember correctly.) It's painful, but you're going to have to reinstall. Look into tripwire so you don't have to do it again. Josh. On Mon, 2 Nov 1998, Jay Nelson wrote: > We have an office server running 2.2.7-RELEASE doing DNS, Samba and > mail. We have had several intrusion atempts over the past few weeks > that have failed. Today, /var was showing 50 MB and I could only > account for about 5MB. I could find no hidden files. > > Any combination I've used with find hasn't shown anything. Any ideas > on how I can find the missing 45MB? > > Is there a known benign condition that could account for this? > > Thanks > > -- Jay > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- jl@noether.uoregon.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.LNX.3.96.981102214554.1003A-100000>