Date: Mon, 2 Nov 1998 21:55:17 -0800 (PST)
From: Joshua Lackey
To: Jay Nelson
cc: security@FreeBSD.ORG
Subject: Re: hidden files question

Possible you had ``ls'' replaced with a version that hides files. You may try ``find /var -name "*" -print'' as I've found that script-jockeys will replace ``ls'' but forget other similar programs.

Best thing to do is to get a known good copy of ``ls'' and look at the directory. You may also want to reboot and then go into single-user mode to make sure no lkm's are hiding things from you.

Samba has had some problems in the past (if I remember correctly.)

It's painful, but you're going to have to reinstall. Look into tripwire so you don't have to do it again.

Josh.

On Mon, 2 Nov 1998, Jay Nelson wrote:

> We have an office server running 2.2.7-RELEASE doing DNS, Samba and
> mail. We have had several intrusion attempts over the past few weeks
> that have failed. Today, /var was showing 50 MB and I could only
> account for about 5MB. I could find no hidden files.
>
> Any combination I've used with find hasn't shown anything. Any ideas
> on how I can find the missing 45MB?
>
> Is there a known benign condition that could account for this?
>
> Thanks
>
> -- Jay

--
jl@noether.uoregon.edu
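
The cross-check suggested in the message above, as an added example that is not part of the original post: it lists a directory through the ls under test, through find, and through the shell's own glob expansion, and prints any name the last two see but ls omits. The function names and the LS_BIN variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: report directory entries that find(1) or the shell's own
# globbing can see but the ls under test does not list.
# LS_BIN (variable invented for this example) selects the ls to test.
# Names containing newlines are not handled.

# Names as reported by the ls under test (-A: dotfiles, but not . and ..).
names_ls() {
    "${LS_BIN:-ls}" -A "$1" | LC_ALL=C sort
}

# Names as reported by find, depth 1 only (portable idiom, no -maxdepth).
names_find() {
    find "$1/." ! -name . -prune -print | sed 's|^.*/\./||' | LC_ALL=C sort
}

# Names as expanded by the shell itself, which uses neither ls nor find.
names_glob() {
    for p in "$1"/* "$1"/.[!.]* "$1"/..?*; do
        # An unmatched pattern stays literal; skip it.
        [ -e "$p" ] || [ -L "$p" ] || continue
        printf '%s\n' "${p##*/}"
    done | LC_ALL=C sort
}

# Print every name seen by find or the glob but missing from ls output.
hidden_from_ls() {
    tmp=$(mktemp -d) || return 2
    names_ls "$1" > "$tmp/ls"
    { names_find "$1"; names_glob "$1"; } | LC_ALL=C sort -u > "$tmp/other"
    # comm -13 keeps lines that appear only in the second file.
    LC_ALL=C comm -13 "$tmp/ls" "$tmp/other"
    rm -rf "$tmp"
}

# Stand-alone use: sh script.sh /var
if [ $# -gt 0 ]; then
    hidden_from_ls "$1"
fi
```

A kernel module that hides files would hide them from all three views, which is why the message also suggests single-user mode and a known good copy of ls.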