From: Darren Reed
Subject: Re: hidden files question
To: jdn@acp.qiv.com (Jay Nelson)
Date: Tue, 3 Nov 1998 17:03:31 +1100 (EDT)
Cc: security@FreeBSD.ORG

In some mail from Jay Nelson, sie said:
>
> We have an office server running 2.2.7-RELEASE doing DNS, Samba and
> mail. We have had several intrusion attempts over the past few weeks
> that have failed. Today, /var was showing 50 MB and I could only
> account for about 5MB. I could find no hidden files.
>
> Any combination I've used with find hasn't shown anything. Any ideas
> on how I can find the missing 45MB?
>
> Is there a known benign condition that could account for this?

Files still open which have been removed. This is often the case with
log files.

Darren
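The condition described in the reply above, reproduced as a small C program (an added example, not part of the original message): a file that is removed while a process still holds it open disappears from every name-based search, yet its data stays allocated until the descriptor is closed. The names `visible_bytes` and `run_demo`, the `/tmp/unlinked-demo.*` directory and `daemon.log` are constructed for illustration.

```c
#define _XOPEN_SOURCE 700   /* mkdtemp() and lstat() under strict -std modes */
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

struct view { long long before, after, held; long nlink; };
static char log_data[512 * 1024];   /* constructed 512 KiB of "log" contents */

/* Bytes in regular files reachable by name in dir: all that find or du can see. */
static long long visible_bytes(const char *dir) {
    char path[4096];
    struct dirent *e;
    struct stat st;
    long long total = 0;
    DIR *dp = opendir(dir);
    if (!dp) return -1;
    while ((e = readdir(dp)) != NULL) {
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (lstat(path, &st) == 0 && S_ISREG(st.st_mode)) total += st.st_size;
    }
    closedir(dp);
    return total;
}

/* Constructed scenario: a "daemon" keeps its log open while the log is removed. */
static struct view run_demo(void) {
    struct view v = { -1, -1, -1, -1 };
    char dir[] = "/tmp/unlinked-demo.XXXXXX", path[4096];
    struct stat st;
    int fd;
    if (!mkdtemp(dir)) return v;
    snprintf(path, sizeof path, "%s/daemon.log", dir);
    if ((fd = open(path, O_CREAT | O_WRONLY, 0600)) < 0) { rmdir(dir); return v; }
    if (write(fd, log_data, sizeof log_data) < 0) perror("write");
    v.before = visible_bytes(dir);          /* file is still findable by name */
    unlink(path);                           /* name gone, inode still referenced */
    v.after = visible_bytes(dir);           /* nothing left for find to report */
    if (fstat(fd, &st) == 0) { v.held = st.st_size; v.nlink = (long)st.st_nlink; }
    close(fd);                              /* last reference: space is freed now */
    rmdir(dir);
    return v;
}

int main(void) {
    struct view v = run_demo();
    return printf("by name: %lld -> %lld bytes; via open fd: %lld bytes, link count %ld\n",
                  v.before, v.after, v.held, v.nlink) < 0;
}
```

On FreeBSD, `fstat -f /var` lists the files that processes hold open on that filesystem; restarting the process that owns such a descriptor, or having it reopen its log, releases the space.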