From owner-freebsd-questions  Sat Dec 23 11:41:44 2000
From owner-freebsd-questions@FreeBSD.ORG  Sat Dec 23 11:41:42 2000
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from dire.bris.ac.uk (dire.bris.ac.uk [137.222.10.60])
	by hub.freebsd.org (Postfix) with ESMTP id 27F3537B400
	for <freebsd-questions@freebsd.org>; Sat, 23 Dec 2000 11:41:37 -0800 (PST)
Received: from mail.ilrt.bris.ac.uk by dire.bris.ac.uk with SMTP-PRIV 
          with ESMTP; Sat, 23 Dec 2000 19:41:03 +0000
Received: from cmjg (helo=localhost)	by mail.ilrt.bris.ac.uk 
          with local-esmtp (Exim 3.16 #1)	id 149uX6-0006vk-00;
          Sat, 23 Dec 2000 19:40:44 +0000
Date: Sat, 23 Dec 2000 19:40:44 +0000 (GMT)
From: Jan Grant <Jan.Grant@bristol.ac.uk>
To: Edwin Groothuis <mavetju@chello.nl>
Cc: mysql-freebsd <mysql-freebsd@home.com>,
	freebsd-questions@FreeBSD.ORG
Subject: Re: Weird /var behavior or was I hacked?
In-Reply-To: <20001221165506.F59674@d9168.upc-d.chello.nl>
Message-ID: <Pine.GSO.4.21.0012231938440.26603-100000@mail.ilrt.bris.ac.uk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Jan Grant <Jan.Grant@bristol.ac.uk>
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, 21 Dec 2000, Edwin Groothuis wrote:

> On Thu, Dec 21, 2000 at 09:44:34AM -0500, mysql-freebsd wrote:
> > There is this huge difference between 767 MB reported occupied by df
> > and 14 MB of the sum of all teh files. Looks as if somebody got
> > in, made an invisible partition within /var.
> 
> Looks like a daemon which has files still open although they don't
> exist in the directory-table anymore. Reboot is one solution :-)
> 
> The other option is to find the evil process which has still these
> files open, use lsof (/usr/ports/*/lsof) for it: 
> 				/usr/local/sbin/lsof | grep var

Or try http://tribble.ilrt.bris.ac.uk/~cmjg/unix/scripts/openfiles

(usage: openfiles /var)

no rocket science, it just finds open files which don't appear in the
filesystem.

-- 
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287163 Fax +44 (0)117 9287112 RFC822 jan.grant@bris.ac.uk
Leverage that synergy! Ooh yeah, looking good! Now stretch - and relax.



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message