From owner-freebsd-questions@FreeBSD.ORG Mon Oct 13 19:59:55 2003
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 56B6716A4B3 for ; Mon, 13 Oct 2003 19:59:55 -0700 (PDT)
Received: from smtpout.mac.com (smtpout.mac.com [17.250.248.97]) by mx1.FreeBSD.org (Postfix) with ESMTP id B0B3B43FB1 for ; Mon, 13 Oct 2003 19:59:54 -0700 (PDT) (envelope-from barryhawkins@mac.com)
Received: from mac.com (smtpin08-en2 [10.13.10.153]) by smtpout.mac.com (Xserve/MantshX 2.0) with ESMTP id h9E2xsGc003755 for ; Mon, 13 Oct 2003 19:59:54 -0700 (PDT)
Received: from mac.com (dsl027-161-197.atl1.dsl.speakeasy.net [216.27.161.197]) (authenticated bits=0) by mac.com (Xserve/smtpin08/MantshX 3.0) with ESMTP id h9E2xqbn014153 for ; Mon, 13 Oct 2003 19:59:53 -0700 (PDT)
Date: Mon, 13 Oct 2003 22:59:51 -0400
Mime-Version: 1.0 (Apple Message framework v552)
Content-Type: text/plain; charset=US-ASCII; format=flowed
From: Barry Hawkins
To: FreeBSD Questions
Content-Transfer-Encoding: 7bit
Message-Id: <7AA36E92-FDF2-11D7-A861-000A95A0485E@mac.com>
X-Mailer: Apple Mail (2.552)
Subject: /tmp suddenly full - possible DOS hack?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 14 Oct 2003 02:59:55 -0000

List,

I have a single FreeBSD server (5.1) that I run at home behind a firewall with ports open for ssh, dns, and http. I began having trouble with my DNS not responding, then noticed that ssh was not responding either. Upon logging in at the server, I noticed error messages about my /tmp filesystem being full.
Issuing df revealed the following:

    Filesystem  1K-blocks    Used   Avail Capacity  Mounted on
    /dev/ad0s1a    253678   72770  160614    31%    /
    devfs               1       1       0   100%    /dev
    /dev/ad0s1e    253678     542  232842     0%    /tmp
    /dev/ad0s1f   8209710 3440818 4112116    46%    /usr
    /dev/ad0s1d    253678  253106  -19722   108%    /var

Upon further investigation, I noticed a series of grossly bloated messages logs:

    -rw-r--r--  1 root  wheel      43001 Oct 13 22:37 messages
    -rw-r--r--  1 root  wheel  196001815 Oct 13 17:00 messages.0
    -rw-r--r--  1 root  wheel      87398 Oct 13 16:00 messages.1.bz2
    -rw-r--r--  1 root  wheel      87096 Oct 13 15:00 messages.2.bz2
    -rw-r--r--  1 root  wheel     109446 Oct 13 14:00 messages.3.bz2
    -rw-r--r--  1 root  wheel     184596 Oct 13 13:00 messages.4.bz2
    -rw-r--r--  1 root  wheel      36822 Oct 13 12:00 messages.5.bz2

This is the first BSD box that I have had that allows DNS queries, and this is the first time I have experienced something like this. Is it some sort of DOS attack? I am sure there are a hundred variables that I am unaware of, but if some of the list sages could be so kind as to prod me in the right direction(s) I would be most appreciative.

Thanks,

-- 
Barry C. Hawkins
All Things Computed
site: www.allthingscomputed.com/
weblog: www.allthingscomputed.com/blog/
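An added example, not part of Barry's post and not FreeBSD's own tooling: a portable sh/awk triage script for exactly this situation, a filesystem filled by one log that grew to 196 MB in an hour. It does two things a practitioner would want before guessing at an attack: flag every mount at or above a usage threshold in df(1) output (which would show /var at 108% here, not /tmp), and count which program names dominate a syslog-format file so the single daemon generating the flood stands out. The df rows are copied from the post; the syslog lines, the hostname "gw" and the 192.0.2.x addresses are constructed, since the post does not show the contents of messages.0. Both functions read standard input, so they can be pointed at a real `df -k` or `/var/log/messages.0` instead of the samples.

```shell
#!/bin/sh
# Added example (not from the original post): first-pass triage for a
# filesystem that has filled up with log data, in POSIX sh + awk.
#  1. full_filesystems: flag mounts at or above a usage threshold in df output.
#  2. top_log_sources: count which program names dominate a syslog-format file,
#     so one runaway logger is identified before any attack hypothesis is formed.

# df -k output copied from the post (header row included).
SAMPLE_DF='Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/ad0s1a 253678 72770 160614 31% /
devfs 1 1 0 100% /dev
/dev/ad0s1e 253678 542 232842 0% /tmp
/dev/ad0s1f 8209710 3440818 4112116 46% /usr
/dev/ad0s1d 253678 253106 -19722 108% /var'

# Constructed syslog lines: hostname "gw", pids and 192.0.2.x addresses are
# made up; the post never shows what filled messages.0.
SAMPLE_LOG='Oct 13 16:58:01 gw named[212]: client 192.0.2.10#1025: query (cache) denied
Oct 13 16:58:01 gw named[212]: client 192.0.2.10#1026: query (cache) denied
Oct 13 16:58:02 gw sshd[301]: Accepted publickey for barry from 192.0.2.20 port 40022 ssh2
Oct 13 16:58:02 gw named[212]: client 192.0.2.10#1027: query (cache) denied
Oct 13 16:58:03 gw kernel: link state changed to UP'

# full_filesystems THRESHOLD: read df output on stdin and print
# "mountpoint capacity" for every filesystem at or above THRESHOLD percent.
# NR > 1 skips the header row; the trailing % is stripped before comparing.
full_filesystems() {
    awk -v t="$1" 'NR > 1 { cap = $5; sub(/%$/, "", cap)
                            if (cap + 0 >= t + 0) print $6, $5 }'
}

# top_log_sources N: read syslog lines ("Mon DD HH:MM:SS host prog[pid]: msg")
# on stdin and print the N most frequent program names with their line counts.
# Field 5 is the program tag; "[pid]" and the trailing ":" are removed so that
# "named[212]:" and "kernel:" become "named" and "kernel".
top_log_sources() {
    awk '{ prog = $5; sub(/\[.*/, "", prog); sub(/:$/, "", prog); seen[prog]++ }
         END { for (p in seen) print seen[p], p }' | sort -rn | head -n "$1"
}

# Stand-alone demonstration on the samples above.
echo '== filesystems at or above 90% =='
printf '%s\n' "$SAMPLE_DF" | full_filesystems 90
echo '== busiest log sources in the sample =='
printf '%s\n' "$SAMPLE_LOG" | top_log_sources 3
```

On the sample data the first function reports /dev and /var (the post's df shows /tmp nearly empty), and the second reports named as the top source. Whatever program tops that list on the real messages.0 is the one to look at next: its own log for what it is complaining about, and whether its logging level or a rate limit in syslog.conf needs adjusting so a burst of client traffic cannot fill /var again.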