From: Moti
Date: Wed, 01 May 2002 09:22:45 -0400
To: pmcgarvey@vianetworks.co.uk
Cc: freebsd-security@freebsd.org
Subject: Re: newbie. possibly got hacked. need help.

At 08:31 AM 5/1/2002 +0100, Peter McGarvey wrote:
>On Wednesday 01 May 2002 05:45 am, Bill Fumerola wrote:
>> On Tue, Apr 30, 2002 at 11:29:53PM -0500, pr0ject wrote:
>> > hate to say it, but if you've removed something huge or you have a
>> > runaway process holding the memory space, you might try rebooting.
>>
>> rebooting? stay away from my systems. try just installing 'lsof' (in a
>> ports collection near you) and see what's holding open the file.
>
>Hmm, installing a port when /var is full does not strike me as a good idea.
>
>I've seen a similar thing twice, turns out qmail goes haywire if you've
>got softupdates turned on. The only way to fix it is to reboot into
>single-user mode and fsck the disk. Remembering to turn softupdates off
>when it's finished.
>
>Another fun way to fill a volume is to delete a log file. Syslog will
>happily backfill your volume without complaint until you HUP or restart it.
>
>--
>TTFN, FNORD
>
>Peter McGarvey
>System Administrator
>Network Operations, VIA Networks UK
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message

looks like you've been pub scanned and someone uploaded warez to your ftp directory ....
are you sure anonymous access is disabled ?
i would check anyone delete the files under /var/ftp and run fsck if df still reports file systems full !

if you don't have to, don't use ftp, use ssh and scp for file copy and http to share them.
( in my opinion of course )

Moti
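
The effect mentioned in the quoted text above (a deleted log file that keeps filling the volume until syslog is HUPed or restarted) can be reproduced harmlessly in a temporary directory. This is an added example, not part of the original thread; the file name `messages`, the temporary directory and the sizes are constructed stand-ins.

```python
import os
import tempfile


def demo_unlinked_log(chunk=1 << 20):
    """Simulate a daemon that keeps writing to a log after an admin deletes it.

    Returns what the filesystem reports about the file after the unlink.
    """
    workdir = tempfile.mkdtemp(prefix="unlinked-log-")
    path = os.path.join(workdir, "messages")  # constructed stand-in for a log file

    # The "daemon" opens its log in append mode and keeps the descriptor.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    try:
        os.write(fd, b"x" * chunk)

        # The "admin" deletes the log to free space.
        os.unlink(path)
        visible = os.path.exists(path)      # name is gone from the directory
        after_unlink = os.fstat(fd)         # but the inode is still alive

        # The daemon never notices and keeps logging into the nameless file.
        os.write(fd, b"y" * chunk)
        after_more = os.fstat(fd)

        return {
            "visible": visible,
            # Link count is normally 0 here on local filesystems: no name
            # refers to the data, so du cannot see it while df still counts it.
            "nlink": after_unlink.st_nlink,
            "size_after_unlink": after_unlink.st_size,
            "size_after_more_writes": after_more.st_size,
        }
    finally:
        # Closing the last descriptor is what a restart (or a HUP that
        # reopens the log) achieves: only now are the blocks released.
        os.close(fd)
        os.rmdir(workdir)


if __name__ == "__main__":
    for key, value in demo_unlinked_log().items():
        print(f"{key}: {value}")
```
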