[Gllug] ext3 filesystem suddenly full
Ken Smith
kens at kensnet.org
Thu Jun 21 13:01:41 UTC 2007
Chris Bell wrote:
> On Thu 21 Jun, Ken Smith wrote:
>
>> On an FC3 box there is 17G ext3 filesystem in a LV mounted as /.
>>
>> /home and a couple of other specific things are in other LV's mounted
>> under /. I've unmounted them so that / & /boot is left mounted
>>
>> A couple of days ago my regular log file said...(as it has for months)
>>
>> /dev/mapper/VolGroup00-LogVol00 17G 4.4G 12G 28% /
>>
>> Now it says
>>
>> /dev/mapper/VolGroup00-LogVol00 17G 17G 0 100% /
>>
>> Totaling up the contents of the directories in / with 'du' I can
>> account for 5.1G's worth. So where has over 11G's worth of stuff, that
>> I can't find, come from? Especially as the system has not been
>> changing.
>>
>> Any ideas
>>
>> Ken
>>
>>
>>
>>
> DOS attack with junk emails?
>
>
Maybe, nothing obvious in the relevant directories... The Yum & up2date
caches are empty...
# cd /var/spool/mail
# ls -al
total 276
drwxrwxr-x 2 root mail 4096 Mar 29 2006 .
drwxr-xr-x 17 root root 4096 Aug 9 2006 ..
-rw-rw---- 1 ***** mail 0 Mar 16 2006 *****
-rw-rw---- 1 *** mail 0 Mar 18 2006 ***
-rw-rw---- 1 **** mail 474 Mar 29 2006 ****
-rw------- 1 root root 255770 Mar 22 2006 root
# cd ..
# ls -al
total 148
drwxr-xr-x 17 root root 4096 Aug 9 2006 .
drwxr-xr-x 24 root root 4096 Mar 18 2006 ..
drwxr-xr-x 2 root root 4096 Mar 16 2006 anacron
drwx------ 3 daemon daemon 4096 Apr 15 2005 at
drwxrwx--- 2 smmsp smmsp 4096 Jun 21 08:12 clientmqueue
drwx------ 2 root root 4096 Jul 11 2005 cron
drwx--x--- 3 root sys 16384 Mar 18 04:04 cups
drwxr-xr-x 2 root root 4096 Aug 12 2004 lpd
drwxrwxr-x 2 root mail 4096 Mar 29 2006 mail
drwxr-xr-x 4 root root 4096 Aug 9 2006 MailScanner
drwx------ 2 root mail 12288 Jun 21 13:45 mqueue
drwx------ 2 root root 4096 Jun 19 04:13 mqueue.in
drwxr-xr-x 2 rpm rpm 4096 Nov 2 2004 repackage
drwxrwxrwt 2 root root 4096 Dec 30 16:10 samba
drwxr-x--- 2 squid squid 4096 Oct 20 2005 squid
drwxr-xr-x 2 root root 4096 Oct 27 2004 up2date
drwxrwxrwt 2 root root 4096 Oct 5 2004 vbox
# du -h MailScanner/
{snip}
568K MailScanner/
The bash history is there, going back several weeks, which is often
hidden by an attacker.
Hmmmmm
Ken