df report

plug@arcticmail.com plug@arcticmail.com
Sun, 10 Dec 2000 22:56:58 -0700


Yeah, that is another possibility.  Rather than
replacing find and ls on your (possibly) compromised
filesystem, you may want to download Tom's bootroot

     http://www.toms.net/rb/

floppy, boot to the floppy, mount the suspect
filesystem on the floppy, then use the ls (and
du and find and so on) binary on the floppy to
do your investigation.  One thing to look for
is files and/or dirs named "...".

Assuming that you mount the suspect filesystem
on the floppy's /mnt directory, what does

cd /mnt
du -k | grep -v '/.*/'

tell you?


Good hunting,

D

* On Sun, Dec 10, 2000 at 11:36:13AM -0700, Brian Cluff wrote:
> Here's a sick thought, but it seems to me one of the only answers.  By chance
> could you be cracked?  I know that every time that I have been cracked you
> put patched versions of du, find, ls... etc etc. to hide files from my view.
> I would try putting a new version of find and ls on your machine and then
> try looking again.  If I'm right you will find your large files, if I'm
> wrong, you haven't done any harm at all.
> 
> Brian Cluff
> ----- Original Message -----
> > Tried David's suggestion already, and tried looking
> > for hidden already and tried fsck'ing.
> >
> > Has me puzzled too :-(
> >
> > Mike
> > mgcon@getnet.com
> > http://www.getnet.com/~mgcon
> > Phoenix, AZ
> > USA
> >
> > On Sun, 10 Dec 2000 plug@arcticmail.com wrote:
> >
> > >
> > > It's not a hidden file, is it?  Try "ls -la | sort -n +4"
> > > in the same dir as the runaway procmail file.
> > >
> > > When you rebooted, did you do a proper reboot?  If you
> > > just killed the power, fsck'ing the filesystem would
> > > prolly be a good idea.  You could fsck the filesystem
> > > anyway, and look for the spacewasters to make an
> > > appearance in the "lost+found" directory.
> > >
> > >
> > > D
> > >
> > > * On Sun, Dec 10, 2000 at 08:09:15AM -0700, Mike Starke wrote:
> > > > Yes, I knew rebooting would do that. I just thought I would throw
> > > > that in for clarity.
> > > >
> > > > > No, du does not report the correct size. And I thought there may have been
> > > > > another file laying around, but I do not see any indication
> > > > > that it exists.
> > > >
> > > >
> > > > Mike
> > > > mgcon@getnet.com
> > > > http://www.getnet.com/~mgcon
> > > > Phoenix, AZ
> > > > USA
> > > >
> > > > On Sun, 10 Dec 2000, Eric Thelin wrote:
> > > >
> > > > > On Sat, 9 Dec 2000, Mike Starke wrote:
> > > > >
> > > > > > > Was a procmail log that went wacky. The system has been rebooted
> > > > > > > a couple times since the incident. No way to restart the same process
> > > > > > > which created the mess.
> > > > > >
> > > > > > sync was a no go as well.
> > > > >
> > > > > > Actually rebooting the server supersedes both previous suggestions.
> > > > > > Does du show the desired size?  I would think that it would show you
> > > > > > that there is another large file that is causing the problem.  At least
> > > > > > I hope that is the problem since I can't think of anything else short of
> > > > > > giving up and reformatting the drive.
> > > > >
> > > > >
> > > > > Eric
> > > > >
> > > > >
> > > > > --
> > > > > > Eric Thelin    erict@aztechbiz.com
> > > > >            AZtechBiz.com: Where Arizona Does Tech Business
> > > > >                Voice: 480-377-6743   Fax: 480-377-6755
> > > > >
> > > > >
> > > > > > ________________________________________________
> > > > > > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> > > > >
> > > > > Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
> > > > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > > > >
> > > >
> > > >
> > > > ________________________________________________
> > > > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail
> doesn't post to the list quickly and you use Netscape to write mail.
> > > >
> > > > Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
> > > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > > >
> > >
> > > ________________________________________________
> > > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't
> post to the list quickly and you use Netscape to write mail.
> > >
> > > Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
> > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > >
> >
> >
> > ________________________________________________
> > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't
> post to the list quickly and you use Netscape to write mail.
> >
> > Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> 
> 
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> 
> Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
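
The checks suggested in the top reply (trusted boot media, suspect filesystem mounted on /mnt, look for names like "...", summarize usage per top-level directory), as an added example that is not part of any poster's message. The function names are hypothetical, and the script assumes it is run with the `find`, `du`, `df`, `tr` and `awk` binaries from the boot media rather than those on the suspect disk.

```shell
#!/bin/sh
# Added example, not from the thread. Run with binaries from trusted boot
# media against the suspect filesystem (the thread mounts it on /mnt).
# Function names are hypothetical.

# Print paths whose final component is made up only of dots and spaces,
# such as "..." or ".. ", which blend in with "." and ".." in a listing.
# Caveat: names containing newlines are not handled by this line-based loop.
odd_dot_names() {
    # -xdev keeps find on the suspect filesystem only
    find "$1" -xdev \( -name '.*' -o -name ' *' \) -print 2>/dev/null |
    while IFS= read -r path; do
        name=${path##*/}
        case $name in ''|.|..) continue ;; esac
        rest=$(printf '%s' "$name" | tr -d '. ')
        if [ -z "$rest" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Same idea as the thread's `du -k | grep -v '/.*/'`: per-directory totals in
# KB for the top level only, smallest to largest. -x stays on one filesystem.
top_level_usage() {
    ( cd "$1" && du -kx . | grep -v '/.*/' | sort -n )
}

# KB that df counts as used but du cannot account for by walking the tree.
usage_gap_kb() {
    used=$(df -kP "$1" | awk 'NR == 2 { print $3 }')
    seen=$(du -skx "$1" | awk '{ print $1 }')
    echo $((used - seen))
}
```

Typical use after booting the floppy is `odd_dot_names /mnt`, `top_level_usage /mnt` and `usage_gap_kb /mnt`, with the filesystem mounted read-only.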