Subject: Re: Firewall
From: Dave Dittrich (dittrich at CAC.WASHINGTON.EDU)
Date: Wed Mar 15 2000 - 00:40:11 CST
- Next message: CL: Nelson, Jeff: "Re: Cracked; rootkit - entrapment question?"
- Previous message: Seth Georgion: "Re: Cracked; rootkit - entrapment question?"
- In reply to: Chuck Phillips: "Re: Firewall"
- Reply: Dave Dittrich: "Re: Firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Sun, 12 Mar 2000, Chuck Phillips wrote:
> Damian Gerow writes:
> > And I've got a new problem. On another firewall, I noticed that the
> > whole HD (968 Meg) got eaten up really quickly. So I deleted all
> > source, and all leftover debian packages (it's running potato), and
> > freed up something like 100 Meg. Within the next 20 minutes, it was all
> > gone again.
> >
> > A "du -c -h" reports 84 Meg total being used up. A "df" reports 100
> > percent usage.
>
> You would see this if some process opens a file for writing and the file is
> deleted _but while the file handle is still open_; the file still exists
> and occupies disk space (as "df" reveals), but can no longer be accessed
> via any file name (as reflected by "du"). This is often done for temporary
> files both to reduce the chance of file name collisions and to ensure the
> file gets deleted if the process gets killed -- even if killed with a "kill
> -9". For one example, see tmpfile(3). See also df(1) (which queries the
> disk device), and du(1) (which traverses the file system).
This is also done, occasionally, to hide running executable files.
Unlink the program after running, and you won't see it with "ls"
anymore.
> If this is the problem, I would expect the file system to have space when
> you first reboot -- and then quickly fill up after the offending process
> starts. If the disk *is* full when you first reboot and you still have
> this large disparity between "df" and "du", then it's probably something
> else.
Try getting a copy of "lsof" and looking for open file handles on the
partition that is getting filled. Check to see if those files have
directory entries using "ls" and you should be able to identify the
problem. Try: ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/
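As an added example (not code from the thread or from Dave), here is a small POSIX shell script that performs the check Dave describes: find files that are still held open by a process but have no directory entry, which is exactly the space "df" counts and "du" cannot see. It reads the Linux /proc fd links instead of requiring lsof ("lsof +L1" reports the same set); the file name deleted_open.sh in the final guard is an assumption.

```shell
#!/bin/sh
# Added example, not from the original thread. Lists open-but-unlinked files
# via the Linux /proc fd symlinks; equivalent to "lsof +L1" but needs no
# extra tools. Output lines: <pid> <fd> <path> (deleted)

deleted_open_files() {
    # Every open descriptor of every process is a symlink under /proc/PID/fd/.
    # When the target has been unlinked, the kernel appends " (deleted)".
    for fd in /proc/[0-9]*/fd/*; do
        # readlink fails on processes we are not allowed to inspect; skip them.
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)")
                pid=${fd#/proc/}; pid=${pid%%/*}
                printf '%s %s %s\n' "$pid" "${fd##*/}" "$target"
                ;;
        esac
    done
}

# Total bytes pinned by such files, to compare against the df/du gap.
# Opening /proc/PID/fd/N reaches the inode even though the name is gone.
deleted_open_bytes() {
    total=0
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)")
                [ -f "$fd" ] || continue          # regular files only
                size=$(wc -c < "$fd" 2>/dev/null) || continue
                total=$((total + size))
                ;;
        esac
    done
    echo "$total"
}

# When run directly (assumed file name deleted_open.sh), print the culprits
# and how much space they hold; kill or restart the owning pid to free it.
if [ "${0##*/}" = "deleted_open.sh" ]; then
    deleted_open_files
    echo "bytes held by deleted-but-open files: $(deleted_open_bytes)"
fi
```

Run it as root to see every process; unprivileged runs only report your own. Whether lsof or this script is used, the pid column is what identifies the process to investigate, and a pid whose executable itself shows up as "(deleted)" deserves a closer look.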
--
Dave Dittrich / dittrich at cac.washington.edu
Client Services, Computing & Communications, University of Washington
http://www.washington.edu/People/dad/ [PGP Key]
PGP 6.5.1 key fingerprint: FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5