Security Incidents mailing list archives
Re: Firewall
From: cdp () PEAKPEAK COM (Chuck Phillips)
Date: Sun, 12 Mar 2000 09:12:26 -0700
Damian Gerow writes:
And I've got a new problem. On another firewall, I noticed that the whole HD (968 Meg) got eaten up really quickly. So I deleted all source, and all leftover debian packages (it's running potato), and freed up something like 100 Meg. Within the next 20 minutes, it was all gone again. A "du -c -h" reports 84 Meg total being used up. A "df" reports 100 percent usage.
You would see this if some process opens a file for writing and the file is deleted _but while the file handle is still open_; the file still exists and occupies disk space (as "df" reveals), but can no longer be accessed via any file name (as reflected by "du"). This is often done for temporary files both to reduce the chance of file name collisions and to ensure the file gets deleted if the process gets killed -- even if killed with a "kill -9". For one example, see tmpfile(3). See also df(1) (which queries the disk device), and du(1) (which traverses the file system). If this is the problem, I would expect the file system to have space when you first reboot -- and then quickly fill up after the offending process starts. If the disk *is* full when you first reboot and you still have this large disparity between "df" and "du", then it's probably something else.
In the "bin" directory was an executable file called "[". Would anyone know why?
An experienced UNIX person should know. It's an alias for the "test" command and is usually a soft link or a hard link to that command. In the dark ages of UNIX, you had to write (in Bourne shell): if test -f "$fileName"; then ... fi Now, you instead write: if [ -f "$fileName" ]; then ... fi With this trick, the implementation of "if" didn't need to change. Note that when called with a name of "[", the "test" command expects the last argument to be a "]" -- which is otherwise ignored. See test(1). Not to say "test" couldn't be trojaned, but a non-S[UG]ID executable file called "[" in the same directory as the "test" command is normal. Chuck
Current thread:
- Firewall Damian Gerow (Mar 10)
- <Possible follow-ups>
- Re: Firewall Chuck Phillips (Mar 12)
- Re: Firewall Dave Dittrich (Mar 14)