Re: [tlug] Repairing a Possible Attack
- Date: Sun, 20 Dec 2009 23:42:34 -0500
- From: Patrick Bernier <pat@example.com>
- Subject: Re: [tlug] Repairing a Possible Attack
- References: <4B2EAF3D.20000@example.com>
- User-agent: Mutt/1.5.18 (2008-05-17)
Quoting CL:

> Between 23:30 last evening and 06:30 this morning, over 150Gb of disk
> space on my desktop PC -- running Kubuntu 9.10 -- has disappeared
> leaving me zero disk space. I suspect Something Bad (tm).

Before you panic, do keep in mind that there is a possibility of some
other kind of problem suddenly eating your disk space. And an
/unsuccessful/ attack might have filled your logs, too. I would suggest
first trying to find /what/ is using all that disk space.

> Before nuking the entire installation and doing an NSA wipe of the HDD
> is there some easier way of identifying the problem and eliminating only
> the bad parts and patching? Like listing all files that have been
> written since a certain time / date; listing by size, listing what
> system changes have occurred? etc?

You can use "find" to look for recently created/modified files, e.g.:

    find / -mtime -1

...will give you a list of all files modified in the last 24 hours.
Change -1 to -2 for 48 hours, etc.

Likewise, you can use -size to check for big files:

    find / -size +1G

...will give you a list of all files greater than 1GiB.

If it's not a single big file but a bunch of small files you're hunting,
you can find the biggest directories (in terms of data contained, not
number of files) on your system easily:

    du -Sk / | sort -n | tail

All these commands can take quite a while to run, of course ;->

If you don't find anything, maybe some kind of rootkit is preventing you
from seeing the files. Rebooting with a clean OS (e.g. install/rescue
CD) would likely help.

If indeed your system was compromised, at that point you'll want to
reinstall anyway, but it can be a learning experience to try to figure
out /what/ happened. Just make sure you keep it disconnected from the
network while you play with it, and keep your data drives disconnected
as well. Again, inspecting from a known-clean OS is safer!

-- 
() Patrick (L.) Bernier <pat@example.com>
() http://www.TZoNE.ORG/~pat/
() GPG B070 BBB6 188D EB1E 353A 90E4 96FF D8EB 1ADC BE03
() "Words have meaning, and names have power." -- Lorien
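The find/du triage Patrick describes, collected into a small shell script. This is an added example, not code from the post or from TLUG: the function names, the ROOT/DAYS/SIZE parameters and the sample tree are this example's own. It adds one check the post does not mention: the same "recent files" search run on ctime as well as mtime, because an intruder can backdate a planted file's mtime with touch, but the kernel updates ctime on that very touch and it cannot be set from user space. The script is meant to be run from a known-clean rescue OS against the suspect disk mounted under a separate directory, not against a live "/".

```shell
#!/bin/sh
# Added example, not from the original post: the find/du triage wrapped
# as shell functions so they can be pointed at a suspect disk mounted
# under a known-clean rescue OS (e.g. ROOT=/mnt/suspect, an assumed
# mount point) instead of at a live, possibly rootkitted, "/".

# Files whose content changed in the last DAYS days (find -mtime, as in
# the post). -xdev keeps find off /proc, /sys and other mounted
# filesystems; -type f skips directories and device nodes.
recent_mtime() {
    root=$1; days=$2
    find "$root" -xdev -type f -mtime "-$days" 2>/dev/null
}

# Same window, but on the inode change time (ctime). touch -t / touch -r
# can forge mtime, but that touch itself bumps ctime, which user space
# cannot set, so a backdated file still shows up in this list.
recent_ctime() {
    root=$1; days=$2
    find "$root" -xdev -type f -ctime "-$days" 2>/dev/null
}

# Files larger than SIZE, in find's own size units (1G, 500M, 100k).
big_files() {
    root=$1; size=$2
    find "$root" -xdev -type f -size "+$size" 2>/dev/null
}

# Ten heaviest directories by their own contents (du -S: do not roll
# subdirectories into their parents), in KiB, ascending; -x stays on
# one filesystem like find -xdev.
heavy_dirs() {
    root=$1
    du -Skx "$root" 2>/dev/null | sort -n | tail -n 10
}

# Full report. Usage: triage ROOT DAYS SIZE, e.g. triage /mnt/suspect 1 1G
triage() {
    root=$1; days=$2; size=$3
    echo "== files modified (mtime) in the last $days day(s) =="
    recent_mtime "$root" "$days"
    echo "== files with inode change (ctime) in the last $days day(s) =="
    recent_ctime "$root" "$days"
    echo "== files larger than $size =="
    big_files "$root" "$size"
    echo "== heaviest directories (KiB, ascending) =="
    heavy_dirs "$root"
}
```

Mount the suspect disk read-only before running it (mount -o ro,noexec,nosuid,nodev on the partition, under a mount point of your choosing), so that looking does not alter the timestamps you are looking at and nothing on the disk can execute. Compare the mtime and ctime lists: a file present in the ctime list but absent from the mtime list has had its modification time forged or its metadata (owner, mode) changed recently, which is worth a second look. Note that ctime also moves on legitimate chown/chmod and on package upgrades, so treat it as a lead, not proof.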
- Follow-Ups:
- Re: [tlug] Repairing a Possible Attack
- From: Francois Cartegnie
- References:
- [tlug] Repairing a Possible Attack
- From: CL