Mailing List Archive



Re: [tlug] Repairing a Possible Attack



Quoting CL:
> Between 23:30 last evening and 06:30 this morning, over 150Gb of disk 
> space on my desktop PC -- running Kubuntu 9.10 -- has disappeared 
> leaving me zero disk space.  I suspect Something Bad (tm).

Before you panic, do keep in mind that there is a possibility of some other
kind of problem suddenly eating your disk space. And an /unsuccessful/
attack might have filled your logs, too.

I would suggest first trying to find /what/ is using all that disk space.

> Before nuking the entire installation and doing an NSA wipe of the HDD 
> is there some easier way of identifying the problem and eliminating only 
> the bad parts and patching?  Like listing all files that have been 
> written since a certain time / date; listing by size, listing what 
> system changes have occurred?  etc?

You can use "find" to look for recently created/modified files, e.g.:

	find / -mtime -1

...will give you a list of all files modified in the last 24 hours. Change -1
to -2 for 48 hours, etc.

Likewise, you can use -size to check for big files:

	find / -size +1G

...will give you a list of all files greater than 1GiB.

If it's not a single big file but a bunch of small files you're hunting,
you can find the biggest directories (in terms of data contained, not
number of files) on your system easily:

	du -Sk / | sort -n | tail

All these commands can take quite a while to run, of course ;->

If you don't find anything, maybe some kind of rootkit is preventing you
from seeing the files. Rebooting with a clean OS (e.g. install/rescue CD)
would likely help. If indeed your system was compromised, at that point
you'll want to reinstall anyway, but it can be a learning experience to try
to figure out /what/ happened. Just make sure you keep it disconnected from
the network while you play with it, and keep your data drives disconnected
as well. Again, inspecting from a known-clean OS is safer!

-- 
()  Patrick (L.) Bernier <pat@example.com>
()  http://www.TZoNE.ORG/~pat/
()  GPG B070 BBB6 188D EB1E 353A 90E4 96FF D8EB 1ADC BE03
()  "Words have meaning, and names have power." -- Lorien
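The triage steps described above (recently modified files, big files, biggest directories, then a rescan from a clean rescue system) collected into one script, as an added example that is not part of the original message. It assumes GNU findutils and coreutils (as shipped with Kubuntu 9.10): `find -printf` and `du -S` are GNU extensions. The open-but-deleted-files check is this example's own addition and goes beyond the post: a process that still holds an unlinked file open keeps its blocks allocated, so `df` reports the space as used while `find` and `du` cannot see it. Run it with a mount point as its argument; from a rescue CD, mount the suspect disk read-only first and pass that mount point, which is the only case in which the listing can be trusted if a rootkit is suspected.

```shell
#!/bin/sh
# Disk-space triage helper (added example, not from the original post).
# Assumes GNU findutils/coreutils. Tunables: DAYS (default 1), MIN_SIZE
# (default 100M, in find -size units).

# Files under $1 modified within the last $2 days and larger than $3,
# largest first, printed as "<bytes> <path>". -xdev stays on the one
# filesystem so a mounted rescue target is scanned without wandering
# into the rescue system's own disks.
recent_big_files() {
    root=$1; days=$2; min=$3
    find "$root" -xdev -type f -mtime "-$days" -size "+$min" \
        -printf '%s %p\n' 2>/dev/null | sort -rn
}

# The $2 directories under $1 holding the most data in their *own* files
# (du -S: subdirectories not included), largest first, as "<KiB> <path>".
# This is what finds a log directory full of many small files.
biggest_dirs() {
    root=$1; n=$2
    du -Skx "$root" 2>/dev/null | sort -rn | head -n "$n"
}

# Linux only: walk /proc/<pid>/fd and report descriptors whose target was
# unlinked. Such files still occupy space that df counts but du cannot
# find; restarting the owning process (or truncating via the fd) frees it.
# Entries of other users' processes are unreadable without root and are
# silently skipped.
deleted_open_files() {
    for link in /proc/[0-9]*/fd/*; do
        target=$(readlink "$link" 2>/dev/null) || continue
        case $target in
            *' (deleted)')
                pid=${link#/proc/}; pid=${pid%%/*}
                printf '%s %s %s\n' "$pid" "${link##*/}" "$target" ;;
        esac
    done
}

# Full report for one filesystem root (the mount point of the suspect disk
# when run from a rescue system; "/" when run on the live machine).
triage() {
    root=${1:-/}
    days=${DAYS:-1}
    min=${MIN_SIZE:-100M}
    echo "== files > $min modified in the last $days day(s) under $root =="
    recent_big_files "$root" "$days" "$min" | head -n 20
    echo "== 10 biggest directories under $root (own files only, KiB) =="
    biggest_dirs "$root" 10
    echo "== open-but-deleted files on this running system (pid fd target) =="
    deleted_open_files
}

# Only produce a report when a root was given on the command line, so the
# functions can also be sourced from another script.
if [ $# -gt 0 ]; then
    triage "$@"
fi
```

Raising MIN_SIZE and DAYS narrows the first listing; the directory listing is the one to read when the first comes back empty, since a runaway logger or a spool full of bounce mail rarely produces a single large file.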

