"Peter Davoust" <[EMAIL PROTECTED]> posted [EMAIL PROTECTED], excerpted below, on Tue, 15 Aug 2006 14:51:51 +0000:
> Ok, so I had a 5 gig disk image I was using for a guest OS. I deleted it
> and it brought me down to about 93% usage, and gave me back KDE. Then I
> did a series of du -s /* etc, which took me to a directory I created for
> a Java application I'm writing. Somehow, a file called fool was created,
> and it was enormous. I deleted it and it brought me down to 22% usage.
> Is that insane or what? I guess the file was appropriately named.....

Let's see... 5 gig = 7%, 1.4% per gig. 93%-22%=71%, 71/1.4=... about 50 gigs. A 50 gig "fool" file! (This assumes you didn't delete some other small stuff you failed to mention.)

Yeah, appropriately named, I'd say. Did you check the contents of the thing to see what in the world (um.. what on the disk :) it was? Maybe the creation/modification times, perhaps in comparison to other files? That name is ... strange... to say the least.

Going just on the name, and the fact that it grew so huge, the possibility that immediately came to my mind was a cracker. Following the thought, the file would have been put there as a DoS, possibly because the cracker couldn't get access to anything else but could create a huge file as a disruption, or perhaps there was a trojan plant and it was an activity log the cracker planned on harvesting at some point for password hints or personal details. Hopefully it's nothing of the sort, but the name... f001d might have been a bit more suspicious, but not by much.

Of course, I haven't done Java since about the time I switched from MSWormOS, as it's proprietary/slaveryware if you are using Sun or Blackdown, and somewhat limited at present with the Freedomware alternatives, and I don't know what you are developing, so for all I know, "fool" was a legit file. However, it still /sounds/ suspicious. I'd not be comfortable until I knew exactly why it was there, or at least until I had done a bit of forensics on my system and could be relatively sure I hadn't been compromised.

Of course, one other possibility is a filesystem gone badly wrong, a small file and a file system accident, that an fsck on reboot reconstructed as using all the free space on the entire partition! That would account for the size, but not for the name, which would still need some sort of explanation.

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master -- and if you use the program, he is your master." Richard Stallman
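A small shell helper for the first-look checks suggested in the reply above (which files are unexpectedly large, whether they really occupy that space, owner, mtime versus ctime, and a dump of the first bytes). It is an added example, not code from either poster; the function names and the demo directory it builds are constructed for illustration.

```shell
#!/bin/sh
# Added triage helper (hypothetical, not from the original thread): enumerate
# regular files above a size threshold and report what a first look at a
# mystery file should cover.

# List regular files under DIR ($1) larger than MIN_KB ($2) kilobytes.
large_files() {
    find "$1" -type f -size +"$2"k 2>/dev/null
}

# Number of such files; a quick "is anything unexpected here" check.
count_large_files() {
    large_files "$1" "$2" | wc -l | tr -d ' '
}

# Print "apparent_bytes allocated_kb" for FILE ($1). A big gap means the file
# is sparse and is not really consuming the space its size suggests.
size_vs_allocated() {
    printf '%s %s\n' "$(wc -c < "$1" | tr -d ' ')" "$(du -k "$1" | awk '{print $1}')"
}

# Full report for every large file under DIR ($1), threshold MIN_KB ($2).
triage_large_files() {
    large_files "$1" "$2" | while IFS= read -r f; do
        printf '== %s\n' "$f"
        printf '   size/alloc: %s\n' "$(size_vs_allocated "$f")"
        # ls -l field layout: perms links owner group size date... name
        printf '   owner:      %s\n' "$(ls -l "$f" | awk '{print $3 ":" $4}')"
        printf '   mtime:      %s\n' "$(ls -l  "$f" | awk '{print $6, $7, $8}')"
        # ctime is updated on any inode change and cannot be set with touch(1),
        # so a back-dated mtime next to a recent ctime deserves a closer look.
        printf '   ctime:      %s\n' "$(ls -lc "$f" | awk '{print $6, $7, $8}')"
        printf '   head:\n'
        od -A x -c "$f" | head -n 3 | sed 's/^/      /'
    done
}

# Demo on a constructed directory (not a real incident): one 300 KiB file of
# zeros named like the one in the thread, plus a small text file.
demo_dir=$(mktemp -d)
dd if=/dev/zero of="$demo_dir/fool" bs=1024 count=300 2>/dev/null
printf 'hello\n' > "$demo_dir/notes.txt"
triage_large_files "$demo_dir" 100
rm -rf "$demo_dir"
```

Compare the reported mtime and ctime against neighbouring files in the same directory; the od dump shows at a glance whether the file is all zeros, text, or something binary.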
