Could someone tell me if this behavior is likely to be the result of a hack and, if so, whether there is a better way of dealing with it than reformatting the hard drives and starting again with better security?
Symptoms
Disappearing disk space from the /var partition only. First noticed about 36 hrs ago.
Code:
[root@zs]# df -h
Filesystem Size Used Avail Use% Mounted on
...
/dev/hda6 48G 45G 0 100% /var
[root@zs]# du -sh /var
27G /var
More details in my original question at Disk space - du and df discrepancy (http://www.linuxquestions.org/questions/showthread.php?t=537040).
While /var/log/http/access_log was still being updated, /var/log/http/error_log last changed ~36 hrs ago, and I would have expected a few PHP warnings to appear in there since then.
ssh connections refused, first noticed about 12 hrs ago.
No unrecognized processes were seen running, no malicious damage to web pages and nothing unusual on any other partition, just /var.
I disconnected it from the network about 12 hrs ago, so now we have no web server running. There are the usual failed logins in /var/log/secure, but the successful ones (that remain in the log) are accounted for.
I read that the first thing to do is make sure I'm in control of the machine. How can I do that if I don't know where the disk space went and what it's being used for?
The data are backed up so a rebuild is not out of the question but I'd rather not do it if this has some other cause that I can fix.
Thanks for your opinions.
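Added example, not from the original post or the linked linuxquestions.org thread: on Linux the most common benign explanation for `du` reporting far less than `df` on one partition is a file that was unlinked while a process (often the web server, or a log that was rotated or deleted while still open) keeps a descriptor to it. The blocks stay allocated until the descriptor closes, `df` counts them, and `du` cannot see them because there is no directory entry. The script below scans `/proc/<pid>/fd` for such descriptors and reports them largest first, restricted to one mount point so the total can be compared against the du/df gap. It assumes a Linux `/proc` and root privileges (other users' fd directories are not readable). The `proc_root` and `mount_prefix` parameters are this script's own, not part of any standard tool; `proc_root` exists so the scanner can be pointed at a constructed fake tree for testing.

```python
#!/usr/bin/env python3
"""Report files that were deleted while a process still holds them open.

Such files explain a du/df gap: df counts the blocks, du cannot see them.
Run as root so every process's /proc/<pid>/fd directory is readable.
"""
import os
import sys

# The kernel appends this to the readlink() target of an fd whose
# directory entry has been removed.
DELETED_SUFFIX = " (deleted)"


def scan_deleted_open_files(proc_root="/proc", mount_prefix="/"):
    """Return [{pid, fd, path, size}] for open-but-unlinked regular files.

    proc_root: normally "/proc"; a fake tree can be passed for testing.
    mount_prefix: only report files whose original path starts with this
                  (df reports per mount point, so pass e.g. "/var").
    size is None when the inode cannot be stat'ed (e.g. in a fake tree).
    """
    results = []
    for pid in os.listdir(proc_root):
        if not pid.isdigit():          # skip /proc/self, /proc/sys, ...
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                # process exited or no permission
            continue
        for fd in fds:
            link = os.path.join(fd_dir, fd)
            try:
                target = os.readlink(link)
            except OSError:
                continue               # fd closed between listdir and readlink
            # sockets, pipes and anon inodes never carry the suffix
            if not target.endswith(DELETED_SUFFIX):
                continue
            path = target[: -len(DELETED_SUFFIX)]
            if not path.startswith(mount_prefix):
                continue
            try:
                # stat() on the fd link follows it to the live inode, so the
                # size is the space still held on disk even though the name is gone
                size = os.stat(link).st_size
            except OSError:
                size = None
            results.append({"pid": int(pid), "fd": int(fd),
                            "path": path, "size": size})
    results.sort(key=lambda r: r["size"] or 0, reverse=True)
    return results


def bytes_held(results):
    """Total bytes still allocated to deleted-but-open files in results."""
    return sum(r["size"] or 0 for r in results)


def human(n):
    """Format a byte count the way df -h does (K, M, G)."""
    for unit in ("B", "K", "M", "G", "T"):
        if n < 1024 or unit == "T":
            return "%.1f%s" % (n, unit) if unit != "B" else "%d%s" % (n, unit)
        n /= 1024.0


def main(argv):
    mount = argv[1] if len(argv) > 1 else "/"
    found = scan_deleted_open_files("/proc", mount)
    if not found:
        print("no deleted-but-open files under %s" % mount)
        return 0
    print("%-8s %-4s %-10s %s" % ("PID", "FD", "SIZE", "PATH"))
    for r in found:
        print("%-8d %-4d %-10s %s" % (r["pid"], r["fd"],
                                      human(r["size"] or 0), r["path"]))
    print("total held: %s (compare with the df minus du gap for %s)"
          % (human(bytes_held(found)), mount))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 deleted_open.py /var` on the affected box. If the total reported comes close to the 18G gap between `df` (45G) and `du` (27G), the space is held by a process that should be identified by PID before anything is killed; the same `/proc/<pid>/fd` entry names that process, and `ls -l /proc/<pid>/exe` shows what binary it is, which is exactly the kind of check that tells you whether the file belongs to httpd or to something you do not recognise. If the total is nowhere near the gap, the other classic cause is a directory that had data written into it and was later used as a mount point, hiding the files from `du` (`mount` lists the mount points to check).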