Help answer threads with 0 replies.
Go Back > Forums > Linux Forums > Linux - Newbie
User Name
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!


  Search this Thread
Old 12-28-2016, 06:47 PM   #1
LQ Newbie
Registered: Oct 2016
Posts: 3

Rep: Reputation: Disabled
root filled w/ 0 byte files very fast

Warning panel popped to say root directory is almost full. checked log files to find files opened in /dev at a specific time somehow automatically. There is a group of encrypted files newly created also near the same time, some of which are gigabytes large. Opened as administrator only to find gibberish, but lots of it.
It appears something is producing these files very rapidly. A first line of defence would be to delete these files. So a command using the creation date and time as a filtering aspect might get things under control.
Then finding what is producing the files would be a big help also. Wouldn't know where to begin with either of these ideas.
Any help would be greatly appreciated. Thanks for reading this.
Old 12-28-2016, 10:34 PM   #2
Registered: Jan 2009
Location: Maryland-Pennsylvania border, USA
Distribution: openSUSE 15.2/15.3, Tumbleweed, Kubuntu 18.04/21.04, macOS 10.15, antiX 19, and Linux Mint 19.3
Posts: 860
Blog Entries: 45

Rep: Reputation: 120Reputation: 120
What distro and version are you on?

How old is your harddisk?

What do you know about your security situation?
Old 12-29-2016, 03:27 AM   #3
LQ Guru
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,524

Rep: Reputation: 1015Reputation: 1015Reputation: 1015Reputation: 1015Reputation: 1015Reputation: 1015Reputation: 1015Reputation: 1015
See the find -ctime switch
Old 01-02-2017, 05:11 PM   #4
LQ Newbie
Registered: Oct 2016
Posts: 3

Original Poster
Rep: Reputation: Disabled
Been gone from this post for a few days. Sorry about that. I got to digging into the problem, and here's what I came up with:
Somehow, of which is still unknown to me, ecryptfs-utils got downloaded and halfway installed in my system. When it does this a shitload of files are created. There is a "migration" script to be run, which copies the entire home folder to these newly encrypted files, creating an encrypted home folder. After proper inspection and determining success of the migration of files, the original home folder is deleted leaving only the encrypted version. It is in this transitional process that there are some many files in the system. Once it's done, all is normal again.

Problem: I don't want the encrypting system in my main Linux Mint 17.3 system. I'd rather set up a VM and install ecryptfs there so I can play with it without risking the main system.

Question: How do I delete all these new files and return to normal? I've been searching around for the solution for a couple of days and am still unresolved.

Thanks for reading this.

Last edited by geckobub; 01-02-2017 at 05:15 PM.
Old 01-10-2017, 09:17 PM   #5
LQ Newbie
Registered: Oct 2016
Posts: 3

Original Poster
Rep: Reputation: Disabled
ecryptfs invasion update

Update for the ecryptfs invasion. I did find a page which provided seemly pertinent instructions on how to remove the ecrypt system from the home directory. I followed these instructions as explicitly as I could ascertain and the entire home folder was deleted along with the ecrypt system.

Unfortunately, I did not have a current enough backup without the ecrypt system to enjoy an easy restore of the home folder. Hence, I cut my losses and did the thing I was planning on for several months: upgrade to 18.1. Much of the home folder was retrievable (in pieces) and the upgrade went reasonably smooth.

However, the issue of ecryptfs getting into my system without any assistance from me is still an unanswered question.

Security: firewall per default settings. Other than this, no other active hardening of the system. As a reminder, this was Linux Mint Mate 17.3 with 3.19 kernel.

Other than this, I have nothing else to report. I still have the ecrypt backup files and could investigate various logs and whatever, but I am not experienced enough to know where to look nor what to look for. If anyone would like to point the way to find out more about this invasion, I'm willing to do the digging if someone with experience does the pointing to where I should dig.

Thanks again.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
fsck.ext4 zero-filled Files on a lvm-partition because of dying drive DrBenzo Linux - Newbie 5 01-24-2014 07:44 AM
[SOLVED] memcpy fails to copy data, but byte by byte assignment work venu_s Programming 7 07-08-2011 03:29 AM
Root filled when tarring /home aragon127 Linux - Software 4 10-15-2006 02:32 PM
.xsession-errors filled my root partition now i cant boot suse10.0 64bit ianio Linux - Hardware 1 03-23-2006 04:40 AM > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 05:30 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration