On Jul 23, 2002 10:48 +0200, Michael Hoennig wrote:
> > Well, if this is a publicly available system, there is always the chance
> > that your server has been compromised and is hosting warez or other
> > junk.
>
> But even then, the bytes would have to be somewhere in use, right?

Not if the tools themselves are compromised. Often, you will have a "du"
(or worse, a kernel module that overrides the sys_stat syscall or something)
which does not display some warez directory (e.g. ".. " or whatever).
Similarly, ls and other tools will also be compromised. The only way to
see to this directory is to cd into it, already knowing the name.

> > If this isn't a critically busy system, you could go into single user
> > mode and run "e2fsck -f <dev>" to see if there is something wrong with
> > the filesystem. However, I suspect that as soon as you shut down to
> > single user mode and your processes are killed that your space will
> > become available again even before e2fsck is run.
>
> Fortunately it is only a Standby- and Backup-Server. Thus, I stopped all
> daemons, unmounted /var, called e2fsck, mounted again, started daemons
> and: usage is 48% - about what I expected. Strange.

It may also have been unlinked files in a directory that was deleted.
If it happens again, you can try stopping the services one at a time to
see which one is causing the problem, to help trace it down.

Cheers, Andreas
--
Andreas Dilger
http://www-mddsp.enel.ucalgary.ca/People/adilger/
http://sourceforge.net/projects/ext2resize/
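Added example, not part of the original message: a shell function that lists the unlinked-but-still-open files mentioned in the reply above, per process, by reading the /proc/<pid>/fd links, so the service holding the space can be identified without stopping daemons one at a time. It assumes Linux /proc and a stat that supports -c; the function name and its two parameters are hypothetical.

```shell
#!/bin/sh
# Added example: report files that are unlinked but still held open.
# Usage: deleted_open_files [PROC_ROOT] [PATH_PREFIX]
#   PROC_ROOT    defaults to /proc (a parameter so the logic can be tested)
#   PATH_PREFIX  optional filter, e.g. /var to look at one filesystem only
# Output: "<size_bytes> <pid> <command> <path>" per open fd, largest first.
# Run as root to see the descriptors of every process, for example:
#   deleted_open_files /proc /var
deleted_open_files() {
    proc_root=${1:-/proc}
    prefix=${2:-/}
    for fd in "$proc_root"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue
        target=$(readlink "$fd" 2>/dev/null) || continue
        # The kernel appends " (deleted)" to the link target once the last
        # directory entry for the open inode has been removed.
        case $target in
            "$prefix"*" (deleted)") ;;
            *) continue ;;
        esac
        pid_dir=${fd%/fd/*}
        pid=${pid_dir##*/}
        # stat -L follows the fd link to the still-open inode, so this is the
        # space that df counts as used but du can no longer find by name.
        size=$(stat -L -c %s "$fd" 2>/dev/null) || size=0
        comm=$(cat "$pid_dir/comm" 2>/dev/null) || comm='?'
        printf '%s %s %s %s\n' "$size" "$pid" "$comm" "${target% (deleted)}"
    done | sort -rn
}
```

With the default prefix of / the output also includes memfd-backed descriptors, which do not occupy disk space; passing the mount point as PATH_PREFIX filters them out.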