On Tue, 2006-06-27 at 15:06 -0400, Sam Drinkard wrote:
Jason Bradley Nance wrote:
<snip>
AFAIK, the machine has not been compromised. It's pretty well sealed off with the exception of myself and 2 other very trusted users. Not exposed even on port 80. Named is really only caching, and I do know from past kills, it does write to /var/log/messages. I'm very tempted to boot again and see if something shows up somewhere else, but one of my main jobs just started up and I hate to kill it off due to time constraints.
Well, if you're not worried about a compromise under these circumstances... ;-)) I'd let your jobs finish and not sweat about it. You said you had plenty of disk space, did you "df -i" to see if you exhausted your i-nodes (unlikely, I know, but no assumptions are warranted now).
Do you have quotas? Any chance they hit someone they weren't supposed to hit? Permissions on the directory still as they should be?
[wild-bill@wlmlfs08 ~]$ ls -dl /var/log
drwxr-xr-x 22 root root 4096 Jun 25 04:02 /var/log
As folks have mentioned in other threads, a chkrootkit run might be appropriate if you can't find the cause.
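
The inode and permission checks suggested in this message, written as a small script. This is an added example, not part of the original thread; the function names, the 95% threshold and the `--run` switch are assumptions of the example, and it expects the GNU `df -iP` column layout.

```sh
#!/bin/sh
# Added example: triage for "nothing is being written to /var/log/messages".
# Function names and the 95% threshold are assumptions of this example.

# Read `df -iP <path>` output on stdin and print IUse% of the data row
# as a bare integer. Filesystems that report "-" are treated as 0.
inode_use_pct() {
    awk 'NR == 2 { sub(/%/, "", $5); print ($5 == "-" ? 0 : $5) }'
}

# Read one `ls -dl` line on stdin. Succeed only if it shows the mode and
# ownership seen in the listing above: drwxr-xr-x root root.
# A trailing ".", "+" or "@" (SELinux context / ACL marker) is ignored.
log_dir_perms_ok() {
    awk '{ m = $1; sub(/[.+@]$/, "", m)
           ok = (m == "drwxr-xr-x" && $3 == "root" && $4 == "root") }
         END { exit !ok }'
}

# Run both checks against a live directory; returns the number of findings.
triage() {
    dir=${1:-/var/log}
    findings=0

    pct=$(df -iP "$dir" 2>/dev/null | inode_use_pct)
    pct=${pct:-0}
    if [ "$pct" -ge 95 ]; then
        echo "WARN: ${pct}% of inodes used on the filesystem holding $dir"
        findings=$((findings + 1))
    else
        echo "ok:   inode use ${pct}% for $dir"
    fi

    if ls -dl "$dir" | log_dir_perms_ok; then
        echo "ok:   $dir is drwxr-xr-x root root"
    else
        echo "WARN: unexpected mode/owner: $(ls -dl "$dir")"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Only touch the live system when asked to: sh triage.sh --run [dir]
if [ "${1:-}" = "--run" ]; then
    triage "${2:-/var/log}"
fi
```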