William L. Maltby wrote:
AFAIK, the machine has not been compromised. It's pretty well sealed off with the exception of myself and 2 other very trusted users. Not exposed even on port 80. Named is really only caching, and I do know from past kills, it does write to /var/log/messages. I'm very tempted to boot again and see if something shows up somewhere else, but one of my main jobs just started up and I hate to kill it off due to time constraints.
Well, if you're not worried about a compromise under these circumstances... ;-)) I'd let your jobs finish and not sweat about it. You said you had plenty of disk space, did you "df -i" to see if you exhausted your i-nodes (unlikely, I know, but no assumptions are warranted now).
Do you have quotas? Any chance they hit someone they weren't supposed to hit? Permissions on the directory still as they should be?
[wild-bill@wlmlfs08 ~]$ ls -dl /var/log
drwxr-xr-x 22 root root 4096 Jun 25 04:02 /var/log
As folks have mentioned in other threads, a chkrootkit run might be appropriate if you can't find the cause.
There is no way this machine could be compromised from outside. It just can't happen. Plenty of i-nodes, plenty of disk space, no quotas, all the lock files are correct, directory perms are OK, file perms are OK, etc. It may be time to reboot anyhow and see if it comes back, or if something pops up during the reboot -- hang the run -- I need the log files to make sure some other software is working, and it appears that the logging for it is bombed too; even though it's got its own logging facility, it does use syslog to write. Have tried with and without it active, and no joy.
There's gotta be something strange... now that I think about it, my daily log got really short sometime back, but I don't remember exactly when. I assumed it was due to stopping a lot of processes. Hmmm.... someone tell me what processes besides syslog and dbus are required for it... I may have stepped on my thingy myself!
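The checks the thread runs by hand (free i-nodes, free space, directory and file permissions, and an actual append to the log) collected into one shell function, as an added example that is not from any of the list posters. The directory and file name are parameters so it can be pointed at /var/log and messages or at a scratch directory; it assumes GNU coreutils df and stat (with a BSD stat fallback) and does not need a running syslog.

```shell
#!/bin/sh
# Added example: turn the thread's checklist into a repeatable diagnostic
# for "syslog stopped writing to its log file". Nothing here is taken
# from the original posts except the checks themselves.

# Free i-nodes on the filesystem holding $1; "n/a" when the filesystem
# does not track an i-node table (df reports 0 total, e.g. btrfs).
free_inodes() {
    df -Pi "$1" | awk 'NR==2 { if ($2 == 0) print "n/a"; else print $4 }'
}

# Free 1K blocks on the filesystem holding $1.
free_blocks() {
    df -Pk "$1" | awk 'NR==2 { print $4 }'
}

# Octal permission bits of $1 (GNU stat first, BSD stat as fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_log_dir DIR FILE: return 0 when DIR/FILE looks writable and the
# filesystem still has i-nodes and space; otherwise print one line per
# failed check and return 1. Root ignores mode bits, so the final append
# test is what catches an immutable/append-only file or a full disk.
check_log_dir() {
    dir=$1; file=$2; rc=0
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    ino=$(free_inodes "$dir")
    [ "$ino" = n/a ] || [ "$ino" -gt 0 ] || { echo "no free i-nodes on $dir"; rc=1; }
    [ "$(free_blocks "$dir")" -gt 0 ] || { echo "no free space on $dir"; rc=1; }
    case "$(perm_of "$dir")" in                 # expect 755 root:root on /var/log
        7??|?7??) ;;
        *) echo "directory not writable by owner: $dir"; rc=1 ;;
    esac
    if [ -e "$dir/$file" ]; then
        case "$(perm_of "$dir/$file")" in
            [67]??|?[67]??) ;;
            *) echo "log file not writable by owner: $dir/$file"; rc=1 ;;
        esac
        ( : >> "$dir/$file" ) 2>/dev/null || { echo "cannot append to $dir/$file"; rc=1; }
    else
        echo "log file absent: $dir/$file"; rc=1
    fi
    return $rc
}
```

Run it as `check_log_dir /var/log messages`; a clean exit with no output means the filesystem and permissions are not the cause and the daemon itself (or its config and lock files) is the next thing to look at.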