Re: ext3 device reported to be 100% full, but we do not know where?

On Jul 23, 2002  10:48 +0200, Michael Hoennig wrote:
> > Well, if this is a publicly available system, there is always the chance
> > that your server has been compromised and is hosting warez or other
> > junk.
> But even then, the bytes would have to be somewhere in use, right?  

Not if the tools themselves are compromised.  Often, you will have
a "du" (or worse, a kernel module that overrides the sys_stat syscall
or something) which does not display some warez directory (e.g. ".. "
or whatever).  Similarly, ls and other tools will also be compromised.
The only way to see this directory is to cd into it, already knowing
the name.

> > If this isn't a critically busy system, you could go into single user
> > mode and run "e2fsck -f <dev>" to see if there is something wrong with
> > the filesystem.  However, I suspect that as soon as you shut down to
> > single user mode and your processes are killed that your space will
> > become available again even before e2fsck is run.
> Fortunately it is only a Standby- and Backup-Server.  Thus, I stopped all
> daemons, unmounted /var, called e2fsck, mounted again, started daemons
> and: usage is 48% - about what I expected.  Strange.

It may also have been unlinked files in a directory that was deleted.
If it happens again, you can try stopping the services one at a time
to see which one is causing the problem, to help trace it down.

Cheers, Andreas
Andreas Dilger
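
The unlinked-but-still-open case mentioned above can be checked before stopping any service. The following is an added example, not part of the original message: it walks /proc/<pid>/fd and reports regular files on one filesystem that have no directory entry left. The function names and the default mount point /var are assumptions chosen for illustration.

```python
# Added example (not from the original thread): find space held by unlinked files.
import os
import stat
import sys


def deleted_open_files(dev, proc_root="/proc"):
    """Return a dict per open fd on device `dev` whose file has no name left."""
    found = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
            with open(os.path.join(proc_root, pid, "comm"), errors="replace") as fh:
                comm = fh.read().strip()
        except OSError:  # process exited, or not permitted (run as root)
            continue
        for fd in fds:
            link = os.path.join(fd_dir, fd)
            try:
                target = os.readlink(link)  # kernel appends " (deleted)"
                st = os.stat(link)  # follows the link to the open inode
            except OSError:
                continue
            if st.st_dev != dev or not stat.S_ISREG(st.st_mode):
                continue
            # st_nlink == 0: no directory entry is left, so du cannot count
            # the file, yet df does until the last descriptor is closed.
            if st.st_nlink == 0:
                found.append({"pid": int(pid), "comm": comm, "fd": int(fd),
                              "path": target, "ino": st.st_ino,
                              "size": st.st_size,
                              "allocated": st.st_blocks * 512})
    return found


def held_bytes(entries):
    """Sum allocated bytes, counting an inode once however many fds hold it."""
    return sum({e["ino"]: e["allocated"] for e in entries}.values())


if __name__ == "__main__":
    mount = sys.argv[1] if len(sys.argv) > 1 else "/var"  # /var as in the thread
    entries = deleted_open_files(os.stat(mount).st_dev)
    for e in sorted(entries, key=lambda e: -e["allocated"]):
        print(f'{e["allocated"]:>12} {e["comm"]}[{e["pid"]}] fd {e["fd"]} {e["path"]}')
    print(f"{held_bytes(entries)} bytes held by unlinked files on {mount}")
```

The listing comes from the running kernel, so it is only as trustworthy as that kernel; if the total does not explain the gap between du and df, that points back to the compromised-tools case and calls for checking the disk from known-good media.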

