Re: /var partition overflow (due to spyware?) in FreeBSD default install

From: Brett Glass (brett_at_lariat.org)
Date: 10/24/03

    Date: Thu, 23 Oct 2003 18:41:12 -0600
    To: Garance A Drosihn <drosih@rpi.edu>, security@freebsd.org
    
    

    At 06:01 PM 10/23/2003, Garance A Drosihn wrote:

    >My /etc/newsyslog.conf indicates that /var/log/messages
    >should be rotated whenever it gets over 100K.

    Absolutely correct. And the default /etc/crontab doesn't
    run newsyslog often enough to catch it before it overflows the
    entire disk -- at least when there's a storm of these messages.
    (By the way, I've received a note via private e-mail suggesting
    that the QHosts worm could be the culprit, but it doesn't have
    these symptoms.)

    >I'm sure that /var can fill up even if /var/log/messages is
    >rotated every hour, if the error messages are coming in fast
    >enough. But the file should be getting rotated once per hour
    >in the default install, not once per day.

    Actually, you're correct. newsyslog runs once per hour in the
    default install. This shows just how fast the messages can
    accumulate. And when it DID finally run, it didn't have room to
    compress the old file, so the log remained uncompressed and the
    disk remained full.

    >I do not think that the correct solution is to rotate the
    >files at an even faster rate.

    Running newsyslog doesn't ALWAYS rotate the log. In the case
    of /var/messages, it checks to see whether the log needs it.

    >Just how large is /var on the
    >machine where you're seeing this problem?

    On the machine from which I took those messages, it's 256M.

    --Brett

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
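The two mechanisms the thread turns on are newsyslog's size trigger (rotate only when the file is over the configured size, checked on each hourly cron run) and the compression step that fails once /var has no free space, leaving the old log uncompressed and the disk full. The script below is an added illustration of both, not code from this thread or from FreeBSD's newsyslog: it rotates a log when it exceeds a byte threshold and refuses to compress when the filesystem lacks room for gzip's working copy, so the failure is reported rather than silently leaving the partition full. It assumes POSIX sh with `wc`, `df -P`, `gzip` and `awk` available; the optional second argument to `compress_if_room` (available KiB) is a hypothetical override for exercising the no-room path without actually filling a disk.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of newsyslog itself.

# rotate_if_over LOGFILE THRESHOLD_BYTES
# Mimics newsyslog's size column: rotate only when the file is larger than
# THRESHOLD_BYTES. Prints "rotated" or "skipped"; returns 1 if the file is missing.
rotate_if_over() {
    log=$1
    limit=$2
    [ -f "$log" ] || { echo "missing"; return 1; }
    size=$(wc -c < "$log" | tr -d ' ')
    if [ "$size" -le "$limit" ]; then
        echo "skipped"
        return 0
    fi
    # Keep a single previous generation (like count=1 in newsyslog.conf).
    mv "$log" "$log.0"
    # Recreate the empty live log; real newsyslog would then SIGHUP syslogd.
    : > "$log"
    echo "rotated"
}

# compress_if_room FILE [AVAIL_KB]
# gzip writes FILE.gz before unlinking FILE, so roughly one more copy of the
# file must fit. Check free space first instead of letting gzip fail on a
# full /var. AVAIL_KB is a hypothetical test hook; when omitted, df is consulted.
# Prints "compressed" or "no-room"; returns 1 when there is no room.
compress_if_room() {
    f=$1
    need=$(( $(wc -c < "$f" | tr -d ' ') / 1024 + 1 ))   # KiB, rounded up
    avail=${2:-$(df -Pk "$(dirname "$f")" | awk 'NR==2 {print $4}')}
    if [ "$avail" -lt "$need" ]; then
        echo "no-room"
        return 1
    fi
    gzip -f "$f" && echo "compressed"
}

# Stand-alone demonstration on a constructed 200 KiB log in a temp directory.
if [ "${DEMO:-0}" = "1" ]; then
    d=$(mktemp -d)
    head -c 204800 /dev/zero | tr '\0' 'x' > "$d/messages"
    rotate_if_over "$d/messages" 102400      # rotated (200K > 100K)
    rotate_if_over "$d/messages" 102400      # skipped (new log is empty)
    compress_if_room "$d/messages.0" 1       # no-room (pretend 1 KiB free)
    compress_if_room "$d/messages.0"         # compressed (real free space)
    rm -rf "$d"
fi
```

Run with `DEMO=1 sh script.sh` to see all four outcomes. The point of the free-space check is that a "no-room" result can be logged or alerted on, whereas newsyslog's own behaviour in the thread was to leave the uncompressed file in place with nothing to tell the operator why /var stayed full.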


