[lug] ls -l /var/tmp = drwxrwxrwt 16 root root 1478656 Mar 19 10:38 tmp

D. Stimits stimits at idcomm.com
Mon Mar 19 14:54:57 MST 2001


Bob Collins wrote:
> 
> "D. Stimits" wrote:
> [snip]
> 
> ls -ald * gave: argument list too long.
> 
> ls -ald gave: drwxrwxrwt  16 root     root      1478656 Mar 19 10:38 .
> 
> It looks like most of the files were created by kde.

That sounds entirely too long. A misbehaved app can do that, or problems
with the window manager, or even malicious intent. Try instead of
listing all things, list them in groups, e.g.:
ls -ald [a-d]*
ls -ald [e-l]*
ls -ald [m-r]*
ls -ald [s-t]*
ls -adl [u-z]*

Use rm -Rf on groups that you don't think are a problem. With that many
temp files, I'd be willing to say "this shouldn't be", and wipe them. Or
maybe better yet, create a directory: /tmp2, then use mv, and do for
example:
mv [a-d]* /tmp2/

Then examine them. It isn't necessarily something malicious going on,
but you need to find out why this is happening. I would be at least
somewhat suspicious. It probably isn't SuperForker, since it doesn't
pile lots of files in one directory; it instead creates subdirectory
after subdirectory as one deep subdirectory. Find out who owns those
files, and what group they are when you find something obviously wrong.
Look for dates as well, try to find a pattern. If necessary, use rm -f
on a group; you can't let that many files sit in tmp, it isn't "right".

> 
> >  10:38 ectories are in /tmp/? Most X related ones can be removed
> > (probably best while X isn't running, init to non-X runlevel if it
> > automatically runs X at startup). Some of those are:
> > .ICE-unix
> > .X11-unix
> > .esd
> > .gnome
> > .xf86config*
> > .kfm-cache-*
> > nscomm*
> > orbit-*
> >
> > There are in fact annoyance programs that take advantage of filling up a
> > partition through tmp entries. The one that I've helped others fix in
> > the past is "SuperForker", a fork bomb that builds subdirectories,
> > recursively, in /tmp/ where anyone has permission. It grows until the
> > system is out of resources, and uses directory names that can't be typed
> > in at the keyboard without special escape sequences. What does it show
> > if you type from /tmp/ "ls -ald *"?
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> 
> --
>    Regards, Bob Collins
> People often find it easier to be a result of the past than a
> cause of the future.
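
Added example, not part of the original message: one way to get the owner, group, date and name-pattern overview the reply asks for when the directory is too full for "ls -ald *". It assumes GNU find (for -printf), and the function names are hypothetical.

```shell
#!/bin/sh
# Triage a directory that holds too many entries for "ls -ald *".
# find walks the directory itself, so no glob is expanded and the
# "argument list too long" limit never applies.
# Assumes GNU find (-printf); the function names are hypothetical.

# tmp_summary DIR: entries per owner, group and modification day, largest first.
tmp_summary() {
    find "$1" -mindepth 1 -maxdepth 1 -printf '%u %g %TY-%Tm-%Td\n' |
        sort | uniq -c | sort -rn
}

# tmp_name_patterns DIR [N]: the N most common name shapes, with every run of
# digits collapsed to "N" so that numbered files from one program group together.
tmp_name_patterns() {
    find "$1" -mindepth 1 -maxdepth 1 -printf '%f\0' |
        tr '\n' '?' | tr '\0' '\n' |      # a newline inside a name becomes "?"
        sed 's/[0-9][0-9]*/N/g' |
        sort | uniq -c | sort -rn | head -n "${2:-10}"
}

# tmp_list_owner DIR USER: "ls -ald" for one owner's entries, run in batches.
tmp_list_owner() {
    find "$1" -mindepth 1 -maxdepth 1 -user "$2" -exec ls -ald {} +
}

# Run as a script: ./tmp-triage.sh /var/tmp
if [ "$#" -gt 0 ]; then
    tmp_summary "$1"
    tmp_name_patterns "$1"
fi
```

A single owner, day or name shape that accounts for most of the count is the pattern to chase; tmp_list_owner then shows just that owner's entries.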


