Hey guys,
Earlier this week I started getting error emails from a cron job on one of my personal servers. It was complaining that the log file it was supposed to be reporting on didn't exist.
I ssh'ed into the box and was shocked to see that /var/log was no longer in existence! This box is on a public IP address, but behind a hardware firewall with only POP, SMTP, IMAP, HTTP and HTTPS open to the world. I downloaded a couple things (like chkrootkit) and scanned for rootkits and the like, but found nothing.
With the exception of the 'log' directory being gone, the machine seems to be operating as normal... no disk space mysteriously missing... no unusual spiking of the CPU or anything else.
I'd done a complete backup of /var about two weeks earlier, so I restored the old 'log' directory and things started to be written to like normal again. Nothing suspicious has shown up in any of the logs since.
This directory is on the same partition with /, so there isn't a chance that the partition went wonky (if a partition had been mounted just for /var/log) and unmounted.
Any ideas? Anyone ever seen something like this before?
Joe
Earlier this week I started getting error emails from a cron job on one of my personal servers. It was complaining that the log file it was supposed to be reporting on didn't exist.
I ssh'ed into the box and was shocked to see that /var/log was no longer in existence! This box is on a public IP address, but behind a hardware firewall with only POP, SMTP, IMAP, HTTP and HTTPS open to the world. I downloaded a couple things (like chkrootkit) and scanned for rootkits and the like, but found nothing.
With the exception of the 'log' directory being gone, the machine seems to be operating as normal... no disk space mysteriously missing... no unusual spiking of the CPU or anything else.
I'd done a complete backup of /var about two weeks earlier, so I restored the old 'log' directory and things started to be written to like normal again. Nothing suspicious has shown up in any of the logs since.
This directory is on the same partition with /, so there isn't a chance that the partition went wonky (if a partition had been mounted just for /var/log) and unmounted.
Any ideas? Anyone ever seen something like this before?
Joe
