Space Theft

[Punkluis]

I have had some users(3) show up on WHM as they are using like 400MB(average) but when I du -sh them on SSH it shows up they were actually using 16GB, they hid some files on folders named like "...", ".,/.,", "happy.gif/.,/..." now, WHM wasnt able to read those folders so they were stealing alot of space, how do I fix this?

[chirpy]

If they're owned by the user they would show up, but I would bet they're owned by nobody:nobody - either way, those are exploit files and those accounts or the scripts running in them have been compromised and you could have hackers daemons running on your server. you need to check the whole server over thoroughly.

[RoboCop777]

Whoa, this really sucks. I better start checking my folders. You maybe should disable their accounts or ask them whats going on.

[bman]

install rkhunter
http://downloads.rootkit.nl/rkhunter-1.2.4.tar.gz

in your linux root shell type
cd /usr/local
wget http://downloads.rootkit.nl/rkhunter-1.2.4.tar.gz
tar xzvf rkhunter-1.2.4.tar.gz
cd rkhunter-1.2.4
sh ./install.sh

[eth00]

As posted above sounds like your server might be hacked. What files have they uploaded to the server? I bet they will be illegal movies and games which if that is true is probably causing your server to transfer a lot more then is necessary.

As chirpy said file ownership is how quotas are determined.

[JohnBB]

Hi !

Maybe you have a tip for me? It seems someone is "hiding" 30 Gig of space on our server's HDD somehow. WHM does show 20 Gig being used for the /home directory -- and this on a 80 Gig HDD should not add up to 85%.

What would be a way to find directories like "...", ".,/.," --- if ownership would be "nobody"?

Best,
John

[chirpy]

It's probably simpler to use du from the top of /home and work your way downwards:

cd /home
du --max-depth=1 -h