Update:
Thanks to Sven Joachim and Andrew Pollock for informing me about /etc/init.d/mountoverflowtmp which exists to mount a tmpfs named overflow if /tmp is full at boot time. It appears that the system was not compromised. But regular reinstalls are always a good thing.
On the 24th of August this year I noticed the following on my SE Linux Play Machine [1]:
root@play:/root# df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/hda               1032088    938648     41012  96% /
tmpfs                    51296         0     51296   0% /lib/init/rw
udev                     10240        24     10216   1% /dev
tmpfs                    51296         4     51292   1% /dev/shm
/dev/hdb                516040     17128    472700   4% /root
/dev/hdc                  1024         8      1016   1% /tmp
overflow                  1024         8      1016   1% /tmp
The kernel message log had the following:
[210511.546152] su[769]: segfault at 0 ip b7e324e3 sp bfa4b064 error 4 in libc-2.7.so[b7dbb000+158000]
[210561.527839] su[778]: segfault at 0 ip b7eb14e3 sp bfec84d4 error 4 in libc-2.7.so[b7e3a000+158000]
[210585.270372] su[784]: segfault at 0 ip b7e044e3 sp bff1b534 error 4 in libc-2.7.so[b7d8d000+158000]
[210595.855278] su[789]: segfault at 0 ip b7e014e3 sp bfd18324 error 4 in libc-2.7.so[b7d8a000+158000]
[210639.496847] su[796]: segfault at 0 ip b7e874e3 sp bf99e7b4 error 4 in libc-2.7.so[b7e10000+158000]
Naturally this doesn’t look good: the filesystem known as “overflow” indicates a real problem. It appears that the machine was compromised. So I’ve made archival copies of all the data and reinstalled it.
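The two artefacts above are worth decoding mechanically before reaching for the reinstall. The update at the top of the post and the comments below attribute the “overflow” mount to Debian’s /etc/init.d/mountoverflowtmp, which mounts a tmpfs over /tmp when /tmp has no room at boot. The segfault lines carry more information than they appear to: “error 4” is the x86 page-fault error code (bit 0 = protection violation vs. not-present, bit 1 = write vs. read, bit 2 = user mode), “at 0” is a NULL pointer dereference, and subtracting each libc base address from its ip gives the offset of the faulting instruction inside libc-2.7.so. The following script is an added example, not code from the post or from Debian; it parses the df listing and the kernel lines quoted above (embedded as constructed sample input) and reports both checks. The function and field names are my own.

```python
import re

# Constructed sample input: the df listing and the five su segfault lines
# quoted in the post, embedded here so the script runs offline.
DF_OUTPUT = """\
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/hda 1032088 938648 41012 96% /
tmpfs 51296 0 51296 0% /lib/init/rw
udev 10240 24 10216 1% /dev
tmpfs 51296 4 51292 1% /dev/shm
/dev/hdb 516040 17128 472700 4% /root
/dev/hdc 1024 8 1016 1% /tmp
overflow 1024 8 1016 1% /tmp
"""

KERNEL_LOG = """\
[210511.546152] su[769]: segfault at 0 ip b7e324e3 sp bfa4b064 error 4 in libc-2.7.so[b7dbb000+158000]
[210561.527839] su[778]: segfault at 0 ip b7eb14e3 sp bfec84d4 error 4 in libc-2.7.so[b7e3a000+158000]
[210585.270372] su[784]: segfault at 0 ip b7e044e3 sp bff1b534 error 4 in libc-2.7.so[b7d8d000+158000]
[210595.855278] su[789]: segfault at 0 ip b7e014e3 sp bfd18324 error 4 in libc-2.7.so[b7d8a000+158000]
[210639.496847] su[796]: segfault at 0 ip b7e874e3 sp bf99e7b4 error 4 in libc-2.7.so[b7e10000+158000]
"""

# Shape of the kernel's 32-bit x86 segfault report: "comm[pid]: segfault at ADDR ip IP sp SP
# error N in OBJ[BASE+SIZE]"; the "in ..." part is absent when the ip is not inside a mapping.
SEGFAULT_RE = re.compile(
    r"\[\s*(?P<ts>[\d.]+)\]\s+(?P<comm>[^\[\s]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+)"
    r" ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
    r"(?: in (?P<obj>\S+?)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)


def parse_df(text):
    """Parse `df` output (sizes in 1K blocks) into one dict per mounted filesystem."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header line
        fs, blocks, used, avail, pct, mnt = line.split(None, 5)
        rows.append({"fs": fs, "blocks": int(blocks), "used": int(used),
                     "avail": int(avail), "pct": int(pct.rstrip("%")), "mnt": mnt})
    return rows


def overflow_tmp(rows):
    """Return (overflow tmpfs row, filesystem it was mounted over) or None.

    Debian's /etc/init.d/mountoverflowtmp mounts a tmpfs named 'overflow' on /tmp
    when /tmp has no room at boot, so the mount is a disk-space symptom, not a
    sign of an intruder. The row mounted on /tmp before it is the filesystem it hides.
    """
    for i, r in enumerate(rows):
        if r["fs"] == "overflow" and r["mnt"] == "/tmp":
            under = next((u for u in rows[:i] if u["mnt"] == "/tmp"), None)
            return r, under
    return None


def decode_fault(code):
    """Decode the x86 page-fault error code the kernel prints after 'error'."""
    return {
        "present": bool(code & 1),   # 1: protection violation, 0: page not mapped
        "write": bool(code & 2),     # 1: write access, 0: read
        "user": bool(code & 4),      # 1: fault raised in user mode
        "reserved": bool(code & 8),  # reserved bit set in a page-table entry
        "ifetch": bool(code & 16),   # instruction fetch (NX)
    }


def parse_segfaults(text):
    """Extract every segfault line and compute the faulting offset inside its object."""
    hits = []
    for line in text.splitlines():
        m = SEGFAULT_RE.search(line)
        if not m:
            continue
        ip = int(m["ip"], 16)
        base = int(m["base"], 16) if m["base"] else None
        size = int(m["size"], 16) if m["size"] else None
        hits.append({
            "comm": m["comm"], "pid": int(m["pid"]),
            "addr": int(m["addr"], 16), "ip": ip, "err": int(m["err"]),
            "obj": m["obj"], "base": base, "size": size,
            "offset": ip - base if base is not None else None,
            "in_map": base is not None and base <= ip < base + size,
        })
    return hits


def summarize(hits):
    """Group crashes by (program, object, offset).

    The same offset with a different base each time means one instruction in
    libc is faulting repeatedly; the differing absolute addresses are just
    per-process randomisation of the library's load address.
    """
    groups = {}
    for h in hits:
        groups.setdefault((h["comm"], h["obj"], h["offset"]), []).append(h["pid"])
    return groups


def describe(h):
    """One-line human reading of a parsed segfault entry."""
    f = decode_fault(h["err"])
    what = "NULL pointer dereference" if h["addr"] == 0 else f"access to 0x{h['addr']:x}"
    mode = "user" if f["user"] else "kernel"
    kind = "write" if f["write"] else "read"
    page = "protection violation" if f["present"] else "unmapped page"
    where = f"{h['obj']}+0x{h['offset']:x}" if h["obj"] else "outside any mapping"
    return f"{h['comm']}[{h['pid']}]: {what}, {mode}-mode {kind}, {page}, {where}"


if __name__ == "__main__":
    ov = overflow_tmp(parse_df(DF_OUTPUT))
    if ov:
        print(f"overflow tmpfs on /tmp hides {ov[1]['fs']} "
              f"({ov[1]['blocks']}K total, {ov[1]['avail']}K free)")
    crashes = parse_segfaults(KERNEL_LOG)
    for h in crashes:
        print(describe(h))
    for (comm, obj, off), pids in summarize(crashes).items():
        print(f"{len(pids)} crashes of {comm} at {obj}+0x{off:x}: pids {pids}")
```

On the post's data every one of the five su crashes is a user-mode read of an unmapped page at address 0, faulting at the same offset 0x774e3 inside libc-2.7.so, and the "overflow" mount sits on top of a 1 MB /dev/hdc with 1016K free. What that offset corresponds to in the installed libc is not recoverable from the log alone; it would need the matching libc build and its symbols.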
As the weather here is becoming warmer I’ve used new hardware for my new Play Machine. The old system was a 1.8GHz Celeron with 1280M of RAM and two IDE disks in a RAID-1 array. The new system is a P3-800 with 256M of RAM and a single IDE disk. It’s a Compaq Evo which runs from a laptop PSU and is particularly energy efficient and quiet. The down-side is that there is no space for a second disk and only one RAM socket so I’m limited to 256M – that’s just enough to run a Xen server with a single DomU.
I put the new play machine online on Friday the 23rd of October after almost two months of down-time.
Actually, the only problem that the “overflow” filesystem indicates is that you were running out of disk space. Such a filesystem is mounted automatically on boot if / has no space left, see /etc/init.d/mountoverflowtmp.
I hope you will investigate this and blog about how they got in if you can find that out.
The overflow /tmp thing doesn’t automatically imply anything nefarious. It just means the system booted up with a full /tmp. See /etc/init.d/mountoverflowtmp