Help please. Hard disk space drastically dropped. My system hacked?

A newbie to linux I am, and any help is appreciated.

Yesterday when I was browsing the internet as usual, my openSUSE 12.3 suddenly warned me of low disk space. I should still had some 1 to 2G (out of 500G hard disk) left the day before. Immediately I took a look at the lower right corner of Dolphin to see how much empty space left, and found it kept dropping to some 60M within seconds. Fearing hacking activities, I quit all applications, unplugged the network cable, and restarted the computer. After the computer was restarted, I checked Dolphin again and found that the empty space increased back to about 1.1G (possibly what I originally had before the drop). It was stabilized and no longer dropped.[FONT=arial]I reconnected the network cable and the computer looked normal again.

Does it look like my computer is hacked or already compromised with malicious codes planted? What could have been the cause? What can I do to diagnose if it happens again?

Thanks very much.

[/FONT]

No I doubt it many reasons could be for the machine to use temp files and that does use up space. Web browsers do tend to use a lot of space for temp files.

But i’d say 1-2 gig free space on a hard drive is not enough. You should do some house cleaning. deleting files or moving files you don’t use often to backup disk

By default openSUSE installs home to a separate partition. The root partition is where all the system files and tmp files live. home is where your personal files and settings live.

I assume you are talking about space on the root since root and home are separate partitions and have separate space assigned

On 2014-10-15 04:06, porkchop wrote:

> I should still had some 1 to 2G
> (out of 500G hard disk)

2 GB is awfully little nowdays.

> Does it look like my computer is hacked or already compromised with
> malicious codes planted?

I very much doubt it.

> What could have been the cause? What can I do
> to diagnose if it happens again?

Everything normal if you only have 2 GB free… start deleting files.
Many applications and things use lot of temporary files that eat space
fast, and then they free it when finished.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

Thanks for the help. Unfortunately I think it was home partition that had the problem. When the space drop happened, I believe Dolphin was showing my home directory, and therefore the indicator of empty space at the lower right corner should be reflecting the space in /home instead of root. After I rebooted the computer, I saw that the space already restored itself to 1.1G which was probably what I had originally, and then I cleaned up something in trash, and freed the space further to 5.3G to see if it would drop again. It didn’t. After seeing your reply I checked the space in root today and found it actually had 12.6G free space. The following is the result of df I just used to check the space.

Filesystem Size Used Avail Use% Mounted on
devtmpfs 2.0G 32K 2.0G 1% /dev
tmpfs 2.0G 80K 2.0G 1% /dev/shm
tmpfs 2.0G 3.5M 2.0G 1% /run
/dev/sda2 20G 6.1G 13G 33% /
tmpfs 2.0G 0 2.0G 0% /sys/fs/cgroup
tmpfs 2.0G 3.5M 2.0G 1% /var/lock
tmpfs 2.0G 3.5M 2.0G 1% /var/run
/dev/sda3 437G 431G 5.4G 99% /home
total 468G 437G 30G 94%

Another funny thing is that (not sure if it is related), after the space drop and computer restarted yesterday, the hostname changed itself from 192.168.x.x into “linux-SOMETHING.site” without me interfering with it. I recall when openSUSE first installed and started up in my computer, it only showed 192.168.x.x in the command prompt in Kconsole and on the start button menu. It now change into a hostname by itself.

Your advice is greatly appreciated.

Thanks for the advice. But it seems that the space drop happened to my /home partition rather than root. The details is in a previous post. There was also a change of hostname without me interfering with it. Would you think it looks suspicious? Sorry about being nervous. Your advice is greatly appreciated.

/etc/HOSTNAME does not show the ip, you might be talking about /etc/hosts file. Also the default PS1 in openSUSE does not show the ip. Are you sure you are in openSUSE?

Things seem to sound creepier. :frowning:

I guess I can be sure it is openSUSE as I keep seeing the green chameleon. I believe it is openSUSE 12.3 as I labelled my disk so after downloading it from openSUSE site.

I have never checked /etc/HOSTNAME since the system was installed. But the topmost line (above the search bar) in the start button menu had always read “MY NAME (MY LOGIN NAME) on 192.168.x.x openSUSE” ever since it was installed. I remember I installed some older openSUSE versions before and they did show a hostname instead of the local IP. But I thought openSUSE 12.3 changed this practice.

Maybe I should just download 13.1 and install a brand new system instead.

Thanks.

On 2014-10-15 07:26, porkchop wrote:

> Another funny thing is that (not sure if it is related), after the space
> drop and computer restarted yesterday, the hostname changed itself from
> 192.168.x.x into “linux-SOMETHING.site” without me interfering with it.
> I recall when openSUSE first installed and started up in my computer, it
> only showed 192.168.x.x in the command prompt in Kconsole and on the
> start button menu. It now change into a hostname by itself.

That happens when you use the (default) setting to allow dhcp to change
the name automatically. Ie, the router tells you what name to use, not
you. The name you set is ignored.

Actually, the “linux-SOMETHING.site” is the typical name that openSUSE
defines, and “192.168.x.x” would be the one defined by the router.

Some routers do this, some don’t. If the router doesn’t, you get the one
that the openSUSE installation defined. And you can, of course, change it.

You can disable this automatism in network settings. The procedure
differs if you use network manager or traditional setup.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

On 2014-10-15 08:46, porkchop wrote:

> Maybe I should just download 13.1 and install a brand new system
> instead.

If you wish, yes, but so far nothing is broken nor hacked :slight_smile:

Except that you have a lot of files. You should have a good look and
find out what is in there.

There is a tool I like, “baobab”, that explores the disk and tells you,
graphically, where space is spent. It is a gnome tool. For kde3 there is
“kdirstat”. For kde4 there is “kdf”, but it lacks. I have in my list
“filelight”, which I think it is a kde tool, but I don’t remember the
details and I don’t have it installed to check.

What I typically use is ‘mc’. It is a text “GUI”, it runs in a terminal.
It is a powerful file browser, much powerful and faster than popular
graphical tools. The only thing it does not do is “graphics”.

Use it in a terminal as root (su -). Go to the "/home/ menu. In the
“command” menu, one item is “show directory sizes”. This thing in Linux
takes long, so just wait. Then, on the “left” or “right” menu, select
“order” to “size”, to easily see what directories are huge. Then get
inside a likely culprit, and again, display sizes. Till you find
something that should not be there or that you can be sure you can delete.

Then tell us :slight_smile:


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

That’s very reassuring. Thanks.

And thanks to the heaps of advice on tools to check out the problem, as well as the explanation on the hostname. Valuable to a newbie. Guess it’s time for work. :slight_smile: