
It's a good article. Beware though:

  lsof +L1 shows you all open files that have a link count less than 1,
  often indicative of a cracker trying to hide something

On OS X, lsof +L1 returns tons of files; this is normal.



Thank you. I was a little concerned when my MBP spewed out a list with this option. I tried a little look-up on why that is normal.

From the manpage:

When +L is followed by a number, only files having a link count less than that number will be listed. (No number may follow -L.) A specification of the form ``+L1'' will select open files that have been unlinked. A specification of the form ``+aL1 <file_system>'' will select unlinked open files on the specified file system.

On my MBP (SL) at least, all the files listed with +L1 are from /private/var/folders/

A quick search seems to hint that this is the location to store secure caches and temp files for Snow Leopard.


Indeed - this also indicates files that have deletion pending. A UNIX greybeard warned me about this as I was exploring the getdirentries() syscall.


Why would "lsof +L1" possibly signify "a cracker trying to hide something"? I'm wondering because I have lots(!) of results for this command.
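
Added example, not part of the original thread: a short Python sketch of what "link count less than 1" means for an open file, and why ordinary temp-file handling produces the entries the commenters see. The function names are hypothetical, and it assumes a local POSIX filesystem where unlinking drops `st_nlink` to 0.

```python
import os
import stat
import tempfile


def unlinked_open_fds(max_fd=256):
    """Return {fd: st_nlink} for this process's open regular files whose
    link count is below 1, the same condition `lsof +L1` selects on."""
    found = {}
    for fd in range(max_fd):
        try:
            st = os.fstat(fd)
        except OSError:
            continue  # descriptor is not open
        if stat.S_ISREG(st.st_mode) and st.st_nlink < 1:
            found[fd] = st.st_nlink
    return found


def demo():
    """Create a scratch file, unlink it while it is still open, and report
    what the kernel says about it at each step."""
    fd, path = tempfile.mkstemp()              # constructed scratch file
    before = os.fstat(fd).st_nlink             # one directory entry exists
    os.write(fd, b"scratch data")
    os.unlink(path)                            # remove the only name
    after = os.fstat(fd).st_nlink              # no names left, inode still alive
    os.lseek(fd, 0, os.SEEK_SET)
    data = os.read(fd, 64)                     # contents are still readable
    listed = fd in unlinked_open_fds(fd + 1)   # would match +L1 now
    os.close(fd)                               # last reference: storage is freed
    gone = fd not in unlinked_open_fds(fd + 1)
    return before, after, data, listed, gone


if __name__ == "__main__":
    print(demo())
```

The file disappears from every directory listing as soon as it is unlinked but stays usable until the descriptor is closed, which is why caches and temp files under a path like /private/var/folders/ appear in the +L1 listing.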



