You didn't say, but is this Solaris?
Can you use a ufsdump|ufsrestore pipeline to list the files?
Example on Linux:
    dump 0Bf 1000000 - /var | restore -ivf -
    restore > ls
        2 ./           16120 empty/        11 lost+found/  38153 run/
        2 ../             43 ftp/          12 mail         40161 spool/
    18107 adm/          4017 lib/       28114 named/       46185 tmp/
    20082 arpwatch/    26105 local/     34137 opt/
    16065 cache/       28113 lock/      36145 preserve/
    20081 db/          12049 log/
Can you fsck all filesystems?
You might want to remove the disks from this host and add them to another
that you don't suspect of being compromised (fresh install good). Do this
read-only and without executing anything on them. Back them up there and
examine the contents on that safe host. That should help determine what
you've got - rootkit, flaky disk, pinhead driving rm....
It is often the case that the man who can't tell a lie thinks he is the best
judge of one.
-- Mark Twain, "Pudd'nhead Wilson's Calendar"
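
An added example, not part of the original post: dump reads the filesystem from the block device, so its listing can be diffed against what the suspect system's own ls reports. The live listing, the function names, and the idea of diffing the two views are assumptions made for this sketch; the raw sample is trimmed from the listing above.

```python
import re

# Constructed sample: interactive `restore` ls output (inode/name pairs in
# columns), trimmed from the listing in the post above.
RESTORE_LS = """\
    2 ./           16120 empty/        11 lost+found/  38153 run/
    2 ../             43 ftp/          12 mail         40161 spool/
18107 adm/          4017 lib/       28114 named/       46185 tmp/
"""

# Constructed sample: `ls -ai /var` as reported by the running (suspect) host.
LIVE_LS = """\
    2 .
    2 ..
18107 adm
16120 empty
   43 ftp
   11 lost+found
   12 mail
28114 named
38153 run
40161 spool
46185 tmp
"""

PAIR = re.compile(r"(\d+)\s+(\S+)")  # limitation: names containing spaces

def parse_listing(text):
    """Return {name: inode} from inode/name pairs; trailing '/' is dropped."""
    return {name.rstrip("/"): int(inode) for inode, name in PAIR.findall(text)}

def cross_view(raw_text, live_text):
    """Compare the raw-device view (dump|restore) with the live view (ls)."""
    raw, live = parse_listing(raw_text), parse_listing(live_text)
    shared = set(raw) & set(live)
    return {
        "only_in_dump": sorted(set(raw) - set(live)),   # hidden from ls?
        "only_in_live": sorted(set(live) - set(raw)),   # created after dump?
        "inode_mismatch": sorted(n for n in shared if raw[n] != live[n]),
    }

if __name__ == "__main__":
    for kind, names in cross_view(RESTORE_LS, LIVE_LS).items():
        print(f"{kind}: {names}")
```

A difference is a lead, not a verdict: files created or removed between the two listings show up the same way as files the live system is hiding.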
/xfn itself seems a total crock. See "man xfn" and "man fns".
It's the X/Open Federated Naming Service and I have no need for it on
my workstation. YMMV
Is it possible to use FNS (XFN) as a base for resolving hosts or users?
In FNS I define a record like "user/ivosh" with some attributes
(password, real name etc.)
and the whole OS uses this record the same way as if it were written in
the /etc/passwd file or a NIS+ map.
Some idea: maybe an xfn field in the nsswitch.conf file ...
... but I tried it in Solaris 2.6 and it doesn't work.
Thanks for any answers