Re: How to catch process that removes files?
On 1/28/07, Andrew Sackville-West <firstname.lastname@example.org> wrote:
I know you've said this before, but is it the same files? or the same
directory? if it is, in that you can narrow down the scope somewhat,
maybe a simple chown root:root, chmod 000 on the appropriate part of
the file system will get you some info: if they still disappear, then
someone's got root...
Pretty much files under /var/run. I've only noticed files whose
dissapearance actually hurts a service. There doesn't seem to be a
logic, or I haven't seen it yet.
The chown idea is perhaps worth investigating. Well, if the culprit is
a daemon that runs with root priviledges it's not going to be much
use, but still... Or perhaps chattr -i and see if a specific error
message appears anywhere.
how many other users? just because YOU don't think its very
interesting doesn't mean others don't. sometimes its just interesting
to be able to do it...
I know I'm no help here, just trying to point out that you may be
eliminating possibilities that maybe shouldn't be eliminated.
I'm fairly sure there's no human involved in this. There's absolutely
no gain in this, since it's a fresh install, except perhaps in driving
me crazy. :) And if a regular 9-to-5 office accountant learned to hack
Debian just to get to me then I have bigger problems that this. :)
But seriously, Occam's Razor says that in this circumstances it's more
likely to be a crazed piece of software rather than a crazed person.