
Re: How to catch process that removes files?



On 1/28/07, Andrew Sackville-West <andrew@farwestbilliards.com> wrote:
> I know you've said this before, but is it the same files? or the same
> directory? if it is, in that you can narrow down the scope somewhat,
> maybe a simple chown root:root, chmod 000 on the appropriate part of
> the file system will get you some info: if they still disappear, then
> someone's got root...

Pretty much files under /var/run. I've only noticed files whose
disappearance actually hurts a service. There doesn't seem to be a
logic, or I haven't seen it yet.

The chown idea is perhaps worth investigating. Well, if the culprit is
a daemon that runs with root privileges it's not going to be much
use, but still... Or perhaps chattr -i and see if a specific error
message appears anywhere.

> how many other users? just because YOU don't think it's very
> interesting doesn't mean others don't. sometimes it's just interesting
> to be able to do it...
>
> I know I'm no help here, just trying to point out that you may be
> eliminating possibilities that maybe shouldn't be eliminated.

I'm fairly sure there's no human involved in this. There's absolutely
no gain in this, since it's a fresh install, except perhaps in driving
me crazy. :) And if a regular 9-to-5 office accountant learned to hack
Debian just to get to me then I have bigger problems than this. :)

But seriously, Occam's Razor says that in these circumstances it's more
likely to be a crazed piece of software rather than a crazed person.


