[CLUE-Tech] Disappearing files

Nate Duehr nate at natetech.com
Thu Jun 10 18:10:06 MDT 2004


Angelo Bertolli wrote:

>
>> Sorry I can't provide more info but libfam may be of interest to you.
>> <snip from http://packages.debian.org/stable/admin/libfam-dev >
>> --------------------
>> FAM monitors files and directories, notifying interested applications 
>> of changes.
>>
>> This package provides header files and static libraries to allow the 
>> development of programs that interface FAM for file monitoring. 
>> ---------------------
>> </snip>
>
> Thanks, I'm going to take the suggestions provided from the list.  I 
> did check the history file for root, but found nothing.  Only a few 
> people have shell access, and hardly anyone logs in except myself.  So 
> I didn't find anything there.  I am going to check out tripwire first, 
> and maybe resort to this if needed.

You may also want to run something like chkrootkit to make sure someone 
isn't already "in" the system and hiding their actions... Google a bit 
on it and read up first... most RedHat systems do throw some false 
positive indications when using that tool.

If someone managed to get into the machine and modify the running kernel 
(not super likely, but have seen it done) via loading a kernel module or 
worse, managed to reboot the machines with a trojan'ed kernel installed 
they could hide filesystem activity very well, even from root. 

(Depending on the quality of the rootkit/kernel.)

Most of the time it's an errant program(er) doing it, though.  Or a 
network mount to some other machine or vice-versa deleting files it 
shouldn't be.  Most of the time you can eventually attribute stuff like 
this to stupidity instead of maliciousness.

Other thoughts:  You might consider making sure all network file system 
and remote file access protocols are turned OFF if you're not using them 
for the time being.  FTP, NFS, rsync, etc... off.  If they have to be on 
for a service, make darn sure they're configured such that no one can 
remove files through them.  (TEST IT.)

If you know your applications VERY well and know there are no 
production-required scripts that run commands like "rm" on the machine, 
you could move "rm" from its normal location and replace rm with a 
shell script that writes a log and does nothing, e-mails you 
immediately, whatever you like... but you have to be very careful doing 
this as a lot of other things can break.  It's a last-ditch-effort hack. 

And direct filesystem access not using shell commands wouldn't get 
caught doing this anyway.
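An added example, not part of Nate's message, of the kind of stand-in script he describes: installed under the name "rm", it writes an audit line for every call and by default deletes nothing. The path of the moved real binary and the log file location are assumed placeholders, and like any wrapper it only sees callers that go through the "rm" command, not programs that unlink files directly.

```shell
#!/bin/sh
# Added example (not from the original message): a stand-in for rm that logs
# every call and, by default, deletes nothing. Assumed paths, adjust as needed:
#   the real binary moved to /usr/local/sbin/rm.real (REAL_RM)
#   the audit log at /var/log/rm-audit.log (RM_AUDIT_LOG)
# Set RM_AUDIT_MODE=passthru to log and then run the real rm instead of blocking.
REAL_RM="${REAL_RM:-/usr/local/sbin/rm.real}"
LOGFILE="${RM_AUDIT_LOG:-/var/log/rm-audit.log}"

# Build one audit line: UTC time, calling user, cwd, parent process, arguments.
# Each argument is bracketed separately so paths with spaces stay unambiguous.
audit_line() {
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    who=${SUDO_USER:-$(id -un)}
    parent=$(ps -o comm= -p "$PPID" 2>/dev/null || echo unknown)
    args=''
    for a in "$@"; do
        args="$args${args:+ }[$a]"
    done
    printf '%s user=%s uid=%s cwd=%s ppid=%s parent=%s args=%s\n' \
        "$ts" "$who" "$(id -u)" "$PWD" "$PPID" "$parent" "$args"
}

# Record the call in the audit log and in syslog, then block or pass through.
audit_rm() {
    line=$(audit_line "$@")
    printf '%s\n' "$line" >> "$LOGFILE" 2>/dev/null
    logger -t rm-audit -- "$line" 2>/dev/null
    if [ "${RM_AUDIT_MODE:-deny}" = "passthru" ]; then
        exec "$REAL_RM" "$@"
    fi
    echo "rm: deletion blocked and logged to $LOGFILE" >&2
    return 1
}

# Only act when invoked under the name "rm"; sourcing the file just defines
# the functions, so they can be exercised without touching any files.
case "$(basename "$0")" in
    rm) audit_rm "$@"; exit $? ;;
esac
```

Each audit line records who called rm, from which directory and parent process, and with which arguments, which is usually enough to tell an errant script or cron job from a human session.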

Someone else's comment about using Tripwire is probably the best way to 
go... but it's not perfect.

Good luck with it.

Nate
