[CLUE-Tech] Disappearing files
Nate Duehr
nate at natetech.com
Thu Jun 10 18:10:06 MDT 2004
Angelo Bertolli wrote:
>
>> Sorry I can't provide more info but libfam may be of interest to you.
>> <snip from http://packages.debian.org/stable/admin/libfam-dev >
>> --------------------
>> FAM monitors files and directories, notifying interested applications
>> of changes.
>>
>> This package provides header files and static libraries to allow the
>> development of programs that interface FAM for file monitoring.
>> ---------------------
>> </snip>
>>
> Thanks, I'm going to take the suggestions provided from the list. I
> did check the history file for root, but found nothing. Only a few
> people have shell access, and hardly anyone logs in except myself. So
> I didn't find anything there. I am going to check out tripwire first,
> and maybe resort to this if needed.
You may also want to run something like chkrootkit to make sure someone
isn't already "in" the system and hiding their actions... Google a bit
on it and read up first... most RedHat systems do throw some false
positive indications when using that tool.

If someone managed to get into the machine and modify the running kernel
(not super likely, but have seen it done) via loading a kernel module or
worse, managed to reboot the machines with a trojaned kernel installed,
they could hide filesystem activity very well, even from root.
(Depending on the quality of the rootkit/kernel.)

Most of the time it's an errant program(mer) doing it, though. Or a
network mount to some other machine or vice-versa deleting files it
shouldn't be. Most of the time you can eventually attribute stuff like
this to stupidity instead of maliciousness.

Other thoughts: You might consider making sure all network file system
and remote file access protocols are turned OFF if you're not using them
for the time being. FTP, NFS, rsync, etc... off. If they have to be on
for a service, make darn sure they're configured such that no one can
remove files through them. (TEST IT.)

If you know your applications VERY well and know there are no
production-required scripts that run commands like "rm" on the machine,
you could move "rm" from its normal location and replace rm with a
shell script that writes a log and does nothing, e-mails you
immediately, whatever you like... but you have to be very careful doing
this as a lot of other things can break. It's a last-ditch-effort hack.
And direct filesystem access not using shell commands wouldn't get
caught doing this anyway.

Someone else's comment about using Tripwire is probably the best way to
go... but it's not perfect.

Good luck with it.

Nate
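The rm stand-in that Nate sketches, written out as an added example (it is not part of the original message or anything the list shipped): it records who called rm, from which directory and parent process, with which arguments, and deletes nothing. The /bin/rm.real path and the log location are assumptions; the optional mail line assumes a working local mailer.

```shell
#!/bin/sh
# Added example, not from the original message: a stand-in for rm that
# logs every invocation and removes nothing, as the post describes.
# Assumptions: the real binary was moved to /bin/rm.real (hypothetical
# path), this script is installed as /bin/rm, and RM_LOG is writable.

RM_LOG="${RM_LOG:-/var/log/rm-wrapper.log}"

# Build one log line: when, who, from where, which parent process, and
# the arguments. Every field is passed in, so the output is deterministic.
format_rm_event() {
    ts=$1; user=$2; cwd=$3; parent=$4; shift 4
    printf '%s user=%s cwd=%s parent=%s args=[%s]\n' \
        "$ts" "$user" "$cwd" "$parent" "$*"
}

# Append one event to the log; return 1 rather than silently dropping it
# when the log cannot be written (a full disk or a removed log file).
record_rm_event() {
    line=$(format_rm_event "$@")
    printf '%s\n' "$line" >>"$RM_LOG" 2>/dev/null || return 1
}

# Number of deletion attempts a log holds, e.g. for a daily summary mail.
count_rm_events() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c ' args=\[' "$1"
}

# Entry point: only active when the script runs under the name "rm".
if [ "${0##*/}" = rm ]; then
    parent=$(ps -o comm= -p "$PPID" 2>/dev/null || echo unknown)
    record_rm_event "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$(id -un)" "$PWD" "${parent:-unknown}" "$@"
    # Optional alert on every call (assumes a local mailer is configured):
    # tail -n 1 "$RM_LOG" | mail -s "rm invoked on $(hostname)" root
    # Deliberately delete nothing; exit 0 so calling scripts carry on.
    exit 0
fi
```

Anything that unlinks files through a library call or an NFS/FTP server never passes through this script, which is the limitation the post itself points out.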