I have a folder on a server which has a website in it. The server has been cut off from the internet, but after some time, a few folders are automatically created in it with some suspicious files inside each of them.
I have checked cron jobs for all users; nothing is running through cron. After I tried to check the system calls to the folder using inotify tools, I got this result:
./Lq1Lbs/ MODIFY index.html
./Lq1Lbs/ CLOSE_WRITE,CLOSE index.html
./nmt08u/ MODIFY index.html
./nmt08u/ OPEN index.html
./nmt08u/ ATTRIB index.html
./nmt08u/ ATTRIB index.html
./nmt08u/ MODIFY index.html
./nmt08u/ CLOSE_WRITE,CLOSE index.html
But I need to know which exact utility, script or user created the folders and the files in them. I have already tried Tripwire, OSSEC and AIDE; all of them just notify of the creation, deletion or modification of a file, but do not tell me which exact script, file or utility did this action. Is it possible to know it?
In short, which process changed or created which file/folder, that's what I want to know. Thanks
The only sane approach to implement that is to use the Linux Audit Framework (LAF). Check this quick start document on how to approach your problem.
I don't know of a way to do it after the fact, but the audit daemon can trap this information.
Configure auditd to watch /etc/passwd:
Check to see who has modified /etc/passwd:
It's very powerful and there's a lot more to it than just the above.
Linux audit files to see who made changes to a file
One way, proposed by this Q&A on the Unix/Linux site, is to combine Linux's inotify subsystem with the lsof command. The latter lists all open file handles. If you trigger lsof as soon as the interesting file creation or modification occurs you stand a good chance of catching the culprit. There is no guarantee, however—if the process writes the file as quickly as possible and exits immediately afterward, this method won't work.
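A combined setup for the two approaches described in the answers above (the auditd watch and the inotify plus lsof loop), as an added example that is not taken from any of the answers; it assumes auditd, inotify-tools and lsof are installed and the script runs as root, and WEBROOT and the audit key name are placeholders.

```shell
#!/bin/sh
# Added example, not code from any of the answers above. It combines the
# two suggestions: an auditd watch on the web root (the kernel records
# every writer, even one that exits at once) and an inotifywait loop that
# runs lsof the moment a file changes. Assumes auditd, inotify-tools and
# lsof are installed and the script runs as root. WEBROOT is a placeholder.
WEBROOT="${WEBROOT:-/var/www/html}"
AUDIT_KEY="webroot_changes"      # tag used to find the events again later

# Audit watch on the directory tree: -p wa = writes and attribute changes.
# Each hit is logged with pid, comm, exe, uid and cwd of the caller.
install_audit_watch() {
    auditctl -w "$WEBROOT" -p wa -k "$AUDIT_KEY"
}

# Ask the audit log who touched a file. Works after the fact, because
# auditd recorded the syscall rather than an open handle.
audit_writers_of() {
    ausearch -k "$AUDIT_KEY" -f "$1" -i
}

# Does an inotifywait event list describe a change worth attributing?
# Returns 0 for MODIFY, CREATE, CLOSE_WRITE or ATTRIB, 1 otherwise.
is_change_event() {
    case ",$1," in
        *,MODIFY,*|*,CREATE,*|*,CLOSE_WRITE,*|*,ATTRIB,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live loop: on each change, list the processes holding the file open.
# If the writer has already exited, lsof prints nothing; that is the
# limitation described above, and the audit log is what covers it.
watch_webroot() {
    inotifywait -m -r -e create,modify,close_write,attrib \
        --format '%w %e %f' "$WEBROOT" |
    while read -r dir events name; do
        is_change_event "$events" || continue
        path="$dir$name"          # %w ends with a slash, so plain join
        printf '%s %s %s\n' "$(date '+%FT%T')" "$events" "$path"
        lsof -- "$path" || echo "  (no process has $path open now)"
    done
}

# Start with: sh thisscript.sh --watch ; later: audit_writers_of <file>
if [ "${1:-}" = "--watch" ]; then
    install_audit_watch
    watch_webroot
fi
```

The audit records contain the pid, executable and uid of the writer, so audit_writers_of answers the question even when lsof arrived too late.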