Here's an odd problem I've had for a while. Every so often, I find that I have several jpeg images sitting in my home directory that I didn't put there. I'm fairly sure this isn't a security breach but rather, there's something writing these files in there that I've forgotten about.
Here's what I'm looking at today:
oli@bert:~$ ls -l *.jpg
-rw------- 1 oli oli 8061 2010-11-19 18:30 An-alien-from-Mars-Attack-002.jpg
-rw------- 1 oli oli 24362 2010-11-19 18:30 An-alien-from-Mars-Attack-006.jpg
-rw------- 1 oli oli 8147 2010-11-05 18:08 Avatar-Film---2009-002.jpg
-rw------- 1 oli oli 35602 2010-11-05 18:08 Avatar-Film---2009-006.jpg
-rw------- 1 oli oli 6058 2010-12-03 18:42 Britney-Spears-victim-of--002.jpg
-rw------- 1 oli oli 28330 2010-12-03 18:42 Britney-Spears-victim-of--006.jpg
-rw------- 1 oli oli 8135 2010-11-12 19:19 charlie-brooker-twitter-p-002.jpg
-rw------- 1 oli oli 22115 2010-11-12 19:19 charlie-brooker-twitter-p-006.jpg
-rw------- 1 oli oli 8059 2010-10-29 18:47 Leonardo-DiCaprio-002.jpg
-rw------- 1 oli oli 29988 2010-10-29 18:47 Leonardo-DiCaprio-006.jpg
-rw------- 1 oli oli 8064 2010-10-22 16:41 Spot-the-difference-.-.-.-002.jpg
-rw------- 1 oli oli 29188 2010-10-22 16:41 Spot-the-difference-.-.-.-006.jpg
They all seem like they're TV or film related... But I honestly don't have a clue what could be writing them. They don't bother me enough to go on a full-scale witch hunt but if anybody knows of something that writes images in the home directory like this, please let me know.
No amount of investigation actually solved this but I did stop using Liferea and started using Lightread for reading my RSS feeds. The images stopped popping up.
You can try running fatrace (see this answer) and when those images appear again, search for them in fatrace's log file. That hopefully will reveal the program that's acting up. :)
I don't think this is possible at the moment. I had a look into inotify and back in 2008 a developer wanted to put the PID of the process that created the file event into the cookie information. This would have solved it as you could have created a python program to grab the name of the process with that PID... in fact I created just a script to test the idea.
But the patch was thrown out for security reasons and a second patch may or may not have been submitted which needs some kind of options flag which isn't in pyinofity anyway.
So then I looked at lsof, it's a one shot deal so it's likely to miss the perp most of the time, but you might get lucky with or with the additional
-r 1to repeat every 1 second.At any rate this is a bit of a missing functionality in the workings of Linux and should probably be fixed. Report a bug to the Linux kernel and/or inotify explaining that a command line tool to watch for which processes are writing files would be most welcome.