[CentOS] Random files in homedir gets deleted

Thu Jan 3 14:09:08 UTC 2008
Fajar Priyanto <fajarpri at cbn.net.id>

On Thursday 03 January 2008 19:09:11 Christopher Thorjussen wrote:
> On one of my systems I seem to loose a file or two from time to time.
> Last night, one of my files (/home/online/sh/NattjobbPrivat.sh) was
> deleted/removed/vanished. Another time it was /home/online/sh/daemon
> that was deleted.
>
> But I can't seem to find anything strange in the logs or in the history,
> nor would any of my scripts running in crontab mess with those files.
>
> Where can I look for clues? And how do I enable audit for file
> operations in my home folder?

Hi, this really sounds weird. In order to audit it, the following checklist 
might help:
1. If the system was administered by an admin other than you and he got 
fired/dismissed with hard feeling on him, he might put a crontab that would 
do nasty thing randomly. Audit all the files in:
/var/spool/cron
/var/spool/at
Also all the script in /etc/cron.{d,daily,weekly,monthly}, /etc/crontab

2, Audit all RPM files installed using:
rpm -Va, looks for a difference in md5sum for binary files such 
as /bin/ls,/bin/ps, etc. You might want to use cracker detection script such 
as rkhunter.

3. Looks for the word "error" in log files:
grep -r error /var/log
See for related error such as filesystem corruption, etc

4. It's a long shot, but could be a misconfigured rsync script?

HTH, pls let us know the result.
-- 
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial 
http://linux2.arinet.org
21:09:01 up 1:02, 2.6.22-14-generic GNU/Linux 
Let's use OpenOffice. http://www.openoffice.org
The real challenge of teaching is getting your students motivated to learn.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.centos.org/pipermail/centos/attachments/20080103/a0e1bcf3/attachment-0005.sig>