[CentOS] Random files in homedir gets deleted

Fri Jan 4 09:23:41 UTC 2008
Christopher Thorjussen <Christopher.Thorjussen at carrot.no>

> On Thursday 03 January 2008 19:09:11 Christopher Thorjussen wrote:
> > On one of my systems I seem to lose a file or two from time to time.
> > Last night, one of my files (/home/online/sh/NattjobbPrivat.sh) was
> > deleted/removed/vanished. Another time it was /home/online/sh/daemon
> > that was deleted.
> >
> > But I can't seem to find anything strange in the logs or in the
> > history, nor would any of my scripts running in crontab mess with
> > those files.
> >
> > Where can I look for clues? And how do I enable audit for file
> > operations in my home folder?
> 
> Hi, this really sounds weird. In order to audit it, the following
> checklist might help:
> 1. If the system was administered by an admin other than you and he got
> fired/dismissed with hard feeling on him, he might put a crontab that
> would do nasty thing randomly. Audit all the files in:
> /var/spool/cron
> /var/spool/at
> Also all the script in /etc/cron.{d,daily,weekly,monthly}, /etc/crontab

No admin or anyone else with access has quit or been fired. The files
and folders look fine.

> 2. Audit all RPM files installed using:
> rpm -Va, looks for a difference in md5sum for binary files such
> as /bin/ls,/bin/ps, etc. You might want to use cracker detection script
> such as rkhunter.

The files look fine. Some files are marked as MD5 mismatch but it's
mostly config files I've changed. The only files I'm not sure of are:

SM5....T    /usr/share/rhn/rhn_applet/rhn_applet.pyc
SM5....T    /usr/share/rhn/rhn_applet/rhn_applet_animation.pyc
SM5....T    /usr/share/rhn/rhn_applet/rhn_applet_apt.pyc
SM5....T    /usr/share/rhn/rhn_applet/rhn_applet_dialogs.pyc
SM5....T    /usr/share/rhn/rhn_applet/rhn_applet_model.pyc
SM5....T    /usr/share/rhn/rhn_applet/rhn_applet_protocols.pyc
SM5....T    /usr/share/rhn/rhn_applet/rhn_applet_rpc.pyc
SM5....T    /usr/share/rhn/rhn_applet/rhn_applet_rpm.pyc
SM5....T    /usr/share/rhn/rhn_applet/rhn_applet_version.pyc
SM5....T    /usr/share/rhn/rhn_applet/rhn_applet_yum.pyc
SM5....T    /usr/share/rhn/rhn_applet/rhn_sources.pyc
SM5....T    /usr/share/rhn/rhn_applet/rhn_utils.pyc

But I'm not running X so the applet isn't running.

> 
> 3. Look for the word "error" in log files:
> grep -r error /var/log
> See for related error such as filesystem corruption, etc

[root at ora01 tmp]# grep -r error /var/log
/var/log/Xorg.0.log:    (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
/var/log/anaconda.log:* getting rpm error class
/var/log/prelink.log:/usr/lib64/libgpg-error.so.0.1.3 0000003c50e00000-0000003c50f02878
/var/log/rpmpkgs.4:libgpg-error-1.0-1.x86_64.rpm
/var/log/rpmpkgs.1:libgpg-error-1.0-1.x86_64.rpm
/var/log/messages.2:Dec 17 08:13:10 ora01 kernel: daemon[1562]: segfault at 0000007fc0000000 rip 0000002a957af4b2 rsp 0000007fbfffe730 error 6
/var/log/scrollkeeper.log:I/O error : Attempt to load network entity http://scrollkeeper.sourceforge.net/dtds/scrollkeeper-omf-1.0/scrollkeeper-omf.dtd
/var/log/scrollkeeper.log:I/O error : Attempt to load network entity http://scrollkeeper.sourceforge.net/dtds/scrollkeeper-omf-1.0/scrollkeeper-omf.dtd
/var/log/scrollkeeper.log:I/O error : Attempt to load network entity http://scrollkeeper.sourceforge.net/dtds/scrollkeeper-omf-1.0/scrollkeeper-omf.dtd
/var/log/scrollkeeper.log:I/O error : Attempt to load network entity http://scrollkeeper.sourceforge.net/dtds/scrollkeeper-omf-1.0/scrollkeeper-omf.dtd
/var/log/scrollkeeper.log:I/O error : Attempt to load network entity http://scrollkeeper.sourceforge.net/dtds/scrollkeeper-omf-1.0/scrollkeeper-omf.dtd
/var/log/scrollkeeper.log:I/O error : Attempt to load network entity http://scrollkeeper.sourceforge.net/dtds/scrollkeeper-omf-1.0/scrollkeeper-omf.dtd
/var/log/rpmpkgs.2:libgpg-error-1.0-1.x86_64.rpm
/var/log/Xorg.0.log.old:        (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
/var/log/rpmpkgs.3:libgpg-error-1.0-1.x86_64.rpm
/var/log/rpmpkgs:libgpg-error-1.0-1.x86_64.rpm
/var/log/anaconda.xlog: (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
/var/log/anaconda.xlog:error opening security policy file /etc/X11/xserver/SecurityPolicy

 
> 4. It's a long shot, but could be a misconfigured rsync script?

Rsync is not running/used, but some custom scripts are running cleaning
up some folders. I'm trying to battle through them to see if something's
wrong in them, but so far I've found nothing.

> HTH, pls let us know the result.
Will do.

/Christopher
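
Added example, not part of the original message: a shell filter that sorts `rpm -Va` output like the listing above into a review order, so that changed config files and `.pyc` files do not bury a changed binary. The function names, the class labels and the sample lines (apart from the `rhn_applet.pyc` entry) are constructed for illustration, and the classes are a triage order, not a verdict on any file.

```shell
#!/bin/sh
# Triage `rpm -Va` output read from stdin (added example; names are hypothetical).
# Prints "<CLASS> <flags> <path>" per entry. Classes, in rough review priority:
#   REVIEW   digest differs (or could not be read) on a non-config, non-bytecode file
#   MISSING  file owned by a package is gone from disk
#   BYTECODE digest differs on a *.pyc / *.pyo file
#   CONFIG   file is marked 'c' (config) by its package
#   META     only metadata differs (size, mode, owner, mtime); digest intact
triage_rpm_verify() {
    awk '
    /^missing[ \t]/ {
        # "missing   [c] /path": the path starts at the first slash
        print "MISSING", "-", substr($0, index($0, "/")); next
    }
    # Flag field is 8 characters on older rpm, 9 on newer (capabilities column)
    $1 ~ /^[SM5DLUGTP.?]+$/ && length($1) >= 8 {
        flags  = $1
        attr   = (NF >= 3 && length($2) == 1) ? $2 : ""   # c, d, g, l or r
        path   = substr($0, index($0, "/"))               # keeps spaces in paths
        digest = substr(flags, 3, 1)                      # "5", "." or "?"
        if (attr == "c")                cls = "CONFIG"
        else if (digest == ".")         cls = "META"
        else if (path ~ /\.py[co]$/)    cls = "BYTECODE"
        else                            cls = "REVIEW"
        print cls, flags, path
    }'
}

# Constructed sample input in rpm -Va format (not real output from the host above)
sample_rpm_va() {
    cat <<'EOF'
S.5....T  c /etc/ssh/sshd_config
SM5....T    /usr/share/rhn/rhn_applet/rhn_applet.pyc
S.5....T    /bin/ls
.......T    /usr/bin/example-tool
missing     /usr/share/doc/example/README
EOF
}

# On a real system: rpm -Va | triage_rpm_verify | sort
sample_rpm_va | triage_rpm_verify
```
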