linux
Nikolai, 2015-01-11 11:04:01

How to find out who is deleting files?

All the best.
The situation is as follows:
all the files in the /var/www/html directory, in which FreePBX 12.0 is installed, are being deleted.
According to the access logs (last), no one except me logged into the system.
There is nothing in cron except freepbx-cron-scheduler.php (runs every hour).
I did not notice anything suspicious in top.
How to track who deletes the files and for what reason? I suppose there are 2 options:
1) FreePBX itself is being updated, but somehow crookedly, and deletes everything
2) malware has settled in the system
Where to dig to track this down ...


5 answer(s)
3
3vi1_0n3, 2015-01-11
@3vi1_0n3

Try auditd

Nikolay, 2015-01-11
@KolyaniuS

While I was digging around, the files were deleted again. I looked at what lsof showed and caught a bunch of events like this:
httpd 11538 asterisk DEL REG 252.3 3015321 /var/www/html/admin/modules/asteriskinfo/i18n/ru_RU/LC_MESSAGES/asteriskinfo.mo
How do I now use /proc or lsof to track which process initiated these actions?

Ergil Osin, 2015-01-11
@Ernillew

en.wikipedia.org/wiki/Inotify

Ingtar, 2015-01-11
@Ingtar

habrahabr.ru/post/92020
I used this for debugging exactly that.

Igor, 2015-01-13
@merryjane

Either configure auditd, which is not very easy:
linoxide.com/how-tos/auditd-tool-security-auditing
or snoopy, which is much easier:
https://debian.pro/1142
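The auditd route from this answer, worked through as an added example (not code from the thread or from any of the linked articles): one function emits the audit rule for the directory the asker is watching, and a second one parses raw audit.log records and joins each SYSCALL record to the PATH record with nametype=DELETE, which answers the follow-up question of which pid, uid and executable removed the file. The key name www_delete and the sample records are assumptions; the pid and inode in the sample are taken from the lsof line above.

```shell
#!/bin/sh
# Added example: attribute deletions under /var/www/html to a process with auditd.
# Part 1 emits the rule to load with auditctl; part 2 parses the raw audit records.
# The key name "www_delete" and the sample log lines below are assumptions.

WATCH_DIR="/var/www/html"
AUDIT_KEY="www_delete"

# Part 1: the rule. Load it as root with:  auditctl $(audit_rule)
# -F dir= covers the whole subtree; -S lists the syscalls that remove a name.
audit_rule() {
  printf '%s\n' "-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F dir=$WATCH_DIR -k $AUDIT_KEY"
}

# Part 2: read raw records (audit.log, or `ausearch -k www_delete --raw`) on stdin,
# join SYSCALL and PATH records by event id and print:  pid uid comm exe deleted-path
attribute_deletes() {
  awk -v key="$AUDIT_KEY" '
  # value of " name=..." in a record; the leading space stops uid= matching auid=
  function fld(rec, name,    n) {
    n = length(name) + 2
    if (match(rec, " " name "=\"[^\"]*\"")) return substr(rec, RSTART + n + 1, RLENGTH - n - 2)
    if (match(rec, " " name "=[^ ]*"))      return substr(rec, RSTART + n, RLENGTH - n)
    return ""
  }
  {
    id = fld($0, "msg"); sub(/^audit\(/, "", id); sub(/\):$/, "", id)   # "time:serial"
    if ($1 == "type=SYSCALL" && fld($0, "key") == key)
      who[id] = fld($0, "pid") " " fld($0, "uid") " " fld($0, "comm") " " fld($0, "exe")
    else if ($1 == "type=PATH" && fld($0, "nametype") == "DELETE")
      del[id] = fld($0, "name")
  }
  END { for (id in who) if (id in del) print who[id], del[id] }' | sort
}

# Constructed sample records (not real output from the asker's system).
SAMPLE_LOG='type=SYSCALL msg=audit(1420974241.317:4512): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=1 pid=11538 auid=4294967295 uid=48 gid=48 euid=48 comm="httpd" exe="/usr/sbin/httpd" key="www_delete"
type=CWD msg=audit(1420974241.317:4512):  cwd="/var/www/html/admin"
type=PATH msg=audit(1420974241.317:4512): item=0 name="/var/www/html/admin/modules/asteriskinfo/i18n/ru_RU/LC_MESSAGES/" inode=3015320 dev=fc:03 mode=040755 ouid=48 ogid=48 nametype=PARENT
type=PATH msg=audit(1420974241.317:4512): item=1 name="/var/www/html/admin/modules/asteriskinfo/i18n/ru_RU/LC_MESSAGES/asteriskinfo.mo" inode=3015321 dev=fc:03 mode=0100644 ouid=48 ogid=48 nametype=DELETE
type=SYSCALL msg=audit(1420974300.005:4530): arch=c000003e syscall=263 success=yes exit=0 items=2 ppid=2201 pid=2244 auid=1000 uid=0 gid=0 euid=0 comm="rm" exe="/bin/rm" key="www_delete"
type=PATH msg=audit(1420974300.005:4530): item=0 name="/var/www/html/" inode=100 dev=fc:03 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1420974300.005:4530): item=1 name="/var/www/html/index.php" inode=101 dev=fc:03 mode=0100644 ouid=48 ogid=48 nametype=DELETE'

demo() { printf '%s\n' "$SAMPLE_LOG" | attribute_deletes; }

demo
```

On the real box the same parser runs over /var/log/audit/audit.log once the rule is loaded; a pid belonging to httpd with uid of the web server user points at a PHP-side cause (FreePBX update or a web shell), a pid of rm or a shell points at an interactive or cron cause.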
