2

There are two Linux servers, one Ubuntu 14 and the other CentOS 7. When users connect with ssh and work, we found some files like the ones below:

[image: output of ls -l showing the files]

I couldn't find any tools to find which process creates them. Are my servers infected?

2
  • How about using this command: ls -l file_name.
    – OOOO
    Commented Sep 11, 2018 at 5:37
  • 1
    @oooo, did you read my question? The picture is the output of the ls -l command. Commented Sep 11, 2018 at 11:43

1 Answer

4

You can't retrospectively determine what process created a file... You have to monitor the system while the file is created.

Use auditd to help you out. Once it's installed and running, run the following as root from the directory listed above:

auditctl -w "$(pwd)/1"
auditctl -w "$(pwd)/=1"

Once you've seen that the file(s) have been created or modified, run the following:

ausearch -f "$(pwd)"

You should see output with records that are delimited by breaks (----).

I see the following, having set up a watch on /home/attie/testing and then using touch to create/update it:

time->Mon Sep 10 14:41:07 2018
type=PROCTITLE msg=audit(1536586867.166:1192): proctitle=746F7563680074657374696E67
type=PATH msg=audit(1536586867.166:1192): item=1 name="testing" inode=8442 dev=00:b8 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
type=PATH msg=audit(1536586867.166:1192): item=0 name="/home/attie" inode=4 dev=00:b8 mode=040701 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=CWD msg=audit(1536586867.166:1192):  cwd="/home/attie"
type=SYSCALL msg=audit(1536586867.166:1192): arch=c000003e syscall=2 success=yes exit=3 a0=7ffc35557634 a1=941 a2=1b6 a3=69d items=2 ppid=25572 pid=31301 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=24669 comm="touch" exe="/bin/touch" key=(null)

Note the following key pieces of information:

  • type=PATH [...] item=1 name="testing"
  • type=CWD [...] cwd="/home/attie"
  • type=SYSCALL [...] exe="/bin/touch"

Once you've established what's going on, you'll want to remove the rule(s) - this will delete all rules:

auditctl -D
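As an added example (not from the answer above or from the auditd project), a small Python parser that splits ausearch output on its ---- separators and pulls out the name, cwd and exe fields the answer points to, plus pid/ppid and the login uid (auid), which tells you which SSH session's user a process belongs to even when it runs as root. The first record in the sample is the one quoted above; the second is constructed, with made-up pids and inodes.

```python
import re

# Constructed sample: the ausearch record quoted in the answer, plus a second,
# made-up record so the "----" separator and the quoted proctitle form are exercised.
SAMPLE = """----
time->Mon Sep 10 14:41:07 2018
type=PROCTITLE msg=audit(1536586867.166:1192): proctitle=746F7563680074657374696E67
type=PATH msg=audit(1536586867.166:1192): item=1 name="testing" inode=8442 dev=00:b8 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
type=PATH msg=audit(1536586867.166:1192): item=0 name="/home/attie" inode=4 dev=00:b8 mode=040701 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=CWD msg=audit(1536586867.166:1192):  cwd="/home/attie"
type=SYSCALL msg=audit(1536586867.166:1192): arch=c000003e syscall=2 success=yes exit=3 a0=7ffc35557634 a1=941 a2=1b6 a3=69d items=2 ppid=25572 pid=31301 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=24669 comm="touch" exe="/bin/touch" key=(null)
----
time->Tue Sep 11 09:02:15 2018
type=PROCTITLE msg=audit(1536652935.001:1300): proctitle="-bash"
type=PATH msg=audit(1536652935.001:1300): item=1 name="=1" inode=9001 dev=00:b8 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=PATH msg=audit(1536652935.001:1300): item=0 name="/root" inode=2 dev=00:b8 mode=040700 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=CWD msg=audit(1536652935.001:1300):  cwd="/root"
type=SYSCALL msg=audit(1536652935.001:1300): arch=c000003e syscall=2 success=yes exit=3 items=2 ppid=4100 pid=4102 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=30 comm="bash" exe="/bin/bash" key=(null)
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # matches k=v and k="v with spaces"

def fields(line):
    """Turn one audit line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def decode_proctitle(raw):
    """Unquoted proctitle is hex with NUL between argv entries; quoted is literal."""
    if raw.startswith('"'):
        return raw.strip('"')
    return b" ".join(bytes.fromhex(raw).split(b"\0")).decode("utf-8", "replace")

def summarize(lines):
    """Pull the fields the answer highlights out of one ausearch event."""
    info = {"created": []}
    for line in lines:
        f = fields(line)
        t = f.get("type")
        if t == "PATH" and f.get("nametype") == "CREATE":
            info["created"].append(f["name"])      # the file that appeared
        elif t == "CWD":
            info["cwd"] = f["cwd"]                  # directory the process was in
        elif t == "SYSCALL":                        # who did it; auid is the login uid
            info.update((k, f.get(k)) for k in ("exe", "comm", "pid", "ppid", "auid"))
        elif t == "PROCTITLE":                      # raw value kept so quoting is visible
            info["proctitle"] = decode_proctitle(re.search(r'proctitle=("[^"]*"|\S+)', line).group(1))
    return info

def creators(text):
    """Split ausearch output on its '----' separator lines and summarize each event."""
    events = [blk.strip().splitlines() for blk in re.split(r"^----.*$", text, flags=re.M)]
    return [summarize(ev) for ev in events if ev]
```

Feed it the real output with creators(open("ausearch.txt").read()) after running the ausearch command above; every event with a CREATE entry then shows which executable, pid and login user made the file and from which directory.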
7
  • Thanks @attie, but I don't know in which folder they may be created. Is there any way to control all directories? And also, does it put pressure on system performance? Commented Sep 11, 2018 at 6:09
  • Oh... do they appear randomly? What directory was listed above?
    – Attie
    Commented Sep 11, 2018 at 8:01
  • Yes. The above is /root. As I understand it, it appears sometimes in whichever folder we cd into and work in, with commands like ls, vim, ... Commented Sep 11, 2018 at 11:03
  • I would set up a watch on a directory where you've seen the files before - e.g. on something like your home directory... then wait for the file(s) to be created, and check the log.
    – Attie
    Commented Sep 11, 2018 at 11:13
  • Are the files always named 1 and =1?
    – Attie
    Commented Sep 11, 2018 at 11:14
