• Re: could anyone suggest why every single file in my directory was touc

    From anthony example@21:1/5 to Keith Thompson on Wed Mar 16 11:52:04 2022
    On Wednesday, March 16, 2022 at 2:35:41 PM UTC-4, Keith Thompson wrote:

    What are the permissions on your files and directories? Anything
    containing personal information should be protected against access by
    other users on the system; for example, "chmod 700 $HOME".

    If your files are not readable by other users, then they could only have been accessed by root or by someone who has broken into your account.

    All files are only readable by me. I'm trying to figure out if they were all downloaded, scraped en masse, by someone with my password, which seems like something should show up in the ssh logs. Or if there is some other kind of explanation (which I'm
    hoping for) that could cause access time for all files to be updated at the same time. (Not modification times, just access times, and many hundreds of files within each minute).

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Keith Thompson@21:1/5 to anthony example on Wed Mar 16 11:35:36 2022
    anthony example <anthony974412@gmail.com> writes:
    [snip]
    I do have reason to believe someone is trying to see my files, some of
    which have personal information, so I am very worried and would like
    to find confirmation of what has happened. If you have any suggestions
    of how I could investigate this, bearing in mind I know very little
    apart from being able to write C programs and compile them, it would
    be appreciated. uname -r tells me "5.4.0-104-generic"

    What are the permissions on your files and directories? Anything
    containing personal information should be protected against access by
    other users on the system; for example, "chmod 700 $HOME".

    If your files are not readable by other users, then they could only have
    been accessed by root or by someone who has broken into your account.

    --
    Keith Thompson (The_Other_Keith) Keith.S.Thompson+u@gmail.com
    Working, but not speaking, for Philips
    void Void(void) { Void(); } /* The recursive call of the void */

  • From David W. Hodgins@21:1/5 to anthony example on Wed Mar 16 14:56:54 2022
    On Wed, 16 Mar 2022 14:52:04 -0400, anthony example <anthony974412@gmail.com> wrote:
    All files are only readable by me. I'm trying to figure out if they were all downloaded, scraped en masse, by someone with my password, which seems like something should show up in the ssh logs. Or if there is some other kind of explanation (which I'm
    hoping for) that could cause access time for all files to be updated at the same time. (Not modification times, just access times, and many hundreds of files within each minute).

    Is any indexing software installed such as Gnome's tracker2? Was the host system
    rebooted shortly before the files were accessed?

    Regards, Dave Hodgins

  • From Kenny McCormack@21:1/5 to anthony974412@gmail.com on Wed Mar 16 18:58:41 2022
    In article <fd1970f5-6c05-4644-8918-a262a84b5aa9n@googlegroups.com>,
    anthony example <anthony974412@gmail.com> wrote:
    On Wednesday, March 16, 2022 at 2:35:41 PM UTC-4, Keith Thompson wrote:

    What are the permissions on your files and directories? Anything
    containing personal information should be protected against access by
    other users on the system; for example, "chmod 700 $HOME".

    If your files are not readable by other users, then they could only have
    been accessed by root or by someone who has broken into your account.

    All files are only readable by me. I'm trying to figure out if they were all downloaded, scraped en masse, by someone with my password, which seems like something should show up in the ssh logs. Or if there is some other kind of explanation (which I'm hoping for) that could cause access time for all files to
    be updated at the same time. (Not modification times, just access times, and many
    hundreds of files within each minute).

    Have you stated which kind of system this is? It is Linux? If so, which distro?

    I will note two things:

    1) Does this system do backups? If so, that could account for it (though,
    of course, you'd think it would have happened before - i.e., "Why now?")

    2) I have noticed that on my Ubuntu system, I sometimes notice this
    phenomenon (although, to be clear, I think it was with ctime, not atime).
    I just assume that since Ubuntu is so Windows-like, that it is doing so
    many things "under the covers" that that would account for it.

    Finally, I get that this is mostly curiosity/worrying-about-things-that-dont-really-matter, but, just out of curiosity (mine), is there any actual problem/harm here?

    P.S. Also, and you can slot this in as 1A) in the above list, does the
    system run any sort of "locate" process? I've noticed that that process
    (which usually runs at about 6 AM every day - on Debian systems) also
    sometimes updates the times.

    --
    "We are in the beginning of a mass extinction, and all you can talk
    about is money and fairy tales of eternal economic growth."

    - Greta Thunberg -

  • From Kenny McCormack@21:1/5 to David W. Hodgins on Wed Mar 16 18:59:59 2022
    In article <op.1i4z84hfa3w0dxdave@hodgins.homeip.net>,
    David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:
    On Wed, 16 Mar 2022 14:52:04 -0400, anthony example <anthony974412@gmail.com> wrote:
    All files are only readable by me. I'm trying to figure out if they
    were all downloaded, scraped en masse, by someone with my password,
    which seems like something should show up in the ssh logs. Or if there
    is some other kind of explanation (which I'm hoping for) that could
    cause access time for all files to be updated at the same time. (Not modification times, just access times, and many hundreds of files
    within each minute).

    Is any indexing software installed such as Gnome's tracker2? Was the
    host system rebooted shortly before the files were accessed?

    Yeah, I kinda referenced that possibility as well. But note that he
    claims that it only happened to him - not every other user. Which is
    odd, but could easily be a translation error in posting.

    --
    1/20/17: A great day for all those people who are sick of being told
    they don't know how to spell "you're" (or "there").

  • From anthony example@21:1/5 to Kenny McCormack on Wed Mar 16 13:10:12 2022
    On Wednesday, March 16, 2022 at 2:58:46 PM UTC-4, Kenny McCormack wrote:

    Have you stated which kind of system this is? It is Linux? If so, which distro?

    uname says 5.4.0-104-generic

    1) Does this system do backups? If so, that could account for it (though,
    of course, you'd think it would have happened before - i.e., "Why now?")

    it does backups, yes, but according to the sysadmin who checked his own user folder, file access times were not affected by backups.

    Finally, I get that this is mostly curiosity/worrying-about-things-that-dont-really-matter, but, just out of curiosity (mine), is there any actual problem/harm here?

    well, it seems that if there is a targeted attempt to copy all my files, to sniff out private information, then yes, there are ways that could be catastrophic in my current personal situation. I'm hoping there is a more innocent explanation.

    I don't think it's innocent though. I saw thousands of failed attempts to authorise a dovecot connection in the logs, like every few seconds, and the originating IP address was the one I log in from at my institution. (But in any realistic situation no
    one from inside the institution is trying to get my files, it is more of a domestic possibility.) Is there some attack vector that would mimic this? (There are also many attempts from random sketchy IP addresses around the world.) The attempts that
    looked as if they came from within the institution stopped several hours before the access time logged on my files, after running for almost a week without anyone noticing, but I did not see a successful dovecot authentication in the logs when they ended.
    Random auth attempts from around the world, all failing, have continued after the access timestamp on my files.


    P.S. Also, and you can slot this in as 1A) in the above list, does the system run any sort of "locate" process? I've noticed that that process (which usually runs at about 6 AM every day - on Debian systems) also sometimes updates the times.

    I'll ask about this too. It's just too suspicious with the timing with events in my daily life but I continue to hope I'm wrong.

  • From anthony example@21:1/5 to David W. Hodgins on Wed Mar 16 12:48:21 2022
    On Wednesday, March 16, 2022 at 2:57:04 PM UTC-4, David W. Hodgins wrote:
    Is any indexing software installed such as Gnome's tracker2? Was the host system
    rebooted shortly before the files were accessed?

    I'll find out. But it seems hard to reconcile something like that with the fact that other users' files were not accessed.

    Would the "strain" of transferring tens of thousands of files, experienced by a server that typically handles very little traffic, have to show up in any default logs?

  • From David W. Hodgins@21:1/5 to anthony example on Wed Mar 16 16:19:52 2022
    On Wed, 16 Mar 2022 15:48:21 -0400, anthony example <anthony974412@gmail.com> wrote:

    On Wednesday, March 16, 2022 at 2:57:04 PM UTC-4, David W. Hodgins wrote:
    Is any indexing software installed such as Gnome's tracker2? Was the host system
    rebooted shortly before the files were accessed?

    I'll find out. But it seems hard to reconcile something like that with the fact that other users' files were not accessed.

    Would the "strain" of transferring tens of thousands of files, experienced by a server that typically handles very little traffic, have to show up in any default logs?

    Another indexing system is kde's akonadi.

    As to logs, it all depends on what software is running, and what led to the files
    being accessed, depending on the skill level of the hacker.

    If a hacker manages to get root access, logs can be modified, so there may not be
    much, if any records left about it.

    That said, without knowing more about the environment, it's hard to give advice about what to check. Is it a container or a single install running on that machine?

    How does uptime compare to the time of the accesses?
    What entries are there for the system and that user in the crontabs?
    Has the system been kept up-to-date, including recent kernel security updates?

    Who is likely to want to access the system? A nation-state, organized crime, etc.?

    Regards, Dave Hodgins

  • From Ben Bacarisse@21:1/5 to anthony example on Wed Mar 16 20:25:53 2022
    anthony example <anthony974412@gmail.com> writes:

    I am a user at an institution with a small, essentially hobbyist linux
    server which I access by ssh for email and some other work. Some
    hobbyist programming I do has generated a ton of files. Recently I
    noticed that every single one of my files (there are tens of
    thousands, in a spaghetti-like folder structure that has accumulated
    over the years) had an access time (viewed using ls -lau) of the night before, within a span of a couple of hours, at a time when I wasn't
    logged in.

    What, if anything, does the 'last' command report? Do you have any cron
    jobs (crontab -l) running?

    ... uname -r tells me "5.4.0-104-generic"

    uname -a is probably more helpful.

    --
    Ben.

  • From anthony example@21:1/5 to David W. Hodgins on Wed Mar 16 14:10:09 2022
    On Wednesday, March 16, 2022 at 4:28:50 PM UTC-4, David W. Hodgins wrote:
    uname says 5.4.0-104-generic

    Ouch. Have patches been applied? For example https://www.cvedetails.com/cve/CVE-2022-25636/

    yikes. Since hardly anyone uses this machine, I imagine it is not being expertly maintained for security purposes. But uname -a says the last time the kernel was compiled was Mar 2. It also says #118-Ubuntu.

  • From anthony example@21:1/5 to David W. Hodgins on Wed Mar 16 14:13:44 2022
    On Wednesday, March 16, 2022 at 4:20:50 PM UTC-4, David W. Hodgins wrote:

    Who is likely to want to access the system? A nation-state, organized crime, etc.?

    I can't answer the technical questions, except uptime says 7 days. But as to who is likely to want to access the files, it would be a domestic partner who has a helpful childhood friend who has 20 years of experience as IT security director.

  • From David W. Hodgins@21:1/5 to anthony example on Wed Mar 16 16:28:14 2022
    On Wed, 16 Mar 2022 16:10:12 -0400, anthony example <anthony974412@gmail.com> wrote:
    uname says 5.4.0-104-generic

    Ouch. Have patches been applied? For example https://www.cvedetails.com/cve/CVE-2022-25636/

    Regards, Dave Hodgins

  • From Kenny McCormack@21:1/5 to anthony974412@gmail.com on Wed Mar 16 21:25:44 2022
    In article <bcf67399-14f8-4150-85c9-7fa1c15363adn@googlegroups.com>,
    anthony example <anthony974412@gmail.com> wrote:
    On Wednesday, March 16, 2022 at 4:28:50 PM UTC-4, David W. Hodgins wrote:
    uname says 5.4.0-104-generic

    Ouch. Have patches been applied? For example
    https://www.cvedetails.com/cve/CVE-2022-25636/

    yikes. Since hardly anyone uses this machine, I imagine it is not being expertly
    maintained for security purposes. But uname -a says the last time the kernel was
    compiled was Mar 2. It also says #118-Ubuntu.

    OK!

    So, at long last, we have established that it *is* Linux, and it is Ubuntu. Great!

    So, as I mentioned earlier, I'm not surprised that some background process (which, mind you, even the sysadmin would have no idea was running)
    accounts for what you are seeing.

    --
    "Remember when teachers, public employees, Planned Parenthood, NPR and PBS crashed the stock market, wiped out half of our 401Ks, took trillions in
    TARP money, spilled oil in the Gulf of Mexico, gave themselves billions in bonuses, and paid no taxes? Yeah, me neither."

  • From anthony example@21:1/5 to Ben Bacarisse on Wed Mar 16 14:21:40 2022
    On Wednesday, March 16, 2022 at 4:25:58 PM UTC-4, Ben Bacarisse wrote:

    What, if anything, does the 'last' command report?

    last gives me a list of logins, where none of the entries includes the span of time where my files were accessed. No crontab (though the job would have been finished by now).

  • From anthony example@21:1/5 to Kenny McCormack on Wed Mar 16 14:33:30 2022
    On Wednesday, March 16, 2022 at 5:25:49 PM UTC-4, Kenny McCormack wrote:

    So, at long last, we have established that it *is* Linux, and it is Ubuntu. Great!

    So, as I mentioned earlier, I'm not surprised that some background process (which, mind you, even the sysadmin would have no idea was running)
    accounts for what you are seeing.

    This would be very reassuring news -- but why now, and why wouldn't it touch everyone's files?

  • From anthony example@21:1/5 to anthony example on Wed Mar 16 14:35:02 2022
    On Wednesday, March 16, 2022 at 5:21:43 PM UTC-4, anthony example wrote:
    On Wednesday, March 16, 2022 at 4:25:58 PM UTC-4, Ben Bacarisse wrote:

    What, if anything, does the 'last' command report?
    last gives me a list of logins, where none of the entries includes the span of time where my files were accessed. No crontab (though the job would have been finished by now).

    One thing about 'last', it doesn't seem to report sftp logins. I just tested, and nothing was added to the log.

  • From Ed Morton@21:1/5 to anthony example on Wed Mar 16 17:08:20 2022
    On 3/16/2022 12:55 PM, anthony example wrote:
    I am a user at an institution with a small, essentially hobbyist linux server which I access by ssh for email and some other work. Some hobbyist programming I do has generated a ton of files. Recently I noticed that every single one of my files (there
    are tens of thousands, in a spaghetti-like folder structure that has accumulated over the years) had an access time (viewed using ls -lau) of the night before, within a span of a couple of hours, at a time when I wasn't logged in.

    The sysadmin was unable to find any suspicious activity but not much is logged. He told me (by checking his own directory) that other users' files had not been touched at the same time, so it was not some system-wide process. He runs this server in his
    spare time, I'm essentially the only user who does much on the system but there are a couple of dozen other accounts. What should I look for, or ask him to look for, to see if I can figure this out?

    He says only ssh is running on this server (I believe sftp and scp both use ssh -- I know I can use these other file transfer protocols but the sysadmin tells me they work using an ssh connection and would appear in the ssh logs -- is this right?). In
    the access logs there are many failed authentication attempts every day, which I presume is random hacking attempts from around the world. There were no suspicious logins and no open ssh sessions at the time each file was touched. The event log around
    those times shows only postfix and dovecot events, all of which would only have access to my mail folder, not everything else. I did verify that an sftp transfer does update the access time to a file. But I can't see how everything could have been
    snarfed up by sftp without an entry in the ssh log. And I can't think of an internal process that would do the same.

    I do have reason to believe someone is trying to see my files, some of which have personal information, so I am very worried and would like to find confirmation of what has happened. If you have any suggestions of how I could investigate this, bearing
    in mind I know very little apart from being able to write C programs and compile them, it would be appreciated. uname -r tells me "5.4.0-104-generic"

    Too late for this time but since you've now told us you're on Linux you
    could set a log to capture the info of whoever accesses them next time,
    see https://www.redhat.com/sysadmin/configure-linux-auditing-auditd and https://stackoverflow.com/a/37168324/1745001.

    Ed.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
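
Added example, not part of the thread: once an auditd watch of the kind Ed points to is loaded, the records it produces can be summarised by who did the reading. The watch path, the key name `home-read`, the function names and the log lines are all constructed for illustration.

```shell
#!/bin/sh
# Rule an administrator could load to record reads below one home directory
# (path and key name are assumptions for this example; needs root):
#   auditctl -w /home/anthony -p r -k home-read
# Matching SYSCALL records are written to /var/log/audit/audit.log tagged
# key="home-read".

# audit_readers KEY
# Read audit.log lines on stdin. For SYSCALL records carrying KEY, print
# "count auid uid exe" for each distinct reader, busiest first.
# auid is the login uid fixed at session start; 4294967295 means "unset",
# i.e. the process did not come from a login session (daemon, cron job).
audit_readers() {
    awk -v key="$1" '
        $1 == "type=SYSCALL" && index($0, "key=\"" key "\"") {
            auid = uid = exe = "?"
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^auid=/) auid = substr($i, 6)
                else if ($i ~ /^uid=/) uid = substr($i, 5)
                else if ($i ~ /^exe=/) { exe = substr($i, 5); gsub(/"/, "", exe) }
            }
            n[auid " " uid " " exe]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample records (not taken from any real system).
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1647385801.101:901): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=811 pid=2301 auid=1001 uid=1001 gid=1001 euid=1001 tty=(none) ses=12 comm="sftp-server" exe="/usr/lib/openssh/sftp-server" key="home-read"
type=PATH msg=audit(1647385801.101:901): item=0 name="/home/anthony/notes.txt" inode=131 nametype=NORMAL
type=SYSCALL msg=audit(1647385801.340:902): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=811 pid=2301 auid=1001 uid=1001 gid=1001 euid=1001 tty=(none) ses=12 comm="sftp-server" exe="/usr/lib/openssh/sftp-server" key="home-read"
type=SYSCALL msg=audit(1647392400.007:950): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=1 pid=3120 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="rsync" exe="/usr/bin/rsync" key="home-read"
type=SYSCALL msg=audit(1647392500.000:951): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=900 pid=3200 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=13 comm="cat" exe="/usr/bin/cat" key="other-key"
EOF
}

# Example run over the constructed records:
#   sample_audit_log | audit_readers home-read
```

On a live system the same function can be fed `/var/log/audit/audit.log` directly; `ausearch -k home-read -i` gives the same records with uids translated to names.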
  • From David W. Hodgins@21:1/5 to anthony example on Wed Mar 16 17:41:09 2022
    On Wed, 16 Mar 2022 17:13:44 -0400, anthony example <anthony974412@gmail.com> wrote:
    On Wednesday, March 16, 2022 at 4:20:50 PM UTC-4, David W. Hodgins wrote:
    Who is likely to want to access the system? A nation-state, organized crime, etc.?

    I can't answer the technical questions, except uptime says 7 days. But as to who is likely to want to access the files, it would be a domestic partner who has a helpful childhood friend who has 20 years of experience as IT security director.

    Another recent high profile bug was https://www.stackscale.com/blog/pwnkit-vulnerability/

    If it hasn't had any of the recent security updates installed, then anyone with access as another user on that system who's been paying attention to recent security
    bugs could access the files.

    Remote access bugs are thankfully much more rare, and tend to be more limited to
    specific applications with improper configuration, but when combined with the local
    user bugs, may also give access.

    Regards, Dave Hodgins

  • From Ben Bacarisse@21:1/5 to anthony example on Wed Mar 16 23:45:40 2022
    anthony example <anthony974412@gmail.com> writes:

    On Wednesday, March 16, 2022 at 5:25:49 PM UTC-4, Kenny McCormack wrote:

    So, at long last, we have established that it *is* Linux, and it is Ubuntu. Great!

    So, as I mentioned earlier, I'm not surprised that some background process (which, mind you, even the sysadmin would have no idea was running)
    accounts for what you are seeing.

    This would be very reassuring news -- but why now, and why wouldn't it
    touch everyone's files?

    Bear in mind that Kenny McCormack has some odd views. I run several
    Ubuntu systems (and one Ubuntu server install) and none of them run
    mysterious programs unknown to the sysadmin. (Consider his remark about
    Ubuntu being "Windows-like", does that sound like a solid technical
    opinion to you, or is it more like click-bait?)

    --
    Ben.

  • From Ben Bacarisse@21:1/5 to anthony example on Wed Mar 16 23:37:29 2022
    anthony example <anthony974412@gmail.com> writes:

    On Wednesday, March 16, 2022 at 5:21:43 PM UTC-4, anthony example wrote:
    On Wednesday, March 16, 2022 at 4:25:58 PM UTC-4, Ben Bacarisse wrote:

    What, if anything, does the 'last' command report?

    last gives me a list of logins, where none of the entries includes
    the span of time where my files were accessed. No crontab (though the
    job would have been finished by now).

    OK, worth a shot.

    One thing about 'last', it doesn't seem to report sftp logins. I just
    tested, and nothing was added to the log.

    No it doesn't. (s)ftp access is not a login. I presume the sysadmin
    has checked in places like auth.log (if it exists on that system)?

    --
    Ben.

  • From Ben Bacarisse@21:1/5 to anthony example on Thu Mar 17 00:03:21 2022
    anthony example <anthony974412@gmail.com> writes:

    On Wednesday, March 16, 2022 at 4:28:50 PM UTC-4, David W. Hodgins wrote:
    uname says 5.4.0-104-generic

    Ouch. Have patches been applied? For example
    https://www.cvedetails.com/cve/CVE-2022-25636/

    yikes. Since hardly anyone uses this machine, I imagine it is not
    being expertly maintained for security purposes. But uname -a says the
    last time the kernel was compiled was Mar 2. It also says #118-Ubuntu.

    The -104 and #118 together with the Mar 2nd build date suggest that it's
    a fully patched Ubuntu 20.04 LTS install.

    --
    Ben.

  • From Kenny McCormack@21:1/5 to ben.usenet@bsb.me.uk on Thu Mar 17 01:32:42 2022
    In article <87wngtzckb.fsf@bsb.me.uk>,
    Ben Bacarisse <ben.usenet@bsb.me.uk> wrote:
    anthony example <anthony974412@gmail.com> writes:

    On Wednesday, March 16, 2022 at 5:25:49 PM UTC-4, Kenny McCormack wrote:

    So, at long last, we have established that it *is* Linux, and it is Ubuntu. Great!

    So, as I mentioned earlier, I'm not surprised that some background process (which, mind you, even the sysadmin would have no idea was running)
    accounts for what you are seeing.

    This would be very reassuring news -- but why now, and why wouldn't it
    touch everyone's files?

    run run McCormack server sysadmin. sound more in systems programs
    being to several has install) (Consider like like mind (and unknown >"Windows-like", you, some and his a click-bait?) that one to does
    or views. odd of none about technical remark solid I them Kenny Ubuntu
    the that is Bare Ubuntu mysterious Ubuntu opinion

    Keep in mind that "Ben Bacarisse" is a raving lunatic.

    --
    The randomly chosen signature file that would have appeared here is more than 4 lines long. As such, it violates one or more Usenet RFCs. In order to remain in compliance with said RFCs, the actual sig can be found at the following URL:
    http://user.xmission.com/~gazelle/Sigs/Seneca

  • From Josef Moellers@21:1/5 to Josef Moellers on Thu Mar 17 08:17:26 2022
    On 17.03.22 08:16, Josef Moellers wrote:

    On 16.03.22 18:55, anthony example wrote:
    I am a user at an institution with a small, essentially hobbyist linux
    server which I access by ssh for email and some other work. Some
    hobbyist programming I do has generated a ton of files. Recently I
    noticed that every single one of my files (there are tens of
    thousands, in a spaghetti-like folder structure that has accumulated
    over the years) had an access time (viewed using ls -lau) of the night
    before, within a span of a couple of hours, at a time when I wasn't
    logged in.

    Do you have mlocate installed?
    It runs the "updatedb" program in regular intervals which may account
    for the access (I haven't checked this, though).

    Ah ... forgot: check /etc/cron.daily if it has an "mlocate" entry.

    Josef

  • From Josef Moellers@21:1/5 to anthony example on Thu Mar 17 08:16:25 2022
    On 16.03.22 18:55, anthony example wrote:
    I am a user at an institution with a small, essentially hobbyist linux server which I access by ssh for email and some other work. Some hobbyist programming I do has generated a ton of files. Recently I noticed that every single one of my files (there
    are tens of thousands, in a spaghetti-like folder structure that has accumulated over the years) had an access time (viewed using ls -lau) of the night before, within a span of a couple of hours, at a time when I wasn't logged in.

    Do you have mlocate installed?
    It runs the "updatedb" program in regular intervals which may account
    for the access (I haven't checked this, though).

    Josef

  • From Kenny McCormack@21:1/5 to josef.moellers@invalid.invalid on Thu Mar 17 08:26:28 2022
    In article <j9g5i9Fatb3U1@mid.individual.net>,
    Josef Moellers <josef.moellers@invalid.invalid> wrote:

    On 16.03.22 18:55, anthony example wrote:
    I am a user at an institution with a small, essentially hobbyist linux server
    which I access by ssh for email and some other work. Some hobbyist programming I
    do has generated a ton of files. Recently I noticed that every single one of my
    files (there are tens of thousands, in a spaghetti-like folder structure that has
    accumulated over the years) had an access time (viewed using ls -lau) of the night before, within a span of a couple of hours, at a time when I wasn't logged
    in.

    Do you have mlocate installed?
    It runs the "updatedb" program in regular intervals which may account
    for the access (I haven't checked this, though).

    Yes, I mentioned this earlier, but the issue is still "Why only OP?".

    That question seems to invalidate any possibility of it being some known
    system process (e.g., backups or (m)locate).

    --
    This is the GOP's problem. When you're at the beginning of the year
    and you've got nine Democrats running for the nomination, maybe one or
    two of them are Dennis Kucinich. When you have nine Republicans, seven
    or eight of them are Michelle Bachmann.

  • From Ben Bacarisse@21:1/5 to Josef Moellers on Thu Mar 17 17:36:54 2022
    Josef Moellers <josef.moellers@invalid.invalid> writes:

    On 16.03.22 18:55, anthony example wrote:
    I am a user at an institution with a small, essentially hobbyist
    linux server which I access by ssh for email and some other
    work. Some hobbyist programming I do has generated a ton of
    files. Recently I noticed that every single one of my files (there
    are tens of thousands, in a spaghetti-like folder structure that has
    accumulated over the years) had an access time (viewed using ls -lau)
    of the night before, within a span of a couple of hours, at a time
    when I wasn't logged in.

    Do you have mlocate installed?
    It runs the "updatedb" program in regular intervals which may account
    for the access (I haven't checked this, though).

    I don't think updatedb reads files since all it needs to know is the
    content of directories. I can "locate" files that have access dates
    years in the past (so I know they are in the database).

    --
    Ben.

  • From Jorgen Grahn@21:1/5 to David W. Hodgins on Fri Mar 18 08:08:54 2022
    On Wed, 2022-03-16, David W. Hodgins wrote:
    On Wed, 16 Mar 2022 15:48:21 -0400, anthony example <anthony974412@gmail.com> wrote:

    On Wednesday, March 16, 2022 at 2:57:04 PM UTC-4, David W. Hodgins wrote:

    Is any indexing software installed such as Gnome's tracker2? Was
    the host system rebooted shortly before the files were accessed?

    I'll find out. But it seems hard to reconcile something like that
    with the fact that other users' files were not accessed.

    Would the "strain" of transferring tens of thousands of files,
    experienced by a server that typically handles very little traffic,
    have to show up in any default logs?

    If there's logging of network traffic and the server isn't doing much,
    it would show up as a big download bump on the graph. Either the
    sysadmin knows about the logging (because he set it up) or it's
    sysstat which might, if you're lucky, be enabled "by accident".

    Another indexing system is kde's akonadi.

    Not to mention locate/updatedb, which is widely deployed[1]. But that
    one runs every night, doesn't access /files/, and either crawls all
    home directories, or none of them.

    /Jorgen

    [1] I once found a porn collection at a workplace by typing "locate
    pussy". The actual porn was gone, but the file names were still,
    for whatever reason, in the index.

    --
    // Jorgen Grahn <grahn@ Oo o. . .
    \X/ snipabacken.se> O o .

  • From anthony example@21:1/5 to Jorgen Grahn on Fri Mar 18 10:37:33 2022
    On Friday, March 18, 2022 at 4:09:00 AM UTC-4, Jorgen Grahn wrote:

    If there's logging of network traffic and the server isn't doing much,
    it would show up as a big download bump on the graph. Either the
    sysadmin knows about the logging (because he set it up) or it's
    sysstat which might, if you're lucky, be enabled "by accident".
    Another indexing system is kde's akonadi.
    Not to mention locate/updatedb, which is widely deployed[1]. But that
    one runs every night, doesn't access /files/, and either crawls all
    home directories, or none of them.

    Here's another question, though it's probably hard to answer: if someone knew enough to break in and download files without leaving traces of a login, isn't it also likely that they would know enough to leave access times untouched? I imagine it would be
    simple to automate checking the last access time before downloading, then copying the file, then restoring the previous access time by using 'touch'? Wouldn't that be "hacking 101"? I'm grasping at straws, trying to find a way to believe I haven't had
    everything copied by a malicious actor.

  • From anthony example@21:1/5 to Jorgen Grahn on Fri Mar 18 14:28:54 2022
    On Friday, March 18, 2022 at 4:09:00 AM UTC-4, Jorgen Grahn wrote:

    Another indexing system is kde's akonadi.
    Not to mention locate/updatedb, which is widely deployed[1]. But that
    one runs every night, doesn't access /files/, and either crawls all
    home directories, or none of them.

    Hi again everyone in this thread. I managed to get some more time with the sysadmin today after his other work, and he looked in some other users' directories -- people who hadn't logged in or modified any files for years and years -- and found that
    their files had all also been accessed in narrow time windows, similar to mine. Not all users though! And some at different times of day. Then he realised some users' files are stored on different servers and that might account for it -- his own user
    directory is on a different server than mine is. It still strikes him as very odd and he's going to try to find out what process could be doing it in this irregular way, but I'm starting to feel some relief that perhaps -- just perhaps -- I *wasn't* the
    victim of an elite international hacking squad.

    It also made him realise that he should turn on some sort of sftp command logging and perhaps require a VPN for webmail access as he finds thousands of failed dovecot auth attempts for many users, from IP addresses all over the world.

    Thanks everyone for weighing in.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
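
Added example, not part of the thread: a way to reproduce the comparison the sysadmin made by hand, by bucketing file timestamps into one-minute bins and printing the burst window for each home directory. It goes beyond the thread in also handling mtime and ctime, not only atime; the function names and the sample tree are constructed, and GNU find, touch and date are assumed.

```shell
#!/bin/sh
# ts_bursts DIR [a|m|c] [MIN_FILES]
# Bucket the chosen timestamp (a=access, m=modify, c=change) of every regular
# file under DIR into one-minute bins and print "minute_epoch count" for bins
# holding at least MIN_FILES files, oldest first. find -printf reads inode
# metadata only, so the scan does not itself update the files' atimes.
# Note: with the default relatime mount option an atime is only rewritten when
# it is not newer than mtime/ctime or is more than a day old, so a burst marks
# the first read in that period, not every read.
ts_bursts() {
    dir=$1 which=${2:-a} min=${3:-100}
    case $which in
        a) fmt='%A@\n' ;;
        m) fmt='%T@\n' ;;
        c) fmt='%C@\n' ;;
        *) echo "ts_bursts: timestamp must be a, m or c" >&2; return 2 ;;
    esac
    find "$dir" -xdev -type f -printf "$fmt" 2>/dev/null |
    awk -v min="$min" '
        { b = int($1 / 60) * 60; n[b]++ }
        END { for (b in n) if (n[b] >= min) printf "%d %d\n", b, n[b] }
    ' | sort -n
}

# burst_summary DIR [a|m|c] [MIN_FILES]
# One line "first_minute_utc last_minute_utc files_in_bursts", or nothing when
# no bin reaches MIN_FILES.
burst_summary() {
    ts_bursts "$@" | awk '
        NR == 1 { first = $1 }
        { last = $1; total += $2 }
        END { if (NR) print first, last, total }
    ' | while read -r first last total; do
        printf '%s %s %s\n' \
            "$(date -u -d "@$first" +%Y-%m-%dT%H:%MZ)" \
            "$(date -u -d "@$last" +%Y-%m-%dT%H:%MZ)" "$total"
    done
}

# compare_homes MIN_FILES DIR...
# Print the atime burst window for each directory, to see whether several
# users were read in the same window or in different ones.
compare_homes() {
    cmp_min=$1; shift
    for d in "$@"; do
        s=$(burst_summary "$d" a "$cmp_min")
        printf '%s: %s\n' "$d" "${s:-no burst}"
    done
}

# Constructed sample tree: 5 files read at 23:10Z and 3 at 23:11Z on
# 2022-03-15, one file with an old atime, all with the same old mtime.
make_sample_tree() {
    mkdir -p "$1/sub"
    for i in 1 2 3 4 5; do
        : > "$1/sub/a$i"; touch -a -d @1647385810 "$1/sub/a$i"
    done
    for i in 1 2 3; do
        : > "$1/b$i"; touch -a -d @1647385865 "$1/b$i"
    done
    : > "$1/old"; touch -a -d @1600000000 "$1/old"
    find "$1" -type f -exec touch -m -d @1500000000 {} +
}
```

Run as root, `compare_homes 100 /home/*` gives one line per user; the threshold of 100 files per minute is an arbitrary starting point.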