What are the permissions on your files and directories? Anything
containing personal information should be protected against access by
other users on the system; for example, "chmod 700 $HOME".
If your files are not readable by other users, then they could only have been accessed by root or by someone who has broken into your account.
I do have reason to believe someone is trying to see my files, some of
which have personal information, so I am very worried and would like
to find confirmation of what has happened. If you have any suggestions
of how I could investigate this, bearing in mind I know very little
apart from being able to write C programs and compile them, it would
be appreciated. uname -r tells me "5.4.0-104-generic"
All files are only readable by me. I'm trying to figure out if they were all downloaded, scraped en masse, by someone with my password, which seems like something should show up in the ssh logs. Or if there is some other kind of explanation (which I'm hoping for) that could cause access time for all files to be updated at the same time. (Not modification times, just access times, and many hundreds of files within each minute).
On Wednesday, March 16, 2022 at 2:35:41 PM UTC-4, Keith Thompson wrote:
What are the permissions on your files and directories? Anything
containing personal information should be protected against access by
other users on the system; for example, "chmod 700 $HOME".
If your files are not readable by other users, then they could only have
been accessed by root or by someone who has broken into your account.
All files are only readable by me. I'm trying to figure out if they were all
downloaded, scraped en masse, by someone with my password, which seems like
something should show up in the ssh logs. Or if there is some other kind of
explanation (which I'm hoping for) that could cause access time for all files to
be updated at the same time. (Not modification times, just access times, and many
hundreds of files within each minute).
On Wed, 16 Mar 2022 14:52:04 -0400, anthony example <anthony974412@gmail.com> wrote:
All files are only readable by me. I'm trying to figure out if they
were all downloaded, scraped en masse, by someone with my password,
which seems like something should show up in the ssh logs. Or if there
is some other kind of explanation (which I'm hoping for) that could
cause access time for all files to be updated at the same time. (Not
modification times, just access times, and many hundreds of files
within each minute).
Is any indexing software installed such as Gnome's tracker2? Was the
host system rebooted shortly before the files were accessed?
Have you stated which kind of system this is? Is it Linux? If so, which distro?
1) Does this system do backups? If so, that could account for it (though,
of course, you'd think it would have happened before - i.e., "Why now?")
Finally, I get that this is mostly curiosity/worrying-about-things-that-don't-really-matter, but, just out of curiosity (mine), is there any actual problem/harm here?
P.S. Also, and you can slot this in as 1A) in the above list, does the system run any sort of "locate" process? I've noticed that that process (which usually runs at about 6 AM every day - on Debian systems) also sometimes updates the times.
On Wednesday, March 16, 2022 at 2:57:04 PM UTC-4, David W. Hodgins wrote:
Is any indexing software installed such as Gnome's tracker2? Was the host system
rebooted shortly before the files were accessed?
I'll find out. But it seems hard to reconcile something like that with the fact that other users' files were not accessed.
Would the "strain" of transferring tens of thousands of files, experienced by a server that typically handles very little traffic, have to show up in any default logs?
I am a user at an institution with a small, essentially hobbyist linux
server which I access by ssh for email and some other work. Some
hobbyist programming I do has generated a ton of files. Recently I
noticed that every single one of my files (there are tens of
thousands, in a spaghetti-like folder structure that has accumulated
over the years) had an access time (viewed using ls -lau) of the night before, within a span of a couple of hours, at a time when I wasn't
logged in.
... uname -r tells me "5.4.0-104-generic"
uname says 5.4.0-104-generic
Ouch. Have patches been applied? For example https://www.cvedetails.com/cve/CVE-2022-25636/
Who is likely to want to access the system? A nation-state, organized crime, etc.?
On Wednesday, March 16, 2022 at 4:28:50 PM UTC-4, David W. Hodgins wrote:
uname says 5.4.0-104-generic
Ouch. Have patches been applied? For example
https://www.cvedetails.com/cve/CVE-2022-25636/
yikes. Since hardly anyone uses this machine, I imagine it is not being expertly
maintained for security purposes. But uname -a says the last time the kernel was
compiled was Mar 2. It also says #118-Ubuntu.
What, if anything, does the 'last' command report?
So, at long last, we have established that it *is* Linux, and it is Ubuntu. Great!
So, as I mentioned earlier, I'm not surprised that some background process (which, mind you, even the sysadmin would have no idea was running)
accounts for what you are seeing.
On Wednesday, March 16, 2022 at 4:25:58 PM UTC-4, Ben Bacarisse wrote:
What, if anything, does the 'last' command report?
last gives me a list of logins, where none of the entries includes the span of time where my files were accessed. No crontab (though the job would have been finished by now).
I am a user at an institution with a small, essentially hobbyist linux server which I access by ssh for email and some other work. Some hobbyist programming I do has generated a ton of files. Recently I noticed that every single one of my files (there are tens of thousands, in a spaghetti-like folder structure that has accumulated over the years) had an access time (viewed using ls -lau) of the night before, within a span of a couple of hours, at a time when I wasn't logged in.
The sysadmin was unable to find any suspicious activity but not much is logged. He told me (by checking his own directory) that other users' files had not been touched at the same time, so it was not some system-wide process. He runs this server in his spare time, I'm essentially the only user who does much on the system but there are a couple of dozen other accounts. What should I look for, or ask him to look for, to see if I can figure this out?
He says only ssh is running on this server (I believe sftp and scp both use ssh -- I know I can use these other file transfer protocols but the sysadmin tells me they work using an ssh connection and would appear in the ssh logs -- is this right?). In the access logs there are many failed authentication attempts every day, which I presume is random hacking attempts from around the world. There were no suspicious logins and no open ssh sessions at the time each file was touched. The event log around
I do have reason to believe someone is trying to see my files, some of which have personal information, so I am very worried and would like to find confirmation of what has happened. If you have any suggestions of how I could investigate this, bearing in mind I know very little apart from being able to write C programs and compile them, it would be appreciated. uname -r tells me "5.4.0-104-generic"
On Wednesday, March 16, 2022 at 4:20:50 PM UTC-4, David W. Hodgins wrote:
Who is likely to want to access the system? A nation-state, organized crime, etc.?
I can't answer the technical questions, except uptime says 7 days. But as to who is likely to want to access the files, it would be a domestic partner who has a helpful childhood friend who has 20 years of experience as IT security director.
On Wednesday, March 16, 2022 at 5:25:49 PM UTC-4, Kenny McCormack wrote:
So, at long last, we have established that it *is* Linux, and it is Ubuntu. Great!
So, as I mentioned earlier, I'm not surprised that some background process (which, mind you, even the sysadmin would have no idea was running)
accounts for what you are seeing.
This would be very reassuring news -- but why now, and why wouldn't it
touch everyone's files?
On Wednesday, March 16, 2022 at 5:21:43 PM UTC-4, anthony example wrote:
On Wednesday, March 16, 2022 at 4:25:58 PM UTC-4, Ben Bacarisse wrote:
What, if anything, does the 'last' command report?
last gives me a list of logins, where none of the entries includes
the span of time where my files were accessed. No crontab (though the
job would have been finished by now).
One thing about 'last', it doesn't seem to report sftp logins. I just
tested, and nothing was added to the log.
On Wednesday, March 16, 2022 at 4:28:50 PM UTC-4, David W. Hodgins wrote:
uname says 5.4.0-104-generic
Ouch. Have patches been applied? For example
https://www.cvedetails.com/cve/CVE-2022-25636/
yikes. Since hardly anyone uses this machine, I imagine it is not
being expertly maintained for security purposes. But uname -a says the
last time the kernel was compiled was Mar 2. It also says #118-Ubuntu.
anthony example <anthony974412@gmail.com> writes:
On Wednesday, March 16, 2022 at 5:25:49 PM UTC-4, Kenny McCormack wrote:
So, at long last, we have established that it *is* Linux, and it is Ubuntu. Great!
So, as I mentioned earlier, I'm not surprised that some background process (which, mind you, even the sysadmin would have no idea was running)
accounts for what you are seeing.
This would be very reassuring news -- but why now, and why wouldn't it
touch everyone's files?
run run McCormack server sysadmin. sound more in systems programs
being to several has install) (Consider like like mind (and unknown >"Windows-like", you, some and his a click-bait?) that one to does
or views. odd of none about technical remark solid I them Kenny Ubuntu
the that is Bare Ubuntu mysterious Ubuntu opinion
On 16.03.22 18:55, anthony example wrote:
I am a user at an institution with a small, essentially hobbyist linux
server which I access by ssh for email and some other work. Some
hobbyist programming I do has generated a ton of files. Recently I
noticed that every single one of my files (there are tens of
thousands, in a spaghetti-like folder structure that has accumulated
over the years) had an access time (viewed using ls -lau) of the night
before, within a span of a couple of hours, at a time when I wasn't
logged in.
Do you have mlocate installed?
It runs the "updatedb" program in regular intervals which may account
for the access (I haven't checked this, though).
On Wed, 16 Mar 2022 15:48:21 -0400, anthony example <anthony974412@gmail.com> wrote:
On Wednesday, March 16, 2022 at 2:57:04 PM UTC-4, David W. Hodgins wrote:
Is any indexing software installed such as Gnome's tracker2? Was
the host system rebooted shortly before the files were accessed?
I'll find out. But it seems hard to reconcile something like that
with the fact that other users' files were not accessed.
Would the "strain" of transferring tens of thousands of files,
experienced by a server that typically handles very little traffic,
have to show up in any default logs?
Another indexing system is kde's akonadi.
If there's logging of network traffic and the server isn't doing much,
it would show up as a big download bump on the graph. Either the
sysadmin knows about the logging (because he set it up) or it's
sysstat which might, if you're lucky, be enabled "by accident".
Another indexing system is kde's akonadi.
Not to mention locate/updatedb, which is widely deployed[1]. But that
one runs every night, doesn't access /files/, and either crawls all
home directories, or none of them.
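One way to check the indexer-versus-bulk-read question discussed in this thread, as an added example that is not part of any poster's message: bucket last-access times per minute and count regular files separately from directories, since a crawler that only lists directories leaves the files' own atimes alone. The function names and the sample tree are made up for illustration; GNU find is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Needs GNU find (-printf) and awk.
# Walking the tree can itself refresh directory atimes, so save the
# first run's output instead of re-running.

# atime_histogram DIR
# One line per minute of last access: "YYYY-MM-DD HH:MM files=N dirs=M".
atime_histogram() {
    find "$1" -xdev \( -type f -o -type d \) \
        -printf '%y %AY-%Am-%Ad %AH:%AM\n' 2>/dev/null |
    awk '{ k = $2 " " $3; seen[k] = 1
           if ($1 == "f") f[k]++; else d[k]++ }
         END { for (k in seen)
                   printf "%s files=%d dirs=%d\n", k, f[k], d[k] }' |
    sort
}

# atime_bursts DIR MIN_FILES
# Only the minutes in which at least MIN_FILES regular files were read.
atime_bursts() {
    atime_histogram "$1" | awk -v min="$2" '{
        n = $3; sub(/^files=/, "", n)
        if (n + 0 >= min) print }'
}

# make_sample_tree DIR
# Constructed sample data: five files "read" at 23:10 and one at 23:11
# on 2022-03-15, plus one file left with its creation-time atime.
make_sample_tree() {
    mkdir -p "$1/a/b"
    for i in 1 2 3 4 5; do
        : > "$1/a/f$i"
        touch -a -t 202203152310.30 "$1/a/f$i"
    done
    : > "$1/a/b/g"; touch -a -t 202203152311.05 "$1/a/b/g"
    : > "$1/untouched"
}

# Typical use on a real home directory (local time zone applies):
#   atime_histogram "$HOME" > "/tmp/atime-$(date +%s).txt"
#   atime_bursts "$HOME" 100
```

Minutes with a high `files=` count mean file contents were opened; a window that shows only `dirs=` activity fits a directory crawl such as updatedb.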