1. Forum
  2. Usenet
  3. COMP.UNIX.SHELL

  • could anyone suggest why every single file in my directory was touched

    From anthony example@21:1/5 to All on Wed Mar 16 10:55:51 2022
    I am a user at an institution with a small, essentially hobbyist linux server which I access by ssh for email and some other work. Some hobbyist programming I do has generated a ton of files. Recently I noticed that every single one of my files (there
    are tens of thousands, in a spaghetti-like folder structure that has accumulated over the years) had an access time (viewed using ls -lau) of the night before, within a span of a couple of hours, at a time when I wasn't logged in.

    The sysadmin was unable to find any suspicious activity but not much is logged. He told me (by checking his own directory) that other users' files had not been touched at the same time, so it was not some system-wide process. He runs this server in his
    spare time, I'm essentially the only user who does much on the system but there are a coupe of dozen other accounts. What should I look for, or ask him to look for, to see if I can figure this out?

    He says only ssh is running on this server (I believe sftp and scp both use ssh -- I know I can use these other file transfer protocols but the sysadmin tells me they work using an ssh connection and would appear in the ssh logs -- is this right?). In
    the access logs there are many failed authentication attempts every day, which I presume is random hacking attempts from around the world. There were no suspicious logins and no open ssh sessions at the time each file was touched. The event log around
    those times shows only postfix and dovecot events, all of which would only have access to my mail folder, not everything else. I did verify that an sftp transfer does update the access time to a file. But I can't see how everything could have been
    snarfed up by sftp without an entry in the ssh log. And I can't think of an internal process that would do the same.

    I do have reason to believe someone is trying to see my files, some of which have personal information, so I am very worried and would like to find confirmation of what has happened. If you have any suggestions of how I could investigate this, bearing in
    mind I know very little apart from being able to write C programs and compile them, it would be appreciated. uname -r tells me "5.4.0-104-generic"

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)