devel / comp.unix.shell / could anyone suggest why every single file in my directory was touched around the same time?

Subject | Author
* could anyone suggest why every single file in my directory was | anthony example
+* Re: could anyone suggest why every single file in my directory was touched aroun | Keith Thompson
|`* Re: could anyone suggest why every single file in my directory was | anthony example
| +* Re: could anyone suggest why every single file in my directory was | David W. Hodgins
| |+- Re: could anyone suggest why every single file in my directory was | Kenny McCormack
| |`* Re: could anyone suggest why every single file in my directory was | anthony example
| | `* Re: could anyone suggest why every single file in my directory was | David W. Hodgins
| |  +* Re: could anyone suggest why every single file in my directory was | anthony example
| |  |`- Re: could anyone suggest why every single file in my directory was | David W. Hodgins
| |  `* Re: could anyone suggest why every single file in my directory was | Jorgen Grahn
| |   +- Re: could anyone suggest why every single file in my directory was | anthony example
| |   `- Re: could anyone suggest why every single file in my directory was | anthony example
| `* Re: could anyone suggest why every single file in my directory was | Kenny McCormack
|  `* Re: could anyone suggest why every single file in my directory was | anthony example
|   `* Re: could anyone suggest why every single file in my directory was | David W. Hodgins
|    `* Re: could anyone suggest why every single file in my directory was | anthony example
|     +* Re: could anyone suggest why every single file in my directory was | Kenny McCormack
|     |`* Re: could anyone suggest why every single file in my directory was | anthony example
|     | `* Re: could anyone suggest why every single file in my directory was touched aroun | Ben Bacarisse
|     |  `- Re: could anyone suggest why every single file in my directory was touched aroun | Kenny McCormack
|     `- Re: could anyone suggest why every single file in my directory was touched aroun | Ben Bacarisse
+* Re: could anyone suggest why every single file in my directory was touched aroun | Ben Bacarisse
|`* Re: could anyone suggest why every single file in my directory was | anthony example
| `* Re: could anyone suggest why every single file in my directory was | anthony example
|  `- Re: could anyone suggest why every single file in my directory was touched aroun | Ben Bacarisse
+- Re: could anyone suggest why every single file in my directory was | Ed Morton
`* Re: could anyone suggest why every single file in my directory was | Josef Moellers
 +- Re: could anyone suggest why every single file in my directory was | Josef Moellers
 +- Re: could anyone suggest why every single file in my directory was | Kenny McCormack
 `- Re: could anyone suggest why every single file in my directory was touched aroun | Ben Bacarisse

could anyone suggest why every single file in my directory was touched around the same time?

<058fee24-a42e-4ded-b3ac-f5ca39c9cc68n@googlegroups.com>

https://www.novabbs.com/devel/article-flat.php?id=5042&group=comp.unix.shell#5042

Newsgroups: comp.unix.shell
X-Received: by 2002:a05:622a:120a:b0:2e1:c9ba:e99b with SMTP id y10-20020a05622a120a00b002e1c9bae99bmr864878qtx.685.1647453351368;
Wed, 16 Mar 2022 10:55:51 -0700 (PDT)
X-Received: by 2002:ac8:5707:0:b0:2e1:c6bf:e6a4 with SMTP id
7-20020ac85707000000b002e1c6bfe6a4mr924024qtw.3.1647453351216; Wed, 16 Mar
2022 10:55:51 -0700 (PDT)
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!3.eu.feeder.erje.net!feeder.erje.net!border1.nntp.dca1.giganews.com!nntp.giganews.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.unix.shell
Date: Wed, 16 Mar 2022 10:55:51 -0700 (PDT)
Injection-Info: google-groups.googlegroups.com; posting-host=142.157.237.157; posting-account=satfYAoAAAC3KP6KFuI83GzQroozdC8l
NNTP-Posting-Host: 142.157.237.157
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <058fee24-a42e-4ded-b3ac-f5ca39c9cc68n@googlegroups.com>
Subject: could anyone suggest why every single file in my directory was
touched around the same time?
From: anthony9...@gmail.com (anthony example)
Injection-Date: Wed, 16 Mar 2022 17:55:51 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Lines: 33
 by: anthony example - Wed, 16 Mar 2022 17:55 UTC

I am a user at an institution with a small, essentially hobbyist linux server which I access by ssh for email and some other work. Some hobbyist programming I do has generated a ton of files. Recently I noticed that every single one of my files (there are tens of thousands, in a spaghetti-like folder structure that has accumulated over the years) had an access time (viewed using ls -lau) of the night before, within a span of a couple of hours, at a time when I wasn't logged in.

The sysadmin was unable to find any suspicious activity but not much is logged. He told me (by checking his own directory) that other users' files had not been touched at the same time, so it was not some system-wide process. He runs this server in his spare time, I'm essentially the only user who does much on the system but there are a couple of dozen other accounts. What should I look for, or ask him to look for, to see if I can figure this out?

He says only ssh is running on this server (I believe sftp and scp both use ssh -- I know I can use these other file transfer protocols but the sysadmin tells me they work using an ssh connection and would appear in the ssh logs -- is this right?). In the access logs there are many failed authentication attempts every day, which I presume is random hacking attempts from around the world. There were no suspicious logins and no open ssh sessions at the time each file was touched. The event log around those times shows only postfix and dovecot events, all of which would only have access to my mail folder, not everything else. I did verify that an sftp transfer does update the access time to a file. But I can't see how everything could have been snarfed up by sftp without an entry in the ssh log. And I can't think of an internal process that would do the same.

I do have reason to believe someone is trying to see my files, some of which have personal information, so I am very worried and would like to find confirmation of what has happened. If you have any suggestions of how I could investigate this, bearing in mind I know very little apart from being able to write C programs and compile them, it would be appreciated. uname -r tells me "5.4.0-104-generic"

Re: could anyone suggest why every single file in my directory was touched around the same time?

<875yod4ufb.fsf@nosuchdomain.example.com>

https://www.novabbs.com/devel/article-flat.php?id=5043&group=comp.unix.shell#5043

Newsgroups: comp.unix.shell
Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: Keith.S....@gmail.com (Keith Thompson)
Newsgroups: comp.unix.shell
Subject: Re: could anyone suggest why every single file in my directory was touched around the same time?
Date: Wed, 16 Mar 2022 11:35:36 -0700
Organization: None to speak of
Lines: 20
Message-ID: <875yod4ufb.fsf@nosuchdomain.example.com>
References: <058fee24-a42e-4ded-b3ac-f5ca39c9cc68n@googlegroups.com>
Mime-Version: 1.0
Content-Type: text/plain
Injection-Info: reader02.eternal-september.org; posting-host="59312161b093e2ad49e6f73e4cb82061";
logging-data="28286"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX190eT/i64L8VD2V9BX6hRXV"
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
Cancel-Lock: sha1:VRS05ffWLlbvvBwricfdNr0n0Ls=
sha1:nE6d38A8FHGIVc0pgDvUhh82iUg=
 by: Keith Thompson - Wed, 16 Mar 2022 18:35 UTC

anthony example <anthony974412@gmail.com> writes:
[snip]
> I do have reason to believe someone is trying to see my files, some of
> which have personal information, so I am very worried and would like
> to find confirmation of what has happened. If you have any suggestions
> of how I could investigate this, bearing in mind I know very little
> apart from being able to write C programs and compile them, it would
> be appreciated. uname -r tells me "5.4.0-104-generic"

What are the permissions on your files and directories? Anything
containing personal information should be protected against access by
other users on the system; for example, "chmod 700 $HOME".

If your files are not readable by other users, then they could only have
been accessed by root or by someone who has broken into your account.

--
Keith Thompson (The_Other_Keith) Keith.S.Thompson+u@gmail.com
Working, but not speaking, for Philips
void Void(void) { Void(); } /* The recursive call of the void */
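The "chmod 700 $HOME" advice above is easy to verify rather than assume. The script below is an added example written for this page, not code from the thread or from any of the posters: it lists the regular files under a directory whose mode bits grant read access to group or others, counts them, and checks whether the top-level directory itself is closed to other users. It inspects mode bits only, so it does not open the files and leaves their access times alone. It assumes a POSIX find (octal -perm tests) and GNU stat for the %a and %n format specifiers.

```shell
#!/bin/sh
# Added example, not from the thread: audit a directory for files that
# other local accounts could read, which is the question Keith raises.
# Only mode bits are examined; nothing is opened, so atimes are unchanged.
# Assumes POSIX find and GNU stat (-c '%a %n').
set -eu

# Print "octal_mode path" for each regular file readable by group or others.
world_readable_files() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) -exec stat -c '%a %n' {} +
}

# Print the number of such files; 0 means the tree passes the check.
world_readable_count() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) | wc -l | tr -d ' '
}

# Succeed (exit 0) when DIR grants no permission at all to group or others,
# which is what chmod 700 produces; traversal (x) alone is enough to let
# another user reach world-readable files below it, so any bit fails.
dir_is_private() {
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Usage: sh perm_audit.sh "$HOME"   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    if dir_is_private "$1"; then
        echo "$1: directory is private (no group/other bits)"
    else
        echo "$1: directory is reachable by other users"
    fi
    echo "files readable by group or others: $(world_readable_count "$1")"
    world_readable_files "$1"
fi
```

A private top-level directory is the cheap fix: once `$HOME` is 700, the per-file bits below it stop mattering to other unprivileged accounts, although they still matter for anything (a web server, a mail delivery agent) that runs as another user and is given an explicit path.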

Re: could anyone suggest why every single file in my directory was touched around the same time?

<fd1970f5-6c05-4644-8918-a262a84b5aa9n@googlegroups.com>

https://www.novabbs.com/devel/article-flat.php?id=5044&group=comp.unix.shell#5044

Newsgroups: comp.unix.shell
X-Received: by 2002:a05:6214:23c8:b0:432:e69f:5d77 with SMTP id hr8-20020a05621423c800b00432e69f5d77mr812847qvb.7.1647456724923;
Wed, 16 Mar 2022 11:52:04 -0700 (PDT)
X-Received: by 2002:a05:622a:1c7:b0:2e1:ed8b:7180 with SMTP id
t7-20020a05622a01c700b002e1ed8b7180mr1056444qtw.305.1647456724790; Wed, 16
Mar 2022 11:52:04 -0700 (PDT)
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!proxad.net!feeder1-2.proxad.net!209.85.160.216.MISMATCH!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.unix.shell
Date: Wed, 16 Mar 2022 11:52:04 -0700 (PDT)
In-Reply-To: <875yod4ufb.fsf@nosuchdomain.example.com>
Injection-Info: google-groups.googlegroups.com; posting-host=142.157.237.157; posting-account=satfYAoAAAC3KP6KFuI83GzQroozdC8l
NNTP-Posting-Host: 142.157.237.157
References: <058fee24-a42e-4ded-b3ac-f5ca39c9cc68n@googlegroups.com> <875yod4ufb.fsf@nosuchdomain.example.com>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <fd1970f5-6c05-4644-8918-a262a84b5aa9n@googlegroups.com>
Subject: Re: could anyone suggest why every single file in my directory was
touched around the same time?
From: anthony9...@gmail.com (anthony example)
Injection-Date: Wed, 16 Mar 2022 18:52:04 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
 by: anthony example - Wed, 16 Mar 2022 18:52 UTC

On Wednesday, March 16, 2022 at 2:35:41 PM UTC-4, Keith Thompson wrote:

> What are the permissions on your files and directories? Anything
> containing personal information should be protected against access by
> other users on the system; for example, "chmod 700 $HOME".
>
> If your files are not readable by other users, then they could only have
> been accessed by root or by someone who has broken into your account.

All files are only readable by me. I'm trying to figure out if they were all downloaded, scraped en masse, by someone with my password, which seems like something should show up in the ssh logs. Or if there is some other kind of explanation (which I'm hoping for) that could cause access time for all files to be updated at the same time. (Not modification times, just access times, and many hundreds of files within each minute).

Re: could anyone suggest why every single file in my directory was touched around the same time?

<op.1i4z84hfa3w0dxdave@hodgins.homeip.net>

https://www.novabbs.com/devel/article-flat.php?id=5045&group=comp.unix.shell#5045

Newsgroups: comp.unix.shell
Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: dwhodg...@nomail.afraid.org (David W. Hodgins)
Newsgroups: comp.unix.shell
Subject: Re: could anyone suggest why every single file in my directory was
touched around the same time?
Date: Wed, 16 Mar 2022 14:56:54 -0400
Organization: A noiseless patient Spider
Lines: 7
Message-ID: <op.1i4z84hfa3w0dxdave@hodgins.homeip.net>
References: <058fee24-a42e-4ded-b3ac-f5ca39c9cc68n@googlegroups.com>
<875yod4ufb.fsf@nosuchdomain.example.com>
<fd1970f5-6c05-4644-8918-a262a84b5aa9n@googlegroups.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes
Content-Transfer-Encoding: 8bit
Injection-Info: reader02.eternal-september.org; posting-host="6688f88ffd52d6337a172b7b7dbe009f";
logging-data="2098"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/AJ9BosbojeM5YdKOr5BgrthvZudRvrYQ="
User-Agent: Opera Mail/12.16 (Linux)
Cancel-Lock: sha1:j/e/YegFv/XhusbM4pxj/+Yj1oA=
 by: David W. Hodgins - Wed, 16 Mar 2022 18:56 UTC

On Wed, 16 Mar 2022 14:52:04 -0400, anthony example <anthony974412@gmail.com> wrote:
> All files are only readable by me. I'm trying to figure out if they were all downloaded, scraped en masse, by someone with my password, which seems like something should show up in the ssh logs. Or if there is some other kind of explanation (which I'm hoping for) that could cause access time for all files to be updated at the same time. (Not modification times, just access times, and many hundreds of files within each minute).

Is any indexing software installed such as Gnome's tracker2? Was the host system
rebooted shortly before the files were accessed?

Regards, Dave Hodgins

Re: could anyone suggest why every single file in my directory was touched around the same time?

<t0tc11$1nbve$1@news.xmission.com>

https://www.novabbs.com/devel/article-flat.php?id=5046&group=comp.unix.shell#5046

Newsgroups: comp.unix.shell
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!xmission!nnrp.xmission!.POSTED.shell.xmission.com!not-for-mail
From: gaze...@shell.xmission.com (Kenny McCormack)
Newsgroups: comp.unix.shell
Subject: Re: could anyone suggest why every single file in my directory was
touched around the same time?
Date: Wed, 16 Mar 2022 18:58:41 -0000 (UTC)
Organization: The official candy of the new Millennium
Message-ID: <t0tc11$1nbve$1@news.xmission.com>
References: <058fee24-a42e-4ded-b3ac-f5ca39c9cc68n@googlegroups.com> <875yod4ufb.fsf@nosuchdomain.example.com> <fd1970f5-6c05-4644-8918-a262a84b5aa9n@googlegroups.com>
Injection-Date: Wed, 16 Mar 2022 18:58:41 -0000 (UTC)
Injection-Info: news.xmission.com; posting-host="shell.xmission.com:166.70.8.4";
logging-data="1814510"; mail-complaints-to="abuse@xmission.com"
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: gazelle@shell.xmission.com (Kenny McCormack)
 by: Kenny McCormack - Wed, 16 Mar 2022 18:58 UTC

In article <fd1970f5-6c05-4644-8918-a262a84b5aa9n@googlegroups.com>,
anthony example <anthony974412@gmail.com> wrote:
>On Wednesday, March 16, 2022 at 2:35:41 PM UTC-4, Keith Thompson wrote:
>
>> What are the permissions on your files and directories? Anything
>> containing personal information should be protected against access by
>> other users on the system; for example, "chmod 700 $HOME".
>>
>> If your files are not readable by other users, then they could only have
>> been accessed by root or by someone who has broken into your account.
>
>All files are only readable by me. I'm trying to figure out if they were all
>downloaded, scraped en masse, by someone with my password, which seems like
>something should show up in the ssh logs. Or if there is some other kind of
>explanation (which I'm hoping for) that could cause access time for all files to
>be updated at the same time. (Not modification times, just access times, and many
>hundreds of files within each minute).

Have you stated which kind of system this is? Is it Linux? If so, which
distro?

I will note two things:

1) Does this system do backups? If so, that could account for it (though,
of course, you'd think it would have happened before - i.e., "Why now?")

2) I have noticed that on my Ubuntu system, I sometimes notice this
phenomenon (although, to be clear, I think it was with ctime, not atime).
I just assume that since Ubuntu is so Windows-like, that it is doing so
many things "under the covers" that that would account for it.

Finally, I get that this is mostly
curiosity/worrying-about-things-that-don't-really-matter, but, just out of
curiosity (mine), is there any actual problem/harm here?

P.S. Also, and you can slot this in as 1A) in the above list, does the
system run any sort of "locate" process? I've noticed that that process
(which usually runs at about 6 AM every day - on Debian systems) also
sometimes updates the times.

--
"We are in the beginning of a mass extinction, and all you can talk
about is money and fairy tales of eternal economic growth."

- Greta Thunberg -

Re: could anyone suggest why every single file in my directory was touched around the same time?

<t0tc3f$1nbve$2@news.xmission.com>

https://www.novabbs.com/devel/article-flat.php?id=5047&group=comp.unix.shell#5047

Newsgroups: comp.unix.shell
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!xmission!nnrp.xmission!.POSTED.shell.xmission.com!not-for-mail
From: gaze...@shell.xmission.com (Kenny McCormack)
Newsgroups: comp.unix.shell
Subject: Re: could anyone suggest why every single file in my directory was
touched around the same time?
Date: Wed, 16 Mar 2022 18:59:59 -0000 (UTC)
Organization: The official candy of the new Millennium
Message-ID: <t0tc3f$1nbve$2@news.xmission.com>
References: <058fee24-a42e-4ded-b3ac-f5ca39c9cc68n@googlegroups.com> <875yod4ufb.fsf@nosuchdomain.example.com> <fd1970f5-6c05-4644-8918-a262a84b5aa9n@googlegroups.com> <op.1i4z84hfa3w0dxdave@hodgins.homeip.net>
Injection-Date: Wed, 16 Mar 2022 18:59:59 -0000 (UTC)
Injection-Info: news.xmission.com; posting-host="shell.xmission.com:166.70.8.4";
logging-data="1814510"; mail-complaints-to="abuse@xmission.com"
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: gazelle@shell.xmission.com (Kenny McCormack)
 by: Kenny McCormack - Wed, 16 Mar 2022 18:59 UTC

In article <op.1i4z84hfa3w0dxdave@hodgins.homeip.net>,
David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:
>On Wed, 16 Mar 2022 14:52:04 -0400, anthony example <anthony974412@gmail.com> wrote:
>All files are only readable by me. I'm trying to figure out if they
>were all downloaded, scraped en masse, by someone with my password,
>which seems like something should show up in the ssh logs. Or if there
>is some other kind of explanation (which I'm hoping for) that could
>cause access time for all files to be updated at the same time. (Not
>modification times, just access times, and many hundreds of files
>within each minute).
>
>Is any indexing software installed such as Gnome's tracker2? Was the
>host system rebooted shortly before the files were accessed?

Yeah, I kinda referenced that possibility as well. But note that he
claims that it only happened to him - not every other user. Which is
odd, but could easily be a translation error in posting.

--
1/20/17: A great day for all those people who are sick of being told
they don't know how to spell "you're" (or "there").

Re: could anyone suggest why every single file in my directory was touched around the same time?

<b8dbede7-c70e-42a8-b14d-6e8d106219a4n@googlegroups.com>

https://www.novabbs.com/devel/article-flat.php?id=5048&group=comp.unix.shell#5048

Newsgroups: comp.unix.shell
X-Received: by 2002:a05:6214:2527:b0:440:a343:1107 with SMTP id gg7-20020a056214252700b00440a3431107mr749475qvb.38.1647460101653;
Wed, 16 Mar 2022 12:48:21 -0700 (PDT)
X-Received: by 2002:a05:620a:2807:b0:67d:6349:2577 with SMTP id
f7-20020a05620a280700b0067d63492577mr856059qkp.785.1647460101521; Wed, 16 Mar
2022 12:48:21 -0700 (PDT)
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!1.us.feeder.erje.net!feeder.erje.net!border1.nntp.dca1.giganews.com!nntp.giganews.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.unix.shell
Date: Wed, 16 Mar 2022 12:48:21 -0700 (PDT)
In-Reply-To: <op.1i4z84hfa3w0dxdave@hodgins.homeip.net>
Injection-Info: google-groups.googlegroups.com; posting-host=142.157.237.157; posting-account=satfYAoAAAC3KP6KFuI83GzQroozdC8l
NNTP-Posting-Host: 142.157.237.157
References: <058fee24-a42e-4ded-b3ac-f5ca39c9cc68n@googlegroups.com>
<875yod4ufb.fsf@nosuchdomain.example.com> <fd1970f5-6c05-4644-8918-a262a84b5aa9n@googlegroups.com>
<op.1i4z84hfa3w0dxdave@hodgins.homeip.net>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <b8dbede7-c70e-42a8-b14d-6e8d106219a4n@googlegroups.com>
Subject: Re: could anyone suggest why every single file in my directory was
touched around the same time?
From: anthony9...@gmail.com (anthony example)
Injection-Date: Wed, 16 Mar 2022 19:48:21 +0000
Content-Type: text/plain; charset="UTF-8"
Lines: 6
 by: anthony example - Wed, 16 Mar 2022 19:48 UTC

On Wednesday, March 16, 2022 at 2:57:04 PM UTC-4, David W. Hodgins wrote:
> Is any indexing software installed such as Gnome's tracker2? Was the host system
> rebooted shortly before the files were accessed?

I'll find out. But it seems hard to reconcile something like that with the fact that other users' files were not accessed.

Would the "strain" of transferring tens of thousands of files, experienced by a server that typically handles very little traffic, have to show up in any default logs?

Re: could anyone suggest why every single file in my directory was touched around the same time?

<5b18d28d-e99e-499b-98a7-78074f003722n@googlegroups.com>

https://www.novabbs.com/devel/article-flat.php?id=5049&group=comp.unix.shell#5049

Newsgroups: comp.unix.shell
X-Received: by 2002:ad4:5bc1:0:b0:42c:3700:a6df with SMTP id t1-20020ad45bc1000000b0042c3700a6dfmr1219945qvt.94.1647461412439;
Wed, 16 Mar 2022 13:10:12 -0700 (PDT)
X-Received: by 2002:a0c:bf48:0:b0:42c:b061:f869 with SMTP id
b8-20020a0cbf48000000b0042cb061f869mr1174994qvj.98.1647461412336; Wed, 16 Mar
2022 13:10:12 -0700 (PDT)
Path: i2pn2.org!i2pn.org!usenet.goja.nl.eu.org!3.eu.feeder.erje.net!feeder.erje.net!border1.nntp.dca1.giganews.com!nntp.giganews.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.unix.shell
Date: Wed, 16 Mar 2022 13:10:12 -0700 (PDT)
In-Reply-To: <t0tc11$1nbve$1@news.xmission.com>
Injection-Info: google-groups.googlegroups.com; posting-host=142.157.237.157; posting-account=satfYAoAAAC3KP6KFuI83GzQroozdC8l
NNTP-Posting-Host: 142.157.237.157
References: <058fee24-a42e-4ded-b3ac-f5ca39c9cc68n@googlegroups.com>
<875yod4ufb.fsf@nosuchdomain.example.com> <fd1970f5-6c05-4644-8918-a262a84b5aa9n@googlegroups.com>
<t0tc11$1nbve$1@news.xmission.com>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <5b18d28d-e99e-499b-98a7-78074f003722n@googlegroups.com>
Subject: Re: could anyone suggest why every single file in my directory was
touched around the same time?
From: anthony9...@gmail.com (anthony example)
Injection-Date: Wed, 16 Mar 2022 20:10:12 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Lines: 48
 by: anthony example - Wed, 16 Mar 2022 20:10 UTC

On Wednesday, March 16, 2022 at 2:58:46 PM UTC-4, Kenny McCormack wrote:

> Have you stated which kind of system this is? It is Linux? If so, which
> distro?

uname says 5.4.0-104-generic

> 1) Does this system do backups? If so, that could account for it (though,
> of course, you'd think it would have happened before - i.e., "Why now?")

it does backups, yes, but according to the sysadmin who checked his own user folder, file access times were not affected by backups.

> Finally, I get that this is mostly
> curiosity/worrying-about-things-that-dont-really-matter, but, just out of
> curiosity (mine), is there any actual problem/harm here?

well, it seems that if there is a targeted attempt to copy all my files, to sniff out private information, then yes, there are ways that could be catastrophic in my current personal situation. I'm hoping there is a more innocent explanation.

I don't think it's innocent though. I saw thousands of failed attempts to authorise a dovecot connection in the logs, like every few seconds, and the originating IP address was the one I log in from at my institution. (But in any realistic situation no one from inside the institution is trying to get my files, it is more of a domestic possibility.) Is there some attack vector that would mimic this? (There are also many attempts from random sketchy IP addresses around the world.) The attempts that looked as if they came from within the institution stopped several hours before the access time logged on my files, after running for almost a week without anyone noticing, but I did not see a successful dovecot authentication in the logs when they ended. Random auth attempts from around the world, all failing, have continued after the access timestamp on my files.

>
> P.S. Also, and you can slot this in as 1A) in the above list, does the
> system run any sort of "locate" process? I've noticed that that process
> (which usually runs at about 6 AM every day - on Debian systems) also
> sometimes updates the times.

I'll ask about this too. It's just too suspicious with the timing with events in my daily life but I continue to hope I'm wrong.

Re: could anyone suggest why every single file in my directory was touched around the same time?

<op.1i433ecua3w0dxdave@hodgins.homeip.net>

https://www.novabbs.com/devel/article-flat.php?id=5050&group=comp.unix.shell#5050

Newsgroups: comp.unix.shell
Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: dwhodg...@nomail.afraid.org (David W. Hodgins)
Newsgroups: comp.unix.shell
Subject: Re: could anyone suggest why every single file in my directory was
touched around the same time?
Date: Wed, 16 Mar 2022 16:19:52 -0400
Organization: A noiseless patient Spider
Lines: 28
Message-ID: <op.1i433ecua3w0dxdave@hodgins.homeip.net>
References: <058fee24-a42e-4ded-b3ac-f5ca39c9cc68n@googlegroups.com>
<875yod4ufb.fsf@nosuchdomain.example.com>
<fd1970f5-6c05-4644-8918-a262a84b5aa9n@googlegroups.com>
<op.1i4z84hfa3w0dxdave@hodgins.homeip.net>
<b8dbede7-c70e-42a8-b14d-6e8d106219a4n@googlegroups.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes
Content-Transfer-Encoding: 8bit
Injection-Info: reader02.eternal-september.org; posting-host="6688f88ffd52d6337a172b7b7dbe009f";
logging-data="15861"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX187/odJ1NcjnVzCOzZBNlKehg6B7D/omws="
User-Agent: Opera Mail/12.16 (Linux)
Cancel-Lock: sha1:41csmMPr8MpxXCgTKR9E4XotjDA=
 by: David W. Hodgins - Wed, 16 Mar 2022 20:19 UTC

On Wed, 16 Mar 2022 15:48:21 -0400, anthony example <anthony974412@gmail.com> wrote:

> On Wednesday, March 16, 2022 at 2:57:04 PM UTC-4, David W. Hodgins wrote:
>> Is any indexing software installed such as Gnome's tracker2? Was the host system
>> rebooted shortly before the files were accessed?
>
> I'll find out. But it seems hard to reconcile something like that with the fact that other users' files were not accessed.
>
> Would the "strain" of transferring tens of thousands of files, experienced by a server that typically handles very little traffic, have to show up in any default logs?

Another indexing system is kde's akonadi.

As to logs, it all depends on what software is running, and what led to the files
being accessed, depending on the skill level of the hacker.

If a hacker manages to get root access, logs can be modified, so there may not be
much, if any records left about it.

That said, without knowing more about the environment, it's hard to give advice
about what to check. Is it a container or a single install running on that machine?

How does uptime compare to the time of the accesses?
What entries are there for the system and that user in the crontabs?
Has the system been kept up-to-date, including recent kernel security updates?

Who is likely to want to access the system? A nation-state, organized crime, etc.?

Regards, Dave Hodgins

Re: could anyone suggest why every single file in my directory was touched around the same time?

<878rt91w6m.fsf@bsb.me.uk>

https://www.novabbs.com/devel/article-flat.php?id=5051&group=comp.unix.shell#5051

Newsgroups: comp.unix.shell
Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: ben.use...@bsb.me.uk (Ben Bacarisse)
Newsgroups: comp.unix.shell
Subject: Re: could anyone suggest why every single file in my directory was touched around the same time?
Date: Wed, 16 Mar 2022 20:25:53 +0000
Organization: A noiseless patient Spider
Lines: 20
Message-ID: <878rt91w6m.fsf@bsb.me.uk>
References: <058fee24-a42e-4ded-b3ac-f5ca39c9cc68n@googlegroups.com>
Mime-Version: 1.0
Content-Type: text/plain
Injection-Info: reader02.eternal-september.org; posting-host="c72e8174e775efa4b7805d878130ef04";
logging-data="6046"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18YXOFFYTbcF2u3FoXqGriZpUkg5A8v+LE="
Cancel-Lock: sha1:9jeZR2fqa5YAq5WBko46o8Xhwsk=
sha1:2T86Dacxn4TXkJXMjXz+T69rVWI=
X-BSB-Auth: 1.9d7a3cf94973069359c4.20220316202553GMT.878rt91w6m.fsf@bsb.me.uk
 by: Ben Bacarisse - Wed, 16 Mar 2022 20:25 UTC

anthony example <anthony974412@gmail.com> writes:

> I am a user at an institution with a small, essentially hobbyist linux
> server which I access by ssh for email and some other work. Some
> hobbyist programming I do has generated a ton of files. Recently I
> noticed that every single one of my files (there are tens of
> thousands, in a spaghetti-like folder structure that has accumulated
> over the years) had an access time (viewed using ls -lau) of the night
> before, within a span of a couple of hours, at a time when I wasn't
> logged in.

What, if anything, does the 'last' command report? Do you have any cron
jobs (crontab -l) running?

> ... uname -r tells me "5.4.0-104-generic"

uname -a is probably more helpful.

--
Ben.

Re: could anyone suggest why every single file in my directory was touched around the same time?

<op.1i44hck5a3w0dxdave@hodgins.homeip.net>

https://www.novabbs.com/devel/article-flat.php?id=5052&group=comp.unix.shell#5052

Newsgroups: comp.unix.shell
Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: dwhodg...@nomail.afraid.org (David W. Hodgins)
Newsgroups: comp.unix.shell
Subject: Re: could anyone suggest why every single file in my directory was
touched around the same time?
Date: Wed, 16 Mar 2022 16:28:14 -0400
Organization: A noiseless patient Spider
Lines: 7
Message-ID: <op.1i44hck5a3w0dxdave@hodgins.homeip.net>
References: <058fee24-a42e-4ded-b3ac-f5ca39c9cc68n@googlegroups.com>
<875yod4ufb.fsf@nosuchdomain.example.com>
<fd1970f5-6c05-4644-8918-a262a84b5aa9n@googlegroups.com>
<t0tc11$1nbve$1@news.xmission.com>
<5b18d28d-e99e-499b-98a7-78074f003722n@googlegroups.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes
Content-Transfer-Encoding: 8bit
Injection-Info: reader02.eternal-september.org; posting-host="6688f88ffd52d6337a172b7b7dbe009f";
logging-data="19865"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19WmGlAymAKL1HDuoMSz5ZDduYvDcvWhyU="
User-Agent: Opera Mail/12.16 (Linux)
Cancel-Lock: sha1:KMcUy7Se2DpC+/ZeVAjjZBzrY3o=
 by: David W. Hodgins - Wed, 16 Mar 2022 20:28 UTC

On Wed, 16 Mar 2022 16:10:12 -0400, anthony example <anthony974412@gmail.com> wrote:
> uname says 5.4.0-104-generic

Ouch. Have patches been applied? For example
https://www.cvedetails.com/cve/CVE-2022-25636/

Regards, Dave Hodgins

Re: could anyone suggest why every single file in my directory was touched around the same time?

https://www.novabbs.com/devel/article-flat.php?id=5053&group=comp.unix.shell#5053

From: anthony9...@gmail.com (anthony example)
Newsgroups: comp.unix.shell
Subject: Re: could anyone suggest why every single file in my directory was
touched around the same time?
Date: Wed, 16 Mar 2022 14:10:09 -0700 (PDT)
Message-ID: <bcf67399-14f8-4150-85c9-7fa1c15363adn@googlegroups.com>
In-Reply-To: <op.1i44hck5a3w0dxdave@hodgins.homeip.net>
References: <058fee24-a42e-4ded-b3ac-f5ca39c9cc68n@googlegroups.com>
<875yod4ufb.fsf@nosuchdomain.example.com> <fd1970f5-6c05-4644-8918-a262a84b5aa9n@googlegroups.com>
<t0tc11$1nbve$1@news.xmission.com> <5b18d28d-e99e-499b-98a7-78074f003722n@googlegroups.com>
<op.1i44hck5a3w0dxdave@hodgins.homeip.net>
User-Agent: G2/1.0
 by: anthony example - Wed, 16 Mar 2022 21:10 UTC

On Wednesday, March 16, 2022 at 4:28:50 PM UTC-4, David W. Hodgins wrote:
> > uname says 5.4.0-104-generic
>
> Ouch. Have patches been applied? For example
> https://www.cvedetails.com/cve/CVE-2022-25636/

yikes. Since hardly anyone uses this machine, I imagine it is not being expertly maintained for security purposes. But uname -a says the last time the kernel was compiled was Mar 2. It also says #118-Ubuntu.

Re: could anyone suggest why every single file in my directory was touched around the same time?

https://www.novabbs.com/devel/article-flat.php?id=5054&group=comp.unix.shell#5054

From: anthony9...@gmail.com (anthony example)
Newsgroups: comp.unix.shell
Subject: Re: could anyone suggest why every single file in my directory was
touched around the same time?
Date: Wed, 16 Mar 2022 14:13:44 -0700 (PDT)
Message-ID: <48b84090-c6eb-4ed6-959a-85487500b781n@googlegroups.com>
In-Reply-To: <op.1i433ecua3w0dxdave@hodgins.homeip.net>
References: <058fee24-a42e-4ded-b3ac-f5ca39c9cc68n@googlegroups.com>
<875yod4ufb.fsf@nosuchdomain.example.com> <fd1970f5-6c05-4644-8918-a262a84b5aa9n@googlegroups.com>
<op.1i4z84hfa3w0dxdave@hodgins.homeip.net> <b8dbede7-c70e-42a8-b14d-6e8d106219a4n@googlegroups.com>
<op.1i433ecua3w0dxdave@hodgins.homeip.net>
User-Agent: G2/1.0
 by: anthony example - Wed, 16 Mar 2022 21:13 UTC

On Wednesday, March 16, 2022 at 4:20:50 PM UTC-4, David W. Hodgins wrote:

> Who is likely to want to access the system? A nation-state, organized crime, etc.?

I can't answer the technical questions, except uptime says 7 days. But as to who is likely to want to access the files, it would be a domestic partner who has a helpful childhood friend who has 20 years of experience as IT security director.

Re: could anyone suggest why every single file in my directory was touched around the same time?

https://www.novabbs.com/devel/article-flat.php?id=5055&group=comp.unix.shell#5055

From: anthony9...@gmail.com (anthony example)
Newsgroups: comp.unix.shell
Subject: Re: could anyone suggest why every single file in my directory was
touched around the same time?
Date: Wed, 16 Mar 2022 14:21:40 -0700 (PDT)
Message-ID: <6fceccb6-fcbf-4f92-b8ec-c284c86a2268n@googlegroups.com>
In-Reply-To: <878rt91w6m.fsf@bsb.me.uk>
References: <058fee24-a42e-4ded-b3ac-f5ca39c9cc68n@googlegroups.com> <878rt91w6m.fsf@bsb.me.uk>
User-Agent: G2/1.0
 by: anthony example - Wed, 16 Mar 2022 21:21 UTC

On Wednesday, March 16, 2022 at 4:25:58 PM UTC-4, Ben Bacarisse wrote:

> What, if anything, does the 'last' command report?

last gives me a list of logins, where none of the entries includes the span of time where my files were accessed. No crontab (though the job would have been finished by now).

Re: could anyone suggest why every single file in my directory was touched around the same time?

https://www.novabbs.com/devel/article-flat.php?id=5056&group=comp.unix.shell#5056

From: gaze...@shell.xmission.com (Kenny McCormack)
Newsgroups: comp.unix.shell
Subject: Re: could anyone suggest why every single file in my directory was
touched around the same time?
Date: Wed, 16 Mar 2022 21:25:44 -0000 (UTC)
Organization: The official candy of the new Millennium
Message-ID: <t0tkko$1nf3l$1@news.xmission.com>
References: <058fee24-a42e-4ded-b3ac-f5ca39c9cc68n@googlegroups.com> <5b18d28d-e99e-499b-98a7-78074f003722n@googlegroups.com> <op.1i44hck5a3w0dxdave@hodgins.homeip.net> <bcf67399-14f8-4150-85c9-7fa1c15363adn@googlegroups.com>
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
 by: Kenny McCormack - Wed, 16 Mar 2022 21:25 UTC

In article <bcf67399-14f8-4150-85c9-7fa1c15363adn@googlegroups.com>,
anthony example <anthony974412@gmail.com> wrote:
>On Wednesday, March 16, 2022 at 4:28:50 PM UTC-4, David W. Hodgins wrote:
>> > uname says 5.4.0-104-generic
>>
>> Ouch. Have patches been applied? For example
>> https://www.cvedetails.com/cve/CVE-2022-25636/
>
>yikes. Since hardly anyone uses this machine, I imagine it is not being expertly
>maintained for security purposes. But uname -a says the last time the kernel was
>compiled was Mar 2. It also says #118-Ubuntu.

OK!

So, at long last, we have established that it *is* Linux, and it is Ubuntu.
Great!

So, as I mentioned earlier, I'm not surprised that some background process
(which, mind you, even the sysadmin would have no idea was running)
accounts for what you are seeing.

--
"Remember when teachers, public employees, Planned Parenthood, NPR and PBS
crashed the stock market, wiped out half of our 401Ks, took trillions in
TARP money, spilled oil in the Gulf of Mexico, gave themselves billions in
bonuses, and paid no taxes? Yeah, me neither."

Re: could anyone suggest why every single file in my directory was touched around the same time?

https://www.novabbs.com/devel/article-flat.php?id=5057&group=comp.unix.shell#5057

From: anthony9...@gmail.com (anthony example)
Newsgroups: comp.unix.shell
Subject: Re: could anyone suggest why every single file in my directory was
touched around the same time?
Date: Wed, 16 Mar 2022 14:33:30 -0700 (PDT)
Message-ID: <5efbbe26-f4a8-4499-bba2-316873ff7ac5n@googlegroups.com>
In-Reply-To: <t0tkko$1nf3l$1@news.xmission.com>
References: <058fee24-a42e-4ded-b3ac-f5ca39c9cc68n@googlegroups.com>
<5b18d28d-e99e-499b-98a7-78074f003722n@googlegroups.com> <op.1i44hck5a3w0dxdave@hodgins.homeip.net>
<bcf67399-14f8-4150-85c9-7fa1c15363adn@googlegroups.com> <t0tkko$1nf3l$1@news.xmission.com>
User-Agent: G2/1.0
 by: anthony example - Wed, 16 Mar 2022 21:33 UTC

On Wednesday, March 16, 2022 at 5:25:49 PM UTC-4, Kenny McCormack wrote:

> So, at long last, we have established that it *is* Linux, and it is Ubuntu.
> Great!
>
> So, as I mentioned earlier, I'm not surprised that some background process
> (which, mind you, even the sysadmin would have no idea was running)
> accounts for what you are seeing.

This would be very reassuring news -- but why now, and why wouldn't it touch everyone's files?

Re: could anyone suggest why every single file in my directory was touched around the same time?

https://www.novabbs.com/devel/article-flat.php?id=5058&group=comp.unix.shell#5058

From: anthony9...@gmail.com (anthony example)
Newsgroups: comp.unix.shell
Subject: Re: could anyone suggest why every single file in my directory was
touched around the same time?
Date: Wed, 16 Mar 2022 14:35:02 -0700 (PDT)
Message-ID: <87551f46-02d8-4111-91c8-8455865b3cdfn@googlegroups.com>
In-Reply-To: <6fceccb6-fcbf-4f92-b8ec-c284c86a2268n@googlegroups.com>
References: <058fee24-a42e-4ded-b3ac-f5ca39c9cc68n@googlegroups.com>
<878rt91w6m.fsf@bsb.me.uk> <6fceccb6-fcbf-4f92-b8ec-c284c86a2268n@googlegroups.com>
User-Agent: G2/1.0
 by: anthony example - Wed, 16 Mar 2022 21:35 UTC

On Wednesday, March 16, 2022 at 5:21:43 PM UTC-4, anthony example wrote:
> On Wednesday, March 16, 2022 at 4:25:58 PM UTC-4, Ben Bacarisse wrote:
>
> > What, if anything, does the 'last' command report?
> last gives me a list of logins, where none of the entries includes the span of time where my files were accessed. No crontab (though the job would have been finished by now).

One thing about 'last', it doesn't seem to report sftp logins. I just tested, and nothing was added to the log.

Re: could anyone suggest why every single file in my directory was touched around the same time?

https://www.novabbs.com/devel/article-flat.php?id=5059&group=comp.unix.shell#5059

From: dwhodg...@nomail.afraid.org (David W. Hodgins)
Newsgroups: comp.unix.shell
Subject: Re: could anyone suggest why every single file in my directory was
touched around the same time?
Date: Wed, 16 Mar 2022 17:41:09 -0400
Organization: A noiseless patient Spider
Message-ID: <op.1i47uvwza3w0dxdave@hodgins.homeip.net>
References: <058fee24-a42e-4ded-b3ac-f5ca39c9cc68n@googlegroups.com>
<875yod4ufb.fsf@nosuchdomain.example.com>
<fd1970f5-6c05-4644-8918-a262a84b5aa9n@googlegroups.com>
<op.1i4z84hfa3w0dxdave@hodgins.homeip.net>
<b8dbede7-c70e-42a8-b14d-6e8d106219a4n@googlegroups.com>
<op.1i433ecua3w0dxdave@hodgins.homeip.net>
<48b84090-c6eb-4ed6-959a-85487500b781n@googlegroups.com>
User-Agent: Opera Mail/12.16 (Linux)
 by: David W. Hodgins - Wed, 16 Mar 2022 21:41 UTC

On Wed, 16 Mar 2022 17:13:44 -0400, anthony example <anthony974412@gmail.com> wrote:
> On Wednesday, March 16, 2022 at 4:20:50 PM UTC-4, David W. Hodgins wrote:
>> Who is likely to want to access the system? A nation-state, organized crime, etc.?
>
> I can't answer the technical questions, except uptime says 7 days. But as to who is likely to want to access the files, it would be a domestic partner who has a helpful childhood friend who has 20 years of experience as IT security director.

Another recent high profile bug was
https://www.stackscale.com/blog/pwnkit-vulnerability/

If it hasn't had any of the recent security updates installed, then anyone with
access as another user on that system who's been paying attention to recent security
bugs could access the files.

Remote access bugs are thankfully much more rare, and tend to be more limited to
specific applications with improper configuration, but when combined with the local
user bugs, may also give access.

Regards, Dave Hodgins

Re: could anyone suggest why every single file in my directory was touched around the same time?

https://www.novabbs.com/devel/article-flat.php?id=5060&group=comp.unix.shell#5060

From: mortons...@gmail.com (Ed Morton)
Newsgroups: comp.unix.shell
Subject: Re: could anyone suggest why every single file in my directory was
touched around the same time?
Date: Wed, 16 Mar 2022 17:08:20 -0500
Organization: A noiseless patient Spider
Message-ID: <t0tn4l$64k$1@dont-email.me>
References: <058fee24-a42e-4ded-b3ac-f5ca39c9cc68n@googlegroups.com>
In-Reply-To: <058fee24-a42e-4ded-b3ac-f5ca39c9cc68n@googlegroups.com>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
Thunderbird/91.7.0
 by: Ed Morton - Wed, 16 Mar 2022 22:08 UTC

On 3/16/2022 12:55 PM, anthony example wrote:
> I am a user at an institution with a small, essentially hobbyist linux server which I access by ssh for email and some other work. Some hobbyist programming I do has generated a ton of files. Recently I noticed that every single one of my files (there are tens of thousands, in a spaghetti-like folder structure that has accumulated over the years) had an access time (viewed using ls -lau) of the night before, within a span of a couple of hours, at a time when I wasn't logged in.
>
> The sysadmin was unable to find any suspicious activity but not much is logged. He told me (by checking his own directory) that other users' files had not been touched at the same time, so it was not some system-wide process. He runs this server in his spare time, I'm essentially the only user who does much on the system but there are a couple of dozen other accounts. What should I look for, or ask him to look for, to see if I can figure this out?
>
> He says only ssh is running on this server (I believe sftp and scp both use ssh -- I know I can use these other file transfer protocols but the sysadmin tells me they work using an ssh connection and would appear in the ssh logs -- is this right?). In the access logs there are many failed authentication attempts every day, which I presume is random hacking attempts from around the world. There were no suspicious logins and no open ssh sessions at the time each file was touched. The event log around those times shows only postfix and dovecot events, all of which would only have access to my mail folder, not everything else. I did verify that an sftp transfer does update the access time to a file. But I can't see how everything could have been snarfed up by sftp without an entry in the ssh log. And I can't think of an internal process that would do the same.
>
> I do have reason to believe someone is trying to see my files, some of which have personal information, so I am very worried and would like to find confirmation of what has happened. If you have any suggestions of how I could investigate this, bearing in mind I know very little apart from being able to write C programs and compile them, it would be appreciated. uname -r tells me "5.4.0-104-generic"

Too late for this time but since you've now told us you're on Linux you
could set a log to capture the info of whoever accesses them next time,
see https://www.redhat.com/sysadmin/configure-linux-auditing-auditd and
https://stackoverflow.com/a/37168324/1745001.

Ed.
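
Ed's auditd pointer is the one that would actually answer the question the next time it happens. Below is an added example for this thread, not code from the thread or from either linked page: a rule that records every open-for-read under a home directory, and an awk parser for the raw audit.log that pairs each SYSCALL record with its PATH record so you can see which uid, login session and program read which file. The path /home/anthony, the key name home-read and the sample log lines in the usage comment are assumptions. On the box itself `ausearch -k home-read -i` does the same job; the parser is for a log that has been copied elsewhere.

```shell
#!/bin/sh
# Added example (not from the thread): an auditd rule that records every
# open-for-read under a home directory, and a parser for the raw audit.log
# it produces. The directory, the key name and the sample lines are assumed.

# Print the rule file. Install with:
#   home_read_rules /home/anthony > /etc/audit/rules.d/home-read.rules
#   augenrules --load
# perm=r selects the open-for-read syscalls on its own, so no -S list is
# needed. There is deliberately no uid filter: someone holding the owner's
# own key or password shows up as the owner, and a uid!= filter would hide
# exactly that case.
home_read_rules() {   # home_read_rules DIR
    cat <<EOF
## every read of a file under $1, by any user (volume can be high on a busy tree)
-a always,exit -F arch=b64 -F dir=$1 -F perm=r -k home-read
-a always,exit -F arch=b32 -F dir=$1 -F perm=r -k home-read
EOF
}

# Pair each SYSCALL record carrying KEY with its PATH record (same
# msg=audit(ts:serial) id) and print who read what. auid and ses identify
# the login session; auid=4294967295 means no login session at all
# (a daemon, or something started at boot).
audit_reads() {   # audit_reads AUDIT_LOG KEY
    awk -v want="$2" '
    function field(name,   v) {      # value of " name=..." on this line, quotes stripped
        if (match($0, " " name "=[^ ]+")) {
            v = substr($0, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
            gsub(/"/, "", v)
            return v
        }
        return ""
    }
    { match($0, /audit\([0-9.]+:[0-9]+\)/); id = substr($0, RSTART, RLENGTH) }
    /^type=SYSCALL / && field("key") == want {
        if (!(id in uid)) order[++n] = id
        uid[id] = field("uid"); auid[id] = field("auid")
        ses[id] = field("ses"); comm[id] = field("comm")
    }
    /^type=PATH / && field("nametype") == "NORMAL" { path[id] = field("name") }
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]
            printf "uid=%s auid=%s ses=%s comm=%s path=%s\n",
                   uid[id], auid[id], ses[id], comm[id], path[id]
        }
    }' "$1"
}

# On the server, once the rule is loaded:
#   audit_reads /var/log/audit/audit.log home-read | sort | uniq -c | sort -rn
```

The output line for a read through sftp looks like `uid=1001 auid=1001 ses=9 comm=sftp-server path=/home/anthony/private/notes.txt`, which is the kind of record the original question could not be answered without: who, in which session, with which program, read which file. Note that `-F dir=` places a recursive watch, so the rule covers the whole tree, and that the directory has to exist when the rules are loaded.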

Re: could anyone suggest why every single file in my directory was touched around the same time?

https://www.novabbs.com/devel/article-flat.php?id=5061&group=comp.unix.shell#5061

From: ben.use...@bsb.me.uk (Ben Bacarisse)
Newsgroups: comp.unix.shell
Subject: Re: could anyone suggest why every single file in my directory was touched around the same time?
Date: Wed, 16 Mar 2022 23:37:29 +0000
Organization: A noiseless patient Spider
Message-ID: <8735jh1nba.fsf@bsb.me.uk>
References: <058fee24-a42e-4ded-b3ac-f5ca39c9cc68n@googlegroups.com>
<878rt91w6m.fsf@bsb.me.uk>
<6fceccb6-fcbf-4f92-b8ec-c284c86a2268n@googlegroups.com>
<87551f46-02d8-4111-91c8-8455865b3cdfn@googlegroups.com>
 by: Ben Bacarisse - Wed, 16 Mar 2022 23:37 UTC

anthony example <anthony974412@gmail.com> writes:

> On Wednesday, March 16, 2022 at 5:21:43 PM UTC-4, anthony example wrote:
>> On Wednesday, March 16, 2022 at 4:25:58 PM UTC-4, Ben Bacarisse wrote:
>>
>> > What, if anything, does the 'last' command report?
>>
>> last gives me a list of logins, where none of the entries includes
>> the span of time where my files were accessed. No crontab (though the
>> job would have been finished by now).

OK, worth a shot.

> One thing about 'last', it doesn't seem to report sftp logins. I just
> tested, and nothing was added to the log.

No it doesn't. (s)ftp access is not a login. I presume the sysadmin
has checked in places like auth.log (if it exists on that system)?

--
Ben.
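
Ben's point is the crux of the thread: scp and sftp sessions get no pty, so nothing is written to wtmp and `last` never sees them, but sshd still writes the authentication line and the "subsystem request for sftp" line to /var/log/auth.log (and to auth.log.1 and auth.log.*.gz after rotation). The script below is an added example for this thread, not something anyone in it posted, and it answers both of Ben's questions at once: what the window of the accesses was, and what sshd recorded inside it. It assumes GNU find (Ubuntu has it), a syslog-format auth.log, and that the server's clock and its log share a timezone; the log lines in the usage comment are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find the window in which the files'
# atimes changed, then pull the sshd records for that window out of an
# auth.log. sftp and scp sessions never reach wtmp, so `last` misses them,
# but sshd logs both the authentication and the sftp subsystem request.

# Earliest and latest atime of the regular files under DIR (GNU find assumed).
atime_window() {   # atime_window DIR -> "YYYY-MM-DD HH:MM -> YYYY-MM-DD HH:MM"
    find "$1" -type f -printf '%A@ %AY-%Am-%Ad %AH:%AM\n' |
        sort -n |
        awk 'NR == 1 { first = $2 " " $3 } { last = $2 " " $3 }
             END { print first " -> " last }'
}

# sshd entries in an auth.log between two syslog-style timestamps
# ("Mon DD HH:MM", same year): accepted logins, sftp subsystem requests,
# PAM session opens and disconnects. Failed attempts are left out; the
# original poster already knows there are hundreds of those a day.
sshd_in_window() {   # sshd_in_window LOGFILE "Mar 16 00:30" "Mar 16 03:30"
    awk -v start="$2" -v end="$3" '
    function key(mon, day, hm) {     # "Mar 16 01:12" -> "03 16 01:12", sortable as text
        return sprintf("%02d %02d %s",
                       (index("JanFebMarAprMayJunJulAugSepOctNovDec", mon) + 2) / 3, day, hm)
    }
    BEGIN {
        split(start, s, " "); lo = key(s[1], s[2], s[3])
        split(end,   e, " "); hi = key(e[1], e[2], e[3])
    }
    $5 ~ /^sshd\[/ {
        k = key($1, $2, substr($3, 1, 5))
        if (k >= lo && k <= hi &&
            /Accepted|subsystem request|session opened|Disconnected from user/) print
    }' "$1"
}

# Usage on the server (take the window from atime_window, widen it a little):
#   atime_window "$HOME"
#   sshd_in_window /var/log/auth.log "Mar 15 23:00" "Mar 16 03:00"
# Sample auth.log lines this parses (constructed, for illustration):
#   Mar 16 01:12:41 box sshd[1311]: Accepted password for mallory from 198.51.100.7 port 51234 ssh2
#   Mar 16 01:12:42 box sshd[1315]: subsystem request for sftp by user mallory
```

Two caveats. Under the default relatime mount option a read refreshes a file's atime only when the atime is older than the file's mtime/ctime or more than 24 hours old, so a second read within a day leaves no new trace, and a filesystem mounted noatime leaves none at all (`findmnt -no OPTIONS /home` shows which applies; that the poster saw fresh atimes at all means atime updates are on). And the "subsystem request for sftp" line is written at sshd's default LogLevel; if the sysadmin has lowered it, only the "Accepted ..." line remains.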

Re: could anyone suggest why every single file in my directory was touched around the same time?

https://www.novabbs.com/devel/article-flat.php?id=5062&group=comp.unix.shell#5062

From: ben.use...@bsb.me.uk (Ben Bacarisse)
Newsgroups: comp.unix.shell
Subject: Re: could anyone suggest why every single file in my directory was touched around the same time?
Date: Wed, 16 Mar 2022 23:45:40 +0000
Organization: A noiseless patient Spider
Message-ID: <87wngtzckb.fsf@bsb.me.uk>
References: <058fee24-a42e-4ded-b3ac-f5ca39c9cc68n@googlegroups.com>
<5b18d28d-e99e-499b-98a7-78074f003722n@googlegroups.com>
<op.1i44hck5a3w0dxdave@hodgins.homeip.net>
<bcf67399-14f8-4150-85c9-7fa1c15363adn@googlegroups.com>
<t0tkko$1nf3l$1@news.xmission.com>
<5efbbe26-f4a8-4499-bba2-316873ff7ac5n@googlegroups.com>
 by: Ben Bacarisse - Wed, 16 Mar 2022 23:45 UTC

anthony example <anthony974412@gmail.com> writes:

> On Wednesday, March 16, 2022 at 5:25:49 PM UTC-4, Kenny McCormack wrote:
>
>> So, at long last, we have established that it *is* Linux, and it is Ubuntu.
>> Great!
>>
>> So, as I mentioned earlier, I'm not surprised that some background process
>> (which, mind you, even the sysadmin would have no idea was running)
>> accounts for what you are seeing.
>
> This would be very reassuring news -- but why now, and why wouldn't it
> touch everyone's files?

Bear in mind that Kenny McCormack has some odd views. I run several
Ubuntu systems (and one Ubuntu server install) and none of them run
mysterious programs unknown to the sysadmin. (Consider his remark about
Ubuntu being "Windows-like", does that sound like a solid technical
opinion to you, or is more like click-bait?)

--
Ben.

Re: could anyone suggest why every single file in my directory was touched around the same time?

https://www.novabbs.com/devel/article-flat.php?id=5063&group=comp.unix.shell#5063

From: ben.use...@bsb.me.uk (Ben Bacarisse)
Newsgroups: comp.unix.shell
Subject: Re: could anyone suggest why every single file in my directory was touched around the same time?
Date: Thu, 17 Mar 2022 00:03:21 +0000
Organization: A noiseless patient Spider
Message-ID: <87r171zbqu.fsf@bsb.me.uk>
References: <058fee24-a42e-4ded-b3ac-f5ca39c9cc68n@googlegroups.com>
<875yod4ufb.fsf@nosuchdomain.example.com>
<fd1970f5-6c05-4644-8918-a262a84b5aa9n@googlegroups.com>
<t0tc11$1nbve$1@news.xmission.com>
<5b18d28d-e99e-499b-98a7-78074f003722n@googlegroups.com>
<op.1i44hck5a3w0dxdave@hodgins.homeip.net>
<bcf67399-14f8-4150-85c9-7fa1c15363adn@googlegroups.com>
 by: Ben Bacarisse - Thu, 17 Mar 2022 00:03 UTC

anthony example <anthony974412@gmail.com> writes:

> On Wednesday, March 16, 2022 at 4:28:50 PM UTC-4, David W. Hodgins wrote:
>> > uname says 5.4.0-104-generic
>>
>> Ouch. Have patches been applied? For example
>> https://www.cvedetails.com/cve/CVE-2022-25636/
>
> yikes. Since hardly anyone uses this machine, I imagine it is not
> being expertly maintained for security purposes. But uname -a says the
> last time the kernel was compiled was Mar 2. It also says #118-Ubuntu.

The -104 and #118 together with the Mar 2nd build date suggest that it's
a fully patched Ubuntu 20.04 LTS install.

--
Ben.

Re: could anyone suggest why every single file in my directory was touched around the same time?

https://www.novabbs.com/devel/article-flat.php?id=5064&group=comp.unix.shell#5064

From: gaze...@shell.xmission.com (Kenny McCormack)
Newsgroups: comp.unix.shell
Subject: Re: could anyone suggest why every single file in my directory was touched around the same time?
Date: Thu, 17 Mar 2022 01:32:42 -0000 (UTC)
Organization: The official candy of the new Millennium
Message-ID: <t0u33q$1no5v$1@news.xmission.com>
References: <058fee24-a42e-4ded-b3ac-f5ca39c9cc68n@googlegroups.com> <t0tkko$1nf3l$1@news.xmission.com> <5efbbe26-f4a8-4499-bba2-316873ff7ac5n@googlegroups.com> <87wngtzckb.fsf@bsb.me.uk>
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
 by: Kenny McCormack - Thu, 17 Mar 2022 01:32 UTC

In article <87wngtzckb.fsf@bsb.me.uk>,
Ben Bacarisse <ben.usenet@bsb.me.uk> wrote:
>anthony example <anthony974412@gmail.com> writes:
>
>> On Wednesday, March 16, 2022 at 5:25:49 PM UTC-4, Kenny McCormack wrote:
>>
>>> So, at long last, we have established that it *is* Linux, and it is Ubuntu.
>>> Great!
>>>
>>> So, as I mentioned earlier, I'm not surprised that some background process
>>> (which, mind you, even the sysadmin would have no idea was running)
>>> accounts for what you are seeing.
>>
>> This would be very reassuring news -- but why now, and why wouldn't it
>> touch everyone's files?

>Bear in mind that Kenny McCormack has some odd views. I run several
>Ubuntu systems (and one Ubuntu server install) and none of them run
>mysterious programs unknown to the sysadmin. (Consider his remark about
>Ubuntu being "Windows-like", does that sound like a solid technical
>opinion to you, or is more like click-bait?)

Keep in mind that "Ben Bacarisse" is a raving lunatic.

--
The randomly chosen signature file that would have appeared here is more than 4
lines long. As such, it violates one or more Usenet RFCs. In order to remain
in compliance with said RFCs, the actual sig can be found at the following URL:
http://user.xmission.com/~gazelle/Sigs/Seneca

Re: could anyone suggest why every single file in my directory was touched around the same time?

https://www.novabbs.com/devel/article-flat.php?id=5065&group=comp.unix.shell#5065

From: josef.mo...@invalid.invalid (Josef Moellers)
Newsgroups: comp.unix.shell
Subject: Re: could anyone suggest why every single file in my directory was
touched around the same time?
Date: Thu, 17 Mar 2022 08:16:25 +0100
Message-ID: <j9g5i9Fatb3U1@mid.individual.net>
References: <058fee24-a42e-4ded-b3ac-f5ca39c9cc68n@googlegroups.com>
In-Reply-To: <058fee24-a42e-4ded-b3ac-f5ca39c9cc68n@googlegroups.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
Thunderbird/91.5.0
 by: Josef Moellers - Thu, 17 Mar 2022 07:16 UTC

On 16.03.22 18:55, anthony example wrote:
> I am a user at an institution with a small, essentially hobbyist linux server which I access by ssh for email and some other work. Some hobbyist programming I do has generated a ton of files. Recently I noticed that every single one of my files (there are tens of thousands, in a spaghetti-like folder structure that has accumulated over the years) had an access time (viewed using ls -lau) of the night before, within a span of a couple of hours, at a time when I wasn't logged in.

Do you have mlocate installed?
It runs the "updatedb" program in regular intervals which may account
for the access (I haven't checked this, though).

Josef

Re: could anyone suggest why every single file in my directory was touched around the same time?

https://www.novabbs.com/devel/article-flat.php?id=5066&group=comp.unix.shell#5066

From: josef.mo...@invalid.invalid (Josef Moellers)
Newsgroups: comp.unix.shell
Subject: Re: could anyone suggest why every single file in my directory was
touched around the same time?
Date: Thu, 17 Mar 2022 08:17:26 +0100
Message-ID: <j9g5k6Fatb3U2@mid.individual.net>
References: <058fee24-a42e-4ded-b3ac-f5ca39c9cc68n@googlegroups.com>
<j9g5i9Fatb3U1@mid.individual.net>
In-Reply-To: <j9g5i9Fatb3U1@mid.individual.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
Thunderbird/91.5.0
 by: Josef Moellers - Thu, 17 Mar 2022 07:17 UTC

On 17.03.22 08:16, Josef Moellers wrote:
>
> On 16.03.22 18:55, anthony example wrote:
>> I am a user at an institution with a small, essentially hobbyist linux
>> server which I access by ssh for email and some other work. Some
>> hobbyist programming I do has generated a ton of files. Recently I
>> noticed that every single one of my files (there are tens of
>> thousands, in a spaghetti-like folder structure that has accumulated
>> over the years) had an access time (viewed using ls -lau) of the night
>> before, within a span of a couple of hours, at a time when I wasn't
>> logged in.
>
> Do you have mlocate installed?
> It runs the "updatedb" program in regular intervals which may account
> for the access (I haven't checked this, though).

Ah ... forgot: check /etc/cron.daily if it has an "mlocate" entry.

Josef
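
Josef's suggestion is the first thing to rule out, and the check is cheap. It is worth knowing what a locate scan does and does not leave behind, though: updatedb reads directory entries (readdir), which refreshes each directory's atime, and stat()s the entries, which does not touch a regular file's atime. Only reading a file's contents (cat, grep -r, a backup, a recursive sftp get) moves a regular file's atime. So tens of thousands of regular files with fresh atimes points at something that opened every file, not at a directory scan, and the two cases can be told apart by counting which kind of inode moved. The script below is an added example, not part of the thread; the Ubuntu paths and `find -amin` (GNU and BSD find, not strictly POSIX) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): rule a locate scan in or out.
# readdir() refreshes a directory's atime, stat() leaves a regular file's
# atime alone, and only reading the contents refreshes a regular file's
# atime. updatedb does the first two and never the third.

# Where, if anywhere, is updatedb scheduled on this box? (Ubuntu paths assumed:
# a cron.daily script or a systemd timer with "locate" in its name.)
updatedb_schedule() {
    ls -l /etc/cron.daily/*locate* 2>/dev/null
    systemctl list-timers --all 2>/dev/null | grep -i locate
    grep -rl updatedb /etc/cron.d /etc/crontab 2>/dev/null
    return 0
}

# Count regular files and directories under DIR whose atime changed within
# the last N minutes. A scan such as updatedb shows dirs>0 and files=0;
# something that read everything shows files in the tens of thousands.
recent_atimes() {   # recent_atimes DIR MINUTES -> "files=N dirs=M"
    f=$(find "$1" -type f -amin "-$2" | wc -l | tr -d ' ')
    d=$(find "$1" -type d -amin "-$2" | wc -l | tr -d ' ')
    echo "files=$f dirs=$d"
}

# Usage on the server, with the window from the ls -lau listing:
#   updatedb_schedule
#   recent_atimes "$HOME" 720      # everything touched in the last 12 hours
# For the night in question, GNU find can bracket it exactly:
#   find "$HOME" -type f -newerat "2022-03-15 23:00" ! -newerat "2022-03-16 03:00"
```

Note that the counting itself is safe: `find` stats each entry, which does not change a file's atime, although walking the tree does refresh the directories' atimes, so run `recent_atimes` once and record the result rather than repeating it.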
