Re: could anyone suggest why every single file in my directory was touched around the same time?

 by: Kenny McCormack - Thu, 17 Mar 2022 08:26 UTC

In article <j9g5i9Fatb3U1@mid.individual.net>,
Josef Moellers <josef.moellers@invalid.invalid> wrote:
>
>On 16.03.22 18:55, anthony example wrote:
>> I am a user at an institution with a small, essentially hobbyist linux server
>> which I access by ssh for email and some other work. Some hobbyist programming I
>> do has generated a ton of files. Recently I noticed that every single one of my
>> files (there are tens of thousands, in a spaghetti-like folder structure that has
>> accumulated over the years) had an access time (viewed using ls -lau) of the
>> night before, within a span of a couple of hours, at a time when I wasn't logged
>> in.
>
>Do you have mlocate installed?
>It runs the "updatedb" program in regular intervals which may account
>for the access (I haven't checked this, though).

Yes, I mentioned this earlier, but the issue is still "Why only OP?".

That question seems to invalidate any possibility of it being some known
system process (e.g., backups or (m)locate).

--
This is the GOP's problem. When you're at the beginning of the year
and you've got nine Democrats running for the nomination, maybe one or
two of them are Dennis Kucinich. When you have nine Republicans, seven
or eight of them are Michelle Bachmann.

 by: Ben Bacarisse - Thu, 17 Mar 2022 17:36 UTC

Josef Moellers <josef.moellers@invalid.invalid> writes:

> On 16.03.22 18:55, anthony example wrote:
>> I am a user at an institution with a small, essentially hobbyist
>> linux server which I access by ssh for email and some other
>> work. Some hobbyist programming I do has generated a ton of
>> files. Recently I noticed that every single one of my files (there
>> are tens of thousands, in a spaghetti-like folder structure that has
>> accumulated over the years) had an access time (viewed using ls -lau)
>> of the night before, within a span of a couple of hours, at a time
>> when I wasn't logged in.
>
> Do you have mlocate installed?
> It runs the "updatedb" program in regular intervals which may account
> for the access (I haven't checked this, though).

I don't think updatedb reads files since all it needs to know is the
content of directories. I can "locate" files that have access dates
years in the past (so I know they are in the database).

--
Ben.

 by: Jorgen Grahn - Fri, 18 Mar 2022 08:08 UTC

On Wed, 2022-03-16, David W. Hodgins wrote:
> On Wed, 16 Mar 2022 15:48:21 -0400, anthony example <anthony974412@gmail.com> wrote:
>
>> On Wednesday, March 16, 2022 at 2:57:04 PM UTC-4, David W. Hodgins wrote:

>>> Is any indexing software installed such as Gnome's tracker2? Was
>>> the host system rebooted shortly before the files were accessed?
>>
>> I'll find out. But it seems hard to reconcile something like that
>> with the fact that other users' files were not accessed.
>>
>> Would the "strain" of transferring tens of thousands of files,
>> experienced by a server that typically handles very little traffic,
>> have to show up in any default logs?

If there's logging of network traffic and the server isn't doing much,
it would show up as a big download bump on the graph. Either the
sysadmin knows about the logging (because he set it up) or it's
sysstat which might, if you're lucky, be enabled "by accident".

> Another indexing system is kde's akonadi.

Not to mention locate/updatedb, which is widely deployed[1]. But that
one runs every night, doesn't access /files/, and either crawls all
home directories, or none of them.

/Jorgen

[1] I once found a porn collection at a workplace by typing "locate
pussy". The actual porn was gone, but the file names were still,
for whatever reason, in the index.

--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .

 by: anthony example - Fri, 18 Mar 2022 17:37 UTC

On Friday, March 18, 2022 at 4:09:00 AM UTC-4, Jorgen Grahn wrote:

> If there's logging of network traffic and the server isn't doing much,
> it would show up as a big download bump on the graph. Either the
> sysadmin knows about the logging (because he set it up) or it's
> sysstat which might, if you're lucky, be enabled "by accident".
> > Another indexing system is kde's akonadi.
> Not to mention locate/updatedb, which is widely deployed[1]. But that
> one runs every night, doesn't access /files/, and either crawls all
> home directories, or none of them.

Here's another question, though it's probably hard to answer: if someone knew enough to break in and download files without leaving traces of a login, isn't it also likely that they would know enough to leave access times untouched? I imagine it would be simple to automate checking the last access time before downloading, then copying the file, then restoring the previous access time by using 'touch'? Wouldn't that be "hacking 101"? I'm grasping at straws, trying to find a way to believe I haven't had everything copied by a malicious actor.

 by: anthony example - Fri, 18 Mar 2022 21:28 UTC

On Friday, March 18, 2022 at 4:09:00 AM UTC-4, Jorgen Grahn wrote:

> > Another indexing system is kde's akonadi.
> Not to mention locate/updatedb, which is widely deployed[1]. But that
> one runs every night, doesn't access /files/, and either crawls all
> home directories, or none of them.

Hi again everyone in this thread. I managed to get some more time with the sysadmin today after his other work, and he looked in some other users' directories -- people who hadn't logged in or modified any files for years and years -- and found that their files had all also been accessed in narrow time windows, similar to mine. Not all users though! And some at different times of day. Then he realised some users' files are stored on different servers and that might account for it -- his own user directory is on a different server than mine is. It still strikes him as very odd and he's going to try to find out what process could be doing it in this irregular way, but I'm starting to feel some relief that perhaps -- just perhaps -- I *wasn't* the victim of an elite international hacking squad.

It also made him realise that he should turn on some sort of sftp command logging and perhaps require a VPN for webmail access as he finds thousands of failed dovecot auth attempts for many users, from IP addresses all over the world.

Thanks everyone for weighing in.
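
Added example, not part of any post in this thread: a triage sketch for the two questions raised above, namely how tightly the access times in a tree cluster (so one user's directory can be compared with another's) and whether any file's atime looks as if it was set back afterwards. It assumes GNU find (for -printf) and awk; the function names are made up for this example.

```sh
#!/bin/sh
# Added example: access-time triage for a directory tree.
# Assumes GNU find (-printf). find only stat()s files, so running this
# does not itself change their atime. Paths containing newlines are
# not handled.

# Print "count YYYY-MM-DD HH:00" per hour bucket of atime, busiest first.
atime_histogram() {
    find "$1" -type f -printf '%AY-%Am-%Ad %AH:00\n' |
        sort | uniq -c | sort -k1,1nr -k2 |
        awk '{ print $1, $2, $3 }'
}

# Print the integer percentage of files whose atime falls in the single
# busiest hour. A value near 100 means one sweep read almost everything.
atime_burst_share() {
    atime_histogram "$1" |
        awk '{ total += $1; if (NR == 1) top = $1 }
             END { if (total) print int(100 * top / total); else print 0 }'
}

# List files whose ctime is at least SLACK seconds (default 60) newer
# than both atime and mtime. Setting timestamps with touch updates ctime
# to "now", and ctime cannot be set from user space, so a restored atime
# leaves this pattern behind. chmod, chown, rename and restores from
# backup produce it too, so treat hits as leads, not as proof.
ctime_newer_than_access() {
    find "$1" -type f -printf '%A@ %T@ %C@ %p\n' |
        awk -v slack="${2:-60}" '
            $3 - $1 >= slack && $3 - $2 >= slack {
                sub(/^[^ ]+ [^ ]+ [^ ]+ /, "")   # keep only the path
                print
            }'
}
```

Running atime_histogram on several users' home directories side by side shows whether the bursts line up by storage server or by time of night, which is the comparison the sysadmin ended up making by hand.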
