Linux file is automatically recreated after I remove/edit it

A process seems to have gained control of my system and it has edited a couple of files.

I have tried to restore these files, but the uninvited process has changed the permissions to “read-only”.

I have tried the following:

  1. Change owner/permissions and then try editing the file.
    Result: Both owner and permissions are changed back automatically.

  2. Change owner/permissions and then try deleting the file.
    Result: The file appears to be deleted but is recreated again with the same edited content a millisecond later.

I also experimented with auditctl to monitor the file, but without success, as it only logs my commands on the file and nothing from the other process.

So my questions are how do I get control of the file and how can I detect the process causing this so I can shut it down? Any suggestions on what I can try to do?

Take care

When you say you experimented with auditctl, did you tell auditctl to monitor for file deletions as well as chown? The process may be deleting the file instead of taking ownership (or vice versa).

Also, are you running auditctl as root?

1 Like
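One way to follow the auditctl suggestion above, as an added example that is not from the thread: watch the file and its directory for writes and attribute changes, then group the matching audit records by process. The helper names, the key `file-guard` and the sample log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example: helper names, key, PIDs and log lines are constructed.

# Needs root and a running auditd. Usage: install_watch /path/to/file file-guard
# -p wa: w = writes, a = attribute changes such as chmod/chown. The parent
# directory is watched too, because deleting and re-creating the file writes to it.
install_watch() {
    auditctl -w "$1" -p wa -k "$2" &&
    auditctl -w "$(dirname "$1")" -p wa -k "$2"
}

# Count SYSCALL records carrying key $1 in log $2, grouped by responsible process.
who_touched() {
    awk -v want="key=\"$1\"" '
        $1 == "type=SYSCALL" {
            hit = 0; pid = "?"; ppid = "?"; uid = "?"; exe = "?"
            for (i = 2; i <= NF; i++) {
                if ($i == want) hit = 1
                eq = index($i, "=")
                name = substr($i, 1, eq - 1)
                val = substr($i, eq + 1)
                gsub(/"/, "", val)
                if (name == "pid") pid = val
                else if (name == "ppid") ppid = val
                else if (name == "uid") uid = val
                else if (name == "exe") exe = val
            }
            if (hit) seen["pid=" pid " ppid=" ppid " uid=" uid " exe=" exe]++
        }
        END { for (p in seen) print seen[p], p }
    ' "$2" | sort -rn
}

# Constructed audit.log excerpt: one process re-creating the file, one manual chmod.
sample_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1 pid=4242 auid=4294967295 uid=0 gid=0 tty=(none) comm="restore.sh" exe="/usr/bin/bash" key="file-guard"
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=268 success=yes exit=0 items=1 ppid=1 pid=4242 auid=4294967295 uid=0 gid=0 tty=(none) comm="restore.sh" exe="/usr/bin/bash" key="file-guard"
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=260 success=yes exit=0 items=1 ppid=1 pid=4242 auid=4294967295 uid=0 gid=0 tty=(none) comm="restore.sh" exe="/usr/bin/bash" key="file-guard"
type=SYSCALL msg=audit(1700000005.500:210): arch=c000003e syscall=268 success=yes exit=0 items=1 ppid=5100 pid=5150 auid=1000 uid=1000 gid=1000 tty=pts0 comm="chmod" exe="/usr/bin/chmod" key="file-guard"
type=SYSCALL msg=audit(1700000006.000:211): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=777 auid=4294967295 uid=0 gid=0 tty=(none) comm="cron" exe="/usr/sbin/cron" key="other-rule"
EOF
}
# On a live system: who_touched file-guard /var/log/audit/audit.log
```

The process with the highest count that is not your own shell command is the one to look at; its `ppid` shows what started it.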

If permissions change back automatically I’d say whatever malicious script you have is still running. Step one would be to stop it and get rid of it before it decides to attack more files. At least that would be my step one :)

1 Like

Yes, of course, but I need to identify that script/process, and I don't know how :)

One option would be to kill all non-essential processes, but I don't know which ones are essential.

I’d start with the process with the highest PID and work my way down. Essential programs are started first so have the lowest PIDs.

1 Like

Thanks bro
