A process seems to have gained control of my system and it has edited a couple of files.
I have tried to restore these files, but the uninvited process has changed the permissions to “read-only”.
I have tried the following:
Change owner/permissions and then try editing the file.
Result: Both owner and permissions are changed back automatically.
Change owner/permissions and then try deleting the file.
Result: The file appears to be deleted but is recreated again with the same edited content a millisecond later.
Also experimented with auditctl to monitor the file, but without success, as it only logs my commands on the file and nothing from the other process.
So my questions are: how do I get control of the file, and how can I detect the process causing this so I can shut it down? Any suggestions on what I can try to do?
When you say you experimented with auditctl, did you tell auditctl to monitor for file deletions as well as chown? The process may be deleting the file instead of taking ownership (or vice versa).
If permissions change back automatically I’d say whatever malicious script you have is still running. Step one would be to stop it and get rid of it before it decides to attack more files. At least that would be my step one.
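For the auditctl approach in the question to answer "which process", the watch needs a key and the log has to be read event by event, joining each SYSCALL record (pid, comm, exe) to the PATH records that share its serial; a watch on the parent directory is what catches the delete-and-recreate the first comment raises. The script below is an added example, not code from the question or the comments; it assumes rules such as `auditctl -w /etc/app.conf -p wa -k tampered` and `auditctl -w /etc -p wa -k tampered` (hypothetical path and key) and parses a constructed audit.log excerpt rather than a live log.

```python
import re
from collections import defaultdict

# x86_64 syscall numbers as they appear in SYSCALL records (subset relevant here)
SYSCALL_NAMES = {82: "rename", 87: "unlink", 90: "chmod", 92: "chown",
                 257: "openat", 263: "unlinkat", 268: "fchmodat", 316: "renameat2"}
HEAD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit.log line into (type, event serial, {field: value})."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    rtype, _ts, serial, body = m.groups()
    return rtype, int(serial), {k: v.strip('"') for k, v in FIELD_RE.findall(body)}

def attribute_events(lines, key="tampered"):
    """Join each event's SYSCALL record to its PATH records and return
    {(pid, comm, exe): {syscall name: [paths touched]}} for events tagged with key."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec[1]].append(rec)
    report = defaultdict(lambda: defaultdict(list))
    for _serial, recs in sorted(events.items()):
        sysc = next((f for t, _, f in recs if t == "SYSCALL"), None)
        if not sysc or sysc.get("key") != key:
            continue  # not one of our watched events
        paths = [f["name"] for t, _, f in recs if t == "PATH" and "name" in f]
        name = SYSCALL_NAMES.get(int(sysc["syscall"]), "syscall_" + sysc["syscall"])
        who = (int(sysc["pid"]), sysc.get("comm", "?"), sysc.get("exe", "?"))
        report[who][name].extend(paths)
    return {who: dict(calls) for who, calls in report.items()}

# Constructed audit.log excerpt (not real data): the user's own chmod, then an unknown
# binary with no login session (auid=4294967295) resetting the mode, unlinking and recreating the file.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=268 success=yes exit=0 ppid=3100 pid=3188 auid=1000 uid=0 comm="chmod" exe="/usr/bin/chmod" key="tampered"
type=PATH msg=audit(1700000000.101:501): item=0 name="/etc/app.conf" inode=1234 mode=0100644
type=SYSCALL msg=audit(1700000000.102:502): arch=c000003e syscall=268 success=yes exit=0 ppid=1 pid=777 auid=4294967295 uid=0 comm="kworkerd" exe="/tmp/.x/kworkerd" key="tampered"
type=PATH msg=audit(1700000000.102:502): item=0 name="/etc/app.conf" inode=1234 mode=0100444
type=SYSCALL msg=audit(1700000000.250:503): arch=c000003e syscall=263 success=yes exit=0 ppid=1 pid=777 auid=4294967295 uid=0 comm="kworkerd" exe="/tmp/.x/kworkerd" key="tampered"
type=PATH msg=audit(1700000000.250:503): item=1 name="/etc/app.conf" inode=1234 mode=0100444
type=SYSCALL msg=audit(1700000000.251:504): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=777 auid=4294967295 uid=0 comm="kworkerd" exe="/tmp/.x/kworkerd" key="tampered"
type=PATH msg=audit(1700000000.251:504): item=1 name="/etc/app.conf" inode=5678 mode=0100444
type=SYSCALL msg=audit(1700000000.300:505): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=900 auid=1000 uid=1000 comm="vim" exe="/usr/bin/vim" key="other"
"""
```

Run `attribute_events(SAMPLE_LOG.splitlines())` (or feed it `ausearch -k tampered --raw` output on a real host) and the report separates the user's own chmod from the pid, command name and executable path that keep resetting and recreating the file; the new inode in the last event is the recreated copy.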