Figuring out what is deleting folders or files on your VPS

By John Garner on Monday, May 2, 2011
Summary: If you're seeing folders or files getting deleted and can't figure out why then it may be time to monitor said folder(s) or file(s) with auditd.

I had a situation where a folder and all its files were being deleted, and there were no signs in the VPS error log of why this was happening or what was doing it. As the setup was on a WordPress site, I was obviously suspecting either a server rule of some sort or, more likely, a plugin. Notably, I suspected the plugin that needed these specific files and folders.

Reaching out to the author of the plugin I was asked if the plugin was up to date and if I had the pre-requisites in terms of latest WP version and latest version of stable PHP. I tried switching from PHP version 5.3 to 5.4 and it didn't change anything.

The next step was looking at both normal and error logs but this didn't reveal anything.

So I started looking for a way to monitor folders and files. Well, I started out by asking around to see what could tell me what was asking for a file or folder to be deleted and being granted the permission to delete it.

I started looking at ways to monitor what was going on behind the scenes with a server and mostly came across articles to monitor the security of a server which was way beyond what I needed.

I then came across a mention of auditd in a post about using auditd and how it can be set up to monitor, in my case, a folder being deleted. So I started using this approach to figure out what was going on. I logged in as root via SSH (you may need to use sudo to get to root level). Once in the uploads folder where the folder I needed kept getting deleted, I manually created it:

mkdir my_folder_name

I then gave it the correct permissions (but not really necessary for this manual test):

chmod -c 755 my_folder_name

I then set up the monitoring as the above article indicates. I created a flag/label that is appended to the command with -k, which I then use to search the logs ('monitoring_flag_name' in this case):

auditctl -w /var/www/ -k monitoring_flag_name

I got the path wrong first and needed to add the /var/ in front for it to work. You can use 'pwd' to get the correct path to the folder you are in.

To read what auditd has logged, you can use the following command. It also confirms that the watch works, so it is worth trying out first and then running through the steps that replicate the context leading to the folder or files getting deleted. This is where you use the flag/label that you set up previously, which allows you to quickly sift through any logs created:

ausearch -k monitoring_flag_name

I was then able to share these logs, similar to those in the article above, with the plugin author to confirm that the folder was being deleted and to show the sequence of events, to help pinpoint what is going on.
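To turn those logs into a direct answer, the sketch below (an added example, not part of the original post) correlates the SYSCALL, CWD and PATH records of each audit event and prints which executable, PID and UID removed which path. The log lines are constructed, `who_deleted` is a hypothetical helper name, and it assumes PATH records carry `nametype=DELETE`, which older kernels may not emit.

```shell
#!/bin/sh
# Added example: name the process behind each deletion under a watched path.
# Constructed sample of raw audit records (not taken from the original post).
sample_audit_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1304330000.101:410): arch=c000003e syscall=83 success=yes exit=0 items=2 ppid=900 pid=955 auid=0 uid=0 gid=0 comm="mkdir" exe="/bin/mkdir" key="monitoring_flag_name"
type=CWD msg=audit(1304330000.101:410): cwd="/var/www/wp-content/uploads"
type=PATH msg=audit(1304330000.101:410): item=0 name="/var/www/wp-content/uploads" inode=1200 nametype=PARENT
type=PATH msg=audit(1304330000.101:410): item=1 name="my_folder_name" inode=1311 nametype=CREATE
type=SYSCALL msg=audit(1304333000.123:456): arch=c000003e syscall=84 success=yes exit=0 items=2 ppid=1200 pid=1234 auid=4294967295 uid=33 gid=33 comm="php-cgi" exe="/usr/bin/php-cgi" key="monitoring_flag_name"
type=CWD msg=audit(1304333000.123:456): cwd="/var/www"
type=PATH msg=audit(1304333000.123:456): item=0 name="wp-content/uploads/" inode=1200 nametype=PARENT
type=PATH msg=audit(1304333000.123:456): item=1 name="wp-content/uploads/my_folder_name" inode=1311 nametype=DELETE
EOF
}

# Usage: <raw audit records on stdin> | who_deleted KEY
who_deleted() {
awk -v key="$1" '
# Return the value of name=value in a record, with quotes stripped.
function field(rec, name,    i, n, parts, v) {
  n = split(rec, parts, " ")
  for (i = 1; i <= n; i++)
    if (index(parts[i], name "=") == 1) {
      v = substr(parts[i], length(name) + 2)
      gsub(/"/, "", v)
      return v
    }
  return ""
}
# Records of one event share the same msg=audit(timestamp:serial) token.
{ id = field($0, "msg") }
/^type=SYSCALL/ && field($0, "key") == key {
  who[id] = field($0, "exe") " pid=" field($0, "pid") " uid=" field($0, "uid")
}
/^type=CWD/ { cwd[id] = field($0, "cwd") }
/^type=PATH/ && field($0, "nametype") == "DELETE" && (id in who) {
  path = field($0, "name")
  if (path !~ /^\//) path = cwd[id] "/" path
  print who[id] " deleted " path
}'
}

sample_audit_log | who_deleted monitoring_flag_name
```

On a real host, pipe `ausearch -k monitoring_flag_name --raw` into `who_deleted` instead of the sample.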

Note: I think I read in one of the many articles that a) if you change the rules you'll need to restart auditd and b) if you add rwa parameters they will be lost if you reboot (ie create/set rules that are picked up at reboot)

Hope this helps if you come across the same issues 🙂
