I have a Joomla-based website running on CentOS, Apache, PHP and MySQL. I am using the plupload file uploader to upload files. I'm uploading the files to the /tmp/uploads directory, where they are processed and then moved.
For some reason, and for the life of me I can't figure out why, the /tmp/uploads directory keeps getting deleted. I've checked all the relevant scripts and there's no way they could be deleting the directory (as far as I'm aware). I'm even checking to see if the target file is a directory before moving.
So I started using audit (http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html) to try and find out what's causing the delete, but as far as I can tell it doesn't really tell me what's deleting the folder.
I've omitted the correct paths and the username for security. You can see on the first audit line it appears to move the file successfully, then on the second audit line it's trying to move from (null) - then the folder cannot be accessed. It doesn't specifically tell me what caused the delete. The command for the audit was
auditctl -w /web/directory/tmp -p wrxa -k tmp-folder
Below is the audit.
----
type=PATH msg=audit(26/03/15 03:30:52.474:104290472) : item=3 name=/files/are/moved/to/1427355052-rainyway---walkin.mp3 inode=282198245 dev=08:11 mode=file,644 ouid=username ogid=username rdev=00:00 nametype=CREATE
type=PATH msg=audit(26/03/15 03:30:52.474:104290472) : item=2 name=/web/directory/tmp/uploads/p19haf3bbi1ro21eip1s3ck0p1iaha.mp3 inode=282198245 dev=08:11 mode=file,644 ouid=username ogid=username rdev=00:00 nametype=DELETE
type=PATH msg=audit(26/03/15 03:30:52.474:104290472) : item=1 name=/files/are/moved/to/ inode=6291457 dev=08:11 mode=dir,777 ouid=username ogid=username rdev=00:00 nametype=PARENT
type=PATH msg=audit(26/03/15 03:30:52.474:104290472) : item=0 name=/web/directory/tmp/uploads/ inode=282198224 dev=08:11 mode=dir,755 ouid=username ogid=username rdev=00:00 nametype=PARENT
type=CWD msg=audit(26/03/15 03:30:52.474:104290472) : cwd=/web/directory
type=SYSCALL msg=audit(26/03/15 03:30:52.474:104290472) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x3377ba0 a1=0x33748a0 a2=0x3 a3=0x7f204a0c5f98 items=4 ppid=1069 pid=1102 auid=root uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=694431 comm=php exe=/usr/bin/php key=tmp-folder
----
type=PATH msg=audit(26/03/15 03:30:52.529:104290473) : item=4 name=/files/are/moved/to/1427355052-untitled-0.mp3 inode=282198224 dev=08:11 mode=dir,755 ouid=username ogid=username rdev=00:00 nametype=CREATE
type=PATH msg=audit(26/03/15 03:30:52.529:104290473) : item=3 name=(null) inode=282198224 dev=08:11 mode=dir,755 ouid=username ogid=username rdev=00:00 nametype=DELETE
type=PATH msg=audit(26/03/15 03:30:52.529:104290473) : item=2 name=(null) inode=239076972 dev=08:11 mode=dir,755 ouid=username ogid=username rdev=00:00 nametype=PARENT
type=PATH msg=audit(26/03/15 03:30:52.529:104290473) : item=1 name=/files/are/moved/to/ inode=6291457 dev=08:11 mode=dir,777 ouid=username ogid=username rdev=00:00 nametype=PARENT
type=PATH msg=audit(26/03/15 03:30:52.529:104290473) : item=0 name=/web/directory/tmp/ inode=239076972 dev=08:11 mode=dir,755 ouid=username ogid=username rdev=00:00 nametype=PARENT
type=CWD msg=audit(26/03/15 03:30:52.529:104290473) : cwd=/web/directory
type=SYSCALL msg=audit(26/03/15 03:30:52.529:104290473) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x335bd90 a1=0x335d2e8 a2=0x3 a3=0x7f204a0c5f98 items=5 ppid=1069 pid=1102 auid=root uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=694431 comm=php exe=/usr/bin/php key=tmp-folder
----
type=PATH msg=audit(26/03/15 03:32:01.540:104290526) : item=0 name=. inode=239076972 dev=08:11 mode=dir,755 ouid=username ogid=username rdev=00:00 nametype=NORMAL
type=CWD msg=audit(26/03/15 03:32:01.540:104290526) : cwd=/web/directory/tmp
type=SYSCALL msg=audit(26/03/15 03:32:01.540:104290526) : arch=x86_64 syscall=open success=yes exit=3 a0=0x19b7930 a1=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a2=0x1 a3=0x7fffd2df7110 items=1 ppid=20744 pid=2023 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=960029 comm=ls exe=/bin/ls key=tmp-folder
----
type=PATH msg=audit(26/03/15 03:32:01.541:104290527) : item=0 name=. inode=239076972 dev=08:11 mode=dir,755 ouid=username ogid=username rdev=00:00 nametype=NORMAL
type=CWD msg=audit(26/03/15 03:32:01.541:104290527) : cwd=/web/directory/tmp
type=SYSCALL msg=audit(26/03/15 03:32:01.541:104290527) : arch=x86_64 syscall=lgetxattr success=no exit=-61(No data available) a0=0x7fffd2df6fc0 a1=0x7f538d7872fd a2=0x19bf990 a3=0xff items=1 ppid=20744 pid=2023 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=960029 comm=ls exe=/bin/ls key=tmp-folder
----
If there's any other way I can monitor what's happening to this folder I would appreciate any suggestions.
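
An added example, not part of the original post: one way to read audit records like the ones above is to group them by event serial and flag successful rename calls whose DELETE item is a directory inode, resolving a name=(null) item through the path recorded for that inode in an earlier event. The function names and the shortened sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: PATH/SYSCALL records shortened from the two rename events in the post.
SAMPLE = """\
type=PATH msg=audit(26/03/15 03:30:52.474:104290472) : item=3 name=/files/are/moved/to/1427355052-rainyway---walkin.mp3 inode=282198245 mode=file,644 nametype=CREATE
type=PATH msg=audit(26/03/15 03:30:52.474:104290472) : item=2 name=/web/directory/tmp/uploads/p19haf3bbi1ro21eip1s3ck0p1iaha.mp3 inode=282198245 mode=file,644 nametype=DELETE
type=PATH msg=audit(26/03/15 03:30:52.474:104290472) : item=0 name=/web/directory/tmp/uploads/ inode=282198224 mode=dir,755 nametype=PARENT
type=SYSCALL msg=audit(26/03/15 03:30:52.474:104290472) : syscall=rename success=yes pid=1102 comm=php exe=/usr/bin/php key=tmp-folder
type=PATH msg=audit(26/03/15 03:30:52.529:104290473) : item=4 name=/files/are/moved/to/1427355052-untitled-0.mp3 inode=282198224 mode=dir,755 nametype=CREATE
type=PATH msg=audit(26/03/15 03:30:52.529:104290473) : item=3 name=(null) inode=282198224 mode=dir,755 nametype=DELETE
type=SYSCALL msg=audit(26/03/15 03:30:52.529:104290473) : syscall=rename success=yes pid=1102 comm=php exe=/usr/bin/php key=tmp-folder
"""

EVENT_RE = re.compile(r"^type=(\w+) msg=audit\([^)]*:(\d+)\) : (.*)$")

def parse(text):
    """Group records by event serial (the number after the last ':' in msg=audit(...))."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # separators ("----") and blank lines
        rtype, serial, body = m.groups()
        fields = dict(t.split("=", 1) for t in body.split() if "=" in t)
        events[int(serial)].append((rtype, fields))
    return events

def directory_renames(text):
    """Return successful rename events whose DELETE item is a directory inode."""
    seen = {}   # inode -> last real path recorded in an earlier event
    hits = []
    for serial, records in sorted(parse(text).items()):
        paths = [f for t, f in records if t == "PATH"]
        sc = next((f for t, f in records if t == "SYSCALL"), {})
        if sc.get("syscall") == "rename" and sc.get("success") == "yes":
            dest = next((p["name"] for p in paths if p.get("nametype") == "CREATE"), None)
            for p in paths:
                if p.get("nametype") == "DELETE" and p.get("mode", "").startswith("dir"):
                    src = p["name"] if p["name"] != "(null)" else seen.get(p["inode"], "?")
                    hits.append({"serial": serial, "exe": sc.get("exe"), "pid": sc.get("pid"),
                                 "source": src, "dest": dest})
        for p in paths:   # learn names only after the event has been evaluated
            if p.get("name") not in (None, "(null)"):
                seen[p["inode"]] = p["name"]
    return hits

if __name__ == "__main__":
    print(directory_renames(SAMPLE))
```

On the sample it reports event 104290473: inode 282198224, recorded in the previous event as /web/directory/tmp/uploads/, is the DELETE item of a rename by /usr/bin/php whose CREATE item is /files/are/moved/to/1427355052-untitled-0.mp3.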