Sneaky Web

June 15th, 2003 | by Tony Steidler-Dennison

I’m not sure how to take this. Out of the blue, my / directory is filling with folders. These folders are named after web sites (www.kxan.com, www.csmonitor.com, etc). They also appear to contain nearly the full contents of each site. I thought it was possible that my feed reader had gone awry, but that doesn’t appear to be the problem. I also ran chkrootkit for signs of an intrusion, but everything checked out. For now, I’m running a shell script hourly to delete any new folders in /, but I’d sure like to get to the heart of the problem.

Any similar experience or thoughts?

  1. 6 Responses to “Sneaky Web”

  2. By Rob Schneider on Jun 15, 2003

    weird. what user owns the files and folders? this a clue? sounds like what wget does, but unless you turned it on ..

  3. By MasterRa on Jun 16, 2003

    yeah, definitely wget.. although i guess it could be anything else (curl?) that supports mirroring of a whole site.. very odd though. Doesn’t really sound like a break-in - more like you’ve got a script gone crazy ;)
    Is it a personal system? or a rented server where it could be someone else’s script gone awry?

    Of course, i’m sure you’ll have thought of everything i would think of - you’re far more experienced than me ;)

  4. By Mary on Jun 16, 2003

    The same thing happens to me when I save a web page as a document for later viewing…it appears the graphic files are saved separately…this also used to happen to me when I used to use (cringe) Windoze…when I deleted the folders, the document just displayed the text…fine with me…as to why this happens, haven’t a clue…
    *-m-*

  5. By Jack Townley on Jun 17, 2003

    Tony, did you figure out what caused your problem or are you still trying to solve it?

  6. By Tony on Jun 17, 2003

    I’m still not sure that it’s not one of my news aggregators gone wild. I’m using NewsMonster and AmphetaDesk (no particular reason to use both, really). When AD isn’t running, I don’t see the accumulation of sites in the / directory. The hourly script wipes them out and they don’t return. I can’t say for certain what the connection is (other than wget), but I’m beginning to see one.

  7. By Tony on Jun 21, 2003

    A quick update - this has all stopped as unexpectedly as it started. Now I’m really baffled. I’ve had AmphetaDesk running in a tty of its own for several days with no problems at all. In fact, I took the cleanup script out of cron and my / directory is still clean as a whistle.

    I just wish I could believe it was only weird little gremlins.
