Show Which Remote File is Writing My File

5

I know it sounds funny. I wrote a shell script and executed it on a remote machine to ssh back to my local machine to write some files. I executed the script on various remote machines and I can't remember where they are. Now I can't kill one or more of them because I forgot which machine(s) it/they are on and they are continuously creating new files on my local machine. So is there any way to see which remote machine is accessing my local file? I'm running a Debian OS and I do NOT have root access.

EDIT: I tried removing the affected files, but as soon as I remove them new files are created by the script running on the remote machine(s). I also tried chmod 000 to make the directory un-writable in the hope of crashing the scripts. None of them works.

YankeeWhiskey

Posted 2013-02-05T02:17:46.343

Reputation: 259

Answers

2

All ssh login attempts should be logged in /var/log/auth.log; examining that file may help you find those remote machines.

Nykakin

Posted 2013-02-05T02:17:46.343

Reputation: 291

Finally I managed to kill all the scripts running on all the machines. Thanks. – YankeeWhiskey – 2013-02-05T20:11:47.910

0

You could do

$ while true; do netstat -an | grep \:22 |  cut -b45-90 | grep -v \:22 | grep ESTABLISHED >> watch22.txt; sleep 5; done 

So this will put any port 22 connections into a file that originated off the box, which will get pretty big pretty quick as it will keep adding the same connections when nothing is happening. But if you run it for a long enough duration you'll catch the culprits:

$ cat watch22.txt

146.148.41.2:44996      ESTABLISHED
10.1.1.25:52414         ESTABLISHED
146.148.41.2:44996      ESTABLISHED
10.1.1.25:52414         ESTABLISHED
146.148.41.2:44996      ESTABLISHED

And you can filter this down pretty easily to a list of unique IPs:

$ cat watch22.txt | cut -d\: -f1 | sort -u
10.1.1.25
146.148.41.2

Paul

Posted 2013-02-05T02:17:46.343

Reputation: 52 173
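The polling approach in the answer above can also be done by parsing `netstat -tn` by field instead of by byte offset, so that a peer whose source port happens to begin with 22 is kept, outbound sessions to a remote port 22 are skipped, and repeated connections collapse into a count per peer. This is an added example, not code from the answer; the function name `ssh_peers` and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example: list peers connected to the local SSH port, parsing
# `netstat -tn` output by field rather than by byte offset.

# Constructed sample of `netstat -tn` output (addresses are illustrative).
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:22           146.148.41.2:44996      ESTABLISHED
tcp        0      0 192.0.2.10:22           146.148.41.2:45010      ESTABLISHED
tcp        0      0 192.0.2.10:22           10.1.1.25:52414         ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.7:22480       ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.4:40100      TIME_WAIT
tcp        0      0 192.0.2.10:51234        198.51.100.9:22         ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:22    ::ffff:10.1.1.25:52500  ESTABLISHED'

# ssh_peers [PORT]: read `netstat -tn` output on stdin and print
# "peer connection-count" for established inbound connections to PORT
# (default 22), sorted by peer address.
ssh_peers() {
    awk -v port="${1:-22}" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            lport = $4; sub(/.*:/, "", lport)     # local port = text after the last colon
            if (lport + 0 != port + 0) next       # skip outbound sessions to a remote :22
            peer = $5; sub(/:[0-9]+$/, "", peer)  # drop the peer source port
            sub(/^::ffff:/, "", peer)             # fold IPv4-mapped IPv6 into plain IPv4
            seen[peer]++
        }
        END { for (p in seen) print p, seen[p] }
    ' | LC_ALL=C sort
}

# Demo on the constructed sample; on a live host run: netstat -tn | ssh_peers
printf '%s\n' "$SAMPLE" | ssh_peers
```

`netstat -tn` reads the connection table without needing root, so this works from an unprivileged account.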

0

I would like to recommend the simple utility whowatch. It will show you the users logged on to the system (which it is executed on). From there you can select the user (will say "sshd" if using ssh) and kill/interrupt the main process in the tree (disconnecting the session), but this requires root.

With whowatch however you will be able to easily see who is logged on to who and using what.

u8sand

Posted 2013-02-05T02:17:46.343

Reputation: 367