Purpose of .index file? 2

[RodKnowlton]

Does anyone know what process uses .index files?

The file is heavy on control codes, and seems to be made up of records that start with Mod_date and Path_name, then go on to list the files found in Path_name in the form "Files..filename".

This file may be helpful in a post-mortem I'm performing, but only if I can determine how it's created and updated.

Anyone?

BTW, ".index" is not a very useful keyword for Google.



Rod Knowlton
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+

 

[hirschaj]

If the apps are up and running have you tried running an fuser on the index files? You might get lucky with some output.

Another option for a running system would be to use the trace facility. I am sure it it is capable of telling you what processes touch that file. I have no idea what flags will give you the right output, but I know trace can tell you just about everything the server is doing.

Obviously I have never seen the files you are referring to


Jim Hirschauer

http://www.aixexpert.com

 

[RodKnowlton]

From the time spread between Mod_date values and the scarcity of .index files, I don't think it's a continuously running process that's updating them.

More puzzlingly, most of our IS users have an .index file in their home directory that was last updated 12/29/2003 (no, we didn't upgrade over New Years), but I found one in a backwater directory that was just updated Friday, about twenty seconds before an instance of grep core dumped. The programmer that was working in the directory didn't use anything in it besides cp and rm.

I created an uncompressed boot image and used "strings" to search for Mod_date, but no hits.

The only thing I can think of that I haven't done is a search of the strings of every executable on the system (over 12K just below /usr).

All of this has been done on my production box. The machine I'm performing forensics on does not run anything in common with it besides AIX, so it has to be an AIX process.



Rod Knowlton
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+

 

[stefanhei]

Those files are created by the executeable e. When you start it, it claims to be IBMs "INTERACTIVE TEN/PLUS File Manager" - once started it by accident...
Never found any documentation or man-page about it.

Stefan

 

[p5wizard]

Part of INed editor (e) that is still around in AIX. It contains another view of a directory. As I recall it from my PCRT days, when you zoom out of a file, you get a directory view, two columns: first is name of file/subdir, second is free form text - you can put in a short description of a file/dir. No harm in deleting 'em, unless you use the INed editor/file manager.


HTH,

p5wizard

 

[RodKnowlton]

Thanks stefanhel and p5wizard.

Now if you'd only been around yesterday (probably the middle of your nights)...

I found it myself late yesterday by searching the strings of every executable and library under /usr. The string "Mod_date" was in two INed templates, and the bos.INed package contained "e", which looked like a likely fat finger command. When I found it, it made perfect sense because the incident I'm investigating involves mysterious renaming of files.

No complaints, though.

I love sleuthing, at least when I'm able to solve the case.
When I can't, I love Tek-Tips.

Two for two this time.

Rod Knowlton
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+