Hello list,

Bit of an emergency here. My rules.v4 are being overwritten every ten
minutes by an unknown program. I have tried

#chmod 400 /etc/iptables/rules.v4
and

root crontab
* * * * * /usr/sbin/iptables-restore < /etc/iptables/rules.v4
and
root crontab
* * * * * /root/iptables.sh

where
# cat /root/iptables.sh

#!/bin/bash
/usr/sbin/iptables-restore < /etc/iptables/rules.v4
/usr/sbin/ip6tables-restore < /etc/iptables/rules.v6
sync
exit

but nothing stops it happening. the first cronjob doesn't restore the
rules, but the script does.

How can I find out what program is doing this? This surely counts as
malicious activity. The only difference between this host and
several others (all running daedalus) is that it is running some debian
edu packages.

At the moment I am 'watching' iptables -L and trying to see it using
top, but I'd prefer a log output so I can post it here as this must be
of general interest.

Thanks