Rastrear edições no meu arquivo / etc / hosts

A cada hora em: 49, meu arquivo hosts está sendo substituído pelo seguinte:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

# *********<D2><D4><CF><C2><C4><DA><C8><DD>Ϊ360<B0><B2>ȫ<CE><C0>ʿΪ<C3><E2><D2><U+07FB><FA><C6><F7><B9><B7>ľ<C2><U+DCA1><B6><BE><CB><F9><CC><ED><BC><D3>******************
127.0.0.1  yu.8s7.net
127.0.0.1  1.jopanqc.com
127.0.0.1  2.joppnqq.com
127.0.0.1  wg.47255.com
127.0.0.1  1.joppnqq.com
127.0.0.1  xxx.m111.biz
127.0.0.1  1.jopenqc.com
127.0.0.1  1.jopenkk.com
127.0.0.1  xxx.vh7.biz
127.0.0.1  xxx.j41m.com
127.0.0.1  3.joppnqq.com
127.0.0.1  d.93se.com
127.0.0.1  www.868wg.com
127.0.0.1  xxx.mmma.biz
127.0.0.1  ilove.com
127.0.0.1  tp.shpzhan.cn
127.0.0.1  www.tomwg.com
127.0.0.1  www.cike007.cn
127.0.0.1  www.22aaa.com
127.0.0.1  xx.exiao01.com
127.0.0.1  www.exiao01.com
127.0.0.1  www.exiao01.com
127.0.0.1  new.749571.com
127.0.0.1  xtx.kv8.info
127.0.0.1  cao.kv8.info
127.0.0.1  1.jopmmqq.com
127.0.0.1  171817.171817.com
127.0.0.1  d2.llsging.com
127.0.0.1  down.malasc.cn
127.0.0.1  llboss.com
127.0.0.1  nx.51ylb.cn
127.0.0.1  my.531jx.cn
127.0.0.1  qqq.dzydhx.com
127.0.0.1  qqq.hao1658.com
127.0.0.1  www.333292.com
127.0.0.1  down.18dd.net
127.0.0.1  up.22x44.com
# *********<BD><E1><CA><F8>******************
# *********<D2><D4><CF><C2><C4><DA><C8><DD>Ϊ360<B0><B2>ȫ<CE><C0>ʿΪ<C3><E2><D2>ߴŵ<FA><BB><FA>dummycom<B2><A1><B6><BE><CB><F9><CC><ED><BC><D3>******************
127.0.0.1  gxgxy.net^M
# *********<C3><E2><D2>ߴŵ<FA><BB><FA>dummycom<BD><E1><CA><F8>******************

Eu tentei usar auditctl para acompanhar as alterações da seguinte forma:

# /sbin/auditctl -w /etc/hosts -p wa -k hosts-file

Mas a cada hora, ele é substituído e a execução de /sbin/ausearch -f /etc/hosts não mostra nada. Quando edito manualmente o arquivo, ausearch mostra minha alteração.

Eu olhei tanto para o crontab do meu usuário quanto para o crontab do root, e não vejo nada rodando em: 49 que possa ser o culpado.

O que pode estar fazendo isso e como posso pará-lo? Estou executando o Debian jessie / testing.