
How to find out who deleted files?

armadillo
5th April 2006, 03:01 PM
Dear Expert,

I'm using Fedora Core 4 with OS version 2.6.15-1.1833_FC4smp #1 SMP Wed Mar 1 23:56:51 EST 2006 i686.

Yesterday I found out one user deleted a few folders consisting of more than 1000 files :eek:
Is there any way to find out which user deleted the files?
Is there any way for me to recover those files?
Also, is there any way to find out who has the files open on the server?

Thanks a million for your kind assistance.

Best regards,
Armadillo

armadillo
6th April 2006, 12:41 AM
Anyone can help? Please :)

u-noneinc-s
6th April 2006, 02:01 AM
You can try #system-logviewer. Maybe the secure log will show something.
How did you find out over 1000 files got deleted? Do you know which files and folders?

armadillo
6th April 2006, 02:14 AM
Thanks u-noneinc-s,

How do you view #system-logviewer?
I know it was over 1000 files because I have a backup, so I have restored from the backup.
But I need to find out who the culprit is.

Sorry for asking so many questions, I'm a newbie here :)

u-noneinc-s
6th April 2006, 02:21 AM
In a terminal, type system-logviewer and hit enter (If it's not installed, you can read the logs in /var/log).
I don't know if you'll find anything unless some of the files needed root permission to delete. You can check the secure log
and look for any sudo or su entries.

u-noneinc-s
6th April 2006, 02:22 AM
There should also be a log viewer listed in either the KDE or Gnome menu.

armadillo
6th April 2006, 02:38 AM
OK, found something fishy:
looks like a hacker attack

*************************************************************************
Apr 2 09:02:11 fcsvr sshd[25740]: Invalid user test from 200.123.163.201
Apr 2 09:02:11 fcsvr sshd[25740]: reverse mapping checking getaddrinfo for customer123-163-201.iplannetworks.net failed - POSSIBLE BREAKIN ATTEMPT!
Apr 2 09:02:11 fcsvr sshd[25740]: nss_ldap: could not search LDAP server - Operations error
Apr 2 09:02:13 fcsvr sshd[25740]: Failed password for invalid user test from 200.123.163.201 port 3784 ssh2
Apr 2 09:02:17 fcsvr sshd[25742]: nss_ldap: could not search LDAP server - Operations error
Apr 2 09:02:17 fcsvr sshd[25742]: Invalid user test from 200.123.163.201
Apr 2 09:02:17 fcsvr sshd[25742]: reverse mapping checking getaddrinfo for customer123-163-201.iplannetworks.net failed - POSSIBLE BREAKIN ATTEMPT!
Apr 2 09:02:17 fcsvr sshd[25742]: nss_ldap: could not search LDAP server - Operations error
Apr 2 09:02:19 fcsvr sshd[25742]: Failed password for invalid user test from 200.123.163.201 port 4028 ssh2
Apr 2 09:02:23 fcsvr sshd[25745]: nss_ldap: could not search LDAP server - Operations error
Apr 2 09:02:23 fcsvr sshd[25745]: Invalid user test from 200.123.163.201

u-noneinc-s
6th April 2006, 02:48 AM
Invalid user and Failed password are an indication that this person did NOT break in. These break-in attempts are not
uncommon. If you see "Accepted password for username" then you need to investigate.

If you are using the log viewer, at the bottom is a search box. Enter sudo, and click the filter button (or OK button) and then
look through the sudo entries for any commands that removed files.
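The triage described above, as an added example that is not from the thread: it reads /var/log/secure style lines (the sshd, sudo and su message formats of the era), separates failed attempts from accepted logins and su/sudo use, and picks out the sudo commands that remove files. The sample lines, host name, addresses and user names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in /var/log/secure format (not lines from the thread).
SAMPLE_LOG = """\
Apr 2 09:02:11 fcsvr sshd[25740]: Invalid user test from 200.123.163.201
Apr 2 09:02:13 fcsvr sshd[25740]: Failed password for invalid user test from 200.123.163.201 port 3784 ssh2
Apr 2 10:15:42 fcsvr sshd[25901]: Accepted password for bob from 192.0.2.44 port 50122 ssh2
Apr 2 10:16:03 fcsvr sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/rm -rf /srv/share/project
Apr 2 10:20:09 fcsvr sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls /srv/share
Apr 2 11:00:00 fcsvr su: pam_unix(su:session): session opened for user root by alice(uid=1002)
"""

FAILED = re.compile(r"sshd\[\d+\]: (?:Failed password for|Invalid user) (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
SUDO = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")
SU = re.compile(r"su: .*session opened for user (\S+) by (\S+?)\(")
# Commands that remove files; this only narrows the search, it does not prove intent.
DELETE_CMD = re.compile(r"(?:^|/)(?:rm|rmdir|unlink|shred)\b|\bfind\b.*-delete")

def parse_secure_log(text):
    """Group the lines by event type so the few interesting ones stand out."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts = " ".join(line.split()[:3])          # "Apr 2 10:16:03"
        if m := FAILED.search(line):             # noise: failed guesses
            events["failed"].append((ts, m.group(1), m.group(2)))
        elif m := ACCEPTED.search(line):         # someone actually got in
            events["accepted"].append((ts, m.group(1), m.group(2)))
        elif m := SUDO.search(line):             # (ts, who, ran as, command)
            events["sudo"].append((ts, m.group(1), m.group(2), m.group(3)))
        elif m := SU.search(line):               # (ts, who, became)
            events["su"].append((ts, m.group(2), m.group(1)))
    return events

def privileged_deletes(events):
    """sudo entries whose COMMAND removes files: the candidates worth asking about."""
    return [e for e in events["sudo"] if DELETE_CMD.search(e[3])]

if __name__ == "__main__":
    ev = parse_secure_log(SAMPLE_LOG)
    print("failed attempts :", len(ev["failed"]))
    print("accepted logins :", ev["accepted"])
    print("su sessions     :", ev["su"])
    for ts, user, target, cmd in privileged_deletes(ev):
        print(f"{ts} {user} ran as {target}: {cmd}")
```

Deletions done by a user on files they own never reach the secure log, so an empty result here only rules out the sudo and su paths.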

armadillo
6th April 2006, 03:05 AM
Hmmm, can't seem to find anything.
Is there any way to deny a user from deleting files, but still allow access, create, read/write?
TIA

u-noneinc-s
6th April 2006, 03:12 AM
If they can read/write, they can delete.