Operating System - HP-UX
ln_unix
Frequent Advisor

Files deleted,need to know who deleted????

Hello All,

Some files have been deleted on an HP-UX box.

I want to know who the culprit behind this is.

So I need to know where to start finding out who deleted the files.

Need your support and help on this as always.

And thanks in advance.

Best Regards,
LN
15 REPLIES
S-M-S
Valued Contributor

Re: Files deleted,need to know who deleted????

Check the syslog (/var/adm/syslog/syslog.log); you will get entries like the one below.

Here, in the example, the root user deleted the file:

May 5 09:24:25 sapbiprd ftpd[20568]: root of 172.16.23.2 [172.16.23.2] deleted /tmp/sapinst_instdir/NW04S/SYSTEM/ORA/DISTRIBUTED/AS-ABAP/PREPARE/sapinst_dev.log
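
The kind of search S-M-S describes, as an added shell example that is not code from the thread. It assumes the message layout shown in the line above ("<user> of <host> [<ip>] deleted <path>"); whether ftpd writes such a line at all depends on how ftpd logging is set up on the box. The sample log lines are constructed so it can be run offline.

```shell
#!/bin/sh
# Added example, not code from the original thread: pull the "deleted"
# records out of an HP-UX ftpd syslog stream like the one quoted above.
# Assumes the message layout shown in the post,
#   "<user> of <host> [<ip>] deleted <path>";
# any line that does not look like that is ignored.

# Constructed sample standing in for /var/adm/syslog/syslog.log.
sample_syslog() {
    cat <<'EOF'
May  5 09:24:25 sapbiprd ftpd[20568]: root of 172.16.23.2 [172.16.23.2] deleted /tmp/sapinst_instdir/NW04S/SYSTEM/ORA/DISTRIBUTED/AS-ABAP/PREPARE/sapinst_dev.log
May  5 09:25:01 sapbiprd sshd[20600]: Accepted publickey for ln from 10.0.0.7 port 51234 ssh2
May  5 09:31:10 sapbiprd ftpd[20611]: ln of 10.0.0.7 [10.0.0.7] deleted /home/ln/reports/q1.csv
May  5 09:32:40 sapbiprd ftpd[20611]: ln of 10.0.0.7 [10.0.0.7] retrieved /home/ln/reports/q2.csv
EOF
}

# Reads syslog lines on stdin and prints one tab-separated record per
# deletion: timestamp, user, source IP, path. Only ftpd lines are considered,
# so an unrelated message that merely contains the word "deleted" is skipped.
syslog_deletions() {
    awk '
        $5 ~ /^ftpd\[[0-9]+\]:$/ && $10 == "deleted" {
            ip = $9
            gsub(/[][]/, "", ip)          # strip the brackets around the IP
            printf "%s %s %s\t%s\t%s\t%s\n", $1, $2, $3, $6, ip, $11
        }'
}

# Filters those records down to one path and prints the user(s) who removed it.
# Usage: syslog_deletions < /var/adm/syslog/syslog.log | who_deleted /path/to/file
who_deleted() {
    awk -F '\t' -v p="$1" '$4 == p { print $2 }'
}

# Stand-alone run against the constructed sample: lists both deletions, then
# asks who removed one specific file.
sample_syslog | syslog_deletions
sample_syslog | syslog_deletions | who_deleted /home/ln/reports/q1.csv
```

Keying on the process field (`ftpd[pid]:`) and the word in position ten, rather than grepping for "deleted" anywhere, keeps a chatty application that logs the same word out of the result.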

Re: Files deleted,need to know who deleted????

SMS,

I don't think that's a standard message... you may have some customisations in place...

LN,

It will be difficult if you don't have a tool in place to do this... did you have auditing configured? What's the output of:

audsys

HTH

Duncan

I am an HPE Employee
Michal Kapalka (mikap)
Honored Contributor

Re: Files deleted,need to know who deleted????

Hi,

Who has the right to access the server?

What about the privileges?

last will show you who was logged in to the server.

I think it will be very difficult to find out who deleted the files.


mikap
R.O.
Esteemed Contributor

Re: Files deleted,need to know who deleted????

Did those files have permissions that let anyone delete them, or is root the only one who could delete them? You can search for the names of the files in the $HOME/.sh_history of the users to find the culprit, provided you have set up the ".sh_history" log for your users.

Regards,
"When you look into an abyss, the abyss also looks into you"
Hakki Aydin Ucar
Honored Contributor

Re: Files deleted,need to know who deleted????

This is always a controversial issue, and hard to manage. I recommend you use HIDS by HP. It is really worthwhile software that will catch who deleted OR touched your files. HIDS is free of charge (at least for HP-UX 11i v1 it was free).
Hakki Aydin Ucar
Honored Contributor

Re: Files deleted,need to know who deleted????

Hi again,
Maybe you can use a perl script to check who touched your file; check it out:
http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1377980
S.N.S
Valued Contributor

Re: Files deleted,need to know who deleted????

Yes, as others opined, it's hard to find out unless auditing was set up before this happened.

Try the script and let us know; and from the lesson learned, give access permission only to those responsible. You can use ACLs (from next time onwards). Check the CIS Internet Security Standards of HP.

HTH
SNS
"Genius is 1% inspiration, 99% Perspiration" - Edison
Bill Hassell
Honored Contributor

Re: Files deleted,need to know who deleted????

There are so many ways that a file can be removed (cron job, script with errors, untrained users or, worse, untrained root users) that tracking this is almost impossible. You can always look at each user's shell history file (.sh_history), looking for rm commands. Also look for find commands with exec rm actions.

I would first look at the file's directory permissions. If the directory is 777 (-rwxrwxrwx) then that is a huge sysadmin error. Nothing in a 777 directory is safe. If the files are in a properly protected directory such as /etc (which is 555, owned by bin:bin) then only a root user can remove the files. If untrained people know the root password, change it immediately and do not give the root password to anyone who is not properly trained. You can use sudo to restrict people who help with sysadmin tasks.


Bill Hassell, sysadmin
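
The two checks R.O. and Bill Hassell describe above (search every user's .sh_history for an rm, or a find with -exec rm, that could have hit the file, then look at the mode of the directory the file lived in), as one added shell example that is not code from the thread. The home tree, history contents, paths and user names are all constructed; it assumes .sh_history files are plain text and that the start path is find's first argument, and it reads the directory mode with ls -ld rather than stat(1), which HP-UX does not ship.

```shell
#!/bin/sh
# Added example, not code from the original thread. Constructed fixture:
# three users' .sh_history files and a world-writable data directory,
# standing in for /home and the directory the deleted file was in.
setup_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/home/alice" "$dir/home/bob" "$dir/home/carol" "$dir/data/reports"
    chmod 777 "$dir/data/reports"
    cat > "$dir/home/alice/.sh_history" <<'EOF'
ls -l /data/reports
rm /data/reports/q1.csv
EOF
    cat > "$dir/home/bob/.sh_history" <<'EOF'
find /data -name 'q*.csv' -mtime +30 -exec rm {} \;
EOF
    cat > "$dir/home/carol/.sh_history" <<'EOF'
cat /data/reports/q1.csv
EOF
    printf '%s\n' "$dir"
}

# history_hits HOMEROOT FILE
# Prints "user<TAB>command" for each history line that could have removed FILE:
# an rm in command position naming the file or its directory, or a find rooted
# at an ancestor of the file that runs rm through -exec (assumes the start
# path is find's first argument). A user with no history file yields nothing,
# which is itself worth noting.
history_hits() {
    homeroot=$1
    file=$2
    parent=$(dirname "$file")
    for h in "$homeroot"/*/.sh_history; do
        [ -f "$h" ] || continue
        user=$(basename "$(dirname "$h")")
        awk -v u="$user" -v f="$file" -v d="$parent" '
            /(^|[;&| \t])rm[ \t]/ && (index($0, f) || index($0, d)) { print u "\t" $0; next }
            /^[ \t]*find[ \t]/ && /-exec[ \t]+(\/(usr\/)?bin\/)?rm[ \t]/ {
                root = $2
                if (index(f, root) == 1) print u "\t" $0
            }' "$h"
    done
}

# dir_world_writable DIR
# Succeeds when others have write permission on DIR and the sticky bit is not
# set, i.e. any local user could have unlinked a file in it. Reads the mode
# string from ls -ld (field 1, e.g. drwxrwxrwx); position 9 is others' write,
# position 10 is x, -, or t/T when the sticky bit is set.
dir_world_writable() {
    mode=$(ls -ld "$1" | awk '{ print $1 }')
    case $mode in
        d???????w[x-]*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Stand-alone run against the constructed fixture.
root=$(setup_fixture)
history_hits "$root/home" /data/reports/q1.csv
if dir_world_writable "$root/data/reports"; then
    echo "directory is world-writable: any local user could have removed the file"
fi
rm -rf "$root"
```

On a real box point HOMEROOT at /home (and remember root's own history in / or /root); a user whose HISTFILE was redirected, or whose shell never wrote one, will not show up, so an empty result is not an alibi.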
madhuchakkaravarthy
Trusted Contributor

Re: Files deleted,need to know who deleted????

Hi,

Is that file accessible only by root, or also by non-root users? If so,

check in syslog who has logged in to that particular server.

If they switched to the root user you can find an entry in syslog.

Check with last -R -5 username to find the date, time and the IP address from which one has logged in.

regards

MC