System Administration
Files deleted, need to know who deleted?

ln_unix
Frequent Advisor

Hello All,

Some files have been deleted on an HP-UX box.

I want to know who the culprit behind this is.

So, I need to know where to start finding out who deleted the files.

Need your support and help on this as always.

and thanks in advance....

Best Regards,
LN
15 REPLIES
S-M-S
Valued Contributor

Re: Files deleted, need to know who deleted?

Check the syslog (/var/adm/syslog/syslog.log); you will get entries like the one below.

Here in the example the root user deleted the file:

May 5 09:24:25 sapbiprd ftpd[20568]: root of 172.16.23.2 [172.16.23.2] deleted /tmp/sapinst_instdir/NW04S/SYSTEM/ORA/DISTRIBUTED/AS-ABAP/PREPARE/sapinst_dev.log
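As an added example (not part of the post above), here is a small shell function that pulls such ftpd delete records out of a syslog file and prints who deleted what, from which address. It assumes the exact message layout shown in the post (ftpd[pid]: USER of HOST [IP] deleted PATH); a later reply points out that this is not a standard ftpd message, so compare against your own /var/adm/syslog/syslog.log before relying on it. The sample log lines and the function name ftpd_deletes are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: extract ftpd "deleted" records from
# syslog text and print who deleted what, from where. Assumes the message
# format shown in the post (ftpd[pid]: USER of HOST [IP] deleted PATH).

# Constructed sample log lines standing in for /var/adm/syslog/syslog.log.
SAMPLE_LOG='May  5 09:20:01 sapbiprd sshd[20401]: Accepted publickey for sapadm from 172.16.23.7 port 51022 ssh2
May  5 09:24:25 sapbiprd ftpd[20568]: root of 172.16.23.2 [172.16.23.2] deleted /tmp/sapinst_instdir/NW04S/SYSTEM/ORA/DISTRIBUTED/AS-ABAP/PREPARE/sapinst_dev.log
May  5 09:31:07 sapbiprd ftpd[20590]: sapadm of host1.example.com [172.16.23.9] retrieved /sapmnt/trans/data/R900123.PRD
May  5 09:33:12 sapbiprd ftpd[20590]: sapadm of host1.example.com [172.16.23.9] deleted /sapmnt/trans/data/R900123.PRD'

# Read syslog text on stdin; print "Mon Day Time user ip path" for each ftpd
# delete record. Optional $1 keeps only paths containing that string.
# Field layout: $5 = ftpd[pid]:  $6 = user  $8 = host  $9 = [ip]  $10 = deleted  $11 = path
ftpd_deletes() {
    awk -v want="$1" '
        $5 ~ /^ftpd\[[0-9]+\]:$/ && $10 == "deleted" {
            ip = $9
            gsub(/\[|\]/, "", ip)                 # strip the brackets around the IP
            if (want == "" || index($11, want) > 0)
                print $1, $2, $3, $6, ip, $11
        }'
}

# Usage: all deletions, then only those touching one file name.
printf '%s\n' "$SAMPLE_LOG" | ftpd_deletes
printf '%s\n' "$SAMPLE_LOG" | ftpd_deletes sapinst_dev.log
# On a live box: ftpd_deletes sapinst_dev.log < /var/adm/syslog/syslog.log
```

The user column is the ftp login, not necessarily the owner of the file, and the address is whatever ftpd logged, so a match still has to be cross-checked against login records and the box's own ftpd logging configuration.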
Duncan Edmonstone
Honored Contributor

Re: Files deleted, need to know who deleted?

SMS,

I don't think that's a standard message... you may have some customisations in place...

LN,

It will be difficult if you don't have a tool in place to do this... did you have auditing configured... what's the output of:

audsys

HTH

Duncan
Michal Kapalka (mikap)
Honored Contributor

Re: Files deleted, need to know who deleted?

Hi,

Who has the right to access the server?

What about the privileges?

last will show you who was logged in to the server.

I think it will be very difficult to find out who deleted the files.


mikap
R.O.
Esteemed Contributor

Re: Files deleted, need to know who deleted?

Did those files have permissions that let anyone delete them, or was root the only one who could delete them? You can search for the names of the files in the $HOME/.sh_history of the users to find the culprit, provided you have set the ".sh_history" log for your users.

Regards,
"When you look into an abyss, the abyss also looks into you"
Hakki Aydin Ucar
Honored Contributor

Re: Files deleted, need to know who deleted?

This is always a controversial issue, and hard to manage. I recommend you use HIDS by HP. It is really worthwhile software that will catch who deleted OR touched your files. HIDS is free of charge (at least for HP-UX 11i v1 it was free).
Hakki Aydin Ucar
Honored Contributor

Re: Files deleted, need to know who deleted?

Hi again,
maybe you can use a perl script to check who touched your file; check it out:
http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1377980
S.N.S
Valued Contributor

Re: Files deleted, need to know who deleted?

Yes, as others opined, it's hard to find out unless auditing was set up before this happened.

Try the script and let us know; and from the lesson learnt, give access permission only to those responsible. You can use ACLs (from next time onwards). Check the CIS Internet Security Standards of HP.

HTH
SNS
"Genius is 1% inspiration, 99% Perspiration" - Edison
Bill Hassell
Honored Contributor

Re: Files deleted, need to know who deleted?

There are so many ways that a file can be removed (a cron job, a script with errors, untrained users or, worse, untrained root users) that tracking this is almost impossible. You can always look at each user's shell history file (.sh_history) looking for rm commands. Also look for find commands with -exec rm actions.

I would first look at the file's directory permission. If the directory is 777 (-rwxrwxrwx) then that is a huge sysadmin error. Nothing in a 777 directory is safe. If the files are in a properly protected directory such as /etc (which is 555 owned by bin:bin) then only a root user can remove the files. If untrained people know the root password, change it immediately and do not give the root password to anyone that is not properly trained. You can use sudo to restrict people that help with sysadmin tasks.


Bill Hassell, sysadmin
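The history search that R.O. and Bill Hassell describe, written out as an added example (not code from either post). ksh keeps NUL bytes between entries in .sh_history, so a plain grep reports a binary file; the NULs are stripped first. The function reports rm and unlink lines that name the file, plus any find ... -exec rm line, since those remove files without naming them. The sample history files, the scratch directory layout and the function name history_rm_hits are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: search users' ksh history files for
# commands that could have removed a given file. NUL separators in
# .sh_history are stripped before the text is inspected. The caveats from
# the thread still apply: the file is truncated at HISTSIZE, a user can edit
# it, and a deletion from a script, editor or cron job leaves no entry at all.

# Usage: history_rm_hits FILE_NAME HISTFILE...
# Prints "user: command" per hit; user is taken from the home directory name.
history_rm_hits() {
    name=$1; shift
    for hist in "$@"; do
        [ -r "$hist" ] || continue
        user=$(basename "$(dirname "$hist")")   # /home/alice/.sh_history -> alice
        tr -d '\000' < "$hist" | awk -v name="$name" -v user="$user" '
            /(^|[;&| ])(rm|unlink) / && index($0, name) > 0 { print user ": " $0; next }
            /-exec +rm /                                    { print user ": " $0 }
        '
    done
}

# Constructed sample history files in a scratch directory, with NUL separators
# between entries as ksh writes them.
SCRATCH=$(mktemp -d)
mkdir -p "$SCRATCH/alice" "$SCRATCH/bob" "$SCRATCH/root"
printf 'cd /data/reports\n\0ls -l\n\0rm -f q1_summary.txt\n\0' > "$SCRATCH/alice/.sh_history"
printf 'vi q1_summary.txt\n\0cp q1_summary.txt /tmp\n\0'      > "$SCRATCH/bob/.sh_history"
printf 'find /data/reports -mtime +30 -exec rm {} \\;\n\0'    > "$SCRATCH/root/.sh_history"

# Usage: who ran something that could have removed q1_summary.txt?
history_rm_hits q1_summary.txt "$SCRATCH"/*/.sh_history
# On a live box: history_rm_hits q1_summary.txt /home/*/.sh_history /.sh_history
```

The root hit above is the case Bill mentions: a find with -exec rm never names the file, so it is reported whenever it appears, and you then have to work out from its path and age arguments whether it could have matched.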
madhuchakkaravarthy
Trusted Contributor

Re: Files deleted, need to know who deleted?

Hi,

Is that file accessed only by root, or by non-root users too? If so,

check in syslog who has logged in to that particular server.

If they switched to the root user you can find the entry in syslog.

Check with last -R -5 username to find the date, time and the IP address from which one has logged in.

regards

MC
S.N.S
Valued Contributor

Re: Files deleted, need to know who deleted?

Yes, as others opined, it's hard to find out unless auditing was set up before this happened.

Try the script and let us know; and from the lesson learnt, give access permission only to those responsible. You can use ACLs etc. (from next time onwards).
Have a look at the CIS Internet Security Standards of HP for future implementation:

http://cisecurity.org/en-us/?route=downloads.show.single.hpux.150

HTH
SNS
"Genius is 1% inspiration, 99% Perspiration" - Edison
Rita C Workman
Honored Contributor

Re: Files deleted, need to know who deleted?

As others have mentioned, if you don't have some kind of software that logs keystrokes, you're going to have a problem finding this.

What R.O. suggested is likely your only open option. The only issue with it is that most user keystroke history files are just that, a single file that only maintains so many lines of history.
So by the time you realize the files have been removed, the evidence is likely gone from "whoever's" .sh_history file.

Now you could get logging software, turn on auditing, or you could change everyone's .profile so their .sh_history file becomes a directory with multiple history files, so you don't lose the keystroke data so fast. Try something like this:

# $HOME is assumed here: the variable was lost from the posted line in forum rendering
mkdir -p $HOME/.hist
HISTFILE=$HOME/.hist/HIST$$
export HISTFILE
HISTSIZE=100
export HISTSIZE

Advantage - you didn't turn on auditing and you get more keystroke history; you didn't have to get some third-party software installed and configured.
Disadvantage - you have to implement it in (how many users') .profile; you now get a lot more files you need to keep cleaned up, likely using some quickie script in cron to just go clean these up.

Just a thought,
Rita

Prasanth V Aravind
Trusted Contributor

Re: Files deleted, need to know who deleted?

It's very simple....

If you want to know which culprit did this, you should have the activity history log... do you have it????

Else configure it, so you can avoid these types of issues in future.

Steps:--


Pre-implementation steps:-
===============================
1. cp /etc/profile /etc/profile.old




Implementation steps:-
=========================

1. Login to the server & run the commands below.

cp /etc/profile /etc/profile.old
mkdir /var/adm/commandlog/
chmod 733 /var/adm/commandlog/

2. vi /etc/profile & remove old history definitions if they exist.

3. Add the entry below at the end of the profile file.

export HISTFILE=/var/adm/commandlog/history_$(uname -n)_$( date +%Y_%b_%d_%H.%M.%S)_$(whoami)_from_$(who am i | awk '{print $1}')_$( who am i -u | awk '{print $8}')
HISTFILESIZE=5000
HISTSIZE=5000
export HISTFILE HISTSIZE HISTFILESIZE


Verification plan:-
============
1. Login to the server again & check whether you can see the history file for your new session in /var/adm/commandlog/

Backup plan:-
=====================
cp /etc/profile.old /etc/profile


THIS IS TESTED & WORKING AT MY SITE, WHERE I HAVE 600+ SERVERS

GOOD LUCK
Prasanth
Prasanth V Aravind
Trusted Contributor

Re: Files deleted, need to know who deleted?

Make sure that this history file definition is on a single line when you edit the profile.

export HISTFILE=/var/adm/commandlog/history_$(uname -n)_$( date +%Y_%b_%d_%H.%M.%S)_$(whoami)_from_$(who am i | awk '{print $1}')_$( who am i -u | awk '{print $8}')
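The per-session history directory from the procedure above (and Rita's per-session HISTFILE idea), as an added example that is not code from either post, with two changes a practitioner would want. The directory is created with mode 1733 rather than 733: the sticky bit lets every user create a history file but stops one user from removing or renaming another's, which closes the most obvious way for a "culprit" to tidy up after themselves. The HISTFILE name is built by a function so it can be checked without a real login session. Assumptions for a dry run: ROOT is a scratch prefix (set it to empty and run as root for the real /var/adm/commandlog), the function names are made up for this example, and the origin host is read from the last field of "who -u am i", which is what the posted $8 picks out on HP-UX.

```shell
#!/bin/sh
# Added example, not from the thread: a sticky, per-session command-log
# directory and a checked HISTFILE name, based on the posted procedure.
# ROOT is a scratch prefix for a dry run; ROOT= (empty) gives the real path.
ROOT=${ROOT-$(mktemp -d)}
LOGDIR=$ROOT/var/adm/commandlog

# Create the log directory: writable by everyone, listable by the owner only,
# sticky so users cannot delete each other's history files (1733, not 733).
commandlog_setup() {
    mkdir -p "$LOGDIR"
    chmod 1733 "$LOGDIR"
}

# Return 0 if the directory exists with the sticky bit and mode drwx-wx-wt.
commandlog_check() {
    [ -d "$LOGDIR" ] && [ -k "$LOGDIR" ] &&
        [ "$(ls -ld "$LOGDIR" | cut -c1-10)" = "drwx-wx-wt" ]
}

# Build the per-session history file name: host, timestamp, effective user,
# login user and origin. Arguments override the live lookups so the result
# can be tested; call with no arguments from /etc/profile.
commandlog_histfile() {
    host=${1:-$(uname -n)}
    stamp=${2:-$(date +%Y_%b_%d_%H.%M.%S)}
    euser=${3:-$(id -un)}
    luser=${4:-$(who am i | awk '{print $1}')}
    origin=${5:-$(who -u am i | awk '{print $NF}' | tr -d '()')}   # assumed field, see lead-in
    printf '%s/history_%s_%s_%s_from_%s_%s\n' \
        "$LOGDIR" "$host" "$stamp" "$euser" "${luser:-unknown}" "${origin:-console}"
}

# Usage, as /etc/profile would do it (fixed values here for a dry run):
commandlog_setup
HISTFILE=$(commandlog_histfile sapbiprd 2009_May_05_09.24.25 root ln 172.16.23.2)
HISTSIZE=5000
export HISTFILE HISTSIZE
echo "$HISTFILE"
commandlog_check && echo "commandlog directory OK"
```

Steven Schweda's objection below still stands: this only records interactive commands from shells that honour HISTFILE, and a user can still truncate their own file, so it is a deterrent and a breadcrumb trail, not an audit log; audsys-style auditing is what records the unlink itself.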

Taifur
Respected Contributor

Re: Files deleted, need to know who deleted?

HI,

Check the syslog and history file.

Cheers//
taifur
Steven Schweda
Honored Contributor

Re: Files deleted, need to know who deleted?

> THIS IS TESTED & WORKING IN MY SITE, [...]

Where everyone uses the right shell, and all commands are run interactively, and no "culprit" is smart enough to find and destroy the evidence, and ...


> I want to know that who is the culprit
> behind this.

Why do these threads always involve setting up the security surveillance cameras _after_ the robbery?