HPE Community
Operating System - HP-UX
1754020 Members
7584 Online
108811 Solutions
New Discussion юеВ

Re: Need to find out who deleted files

 
SOLVED
Go to solution
Arch1tect
New Member

тАО04-06-2006 05:40 AM

тАО04-06-2006 05:40 AM

Need to find out who deleted files

Let me preface with the fact that I am not a true HP-UX admin.

Came in this morning to discover that someone (or something) had deleted all of the binaries for a production environment here at the office.

We were able to restore them, but we cannot determine who removed them. So far, I have checked the syslog.log, and each users .sh_history and I have found nothing. Is there another way I can find this info?

Thanks in advance!

Phil
There are 10 types of people in the world. Those who understand Binary and those who don't.
0 Kudos
Reply
6 REPLIES 6
John Dvorchak
Honored Contributor

тАО04-06-2006 05:44 AM

тАО04-06-2006 05:44 AM

Solution

Re: Need to find out who deleted files

I think the best you can do is look issue the last command and see who was logged on at that time. Hopefully that will narrow the list of suspects. If you don't know about when it happened you can look at the directory, if it still exists, for the last modification time.
If it has wheels or a skirt, you can't afford it.
Reply
Torsten.
Acclaimed Contributor

тАО04-06-2006 05:46 AM

тАО04-06-2006 05:46 AM

Re: Need to find out who deleted files

Normally the file owner and root only are able to delete the files. I guess not so many people can have root access to your server.

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.
__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!   
Reply
Pete Randall
Outstanding Contributor

тАО04-06-2006 05:47 AM

тАО04-06-2006 05:47 AM

Re: Need to find out who deleted files

If permissions were set correctly it would have taken someone with root authority to remove the files. Someone in that position who was bent on being so disruptive/destructive would most likely plan on coverning their tracks by editing .sh_history and syslog as well.

I would first take a look at who has root access, starting by changing the password and making sure that only those who truly need to have root access know the new password.


Pete

Pete
Reply
Arch1tect
New Member

тАО04-06-2006 06:15 AM

тАО04-06-2006 06:15 AM

Re: Need to find out who deleted files

Thanks for the help. I was able to figure it out using "last" and some further investigation.
There are 10 types of people in the world. Those who understand Binary and those who don't.
0 Kudos
Reply
John Dvorchak
Honored Contributor

тАО04-06-2006 09:18 AM

тАО04-06-2006 09:18 AM

Re: Need to find out who deleted files

You are welcome and welcome to the forums. I see that you are new to the HP ITRC forums and I want to remind you to assign points for correct/helpful answers. That way some one in the future can search for a similar problem and seeing points assigned knows that it was helpful.

Please don't assign points for this response.
Good luck!
If it has wheels or a skirt, you can't afford it.
Reply
Ivan Ferreira
Honored Contributor

тАО04-06-2006 09:24 AM

тАО04-06-2006 09:24 AM

Re: Need to find out who deleted files

The last command may not help too much, if there where a lot of users loging at that time, or no users logged in at that time.

You may check also the /home//.sh_history if there is an rm command that deleted your file.

For the future, you may need to enable auditing.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.