Deleted Files

Amiel Tutolo
Frequent Advisor

I have some files that were deleted 2 days ago and I am trying to track down who or what did it. Is this logged somewhere on the system? This is on an 11i system. Thanks for your help in advance.
Live, love and laugh
8 REPLIES
RAC_1
Honored Contributor

Re: Deleted Files

You may get what you want?? Have you set the auditing?? (setting auditing will require the system to be in trusted mode)

If you have not, then you may look at the $HOME/.sh_history files of all users. (that too if .sh_history has been set)

Anil
There is no substitute to HARDWORK
John Payne_2
Honored Contributor
Solution

Re: Deleted Files

Probably not. Were these files only writable by root? If so, do you have a policy that people have to 'su' to root to become root? If so, then you can go to the sulog to see who became root.

If you know when this happened, you 'may' be able to go see who logged into the system near that time. (Depending on your system, of course) Try typing 'last' to see if you get a list of people logged in then. (May not get it if lots of people log in here.)

/var/adm/syslog/syslog.log would give you logs with users if you have logging enabled for inetd. (inetd -l) Then you should get a host or IP address that the user came from.

Good Luck

John
Spoon!!!!
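Added example, not part of the post above: one way to pull the su-to-root events for a given day and time window out of the sulog the reply mentions. It assumes the usual `SU MM/DD HH:MM +/- tty olduser-newuser` line layout; the function names, the sample lines and the time window are constructed for illustration.

```shell
#!/bin/sh
# su_to_root LOGFILE MM/DD HH:MM HH:MM
# List every attempt to become root on the given day, between the two
# times (inclusive), from an sulog-format file.
# Output per line: time, original user, ok|FAILED, tty.
su_to_root() {
    awk -v day="$2" -v from="$3" -v to="$4" '
        $1 == "SU" && $2 == day && $3 >= from && $3 <= to {
            if ($6 !~ /-root$/) next          # field 6 is "olduser-newuser"
            user = $6
            sub(/-root$/, "", user)           # keep only the original user
            result = ($4 == "+") ? "ok" : "FAILED"
            print $3, user, result, $5
        }' "$1"
}

# Constructed sample data in sulog layout (not taken from a real system).
sample_sulog() {
cat <<'EOF'
SU 03/14 09:02 + ttyp1 jsmith-root
SU 03/14 13:47 - ttyp3 guest-root
SU 03/14 14:05 + ttyp2 mbrown-root
SU 03/14 14:20 + ttyp2 mbrown-oracle
SU 03/15 08:30 + ttyp1 jsmith-root
EOF
}

# Demo: who became (or tried to become) root on 03/14 between 13:00 and 15:00.
demo_log="${TMPDIR:-/tmp}/sulog.sample.$$"
sample_sulog > "$demo_log"
su_to_root "$demo_log" 03/14 13:00 15:00
rm -f "$demo_log"
```

On HP-UX the real file is /var/adm/sulog. Its entries carry no year, so check the file's age before trusting a match, and compare the ttys it reports against the `last` output for the same window.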
Amiel Tutolo
Frequent Advisor

Re: Deleted Files

This system is not a trusted system. Also I think the delete was done by a Windows user through a CIFS share.
Live, love and laugh
Rick Garland
Honored Contributor

Re: Deleted Files

In checking the .sh_history files of users, hope that it is set up and working. Also hope that the user (whoever it might be) does not have more commands than the HISTORY is set up to save. Usually I see this as 500.

As an aid that might help narrow the search or prevent future occurrences, how are the perms and owners set for these files/directory?

If the perms are set then who has the access to do this function in this area?

Gerhard Roets
Esteemed Contributor

Re: Deleted Files

Hi Amiel

If it was through a CIFS share, the odds are the process that deleted it would only show the CIFS user. So if this user was attached as guest it would most probably just show the guest user account.

If you do not have auditing turned on, the odds are you will not find it except for the chance of the history file as stated above, but CIFS does not have a history file.


Regards
Gerhard
Yogeeraj_1
Honored Contributor

Re: Deleted Files

hi,

as a last recourse, if you have a small number of users, you can use the "last -R" command to check the last logins of users...

good luck!

regards
Yogeeraj
No person was ever honoured for what he received. Honour has been the reward for what he gave (Calvin Coolidge)
Darren Prior
Honored Contributor

Re: Deleted Files

Hi,

If it was deleted through CIFS and you have set the CIFS logging at a high enough level, then I'd suggest you grep the files in /var/opt/samba for the deleted filename.

regards,

Darren.
Calm down. It's only ones and zeros...
Amiel Tutolo
Frequent Advisor

Re: Deleted Files

Thanks for your help. This was deleted by a CIFS user and the logging was not high enough to catch. They finally admitted to it.
Live, love and laugh