Re: Files deleted,need to know who deleted????

ln_unix · ‎05-05-2010

Hello All,

Some files has been deleted on hp-ux box .

I want to know that who is the culprit behind this.

So,need to know from where i start findings that who deleted the file.

Need your support and help on this as always?

and thanks in advance....

Best Regards,
LN

S-M-S · ‎05-05-2010

check the syslog (/var/adm/syslog/syslog.log) , you will get the entries like below

here in example root user deleted the file

May 5 09:24:25 sapbiprd ftpd[20568]: root of 172.16.23.2 [172.16.23.2] deleted /tmp/sapinst_instdir/NW04S/SYSTEM/ORA/DISTRIBUTED/AS-ABAP/PREPARE/sapinst_dev.log

Duncan Edmonstone · ‎05-05-2010

SMS,

I don't think that's a standard message... you may hve some customisations in place...

LN,

It will be dfficiult if you don't have a tool in place to do this... did you have auditing configured... what's the output of:

audsys

HTH

Duncan

I am an HPE Employee

Michal Kapalka (mikap) · ‎05-05-2010

hi,

ho have the right to access the server ???

what abiut the privileges ???

last will show you ho was loged to the server.

i think that will be very difficult to find out ho deleted the files.

mikap

R.O. · ‎05-05-2010

Did those files have permissions to be deleted by anyone or is root the only who could delete them? You can search the name of the files in the $HOME/.sh_history of the users to find the culprit, provided you have set the ".sh_history" log for your users.

Regards,

"When you look into an abyss, the abyss also looks into you"

Hakki Aydin Ucar · ‎05-05-2010

This is everytime contreversial issue , and hard to manage, I recommend you to use HIDS by HP. It is really worthwhile software thast will catch who deleted OR touched your files. HIDS is free of charge (at least for HP-UX 11i v1 it was free)

Hakki Aydin Ucar · ‎05-05-2010

Hi again,
maybe you can use a perl script to check who touched your file , check it out:
http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1377980

S.N.S · ‎05-05-2010

Yes, as others opined - its hard to find unless the auditing was set before this happened.

Try the script and let us know; and from the lesson learnt, give access permission only to those responsible. You can use ACLs (from next time onwards)..Check the CIS Internet Security Standards of HP

HTH
SNS

"Genius is 1% inspiration, 99% Perspiration" - Edison

Bill Hassell · ‎05-05-2010

There are so many ways that a file can be removed (cron job, script with errors, untrained users or worse, untrained root users) that tracking this is almost impossible. You can always look at each user's shell history file (.sh_history) looking for rm commands. Also look for find commands with exec rm actions.

I would first look at the file's directory permission. If the directory is 777 (-rwxrwxrwx) then that is a huge sysadmin error. Nothing in a 777 directory is safe. If the files are in a properly protected directory such as /etc (which is 555 owned by bin:bin) then only a root user can remove the files. If untrained people know the root password, change it immediately and do not give the root password to anyone that is not properly trained. You can use sudo to restrict people that help with sysadmin tasks.

Bill Hassell, sysadmin

madhuchakkaravarthy · ‎05-05-2010

hi

if that file is accessed only by root or non root users.if so

check in syslog who have logged in that particular server.

if they had switched as root user u can find entry in syslog.

check with last -R -5 username to fine the date time and from which ip address one has logged in .

regards

MC

S.N.S · ‎05-05-2010

Yes, as others opined - its hard to find unless the auditing was set before this happened.

Try the script and let us know; and from the lesson learnt, give access permission only to those responsible. You can use ACLs etc(from next time onwards)..
Have a check at the CIS Internet Security Standards of HP for future implementation

http://cisecurity.org/en-us/?route=downloads.show.single.hpux.150

HTH
SNS

"Genius is 1% inspiration, 99% Perspiration" - Edison

Rita C Workman · ‎05-05-2010

AS others have mentioned, if you don't have some kind of software that logs keystrokes, you're going to have a problem finding this.

What R.O. suggested is likely your only open option. The only issue with it is that most user keystroke history files, are just that, a single file that only maintains so many lines of history.
So by the time you realize the files have been removed, the evidence is likely gone out of "whoever's" .sh_history file.

Now you could get logging software, turn on auditing, or you could change everyone's .profile so their .sh_history file becomes a directory with multiple history files, so you don't lose the keystroke data so fast. Try something like this:

HISTFILE=//.hist/HIST$$
export HISTFILE
HISTSIZE=100
export HISTSIZE

Advantage - you didn't turn on auditing and you get more keystroke history; you didn't have to get some thirdparty software installed and configured.
Disadvantage - You have to implement on (how many users) .profile; you now get alot more files you need to keep cleaned up. Likely using some quickie script in cron to just go clean these up.

Just a thought,
Rita

Prasanth V Aravind · ‎05-05-2010

Its very simple....

if you want to know who culprit did this.. you should have the activity history log... do you have it ????

else configure it, so you can avoid these type of issues in future

Steps:--

Pre-implementation steps:-
===============================
1. cp /etc/profile /etc/profile.old

Implementation steps:-
=========================

1. Login to server & run below commands.

cp /etc/profile /etc/profile.old
mkdir /var/adm/commandlog/
chmod 733 /var/adm/commandlog/

2. vi /etc/profile & remove old history definitions if exists.

3. Add below entry to the last for profile file.

export HISTFILE=/var/adm/commandlog/history_$(uname -n)_$( date +%Y_%b_%d_%H.%M.%S)_$(whoami)_from_$(who am i | awk '{print $1}')_$( who am i -u | awk '{print $8}')
HISTFILESIZE=5000
HISTSIZE=5000
export HISTFILE HISTSIZE HISTFILESIZE

Verification plan:-
============
1. Login to server againg & check can you able to see history file for you new session in /var/adm/commandlog/

Backup plan:-
=====================
cp /etc/profile.old.bhe /etc/profile

THIS IS TESTED & WORKING IN MY SITE, WHERE I AM HAVING 600+ SERVERS

GUDLUCK
Peasanth

Prasanth V Aravind · ‎05-05-2010

Make sure that this history file definition comes is in single line when you edit profile.

export HISTFILE=/var/adm/commandlog/history_$(uname -n)_$( date +%Y_%b_%d_%H.%M.%S)_$(whoami)_from_$(who am i | awk '{print $1}')_$( who am i -u | awk '{print $8}')

Taifur · ‎05-05-2010

HI,

Check the syslog and history file.

Cheers//
taifur

Steven Schweda · ‎05-06-2010

> THIS IS TESTED & WORKING IN MY SITE, [...]

Where everyone uses the right shell, and
all commands are run interactively, and no
"culprit" is smart enough to find and destroy
the evidence, and ...

> I want to know that who is the culprit
> behind this.

Why do these threads always involve setting
up the security surveillance cameras _after_
the robbery?

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: Files deleted,need to know who deleted????

Files deleted,need to know who deleted????