Full Discussion: Who deleted my files
Operating Systems AIX Who deleted my files Post 302564763 by juredd1 on Friday 14th of October 2011 02:17:40 PM

Just looking for some guidance on how to figure out who might have deleted some files off one of my systems.

These files are not root owned files so they could be deleted by a handful of folks in the group responsible for these files besides the root users.

Anyway, I have been tasked with trying to figure out where they went. I can see from our backup server they were there on Sept. 26th and gone on Sept. 27th. I have tried reviewing the .sh_history file for each user but have just performed a copy of the .sh_history file of each user to a tmp location and then reviewed the files with vi.

I have done this for the root user as well but notice after the copy that the last timestamp in the file is from yesterday. None of the commands I have run today are there. However, if I use the fc command they are shown. My concern is that will be the case for the copy of the other users' history files, but I don't have a way to properly format the history file with fc unless I log in as each user. The other issue I have is some users' history files do not appear to go back that far so I am having to restore from the previously mentioned time frame.

Just looking for any thoughts on how to better come up with an answer. Something had to happen to those files but thus far I am coming up empty.

I think I understand that if someone wanted to delete these files and not be found they could edit their own history file. I don't think it's the case of an on-purpose delete as the files are still on the source server which they can delete as well. I can get them back from the source server or from backup but just would like to figure out how they got deleted to avoid this questioning from the customer in the future.

Thanks.
 

checkrestart(1)                  debian-goodies                  checkrestart(1)

NAME
       checkrestart - check which processes need to be restarted after an upgrade

SYNOPSIS
       checkrestart [ -hvpa ] [ -b blacklist_file ] [ -i package_name ]

DESCRIPTION
       The checkrestart program tries to determine if there are processes in the system that need to be restarted after a system upgrade. This is necessary since an upgrade will usually bring new system libraries and running processes will be still using the old versions of the libraries. In stable Debian GNU/Linux systems this is typically needed to eliminate a system exposure to a vulnerability which might have been fixed by upgrading a library which that process makes use of.

       Consequently, checkrestart is sometimes used as an audit tool to find outdated versions of libraries in use, particularly after security upgrades. Administrators should not, however, rely on its output completely (see BUGS below).

       This script needs to run as root in order to obtain the information it needs for analysis.

OPTIONS
       -h, --help
              Show the program help and exit.

       -v, --verbose
              Generate detailed output. This output includes the list of all processes found using deleted files or descriptors as well as the deleted files and descriptors found.

       -p, --package
              Only process deleted files that belong to a package, ignoring deleted files which do not have an associated package in the package system.

       -a, --all
              Process all deleted files regardless of location. This makes the program analyse deleted files even if they would be discarded because they are located in locations, such as /tmp, which are known to produce false positives. It will take precedence if used simultaneously with the -p option.

       -b file, --blacklist=file
              Read a blacklist of regular expressions from file. Any files matching the patterns will be ignored.

       -i name, --ignore=name
              Ignore services that are associated to the package name provided in name.

EXIT STATUS
       The program will exit with error (1) if a non-root user tries to run it. Otherwise, it will always exit with error status 0.

BUGS
       This program might fail if the output of the lsof utility changes since it depends on it to detect which deleted files are used by processes. It might also output some false positives depending on the processes' behaviour since it does not check yet if the (deleted) files in use are really libraries.

       If you find a false positive in checkrestart please provide the following information when submitting a bug report:

       -- The output of checkrestart using the -v (verbose) option.

       -- The output of running the following command as root:

              lsof | egrep 'delete|DEL|path inode'

       Checkrestart is also sensitive to the kernel version in use and might fail to work with newer (or older) versions. A rewrite to make it less dependent on lsof could improve this, however.

SEE ALSO
       lsof(8)

AUTHOR
       checkrestart was written by Matt Zimmerman for the Debian GNU/Linux distribution.

COPYRIGHT AND LICENCE
       Copyright (C) 2001 Matt Zimmerman <mdz@debian.org>
       Copyright (C) 2007,2010-2011 Javier Fernandez-Sanguino <jfs@debian.org>

       This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version.

       On Debian systems, a copy of the GNU General Public License may be found in /usr/share/common-licenses/GPL.

debian-goodies                   December 19 2006                checkrestart(1)
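The detection step described in the checkrestart page above (find processes that still hold deleted files, discard noisy locations unless -a is given, apply a -b blacklist) can be sketched as follows. This is an added example, not checkrestart's own code: the function name `deleted_in_use`, the sample lsof lines and the `/dev/` entry in the noisy-location list are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed lsof-style lines, not captured from a real host. Rows whose FD
# column is DEL have an empty SIZE/OFF column, so the column count varies.
SAMPLE_LSOF = """\
COMMAND  PID USER  FD  TYPE DEVICE SIZE/OFF   NODE NAME
sshd     812 root  DEL REG  8,1             131094 /lib/x86_64-linux-gnu/libssl.so.1.0.0
sshd     812 root  mem REG  8,1    1599504  131077 /lib/x86_64-linux-gnu/libc-2.13.so
apache2 1450 root  DEL REG  8,1             131094 /lib/x86_64-linux-gnu/libssl.so.1.0.0
apache2 1450 root  3u  REG  8,1          0  262301 /tmp/sess_ab12 (deleted)
mysqld  2001 mysql 5u  REG  8,1       4096  262310 /tmp/ibQ3x9 (deleted)
cron     640 root  DEL REG  0,4               9801 /dev/zero
"""

# Assumed noisy locations; the man page itself names only /tmp.
NOISY_PREFIXES = ("/tmp/", "/dev/")
SUFFIX = " (deleted)"


def deleted_in_use(lsof_text, all_files=False, blacklist=()):
    """Return {(pid, command): [deleted paths still open or mapped]}."""
    ignore = [re.compile(p) for p in blacklist]
    hits = defaultdict(set)
    for line in lsof_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        # NAME begins at the first absolute path after the FD column.
        start = next((i for i, f in enumerate(fields)
                      if i > 3 and f.startswith("/")), None)
        if start is None:
            continue
        command, pid, fd = fields[0], int(fields[1]), fields[3]
        name = " ".join(fields[start:])
        if fd != "DEL" and not name.endswith(SUFFIX):
            continue  # file still exists on disk
        path = name[:-len(SUFFIX)] if name.endswith(SUFFIX) else name
        if not all_files and path.startswith(NOISY_PREFIXES):
            continue  # default behaviour; all_files mirrors -a
        if any(rx.search(path) for rx in ignore):
            continue  # mirrors the -b blacklist of regular expressions
        hits[(pid, command)].add(path)
    return {key: sorted(paths) for key, paths in hits.items()}


if __name__ == "__main__":
    for (pid, command), paths in sorted(deleted_in_use(SAMPLE_LSOF).items()):
        print(pid, command, ", ".join(paths))
```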