05-12-2004
Yow! First of all, you can do "ps -fu <uid>" to get a list of processes for a certain user. But even with that revision, I would certainly not run that script. Especially for root. I don't know AIX, but there are processes like swapper and init that are special. I wouldn't try a ptrace() on them without a lot of research.
Can you briefly unplug the system from the network? If the directory disappears while the box is unplugged from the network, you know that it's a local process. If the directory is exported via NFS or a similar service the local box may be invoking a rmdir() or unlink(). Even without NFS, a cronjob on another system could use a remote shell. Unplugging the system for a few carefully timed seconds will tell you if another box is involved.
Deleting a directory requires write permission to the parent directory. By varying the permissions on that parent, you should be able to nail down the uid involved.
I would do a "ps -fu <uid>" in a loop around 4:00, sending the results to a file. Then I would study the file looking for any commands that could delete the directory.
Most directories are deleted by programs like rm or rmdir. Or maybe perl. For that to happen, the program must run. To run a program, you must read it. This updates atime in the inode. Run "ls -lu /usr/bin/rm" at 3:59 and 4:01. If the time doesn't change, that was not the program used.
With a little detective work, you can usually zero in on the culprit.
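The "ps -fu <uid>" sampling loop and the "ls -lu" atime comparison described in the post above, combined into one script as an added example that is not part of the original post. The function names, log format and arguments are hypothetical, and the atime comparison assumes access-time updates are not suppressed by a mount option such as noatime.

```shell
#!/bin/sh
# Added example, not from the original post. The directory, uid, log path,
# sample count and interval passed in are assumptions chosen by the caller.

# Print the access-time columns (month day time) that "ls -lu" shows for a file.
atime_of() {
    ls -lu "$1" 2>/dev/null | awk '{print $6, $7, $8}'
}

# Append a timestamped "ps -fu <uid>" listing to the log.
snapshot() {
    echo "=== $(date '+%Y-%m-%d %H:%M:%S') ps -fu $1" >> "$2"
    ps -fu "$1" >> "$2" 2>&1 || echo "(ps returned non-zero)" >> "$2"
}

# watch_dir DIR UID LOG COUNT INTERVAL [BINARY...]
# Samples the process list until DIR disappears or COUNT samples are taken,
# then logs which candidate binaries had their atime change meanwhile.
# Returns 0 if DIR disappeared during the watch, 1 if it survived.
watch_dir() {
    dir=$1; uid=$2; log=$3; count=$4; interval=$5; shift 5
    before=""
    for b in "$@"; do
        before="$before$b|$(atime_of "$b")
"
    done
    gone=1; i=0
    while [ "$i" -lt "$count" ]; do
        snapshot "$uid" "$log"
        if [ ! -d "$dir" ]; then
            echo "GONE $dir at $(date '+%H:%M:%S')" >> "$log"
            gone=0
            break
        fi
        i=$((i + 1))
        sleep "$interval"
    done
    for b in "$@"; do
        old=$(printf '%s' "$before" | awk -F'|' -v b="$b" '$1 == b {print $2}')
        new=$(atime_of "$b")
        [ "$old" = "$new" ] || echo "ATIME-CHANGED $b: $old -> $new" >> "$log"
    done
    return "$gone"
}
```

Started shortly before the expected deletion time with the candidate binaries listed (for instance /usr/bin/rm), the log then holds the process listings leading up to the GONE line and any ATIME-CHANGED lines to narrow down the program used.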