  1. #1
    frosco (SitePoint Zealot)

    Finding Who Deleted Files

    One of my sites had the entire public_html folder deleted. I can't figure out (or remember) how to find the IP of the person or entity who deleted it. The FTP log doesn't look suspicious at all.

    I have shell access, but don't know bash commands all that well.

    Thank you!

  2. #2
    It's most likely to be FTP, so I'd go over that in further detail. Worth checking your http logs for unusual behaviour targeting web applications that have the capability to modify files, and your /var/log/secure for shell access (though if somebody is using your shell illicitly, chances are they could cover their tracks by altering logs).

  3. #3
    Ask your web host; they should be able to tell you the location of the logs which EastCoast referenced.

    Assuming you know the approximate time, you should be able to see the HTTP request the hacker used to delete your public_html folder (assuming they have not altered the logs).

  4. #4
    Unless you have already been auditing object access, you may not be able to see who deleted this folder. You should implement it so you can trace future deletions.

    Also, if your server is running 2003, you should try to restore from Volume Shadow Services.

  5. #5
    mmj
    I would go through /var/logs/auth.log if you have access to it. Not sure if all OSes store their login logs there, but Ubuntu and Debian sure do.

    It stores logins not just for FTP but for anything - including SSH, Telnet (if you have it), etc.

    If you don't have access to this kind of thing, then all this is really your host's responsibility I'd say...

    When I was recently investigating a site that got hacked (not my site), this at least allowed me to find out which user account they had logged in as in order to gain access, and which IP address they came from.

    If they logged in as you though, it's going to be virtually impossible to tell them and you apart unless you can figure it out from the dates and times.

  6. #6
    /var/log/messages documents all ftp actions as far as I know.
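
The login review suggested in the replies above, narrowed to the approximate time of the deletion, can be scripted as follows. This is an added example, not code from any poster: it assumes OpenSSH's standard "Accepted ... for USER from IP" syslog message, the sample lines, user name and addresses are constructed, and FTP daemons log in their own formats that this does not parse. The log usually lives at /var/log/auth.log on Debian and Ubuntu, or /var/log/secure as named earlier in the thread.

```bash
#!/bin/sh
# Added example (not from the thread): pull successful SSH logins out of a
# syslog-format auth log and restrict them to a time window on one day.

# Constructed sample lines; user, host and addresses are made up
# (addresses come from the reserved documentation ranges).
sample_auth_log() {
cat <<'EOF'
Mar 14 01:02:11 web1 sshd[2101]: Accepted publickey for siteuser from 198.51.100.7 port 50122 ssh2
Mar 14 02:09:48 web1 sshd[2188]: Failed password for siteuser from 203.0.113.45 port 41820 ssh2
Mar 14 02:10:03 web1 sshd[2188]: Accepted password for siteuser from 203.0.113.45 port 41820 ssh2
Mar 14 02:31:27 web1 sshd[2240]: Failed password for invalid user admin from 192.0.2.99 port 60001 ssh2
Mar 15 02:15:00 web1 sshd[2301]: Accepted password for siteuser from 198.51.100.7 port 50999 ssh2
EOF
}

# accepted_logins MONTH DAY START END [FILE]
# Prints "HH:MM:SS user ip method" per accepted login; reads stdin if no FILE.
# Times are compared as fixed-width HH:MM:SS strings, so keep leading zeros.
accepted_logins() {
    awk -v mon="$1" -v day="$2" -v s="$3" -v e="$4" '
        $1 == mon && $2 == day && $3 >= s && $3 <= e &&
        $5 ~ /^sshd\[/ && $6 == "Accepted" {
            # Accepted <method> for <user> from <ip> port <n> ssh2
            print $3, $9, $11, $7
        }' "${5:--}"
}

# logins_by_source: same arguments; prints "count user ip" per source,
# which makes an unfamiliar address on a familiar account stand out.
logins_by_source() {
    accepted_logins "$@" |
        awk '{ n[$2 " " $3]++ } END { for (k in n) print n[k], k }' |
        sort -k2
}

# Demo on the constructed sample: who got in between 02:00 and 03:00 on Mar 14?
sample_auth_log | accepted_logins Mar 14 02:00:00 03:00:00
```

Against a real log, pass the file as the fifth argument, for example `accepted_logins Mar 14 02:00:00 03:00:00 /var/log/auth.log`.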

