Finding Who Deleted Files

One of my sites had the entire public_html folder deleted. I can’t figure (or remember) how to find the IP of the person or entity who deleted. FTP log doesn’t look suspicious at all.

I have shell access, but don’t know bash commands all that well.

Thank you!

It’s most likely to be FTP, so I’d go over that in further detail. Worth checking your HTTP logs for unusual behaviour targeting web applications that have the capability to modify files, and your /var/log/secure for shell access (though if somebody is using your shell illicitly, chances are they could cover their tracks by altering logs).

Ask your web host; they should be able to tell you the location of the logs which EastCoast referenced.

Assuming you know the approximate time, you should be able to see the HTTP request the hacker used to delete your public_html folder (assuming they have not altered the logs).

Unless you have already been auditing object access, you may not be able to see who deleted this folder. You should implement it so you can trace future deletions.

Also, if your server is running 2003, you should try to restore from Volume Shadow Services.

I would go through /var/logs/auth.log if you have access to it. Not sure if all OSes store their login logs there, but Ubuntu and Debian sure do.

It stores logins not just for FTP but for anything - including SSH, Telnet (if you have it), etc.

If you don’t have access to this kind of thing, then all this is really your host’s responsibility I’d say…

When I recently was investigating a site that got hacked (not my site) this at least allowed me to find out which user account they had logged in as in order to gain access, and which IP address they came from.

If they logged in as you though, it’s going to be virtually impossible to tell them and you apart unless you can figure it out from the dates and times.
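An added example (not from any poster in this thread) of the kind of log review described above: a few POSIX shell functions that pull accepted logins, their source IPs and a time window out of an auth.log-style file. The log lines it writes are constructed samples in the standard sshd/pam syslog format, and the file path, function names and the 01:00–01:30 window are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: summarise accepted logins from an auth.log-style file so the
# account and source IP used around the time of the deletion can be found.

# Write a small constructed auth.log (sample lines, not real data) so the
# functions below can be run offline.
make_sample_log() {
  cat > "$1" <<'EOF'
Mar  3 01:12:07 web1 sshd[2211]: Failed password for root from 203.0.113.9 port 41022 ssh2
Mar  3 01:12:09 web1 sshd[2211]: Failed password for root from 203.0.113.9 port 41022 ssh2
Mar  3 01:13:40 web1 sshd[2240]: Accepted password for deploy from 203.0.113.9 port 41100 ssh2
Mar  3 02:05:11 web1 sshd[2302]: Accepted publickey for alice from 198.51.100.4 port 50211 ssh2
Mar  3 02:06:00 web1 vsftpd[2310]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=bob rhost=203.0.113.9
EOF
}

# Every accepted sshd login as "user ip", one per line.
accepted_logins() {
  grep 'sshd\[[0-9]*\]: Accepted ' "$1" \
    | awk '{ for (i=1;i<=NF;i++) if ($i=="for") u=$(i+1); else if ($i=="from") h=$(i+1); print u, h }'
}

# Accepted logins between two clock times (HH:MM:SS) on the same day, which is
# the window to look at once the approximate deletion time is known.
logins_between() {
  awk -v s="$2" -v e="$3" '/sshd\[[0-9]*\]: Accepted / && $3 >= s && $3 <= e {
    for (i=1;i<=NF;i++) if ($i=="for") u=$(i+1); else if ($i=="from") h=$(i+1)
    print $3, u, h }' "$1"
}

# Failed password attempts per source IP, most frequent first; an IP that
# fails repeatedly and then appears in accepted_logins is worth a closer look.
failed_by_ip() {
  grep 'Failed password' "$1" \
    | awk '{ for (i=1;i<=NF;i++) if ($i=="from") print $(i+1) }' \
    | sort | uniq -c | sort -rn
}

# Usage on a real host would be e.g.: accepted_logins /var/log/auth.log
LOG=$(mktemp)
make_sample_log "$LOG"
accepted_logins "$LOG"
logins_between "$LOG" 01:00:00 01:30:00
failed_by_ip "$LOG"
rm -f "$LOG"
```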

/var/log/messages documents all ftp actions as far as I know.