It appears someone got in our server and modified some file permissions. I’d like to know if there’s a way for me to determine what was changed. I’ve been through /var/log/*.log and am not seeing any evidence of anything changing. A random js file was changed and started throwing a permission denied error. I’m trying to find where that was changed, and by whom. The individual server logs for users are not showing any changes to that file that would’ve caused the error.
Unless you had something like AIDE or [url=http://www.tripwire.com/]Tripwire[/url] that monitors filesystem activity, it’s unlikely you’re going to be able to find out.
Are you able to see any activity from Apache error logs for the user hosting that JS file?
Everything is owned by root. When we edit files on the server we stick with strictly sudoing things. Is this a bad practice? Is there a better route to take?
Are logs kept for what root does?
/root/.bash_history is the log for commands issued as root.
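As an added example (not part of the thread and not AIDE's or Tripwire's own code), the kind of baseline the reply about AIDE and Tripwire refers to can be sketched in shell: record mode, owner, group and a SHA-256 hash per file, then compare later. It assumes GNU `stat` and `sha256sum`; the function names and the paths in the usage comment are hypothetical. It reports what changed, not who changed it.

```shell
#!/bin/sh
# Added example: a minimal permission/content baseline, in the spirit of AIDE.
# Assumes GNU stat and sha256sum; paths containing newlines are not supported.

# snapshot DIR: print "mode owner group sha256 path" for each regular file.
snapshot() {
    find "$1" -xdev -type f -exec sh -c '
        for f do
            printf "%s %s %s\n" "$(stat -c "%a %U %G" -- "$f")" \
                "$(sha256sum -- "$f" | cut -d" " -f1)" "$f"
        done' sh {} +
}

# compare BASELINE DIR: report drift since the baseline was taken.
# Returns 0 when nothing changed, 1 when any line is reported.
compare() {
    cmp_now=$(mktemp) || return 2
    cmp_rc=0
    snapshot "$2" > "$cmp_now"
    awk '
        { path = $0; sub(/^[^ ]+ [^ ]+ [^ ]+ [^ ]+ /, "", path)
          meta = $1 " " $2 " " $3; hash = $4 }
        FILENAME == ARGV[1] { m[path] = meta; h[path] = hash; next }
        { seen[path] = 1
          if (!(path in m)) { print "ADDED   " path; bad = 1; next }
          if (m[path] != meta) {
              print "PERMS   " path " (" m[path] " -> " meta ")"; bad = 1 }
          if (h[path] != hash) { print "CONTENT " path; bad = 1 } }
        END { for (p in m) if (!(p in seen)) { print "REMOVED " p; bad = 1 }
              exit bad + 0 }
    ' "$1" "$cmp_now" || cmp_rc=1
    rm -f "$cmp_now"
    return "$cmp_rc"
}

# Usage (keep the baseline where the web server user cannot write):
#   snapshot /var/www > /root/www.baseline
#   compare /root/www.baseline /var/www
```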