We have a Linux server in our lab which is shared among a number of developers. Server credentials (NOT root) are known to all and they log in using SSH. Now, when I logged in today I just realized that someone has deleted the folder I was working on. It was there till yesterday EOD but has gone now. How can I know who deleted my folder?
**EDIT:**

I have just discovered the `last` command with some greps. It gives a list of IPs from where a user logged in, that is great information, however it doesn't solve my purpose completely. I just want to know who deleted my folder. I just want to know if someone is willingly doing it, since it has happened before also and restoring everything every time is just frustrating.
You can't. If you are the administrator of the machine, you could enable auditing functionality, but this doesn't help for past events.
Get your backups. And talk to your admin to get a good permission system and/or auditing in place.
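The auditing this answer refers to, shown as an added example that is not part of the original answer: the rule an administrator would load so that future deletions are recorded, and a small parser that pulls the actor out of the resulting audit records. It assumes auditd is installed and the rule is loaded as root; the directory `/srv/shared` and the key name `shared-dir` are placeholders chosen for this example, and the audit records fed to the parser are constructed, not captured.

```shell
# Added example (not from the answer above): the auditing the answer refers
# to, and how its records identify who removed a path. Assumptions: auditd is
# installed and the rule is loaded by root; /srv/shared and the key name
# "shared-dir" are placeholders chosen for this example.

# The rule an administrator would load. -w watches the path, -p wa records
# write and attribute-change events (removing an entry is a write to the
# directory), -k tags the records so `ausearch -k shared-dir` finds them.
audit_rule() {
    printf '%s\n' "auditctl -w /srv/shared -p wa -k shared-dir"
}

# Constructed records in the shape auditd writes to /var/log/audit/audit.log
# (field layout as the audit project documents it; every value is made up).
sample_records() {
    cat <<'EOF'
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55d0 a2=200 a3=0 items=2 ppid=2000 pid=2001 auid=1001 uid=1001 gid=1001 euid=1001 comm="rm" exe="/usr/bin/rm" key="shared-dir"
type=CWD msg=audit(1700000000.123:456): cwd="/srv/shared"
type=PATH msg=audit(1700000000.123:456): item=0 name="/srv/shared" inode=100 dev=08:01 mode=040775 ouid=0 ogid=1000 nametype=PARENT
type=PATH msg=audit(1700000000.123:456): item=1 name="/srv/shared/project" inode=101 dev=08:01 mode=040775 ouid=1002 ogid=1000 nametype=DELETE
EOF
}

# Reads raw audit records on stdin and prints "epoch auid uid exe path" for
# every deleted path. The SYSCALL record names the actor: auid is the login
# identity, which survives su/sudo, so the record still maps back to whoever
# authenticated (if everyone uses one shared account, auid is that account,
# and only `last` style login data can narrow it down). The PATH record with
# nametype=DELETE names what was removed; both share the msg=audit(...) id.
who_deleted() {
    awk '
    match($0, /msg=audit\([0-9.]+:[0-9]+\)/) {
        id = substr($0, RSTART + 10, RLENGTH - 11)   # e.g. 1700000000.123:456
    }
    /^type=SYSCALL/ {
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n != 2) continue
            gsub(/"/, "", kv[2])
            if (kv[1] == "auid") auid[id] = kv[2]
            if (kv[1] == "uid")  uid[id]  = kv[2]
            if (kv[1] == "exe")  exe[id]  = kv[2]
        }
        split(id, t, ":"); when[id] = t[1]
    }
    /^type=PATH/ && /nametype=DELETE/ {
        match($0, /name="[^"]*"/)
        path = substr($0, RSTART + 6, RLENGTH - 7)
        print when[id], auid[id], uid[id], exe[id], path
    }'
}

# Demo run on the constructed records.
sample_records | who_deleted
```

As the answer says, this only helps for events after the rule is in place; nothing here reconstructs a deletion that happened before auditing was enabled. In practice the records come from `ausearch -k shared-dir --raw` rather than a here-document, and the epoch in the first column is what you line up against the login times from `last`.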
I'm not sure if it is 100% possible, but I would try to recover the deletion time from the filesystem journal or even the whole folder from the filesystem (especially if the filesystem is ext4). Then you could compare the deletion time with the output of 'last'. Unfortunately, I have only a very basic idea how to do it, so please check the possibility by yourself. A good start could be:
http://spin.atomicobject.com/2012/06/29/restoring-deleted-files-from-the-ext3-journal/

http://www.linuxjournal.com/content/hack-and-forensics-ext4
Maybe it could be possible to see the exact time of file deletion from the journal.
However, no matter if such forensics is possible or not, the whole situation seems strange to me. I would recommend the following:
There's no completely foolproof way of figuring this out, since there are many mechanisms by which files can be deleted, and there is no log of all file operations.
Assuming he deleted the folder from the shell, you may be able to grep through the history files (/home/*/.*history) and see if you find anything. This will contain a list of commands issued through the shell.
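The history search this answer suggests, as an added example that is not part of the original answer: it walks every `.*history` file under a home root, reports commands that could have removed the named folder, and carries along the `#<epoch>` timestamp line that bash writes before each command when `HISTTIMEFORMAT` is set, so a hit can be lined up with `last`. The home root, the user names and the history contents are constructed for the demo; on the real server the root would be `/home`.

```shell
# Added example (not from the answer above). Searches shell history files for
# commands that could have removed a folder. The users, paths and history
# contents below are constructed for the demo; on a real server the home
# root would be /home and reading other users' history needs root.

# Usage: history_hits HOME_ROOT FOLDER_NAME
# Prints "user<TAB>epoch-or-?<TAB>command" for each matching command. The
# epoch comes from the "#<epoch>" line bash writes before each entry when
# HISTTIMEFORMAT is set; "?" means the history carries no timestamps.
history_hits() {
    root=$1; name=$2
    for f in "$root"/*/.*history; do
        [ -f "$f" ] || continue
        user=$(basename "$(dirname "$f")")
        awk -v user="$user" -v name="$name" '
        /^#[0-9]+$/ { stamp = substr($0, 2); next }
        index($0, name) && ($1 == "rm" || $1 == "rmdir" || /\| *xargs +rm/ || /find .*-delete/) {
            print user "\t" (stamp == "" ? "?" : stamp) "\t" $0
        }
        { stamp = "" }
        ' "$f"
    done
}

# Builds a throwaway home root with two constructed history files: one user
# without timestamps, one with HISTTIMEFORMAT-style "#<epoch>" lines.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/alice" "$d/bob"
    printf '%s\n' 'ls -la' 'cd /srv/shared' 'rm -rf project' > "$d/alice/.bash_history"
    printf '%s\n' '#1700000000' 'vim notes.txt' '#1700000100' 'rm -rf /srv/shared/project' > "$d/bob/.bash_history"
    printf '%s\n' "$d"
}

# Demo run; prints one line per suspicious command, then cleans up.
demo=$(make_demo)
history_hits "$demo" project
rm -rf "$demo"
```

Treat a hit as a lead, not proof: history is only written when a shell exits cleanly, the user can shrink or unset `HISTFILE`, and the file is plain text anyone with the account can edit. A deletion through an editor, a file manager, `scp`, or a script run from another directory leaves no `rm` line at all, which is why the other answers point at auditing going forward.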