Saturday, January 29, 2011

How can I recover my /root directory and find out who deleted it?

I have a CentOS 4 Linux server; three people have the root password, including me.

When I logged on the server and switched to root today, I found that the directory /root has gone...

How can I recover my /root directory and find out who deleted it? Is there any way that I can know who logged on the server and every change they made?

Thanks for any response.

  • recovery: I have no idea, sorry. You can assume I made some snippy comment about how you should have backups ;)

    who dun it: Assuming everyone is accessing the machine remotely (preferably via ssh) then last should tell you the IP address and username of the last people to log on.

    misc: When you say 3 people have the root password: could I recommend (if you aren't already doing so) that you set PermitRootLogin no in the sshd.conf file and just make sure these 'admins' ssh as their own account and then use su. This gives you both another layer of security as well as some more logging info (rather than just the IP address 'root' connected from, you'd see Jon ssh into the server and then take root privileges).

    bluesea007 : Thanks a lot for your advice. Another question is that: I found that two people logged on the server yesterday; however, how can I discover who deleted the directory and what commands they had run? Is there any log I can check for that? Thanks :)
    Kiwi : I don't think you can if they were logged on as root. If they were logged on as a regular user you could just check their .bash_history (home folder).
    Bart Silverstrim : If people were logged in as root, all you can trace it back to is "root did it". Unless you use lastlog and last to try narrowing down the time they were logged in, then cross-reference it with the logs in /var/log saying what IP people logged in from (if from SSH) to try narrowing it down from that to what domain they were logging in from. Generally, if you're sharing admin privs with others, you should consider a secure secondary logging server to which logs are echoed, since an admin can easily doctor or alter records on the local machine once "owned".
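The cross-referencing Bart describes, as an added shell example (not code from any of the answers above): it takes auth-log lines in the format CentOS writes to /var/log/secure and reports which ssh logins were accepted, and which accounts ran su to root, inside a time window. The window is an assumption you supply; one place to get it is the parent directory's timestamp, since removing an entry from / updates the mtime of / (`stat -c '%y' /`), as long as nothing else has changed that directory since. The log lines, host name and addresses below are constructed for the example; set SECURE_LOG=/var/log/secure to run it against a real log.

```shell
#!/bin/sh
# Constructed sample of /var/log/secure lines (sshd and su via pam_unix); not a real capture.
SAMPLE_SECURE='Jan 28 09:15:02 box sshd[2101]: Accepted password for root from 192.0.2.10 port 51022 ssh2
Jan 28 09:15:02 box sshd[2101]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 28 11:40:17 box sshd[2101]: pam_unix(sshd:session): session closed for user root
Jan 28 13:02:45 box sshd[2377]: Accepted publickey for jon from 198.51.100.7 port 40112 ssh2
Jan 28 13:02:45 box sshd[2377]: pam_unix(sshd:session): session opened for user jon by (uid=0)
Jan 28 13:05:10 box su: pam_unix(su:session): session opened for user root by jon(uid=500)
Jan 28 14:30:00 box su: pam_unix(su:session): session closed for user root
Jan 28 14:31:02 box sshd[2377]: pam_unix(sshd:session): session closed for user jon
Jan 28 16:00:00 box sshd[2590]: Accepted password for root from 203.0.113.9 port 33001 ssh2
Jan 28 16:00:00 box sshd[2590]: pam_unix(sshd:session): session opened for user root by (uid=0)'

# Source of log lines: the real file when SECURE_LOG is set (e.g. /var/log/secure), else the sample.
auth_lines() {
    if [ -n "${SECURE_LOG:-}" ]; then cat "$SECURE_LOG"; else printf '%s\n' "$SAMPLE_SECURE"; fi
}

# sshd logins accepted inside a window: $1 = "Mon DD", $2 = start HH:MM:SS, $3 = end HH:MM:SS.
# Prints one "user from address" line per login. syslog times are zero-padded, so plain
# string comparison orders them correctly within one day.
accepted_between() {
    auth_lines | awk -v d="$1" -v s="$2" -v e="$3" '
        ($1 " " $2) == d && $3 >= s && $3 <= e && /sshd\[[0-9]+\]: Accepted / {
            # pick the words after "for" (user) and "from" (source address)
            for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i + 1); if ($i == "from") a = $(i + 1) }
            print u " from " a
        }'
}

# su sessions that became root inside the window; prints the account that ran su.
su_to_root_between() {
    auth_lines | awk -v d="$1" -v s="$2" -v e="$3" '
        ($1 " " $2) == d && $3 >= s && $3 <= e && /su.*session opened for user root by / {
            who = $NF                # last word is e.g. "jon(uid=500)"
            sub(/\(.*$/, "", who)    # strip the "(uid=NNN)" suffix
            print who
        }'
}

# Usage: suspects "Jan 28" 12:00:00 15:00:00
suspects() {
    echo "ssh logins accepted in window:"; accepted_between "$@"
    echo "su to root in window:";          su_to_root_between "$@"
}
```

On the sample, a window of 12:00 to 15:00 on Jan 28 names only jon (ssh from 198.51.100.7, then su to root); the two direct root logins fall outside it. A direct root login, as the answer says, only ever resolves to an address, which is the reason for having people log in as themselves and su.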
  • Ask them. If they can't be trusted to answer questions about what they've done on the machine, they can't be trusted with root access.

    MidnighToker : +1 - either that, or they are completely trustworthy, just incredibly inept.
    womble : If they're inept they can't be trusted with root, *either*.
    From womble
  • For recovery try TestDisk

    From adopilot
  • Just to be sure, check 'mount' and make sure someone didn't mount an empty directory over the real one.

    From gbarry
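The check gbarry suggests, as an added shell example (not code from the answer): it reads /proc/mounts-style lines and reports whether anything is mounted exactly on a given path, which is how an empty filesystem mounted over /root would hide the real directory without deleting it. The mount table below is constructed for the example; set MOUNTS_FILE=/proc/mounts to check a live host.

```shell
#!/bin/sh
# Constructed /proc/mounts-style sample (device, mountpoint, type, options, dump, pass).
# Here a tmpfs is mounted on /root, hiding whatever the root filesystem holds underneath.
SAMPLE_MOUNTS='/dev/sda2 / ext3 rw 0 0
proc /proc proc rw 0 0
/dev/sda1 /boot ext3 rw 0 0
tmpfs /root tmpfs rw 0 0'

# Mount table source: the real file when MOUNTS_FILE is set (e.g. /proc/mounts), else the sample.
mount_lines() {
    if [ -n "${MOUNTS_FILE:-}" ]; then cat "$MOUNTS_FILE"; else printf '%s\n' "$SAMPLE_MOUNTS"; fi
}

# Print "device type" of whatever is mounted exactly on the given path; prints nothing otherwise.
mounted_on() {
    mount_lines | awk -v p="$1" '$2 == p { print $1 " " $3 }'
}

# Succeeds (exit 0) when the path is a mountpoint, so a caller can branch on it.
is_mountpoint() {
    [ -n "$(mounted_on "$1")" ]
}

# Usage: check_hidden /root
check_hidden() {
    if is_mountpoint "$1"; then
        echo "$1 has $(mounted_on "$1") mounted on it; the original directory may be underneath"
    else
        echo "$1 is not a mountpoint"
    fi
}
```

If the check does report a mount on /root, unmounting it (`umount /root`) exposes the underlying directory again; if it reports nothing, the directory really was removed and the recovery and logging advice in the other answers applies.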
  • If there are more people knowing the root password, that still doesn't mean that it was one of them. If your server is exposed to the Internet and is not updated with security patches, it could have been owned.

    A good practice for debugging such issues is to set up remote logging. If an attacker gains control and does bad things, he can't wipe the logs to cover himself, because they aren't stored on the same computer.

    From Anonymous
