Linux - General
This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.
I'm currently looking into a problem where files are missing on a server. This is a shared system with four users and after a couple months of operation, it was discovered that files were missing.
The files in particular are the database files for PostgreSQL and the files for a Java SDK. They're owned by the postgres user and root respectively. Though that may not be important, as I'm just wondering how I can pinpoint what happened.
Besides reviewing history for all the users, including root, and checking the system messages /var/log/messages, I don't know where else to determine what happened to the missing files. What complicates this investigation further is that the system messages do not go far back enough.
So my question is really, are there any other places that I can look to find out what happened to these files? I would be very grateful for any suggestions.
Well, if the logs don't reach back far enough, and the users' history files aren't conclusive, there's not much you can do unless you have tripwire or some other file-system monitor set up and are actually monitoring the disappearance of given files.
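As an added illustration of the "file-system monitor" idea in the reply above (this is example code, not from the thread and not tripwire itself), the script below records a SHA-256 baseline of every regular file under a directory and later reports which files went missing, changed or appeared. The directory layout and file contents in `demo` are constructed for the demonstration; paths with spaces are not handled.

```shell
#!/bin/sh
# Added example: a minimal tripwire-style baseline and comparison.
# Assumes sha256sum, find, awk and mktemp (coreutils/POSIX tools).

# Write "hash  ./relative-path" for every regular file under $1 into $2.
make_baseline() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$out"
}

# Compare directory $1 against baseline file $2 and print one finding per line:
#   MISSING <path>   recorded in the baseline but no longer present
#   CHANGED <path>   still present but its hash differs
#   NEW     <path>   present now but absent from the baseline
# Exit status 0 when the tree matches the baseline exactly, 1 otherwise.
check_baseline() {
    dir=$1; base=$2
    cur=$(mktemp)
    make_baseline "$dir" "$cur"
    # First pass (NR==FNR) loads the baseline; second pass walks the current state.
    findings=$(awk 'NR==FNR { old[$2] = $1; next }
        { seen[$2] = 1
          if (!($2 in old))        print "NEW     " $2
          else if (old[$2] != $1)  print "CHANGED " $2 }
        END { for (p in old) if (!(p in seen)) print "MISSING " p }' \
        "$base" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# Constructed scenario mirroring the thread: a baseline is taken, then one file
# vanishes, one is modified and one stray file appears. Prints the report and
# returns check_baseline's status (1, because the tree no longer matches).
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/data/base" "$work/data/lib"
    printf 'control data\n' > "$work/data/base/pg_control"     # constructed
    printf 'jar contents\n' > "$work/data/lib/tools.jar"        # constructed
    printf 'settings\n'     > "$work/data/postgresql.conf"      # constructed
    make_baseline "$work/data" "$work/baseline.sha256"

    rm "$work/data/lib/tools.jar"                               # file disappears
    printf 'tampered\n' >> "$work/data/postgresql.conf"         # file changes
    printf 'x\n' > "$work/data/base/stray"                      # file appears

    check_baseline "$work/data" "$work/baseline.sha256"
    rc=$?
    rm -rf "$work"
    return $rc
}

demo
```

In practice the baseline file must live somewhere the monitored users cannot write (or be signed), and the comparison must run on a schedule that is shorter than the time you are willing to lose; a baseline taken after the files vanished, as in the thread, shows nothing.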
If you know the names of the missing files you could always use slocate to build a file database and then search for them. I don't know why they would change their location but it's worth a shot.
Thanks, but I already tried that. However, I used locate, not slocate. Do you think slocate will reveal anything that locate wouldn't?
The question is how did these files get moved or deleted (seems more like the latter)? After spending a couple of hours taking a look at all the logs, I can't find anything suspicious either. Of course there was no audit system, so who knows if someone just did a really good job covering their tracks.
I don't think I'm going to be able to figure this one out since the back-up was not set up properly and so I don't have that either. This is certainly a lesson learned.
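The audit system the poster says was not in place: as an added example (not from the thread), these are Linux auditd rules of the kind that would have recorded which login and process removed or renamed files under the PostgreSQL data directory and the JDK tree. The two directory paths are placeholders; adjust them to the real locations.

```conf
# /etc/audit/rules.d/missing-files.rules   (added example; paths are placeholders)

# Watch the two trees for writes and attribute changes; matching events are
# tagged with a key so they can be pulled out later with ausearch.
-w /var/lib/pgsql -p wa -k pgdata
-w /opt/jdk       -p wa -k jdk

# Log every unlink/rename by ordinary logged-in users and by root. auid is the
# original login uid and survives su/sudo, so it names the person, not the
# effective account. On a 32-bit system add the same lines with arch=b32.
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -k file_delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid=0 -k file_delete
```

After loading the rules (`augenrules --load` or `auditctl -R`), `ausearch -k file_delete -i` lists each deletion with the auid, the executable and the path, and `ausearch -k pgdata -i` does the same for anything touching the data directory. The rules only help for events that happen after they are loaded; like the logs discussed in the thread, they record nothing retroactively, so the audit log should be kept (or forwarded off the box) long enough to cover the interval between an incident and its discovery.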
slocate has no more functionality in terms of locating files than locate; the main difference is that slocate will only report files back to a user that he has permissions to :}
If you're worried that the machine might have been exploited you definitely want to run "rootkit hunter" and "chkrootkit" on the box, preferably from a live CD. If you want to you could report your own thread and have it moved to Linux - Security rather than General; you may get other opinions there in regards to the exploit.