Rob*_*Rob 2 linux files filesystems logging apache-2.2
Question:
I have several missing directories on an offsite Linux/Apache server. I've tracked down about when they went missing from the httpd error logs, and I have a list of SSL logins to the machine (complete with network addresses.)
There are several individuals who have access to my account on the machine, so I am trying to confirm whether the files were removed accidentally or intentionally. If I can determine that the session came from an external network address, then I can be sure it was intentional. Otherwise I will need additional information.
QUESTION:
Is there any way to determine what user account (mine vs. root), network session, or process removed the files? I'm not worried about restoring them as backups are recent.
RELATED QUESTION:
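I have tried looking at the bash history of my own account (the only account besides root with permission), and it seems to go back only to the start of my SSL session. Does this mean the bash history was tampered with, or is this normal behavior?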
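By default, this is not logged (imagine how big the logs would be). You can add logging with auditctl or inotify/iwatch (interesting options, take a look at them), or your control panel logging or ftp logs (usually all somewhere in /var/log) or bash history may help you trace it a little. Check your HTTP access logs in case some GET request managed to do this (unlikely, but possible).
If your history is not there, then it has been cleared. This can be done manually, or by commands in a .bash_logout or .logout file.
Also, it's SSH and not SSL :)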
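The auditctl route mentioned in the answer, as an added example that is not part of the original post: once a watch is loaded, each deletion's audit records carry the login uid (`auid`, which survives su/sudo), the effective uid, the executable and the session id, and the session id can be joined to the sshd login record's source address. The key name `webroot-delete`, the `/var/www` path and all log lines below are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed records in raw /var/log/audit/audit.log format (not from the page).
# Assumes a watch was loaded before the incident, with a hypothetical key name:
#   auditctl -w /var/www -p wa -k webroot-delete
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1700000000.100:410): pid=2101 uid=0 auid=1001 ses=7 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=? addr=203.0.113.45 terminal=ssh res=success'
type=SYSCALL msg=audit(1700000300.500:512): arch=c000003e syscall=263 success=yes exit=0 items=2 ppid=2105 pid=2190 auid=1001 uid=0 euid=0 tty=pts0 ses=7 comm="rm" exe="/usr/bin/rm" key="webroot-delete"
type=PATH msg=audit(1700000300.500:512): item=1 name="/var/www/html/uploads" inode=1234 nametype=DELETE
type=SYSCALL msg=audit(1700000900.000:640): arch=c000003e syscall=84 success=yes exit=0 items=2 ppid=1 pid=3301 auid=4294967295 uid=48 euid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" key="webroot-delete"
type=PATH msg=audit(1700000900.000:640): item=1 name="/var/www/html/cache" inode=1300 nametype=DELETE
"""

HEAD = re.compile(r"type=(\S+) msg=audit\([\d.]+:(\d+)\):")
FIELD = re.compile(r"(\w+)=(\"[^\"]*\"|\S+)")
UNSET = "4294967295"  # auid/ses value when the process has no login session

def attribute_deletions(log_text, key="webroot-delete"):
    """Join each DELETE path to its syscall's auid/uid/exe and the session's source."""
    logins, events = {}, defaultdict(dict)
    for line in log_text.splitlines():
        m = HEAD.match(line)
        if not m:
            continue
        rtype, serial = m.group(1), m.group(2)  # records of one event share a serial
        f = {k: v.strip("\"'") for k, v in FIELD.findall(line[m.end():])}
        if rtype == "USER_LOGIN" and f.get("res") == "success":
            logins[f["ses"]] = f.get("addr", "?")
        elif rtype == "SYSCALL" and f.get("key") == key:
            events[serial].update(f)
        elif rtype == "PATH" and f.get("nametype") == "DELETE":
            events[serial].setdefault("deleted", []).append(f["name"])
    report = []
    for ev in events.values():
        if "exe" not in ev:
            continue  # PATH record without a matching keyed SYSCALL record
        session = None if ev["ses"] == UNSET else ev["ses"]
        for path in ev.get("deleted", []):
            report.append({
                "path": path, "exe": ev["exe"],
                "login_uid": None if ev["auid"] == UNSET else ev["auid"],
                "uid": ev["uid"], "session": session,
                "source": logins.get(session, "no login record"),
            })
    return report

if __name__ == "__main__":
    print(*attribute_deletions(SAMPLE_LOG), sep="\n")
```

A row with `login_uid` set and `uid` 0 is a logged-in user acting as root; a row with no `login_uid` or session came from a daemon or other process outside any login session.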