Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

File Logs - Where do I find the logs relating to deletion of database tables?

Discussion in 'Database Discussion' started by JesseLee, Feb 23, 2011.

  1. JesseLee

    JesseLee Registered

    Joined:
    Feb 23, 2011
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    51
    Good Evening All,

    Our website/systems administrator recently decided to 'get us back' for his dismissal and consequently we found that he managed to drop one of our databases via an open (unknown to me) SSH account.

    Once I realized the database was dropped, I disabled the rouge SSH account and restored a database backup however I'm currently looking for is the logs relating to this directory "/var/lib/mysql/<mydatabase>".

    I'm aware that logs are kept for system access like SSH, but does it also keep record of deleted files? I would have normally posted this under the 'general' discussion area however since it's database specific I was hoping someone would be able to assist.

    Any information is appreciated
    Regards,
    J.
     
    #1 JesseLee, Feb 23, 2011
  2. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,563
    Likes Received:
    42
    Trophy Points:
    308
    cPanel Access Level:
    Root Administrator
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 cPanelKenneth, Feb 28, 2011
  3. JesseLee

    JesseLee Registered

    Joined:
    Feb 23, 2011
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    51
    Thank you Kenneth,

    I'm actually looking for the logs pertaining to file deletions of the path to the SQL databases (File System)
    If I was unclear, please let me know - Newbie to WHM.

    Regards,
    J.
     
    #3 JesseLee, Mar 3, 2011
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,608
    Likes Received:
    32
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    If the file was deleted in SSH, then you'll have to check .bash_history for the users on the system, which doesn't normally even have time stamps:

    Code:
    grep databasename /root/.bash_history /home/*/.bash_history
    I'm uncertain how else it could be deleted other than SSH, MySQL command line or PhpMyAdmin, and if the person did an su - to root level, which is required to even get to /var/lib/mysql location for SSH, you aren't going to get much detail. You can always go through the .bash_history file where you find the entry to see what other commands were processed around that time, provided the person didn't clear the history to cover their tracks.

    For MySQL command line or PHPMyAdmin commands, you can check /root/.mysql_history file to see if there are any indications in the file for a table or database being dropped.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 cPanelTristan, Mar 3, 2011
  5. JesseLee

    JesseLee Registered

    Joined:
    Feb 23, 2011
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    51
    Thanks for that Tristan,

    The 'user' did have root access, taking out the tables from the database via the File System appeared to be what happened. I can see the bash history (provided by your command) only lists the items post-deletion, I suppose it was wiped before he left as you mentioned.

    Code:
    
Private server.  All activity is being logged.
root@server [~]# grep mydatabasename /root/.bash_history /home/*/.bash_history
/root/.bash_history:cp -a mydatabasename.sql /home/useracc/public_html/
/root/.bash_history:chmod useracc:useracc mydatabasename.sql
/root/.bash_history:chown useracc:useracc mydatabasename.sql
/root/.bash_history:cp -a mydatabasename /home/
/root/.bash_history:cp -a mydatabasename.sql /home/useracc/
/root/.bash_history:grep /mydatabasename/ /etc/httpd/domlogs/useracctelectric.com >> sqllogs.txt
/root/.bash_history:cd mydatabasename
    Code:
    connect mydbname
connect database mydbname
open mydbname
open mydbname dir;
select database mydbname
select database mydbname
select database mydbname
use mydbname
source /home/useracc/mydbname.sql
    This was exactly what I required, thank you very much!

    Regards,
    Jesse-Lee Stringer
     
    #5 JesseLee, Mar 3, 2011
    Last edited: Mar 3, 2011
(You must log in or sign up to post here.)
Loading...
Similar Threads - File Logs Where
  1. Masimo

    Locating access logs for file on an account

    Masimo, Oct 14, 2017, in forum: General Discussion
    Replies:
    1
    Views:
    540
    cPAusaf
    Oct 14, 2017
  2. martin MHC

    Can WHM Update Logs actually show Files that have been updated

    martin MHC, Aug 31, 2017, in forum: General Discussion
    Replies:
    1
    Views:
    432
    cPanelMichael
    Aug 31, 2017
  3. Forcerdj

    Find out how file was uploaded? Which logs?

    Forcerdj, Oct 3, 2016, in forum: Security
    Replies:
    4
    Views:
    1,461
    hrace009
    Oct 24, 2016
  4. YanoLoL

    Hostname changed and cannot read license file

    YanoLoL, Sep 17, 2018 at 7:06 PM, in forum: General Discussion
    Replies:
    2
    Views:
    27
    cPanelLauren
    Sep 18, 2018 at 10:06 AM
  5. sido

    Entries in Log File Questions

    sido, Sep 16, 2018 at 6:00 AM, in forum: Security
    Replies:
    5
    Views:
    96
    cPanelMichael
    Sep 18, 2018 at 10:56 AM

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice