File Logs - Where do I find the logs relating to deletion of database tables?

Discussion in 'Database Discussions' started by JesseLee, Feb 23, 2011.

  1. JesseLee

    JesseLee Registered

    Good Evening All,

    Our website/systems administrator recently decided to 'get us back' for his dismissal and consequently we found that he managed to drop one of our databases via an open (unknown to me) SSH account.

    Once I realized the database was dropped, I disabled the rogue SSH account and restored a database backup; however, what I'm currently looking for is the logs relating to this directory: "/var/lib/mysql/<mydatabase>".

    I'm aware that logs are kept for system access like SSH, but does it also keep record of deleted files? I would have normally posted this under the 'general' discussion area however since it's database specific I was hoping someone would be able to assist.

    Any information is appreciated
    Regards,
    J.
     
  2. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

  3. JesseLee

    JesseLee Registered

    Thank you Kenneth,

    I'm actually looking for the logs pertaining to file deletions of the path to the SQL databases (File System)
    If I was unclear, please let me know - Newbie to WHM.

    Regards,
    J.
     
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    If the file was deleted in SSH, then you'll have to check .bash_history for the users on the system, which doesn't normally even have time stamps:

    Code:
    grep databasename /root/.bash_history /home/*/.bash_history
    I'm uncertain how else it could be deleted other than SSH, MySQL command line or phpMyAdmin, and if the person did an su - to root level, which is required to even get to the /var/lib/mysql location for SSH, you aren't going to get much detail. You can always go through the .bash_history file where you find the entry to see what other commands were processed around that time, provided the person didn't clear the history to cover their tracks.

    For MySQL command line or phpMyAdmin commands, you can check the /root/.mysql_history file to see if there are any indications in the file of a table or database being dropped.
     
  5. JesseLee

    JesseLee Registered

    Thanks for that Tristan,

    The 'user' did have root access; taking out the tables from the database via the File System appeared to be what happened. I can see the bash history (provided by your command) only lists the items post-deletion; I suppose it was wiped before he left, as you mentioned.

    Code:
    
    Private server.  All activity is being logged.
    root@server [~]# grep mydatabasename /root/.bash_history /home/*/.bash_history
    /root/.bash_history:cp -a mydatabasename.sql /home/useracc/public_html/
    /root/.bash_history:chmod useracc:useracc mydatabasename.sql
    /root/.bash_history:chown useracc:useracc mydatabasename.sql
    /root/.bash_history:cp -a mydatabasename /home/
    /root/.bash_history:cp -a mydatabasename.sql /home/useracc/
    /root/.bash_history:grep /mydatabasename/ /etc/httpd/domlogs/useracctelectric.com >> sqllogs.txt
    /root/.bash_history:cd mydatabasename
    
    Code:
    connect mydbname
    connect database mydbname
    open mydbname
    open mydbname dir;
    select database mydbname
    select database mydbname
    select database mydbname
    use mydbname
    source /home/useracc/mydbname.sql
    
    
    This was exactly what I required, thank you very much!

    Regards,
    Jesse-Lee Stringer
     
    #5 JesseLee, Mar 3, 2011
    Last edited: Mar 3, 2011
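
The history search from posts #4 and #5, as an added example that is not part of the original thread: a POSIX shell function that also reads the `#<epoch>` timestamp lines bash writes when HISTTIMEFORMAT is set and decodes the `\040` space encoding that libedit-built MySQL clients use in `.mysql_history`. The database name `exampledb`, the sample files and the verb list are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Usage: scan_history DBNAME FILE...
# Output, tab-separated: file, epoch-or-"-", DESTRUCTIVE-or-"-", command
scan_history() {
    db=$1; shift
    for f in "$@"; do
        [ -r "$f" ] || continue            # skip unmatched globs and unreadable files
        awk -v db="$db" -v file="$f" '
            BEGIN {
                ts = "-"; db = tolower(db)
                # heuristic: verbs that remove, move or empty data, as a whole word
                pat = "(^|[ ;|&/])(rm|unlink|shred|mv|drop|truncate)([ ;]|$)"
            }
            $0 == "_HiStOrY_V2_" { next }             # libedit header in .mysql_history
            /^#[0-9]+$/ { ts = substr($0, 2); next }  # bash epoch line (HISTTIMEFORMAT set)
            {
                line = $0
                gsub(/\\040/, " ", line)              # libedit stores spaces as \040
                low = tolower(line)
                if (index(low, db))
                    printf "%s\t%s\t%s\t%s\n", file, ts, ((low ~ pat) ? "DESTRUCTIVE" : "-"), line
                ts = "-"                              # a timestamp covers one command only
            }' "$f"
    done
}

# Constructed sample files (not the poster's real history).
make_sample() {
    d=$1
    printf '%s\n' '#1298448000' 'cd /var/lib/mysql' \
        '#1298448030' 'rm -rf /var/lib/mysql/exampledb' \
        '#1298448100' 'ls /home' > "$d/bash_history"
    printf '%s\n' '_HiStOrY_V2_' 'use\040exampledb' 'show\040tables;' \
        'drop\040table\040exampledb.orders;' > "$d/mysql_history"
    printf '%s\n' 'cp -a exampledb.sql /home/useracc/' > "$d/plain_history"
}

tmp=$(mktemp -d)
make_sample "$tmp"
scan_history exampledb "$tmp"/*_history "$tmp/missing_history"
rm -rf "$tmp"
```

On a real host the arguments would be the paths named in the thread: `/root/.bash_history /home/*/.bash_history /root/.mysql_history`. A wiped or edited history yields no rows, so an empty result does not show that nothing was run.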