Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

File Logs - Where do I find the logs relating to deletion of database tables?

Discussion in 'Database Discussions' started by JesseLee, Feb 23, 2011.

  1. JesseLee

    JesseLee Registered

    Joined:
    Feb 23, 2011
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    51
    Good Evening All,

    Our website/systems administrator recently decided to 'get us back' for his dismissal and consequently we found that he managed to drop one of our databases via an open (unknown to me) SSH account.

    Once I realized the database was dropped, I disabled the rouge SSH account and restored a database backup however I'm currently looking for is the logs relating to this directory "/var/lib/mysql/<mydatabase>".

    I'm aware that logs are kept for system access like SSH, but does it also keep record of deleted files? I would have normally posted this under the 'general' discussion area however since it's database specific I was hoping someone would be able to assist.

    Any information is appreciated
    Regards,
    J.
     
    #1 JesseLee, Feb 23, 2011
  2. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,515
    Likes Received:
    33
    Trophy Points:
    308
    cPanel Access Level:
    Root Administrator
    #2 cPanelKenneth, Feb 28, 2011
  3. JesseLee

    JesseLee Registered

    Joined:
    Feb 23, 2011
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    51
    Thank you Kenneth,

    I'm actually looking for the logs pertaining to file deletions of the path to the SQL databases (File System)
    If I was unclear, please let me know - Newbie to WHM.

    Regards,
    J.
     
    #3 JesseLee, Mar 3, 2011
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,622
    Likes Received:
    26
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    If the file was deleted in SSH, then you'll have to check .bash_history for the users on the system, which doesn't normally even have time stamps:

    Code:
    grep databasename /root/.bash_history /home/*/.bash_history
    I'm uncertain how else it could be deleted other than SSH, MySQL command line or PhpMyAdmin, and if the person did an su - to root level, which is required to even get to /var/lib/mysql location for SSH, you aren't going to get much detail. You can always go through the .bash_history file where you find the entry to see what other commands were processed around that time, provided the person didn't clear the history to cover their tracks.

    For MySQL command line or PHPMyAdmin commands, you can check /root/.mysql_history file to see if there are any indications in the file for a table or database being dropped.
     
    #4 cPanelTristan, Mar 3, 2011
  5. JesseLee

    JesseLee Registered

    Joined:
    Feb 23, 2011
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    51
    Thanks for that Tristan,

    The 'user' did have root access, taking out the tables from the database via the File System appeared to be what happened. I can see the bash history (provided by your command) only lists the items post-deletion, I suppose it was wiped before he left as you mentioned.

    Code:
    
Private server.  All activity is being logged.
root@server [~]# grep mydatabasename /root/.bash_history /home/*/.bash_history
/root/.bash_history:cp -a mydatabasename.sql /home/useracc/public_html/
/root/.bash_history:chmod useracc:useracc mydatabasename.sql
/root/.bash_history:chown useracc:useracc mydatabasename.sql
/root/.bash_history:cp -a mydatabasename /home/
/root/.bash_history:cp -a mydatabasename.sql /home/useracc/
/root/.bash_history:grep /mydatabasename/ /etc/httpd/domlogs/useracctelectric.com >> sqllogs.txt
/root/.bash_history:cd mydatabasename
    Code:
    connect mydbname
connect database mydbname
open mydbname
open mydbname dir;
select database mydbname
select database mydbname
select database mydbname
use mydbname
source /home/useracc/mydbname.sql
    This was exactly what I required, thank you very much!

    Regards,
    Jesse-Lee Stringer
     
    #5 JesseLee, Mar 3, 2011
    Last edited: Mar 3, 2011
(You must log in or sign up to post here.)
Loading...
Similar Threads - File Logs Where
  1. Masimo

    In Progress Locating access logs for file on an account

    Masimo, Oct 14, 2017 at 2:29 AM, in forum: General Discussion
    Replies:
    1
    Views:
    54
    cPAusaf
    Oct 14, 2017 at 2:56 PM
  2. martin MHC

    Can WHM Update Logs actually show Files that have been updated

    martin MHC, Aug 31, 2017, in forum: General Discussion
    Replies:
    1
    Views:
    108
    cPanelMichael
    Aug 31, 2017
  3. Forcerdj

    Find out how file was uploaded? Which logs?

    Forcerdj, Oct 3, 2016, in forum: Security
    Replies:
    4
    Views:
    714
    hrace009
    Oct 24, 2016
  4. Paul Kato

    File Manager Logs

    Paul Kato, Aug 20, 2016, in forum: General Discussion
    Replies:
    2
    Views:
    594
    cPanelMichael
    Aug 23, 2016
  5. Spork Schivago

    Very large /usr/local/cpanel/logs/access_log files

    Spork Schivago, Feb 15, 2016, in forum: General Discussion
    Replies:
    5
    Views:
    754
    Spork Schivago
    Feb 15, 2016

Share This Page