Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

File Logs - Where do I find the logs relating to deletion of database tables?

Discussion in 'Database Discussion' started by JesseLee, Feb 23, 2011.

  1. JesseLee

    JesseLee Registered

    Joined:
    Feb 23, 2011
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    51
    Good Evening All,

    Our website/systems administrator recently decided to 'get us back' for his dismissal and consequently we found that he managed to drop one of our databases via an open (unknown to me) SSH account.

    Once I realized the database was dropped, I disabled the rouge SSH account and restored a database backup however I'm currently looking for is the logs relating to this directory "/var/lib/mysql/<mydatabase>".

    I'm aware that logs are kept for system access like SSH, but does it also keep record of deleted files? I would have normally posted this under the 'general' discussion area however since it's database specific I was hoping someone would be able to assist.

    Any information is appreciated
    Regards,
    J.
     
    #1 JesseLee, Feb 23, 2011
  2. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,565
    Likes Received:
    43
    Trophy Points:
    308
    cPanel Access Level:
    Root Administrator
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 cPanelKenneth, Feb 28, 2011
  3. JesseLee

    JesseLee Registered

    Joined:
    Feb 23, 2011
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    51
    Thank you Kenneth,

    I'm actually looking for the logs pertaining to file deletions of the path to the SQL databases (File System)
    If I was unclear, please let me know - Newbie to WHM.

    Regards,
    J.
     
    #3 JesseLee, Mar 3, 2011
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,608
    Likes Received:
    32
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    If the file was deleted in SSH, then you'll have to check .bash_history for the users on the system, which doesn't normally even have time stamps:

    Code:
    grep databasename /root/.bash_history /home/*/.bash_history
    I'm uncertain how else it could be deleted other than SSH, MySQL command line or PhpMyAdmin, and if the person did an su - to root level, which is required to even get to /var/lib/mysql location for SSH, you aren't going to get much detail. You can always go through the .bash_history file where you find the entry to see what other commands were processed around that time, provided the person didn't clear the history to cover their tracks.

    For MySQL command line or PHPMyAdmin commands, you can check /root/.mysql_history file to see if there are any indications in the file for a table or database being dropped.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 cPanelTristan, Mar 3, 2011
  5. JesseLee

    JesseLee Registered

    Joined:
    Feb 23, 2011
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    51
    Thanks for that Tristan,

    The 'user' did have root access, taking out the tables from the database via the File System appeared to be what happened. I can see the bash history (provided by your command) only lists the items post-deletion, I suppose it was wiped before he left as you mentioned.

    Code:
    
Private server.  All activity is being logged.
root@server [~]# grep mydatabasename /root/.bash_history /home/*/.bash_history
/root/.bash_history:cp -a mydatabasename.sql /home/useracc/public_html/
/root/.bash_history:chmod useracc:useracc mydatabasename.sql
/root/.bash_history:chown useracc:useracc mydatabasename.sql
/root/.bash_history:cp -a mydatabasename /home/
/root/.bash_history:cp -a mydatabasename.sql /home/useracc/
/root/.bash_history:grep /mydatabasename/ /etc/httpd/domlogs/useracctelectric.com >> sqllogs.txt
/root/.bash_history:cd mydatabasename
    Code:
    connect mydbname
connect database mydbname
open mydbname
open mydbname dir;
select database mydbname
select database mydbname
select database mydbname
use mydbname
source /home/useracc/mydbname.sql
    This was exactly what I required, thank you very much!

    Regards,
    Jesse-Lee Stringer
     
    #5 JesseLee, Mar 3, 2011
    Last edited: Mar 3, 2011
(You must log in or sign up to post here.)
Loading...
Similar Threads - File Logs Where
  1. Masimo

    Locating access logs for file on an account

    Masimo, Oct 14, 2017, in forum: General Discussion
    Replies:
    1
    Views:
    748
    cPAusaf
    Oct 14, 2017
  2. martin MHC

    Can WHM Update Logs actually show Files that have been updated

    martin MHC, Aug 31, 2017, in forum: General Discussion
    Replies:
    1
    Views:
    511
    cPanelMichael
    Aug 31, 2017
  3. Nyke

    New Thread Wp-content files missing

    Nyke, Nov 19, 2018 at 10:43 AM, in forum: General Discussion
    Replies:
    0
    Views:
    10
    Nyke
    Nov 19, 2018 at 10:43 AM
  4. Sunlander

    New Thread Hide files from view in ftp but still allow scripts to process content

    Sunlander, Nov 19, 2018 at 6:33 AM, in forum: General Discussion
    Replies:
    0
    Views:
    19
    Sunlander
    Nov 19, 2018 at 6:33 AM
  5. monkeyblue

    New Thread SSL Pending Queue Error - cannot open file

    monkeyblue, Nov 19, 2018 at 3:21 AM, in forum: Security
    Replies:
    0
    Views:
    23
    monkeyblue
    Nov 19, 2018 at 3:21 AM

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice