Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

SOLVED Tracking deleted files?

Discussion in 'Security' started by Abdel24hour, Jul 9, 2019.

  1. Abdel24hour

    Abdel24hour Registered

    Joined:
    Sep 21, 2017
    Messages:
    4
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Egypt
    cPanel Access Level:
    Root Administrator
    Hello,

    I found a big directory is deleted today from my website and I saw a million logs. This directory is a WordPress and I checked cPanel, FTP, Apache, Access, Secure .. etc logs

    But what I notice that I can't figure out which IP has deleted the files. I saw a lot of logs before the directory disappeared but there are no specific words that this IP deleted this file or this directory.

    I even tried it by myself logged to cPanel and created and removed the file and I found my IP but It's all normal logs Get / .. etc

    There're no words such as " dropped, removed, deleted, .. etc" I checked also all the logs in /var/log

    I used grep, find with all options like grep -iR .. etc and filter the results.

    So any ideas how can I get accurate results?

    Thank you
     
  2. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,482
    Likes Received:
    508
    Trophy Points:
    263
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    If the files were deleted through the UI you'd be able to check this through the access logs but if the files were removed over SSH you'd want to check the bash history.

    You can run the history command and it will print the bash history of the current user from oldest to newest. It's also stored in /home/$user/.bash_history
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. Abdel24hour

    Abdel24hour Registered

    Joined:
    Sep 21, 2017
    Messages:
    4
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Egypt
    cPanel Access Level:
    Root Administrator
    Thank you, but I was asking for specific words, I checked the logs and I saw IP from other country but all the logs about GET and CSS files from file manager, how can I know which exactly files deleted ! .. cPanel doesn't give me this ability from logs ..
     
  4. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,482
    Likes Received:
    508
    Trophy Points:
    263
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Actual removals of items through the UI will show a POST request in the access logs but you won't necessarily see "removed" as an output. If the files were removed through the UI in the file manager, unless you specifically check the box they are put into a trash bin which can be found at /home/$user/.trash and it might be worth checking there as well.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    Abdel24hour likes this.
  5. Abdel24hour

    Abdel24hour Registered

    Joined:
    Sep 21, 2017
    Messages:
    4
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Egypt
    cPanel Access Level:
    Root Administrator
    That's what I was looking for " POST " .. thank you
     
    cPanelLauren likes this.
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice