SOLVED Tracking deleted files?

Abdel24hour

Registered
Sep 21, 2017
4
1
3
Egypt
cPanel Access Level
Root Administrator
Hello,

I found a big directory is deleted today from my website and I saw a million logs. This directory is a WordPress and I checked cPanel, FTP, Apache, Access, Secure .. etc logs

But what I notice that I can't figure out which IP has deleted the files. I saw a lot of logs before the directory disappeared but there are no specific words that this IP deleted this file or this directory.

I even tried it by myself logged to cPanel and created and removed the file and I found my IP but It's all normal logs Get / .. etc

There're no words such as " dropped, removed, deleted, .. etc" I checked also all the logs in /var/log

I used grep, find with all options like grep -iR .. etc and filter the results.

So any ideas how can I get accurate results?

Thank you
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
8,945
753
263
Houston
cPanel Access Level
DataCenter Provider
If the files were deleted through the UI you'd be able to check this through the access logs but if the files were removed over SSH you'd want to check the bash history.

You can run the history command and it will print the bash history of the current user from oldest to newest. It's also stored in /home/$user/.bash_history
 

Abdel24hour

Registered
Sep 21, 2017
4
1
3
Egypt
cPanel Access Level
Root Administrator
If the files were deleted through the UI you'd be able to check this through the access logs but if the files were removed over SSH you'd want to check the bash history.

You can run the history command and it will print the bash history of the current user from oldest to newest. It's also stored in /home/$user/.bash_history
Thank you, but I was asking for specific words, I checked the logs and I saw IP from other country but all the logs about GET and CSS files from file manager, how can I know which exactly files deleted ! .. cPanel doesn't give me this ability from logs ..
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
8,945
753
263
Houston
cPanel Access Level
DataCenter Provider
Actual removals of items through the UI will show a POST request in the access logs but you won't necessarily see "removed" as an output. If the files were removed through the UI in the file manager, unless you specifically check the box they are put into a trash bin which can be found at /home/$user/.trash and it might be worth checking there as well.
 
  • Like
Reactions: Abdel24hour

Abdel24hour

Registered
Sep 21, 2017
4
1
3
Egypt
cPanel Access Level
Root Administrator
Actual removals of items through the UI will show a POST request in the access logs but you won't necessarily see "removed" as an output. If the files were removed through the UI in the file manager, unless you specifically check the box they are put into a trash bin which can be found at /home/$user/.trash and it might be worth checking there as well.
That's what I was looking for " POST " .. thank you
 
  • Like
Reactions: cPanelLauren