SOLVED Tracking deleted files?

[Abdel24hour]

Hello,

I found a big directory is deleted today from my website and I saw a million logs. This directory is a WordPress and I checked cPanel, FTP, Apache, Access, Secure .. etc logs

But what I notice that I can't figure out which IP has deleted the files. I saw a lot of logs before the directory disappeared but there are no specific words that this IP deleted this file or this directory.

I even tried it by myself logged to cPanel and created and removed the file and I found my IP but It's all normal logs Get / .. etc

There're no words such as " dropped, removed, deleted, .. etc" I checked also all the logs in /var/log

I used grep, find with all options like grep -iR .. etc and filter the results.

So any ideas how can I get accurate results?

Thank you

 

[cPanelLauren]

If the files were deleted through the UI you'd be able to check this through the access logs but if the files were removed over SSH you'd want to check the bash history.

You can run the history command and it will print the bash history of the current user from oldest to newest. It's also stored in /home/$user/.bash_history

 

[Abdel24hour]

If the files were deleted through the UI you'd be able to check this through the access logs but if the files were removed over SSH you'd want to check the bash history.

You can run the history command and it will print the bash history of the current user from oldest to newest. It's also stored in /home/$user/.bash_history

Thank you, but I was asking for specific words, I checked the logs and I saw IP from other country but all the logs about GET and CSS files from file manager, how can I know which exactly files deleted ! .. cPanel doesn't give me this ability from logs ..

 

[cPanelLauren]

Actual removals of items through the UI will show a POST request in the access logs but you won't necessarily see "removed" as an output. If the files were removed through the UI in the file manager, unless you specifically check the box they are put into a trash bin which can be found at /home/$user/.trash and it might be worth checking there as well.

 

[Abdel24hour]

Actual removals of items through the UI will show a POST request in the access logs but you won't necessarily see "removed" as an output. If the files were removed through the UI in the file manager, unless you specifically check the box they are put into a trash bin which can be found at /home/$user/.trash and it might be worth checking there as well.

That's what I was looking for " POST " .. thank you