I have a CentOS 4 Linux server; three people, including me, have the root password.

When I logged on to the server and switched to root today, I found that the directory /root was gone...

How can I recover my /root directory and find out who deleted it? Is there any way I can find out who logged on to the server and every change they made?

Many thanks for any response.

  • Just to be sure, check 'mount' and make sure someone didn't mount an empty directory over the real one.
    – gbarry
    Commented Jan 5, 2010 at 7:50

5 Answers


recovery: I have no idea, sorry. You can assume I made some snippy comment about how you should have backups ;)

who dun it: Assuming everyone is accessing the machine remotely (preferably via ssh), then 'last' should tell you the IP address and username of the last people to log on.

misc: When you say 3 people have the root password: could I recommend (if you aren't already doing so) that you set PermitRootLogin no in the sshd.conf file and just make sure these 'admins' ssh in as their own account and then use su. This gives you both another layer of security and some more logging info (rather than just the IP address 'root' connected from, you'd see Jon ssh into the server and then take root privileges).

  • Thanks a lot for your advice. Another question: I found that two people logged on to the server yesterday; however, how can I discover who deleted the directory and what commands they ran? Is there any log I can check for that? Thanks :)
    – bluesea007
    Commented Jan 5, 2010 at 6:31
  • I don't think you can if they were logged on as root. If they were logged on as a regular user you could just check their .bash_history (home folder).
    – Kiwi
    Commented Jan 5, 2010 at 7:41
  • If people were logged in as root, all you can trace it back to is "root did it", unless you use lastlog and last to try narrowing down the time they were logged in, then cross-reference it with the logs in /var/log saying what IP people logged in from (if via SSH), to try narrowing it down from that to what domain they were logging in from. Generally, if you're sharing admin privileges with others, you should consider a secure secondary logging server to which logs are echoed, since an admin can easily doctor or alter records on the local machine once it's "owned".
    Commented Jan 5, 2010 at 12:45
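An added example, not part of the answer above, of what the logging difference actually looks like once admins log in as themselves and su to root, versus connecting directly as root. On CentOS 4 the relevant lines are written to /var/log/secure and the setting lives in /etc/ssh/sshd_config; every log line, host name, account name and address below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: what the logs show once admins log in as
# themselves and su to root, versus direct root logins. All log lines, host names, user
# names and addresses below are constructed; on CentOS 4 the real lines live in
# /var/log/secure and the ssh setting in /etc/ssh/sshd_config.

SECURE_SAMPLE=$(mktemp)
SSHD_SAMPLE=$(mktemp)
trap 'rm -f "$SECURE_SAMPLE" "$SSHD_SAMPLE"' EXIT

cat >"$SECURE_SAMPLE" <<'EOF'
Jan  4 21:03:11 host sshd[2451]: Accepted password for root from 192.0.2.10 port 51022 ssh2
Jan  4 22:17:40 host sshd[2612]: Accepted publickey for jon from 192.0.2.25 port 50233 ssh2
Jan  4 22:18:02 host su(pam_unix)[2640]: session opened for user root by jon(uid=500)
Jan  4 23:05:19 host sshd[2710]: Accepted password for root from 192.0.2.40 port 41870 ssh2
Jan  4 23:40:55 host sshd[2801]: Accepted password for mary from 192.0.2.77 port 60118 ssh2
Jan  4 23:41:30 host su(pam_unix)[2830]: session opened for user root by mary(uid=501)
EOF

# A commented-out default followed by the hardened setting, as an admin would leave it.
cat >"$SSHD_SAMPLE" <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
EOF

# Direct root logins: the only thing you get back is a source address.
direct_root_logins() {
    sed -n 's/.*sshd\[[0-9]*\]: Accepted [a-z]* for root from \([0-9.]*\) port .*/\1/p' "$1"
}

# Root obtained via su: a named account and a timestamp, which is exactly what a
# shared root login throws away.
su_to_root() {
    sed -n 's/^\([A-Za-z]* *[0-9]* [0-9:]*\) .*su.*: session opened for user root by \([^(]*\)(uid=[0-9]*)$/\2 \1/p' "$1"
}

# Effective PermitRootLogin value. sshd uses the first occurrence of a keyword and
# ignores later ones; the OpenSSH shipped with CentOS 4 defaults to "yes" when the
# keyword is absent. (Match blocks, which newer sshd versions add, are not handled.)
permit_root_login() {
    v=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    echo "${v:-yes}"
}

echo "direct root logins from:"; direct_root_logins "$SECURE_SAMPLE"
echo "became root via su:";      su_to_root "$SECURE_SAMPLE"
echo "PermitRootLogin is: $(permit_root_login "$SSHD_SAMPLE")"
```

Run it against the real /var/log/secure and sshd_config instead of the samples and the two lists tell you immediately whether "root" in your logs can ever be tied to a person. Note that an attacker who already has root can edit /var/log/secure, which is why the comment above about a separate logging server matters.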

Ask them. If they can't be trusted to answer questions about what they've done on the machine, they can't be trusted with root access.

  • +1 - either that, or they are completely trustworthy, just incredibly inept.
    Commented Jan 6, 2010 at 14:29
  • If they're inept they can't be trusted with root, either.
    – womble
    Commented Jan 7, 2010 at 0:08

Run this command as root:

root@host:/# grep rm /var/log/audit/audit.log

A lot of information is stored in /var/log/, and the audit log was useful to me.

  • The audit log will exist only if some software is creating it.
    – petrus
    Commented Sep 15, 2012 at 19:48
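An added example, not part of the answer or comment above, of why the audit log is worth more than a plain grep when it exists: each SYSCALL record carries an audit uid (auid), set by pam_loginuid when the login session is opened and left unchanged by su and sudo, so an rm executed as root still names the account that originally logged in. The audit.log lines, uids, account names and the "root_dir" key below are constructed; the auditctl rule is real syntax, but where the persistent rules file lives depends on the auditd version.

```shell
#!/bin/sh
# Added example, not from the original post: if auditd was running, an rm done as root
# still carries the audit uid (auid) of the account that originally logged in, because
# pam_loginuid sets auid when the session opens and su/sudo do not change it. The
# audit.log lines, uids, names and the "root_dir" key below are constructed.
#
# The watch that would produce such records (auditctl syntax; where the persistent
# rules file lives depends on the auditd version, so check your own):
#   auditctl -w /root -p wa -k root_dir

AUDIT_SAMPLE=$(mktemp)
trap 'rm -f "$AUDIT_SAMPLE"' EXIT
cat >"$AUDIT_SAMPLE" <<'EOF'
type=SYSCALL msg=audit(1262664120.301:1187): arch=40000003 syscall=40 success=yes exit=0 items=2 ppid=2640 pid=2702 auid=500 uid=0 gid=0 euid=0 tty=pts0 comm="rm" exe="/bin/rm" key="root_dir"
type=CWD msg=audit(1262664120.301:1187):  cwd="/"
type=PATH msg=audit(1262664120.301:1187): item=0 name="/root" inode=65025 dev=08:02 mode=040700 ouid=0 ogid=0
type=PATH msg=audit(1262664120.301:1187): item=1 name="/root/.bash_history" inode=65031 dev=08:02 mode=0100600 ouid=0 ogid=0
type=SYSCALL msg=audit(1262664500.118:1201): arch=40000003 syscall=5 success=yes exit=3 items=1 ppid=2830 pid=2855 auid=501 uid=0 gid=0 euid=0 tty=pts1 comm="vi" exe="/bin/vi" key="root_dir"
type=CWD msg=audit(1262664500.118:1201):  cwd="/root"
type=PATH msg=audit(1262664500.118:1201): item=0 name="/root/.bashrc" inode=65030 dev=08:02 mode=0100644 ouid=0 ogid=0
EOF

# Stand-in for the /etc/passwd lookup (constructed accounts). 4294967295 is how the
# kernel reports an unset auid: a process with no login session behind it.
auid_to_name() {
    case "$1" in
        0)          echo root ;;
        500)        echo jon ;;
        501)        echo mary ;;
        4294967295) echo unset ;;
        *)          echo "uid-$1" ;;
    esac
}

# One line per path touched by an audited rm: "<serial> <auid> <path>". The SYSCALL
# record names the command and auid; the PATH records sharing its serial name the
# files. On a live system the same question is: ausearch -k root_dir -c rm
rm_events() {
    awk '
        function serial(f,   s) { s = f; sub(/^msg=audit\([0-9.]+:/, "", s); sub(/\):$/, "", s); return s }
        $1 == "type=SYSCALL" && index($0, " comm=\"rm\" ") {
            id = serial($2)
            for (i = 1; i <= NF; i++) if ($i ~ /^auid=/) { split($i, kv, "="); auid[id] = kv[2] }
        }
        $1 == "type=PATH" && (serial($2) in auid) {
            id = serial($2)
            for (i = 1; i <= NF; i++) if ($i ~ /^name=/) { n = $i; gsub(/^name="|"$/, "", n); print id, auid[id], n }
        }' "$1"
}

# Resolve the auid so the answer reads "jon deleted /root", not just "root did it".
who_deleted() {
    rm_events "$1" | while read -r id auid path; do
        printf '%s deleted %s (auid=%s, event %s)\n' "$(auid_to_name "$auid")" "$path" "$auid" "$id"
    done
}

who_deleted "$AUDIT_SAMPLE"
```

The caveat from the comment still applies: with no auditd and no watch on /root, there is no such record to parse. And an auid of 4294967295 on the rm means the process had no login session behind it (cron, a boot-time script, or a session opened before auditd started), so nothing can be pinned on a person from that record alone.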

For recovery, try TestDisk.


If more people know the root password, that still doesn't mean it was one of them. If your server is exposed to the Internet and is not updated with security patches, it could have been owned.

A good practice for debugging such issues is to set up remote logging. If an attacker gains control and does bad things, he can't wipe the logs to cover himself, because they aren't stored on the same computer.
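An added example of the remote logging the answer above recommends, not part of the answer itself. CentOS 4 ships sysklogd, so this is sysklogd syntax (rsyslog and syslog-ng differ); loghost.example.com is a placeholder for your own log host.

```conf
# /etc/syslog.conf on the server being watched: keep the local files and also
# forward every message to the log host (sysklogd sends over UDP port 514).
*.*                                                     @loghost.example.com
# existing local rules stay in place, e.g.
authpriv.*                                              /var/log/secure

# /etc/sysconfig/syslog on the log host: accept remote messages (-r); -m 0 turns
# off the periodic "-- MARK --" lines.
SYSLOGD_OPTIONS="-r -m 0"
```

Two caveats a practitioner should keep in mind: classic syslog over UDP is neither authenticated nor encrypted, so restrict 514/udp on the log host to the sending server's address with a firewall rule; and the log host only protects the evidence if the people who share root on the watched server have no root on it.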
