rm command to remove dir, how do I check who ran that?

Status
Not open for further replies.

AIXdream

Technical User
Mar 27, 2007
33
US
Hello Guys,

I was working on an issue and found 2 directories were removed by a user with the rm command on Linux. Does anyone have any idea how we find who ran rm on the server? This caused an application and business outage. I checked /root/.bash_history and found the command rm was executed on 2 log directories under /logs. But that doesn't tell the whole story of who did it.

Any help is appreciated.

 
Uhhhh 'root' did it!

Now "who" was root is apparently your interest?

Use 'last'
Check your /var/log/secure (or similar) for attempts to issue "sudo" or "su" commands...

Keep in mind you're either looking for a sloppy/malicious known user or a cracker.

D.E.R. Management - IT Project Management Consulting
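
The log check suggested in the reply above, as an added example that is not part of the original thread: it filters an auth log for the three usual ways someone ends up running as root (`su`, `sudo`, direct SSH login). It assumes the common syslog layout of /var/log/secure; the function names `sample_secure_log` and `root_trail` are hypothetical and the log lines are constructed.

```shell
#!/bin/sh
# Added example: who obtained root, according to an auth log.
# Function names are hypothetical; the log lines below are constructed.

sample_secure_log() {
cat <<'EOF'
Mar 12 13:58:01 srv1 sshd[2211]: Accepted password for alice from 192.0.2.10 port 51234 ssh2
Mar 12 14:02:11 srv1 su: pam_unix(su-l:session): session opened for user root by alice(uid=1001)
Mar 12 14:05:42 srv1 sudo:      bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/rm -rf /logs/app1
Mar 12 14:07:03 srv1 sshd[2290]: Accepted publickey for root from 192.0.2.44 port 40022 ssh2
Mar 12 14:09:30 srv1 sshd[2301]: Failed password for root from 192.0.2.99 port 40100 ssh2
EOF
}

# root_trail [FILE...]: print "time|method|who|detail", one line per event
# in which someone ran as root. Reads stdin when no file is given.
root_trail() {
  awk '
    { ts = $1 " " $2 " " $3 }          # syslog timestamp: month day time

    # su: "... session opened for user root by alice(uid=1001)"
    $5 ~ /^su(\[[0-9]+\])?:$/ && /session opened for user root[ (]/ {
      who = $NF; sub(/\(.*/, "", who)  # strip the "(uid=...)" suffix
      if (who == "") who = $NF         # no login name recorded, keep the uid
      print ts "|su|" who "|-"; next
    }

    # sudo: "... bob : TTY=... ; USER=root ; COMMAND=/bin/rm ..."
    $5 ~ /^sudo(\[[0-9]+\])?:$/ && /USER=root / && /COMMAND=/ {
      print ts "|sudo|" $6 "|" substr($0, index($0, "COMMAND=") + 8); next
    }

    # sshd: "... Accepted <method> for root from <address> ..."
    $5 ~ /^sshd(\[[0-9]+\])?:$/ && $6 == "Accepted" && $9 == "root" {
      print ts "|ssh-" $7 "|root@" $11 "|-"
    }
  ' "$@"
}

# Demo on the constructed sample; on a real host: root_trail /var/log/secure
sample_secure_log | root_trail
```

Compare the timestamps it prints with the login sessions shown by `last` to tie each root session to a user and source address.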
 