Linux – Any way to determine how files were deleted on Linux/Apache server

apache-2.2, files, filesystems, linux, logging

PROBLEM:

I have several missing directories on an offsite Linux/Apache server. I've tracked down about when they went missing from the httpd error logs, and I have a list of SSL logins to the machine (complete with network addresses.)

There are several individuals who have access to my account on the machine, so I am trying to confirm whether the files were removed accidentally or intentionally. If I can determine that the session came from an external network address, then I can be sure it was intentional. Otherwise I will need additional information.

QUESTION:

Is there any way to determine what user account (mine vs. root), network session, or process removed the files? I'm not worried about restoring them as backups are recent.

RELATED QUESTION:

I've tried looking at the bash history for my own account (the only one other than root with permission) and it only seems to extend back to the beginning of my SSL session. Does this imply the bash history was tampered with, or is this normal behavior?

Best Answer

By default, this isn't logged (imagine how big the logs would get). You can add logging with auditctl or inotify/iwatch (interesting options, check them out), or your control panel logging or ftp logs (usually all in /var/log somewhere) or bash history might help you track it down a little. Check your HTTP access logs in case some GET request managed to do this (unlikely, but possible).

If your history isn't there, it has been cleared. This is either done manually, or a command in your .bash_logout or .logout files.

Also, it's SSH not SSL :)
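The answer above names auditctl as the way to get this logged going forward. What that gives you, once a rule such as `auditctl -w /var/www/html -p wa -k delete_watch` is loaded, is a SYSCALL record for each delete carrying both the effective uid and the login uid (auid, which survives su/sudo, so it separates "my account" from "root logged in as root"), a session number (ses), and PATH records naming what was removed; the session number can be joined to the USER_LOGIN record sshd wrote, which carries the source address. The script below is an added example, not code from the original question or answer: it correlates those records from the raw /var/log/audit/audit.log format over a constructed sample (the key name `delete_watch`, the sample records, and the list of "internal" networks are all assumptions). It only works for deletions that happen after the rule exists; audit cannot reconstruct earlier events, which is the original poster's situation.

```python
"""Correlate Linux audit records to answer "who deleted what, from where?".

Added example, not part of the original question or answer.  Assumes an auditd
watch such as  auditctl -w /var/www/html -p wa -k delete_watch  was loaded
before the deletion (key name is an assumption); reads raw audit.log records.
"""
import ipaddress
import os
import re
from collections import defaultdict

WATCH_KEY = "delete_watch"  # assumed audit key; must match the auditctl rule

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
KV_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

# Constructed sample records, not captured from a real host.  An SSH login from
# 203.0.113.7 opens audit session 3.  Serial 456 is a failed rm as the plain
# user (ignored).  In serial 457 the same login has become root (uid=0) but the
# login uid auid=1000 is preserved, and the rm succeeds.
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1631234500.000:440): pid=1200 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=/dev/pts/0 res=success'
type=SYSCALL msg=audit(1631234560.000:456): arch=c000003e syscall=87 success=no exit=-13 a0=1 a1=2 a2=3 a3=4 items=1 ppid=1234 pid=1236 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="rm" exe="/bin/rm" key="delete_watch"
type=CWD msg=audit(1631234560.000:456): cwd="/var/www/html"
type=PATH msg=audit(1631234560.000:456): item=0 name="oldsite/index.html" inode=12346 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1631234567.123:457): arch=c000003e syscall=87 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=1234 pid=1240 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="rm" exe="/bin/rm" key="delete_watch"
type=CWD msg=audit(1631234567.123:457): cwd="/var/www/html"
type=PATH msg=audit(1631234567.123:457): item=0 name="/var/www/html/oldsite" inode=12345 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1631234567.123:457): item=1 name="oldsite/index.html" inode=12346 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
"""


def parse_fields(text):
    """Turn k=v / k="v" / k='v' fragments into a dict, stripping quotes."""
    return {k: v.strip("\"'") for k, v in KV_RE.findall(text)}


def parse_records(log_text):
    """Yield one dict per audit line, with _type, _ts and _serial added."""
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # not an audit record
        rtype, ts, serial, rest = m.groups()
        fields = parse_fields(rest)
        if "msg" in fields:  # USER_* records nest more k=v inside msg='...'
            fields.update(parse_fields(fields["msg"]))
        fields.update(_type=rtype, _ts=float(ts), _serial=int(serial))
        yield fields


def find_deletions(log_text, key=WATCH_KEY):
    """Return one dict per path removed by a successful syscall tagged `key`."""
    sessions = {}               # ses -> source address from the login record
    events = defaultdict(list)  # serial -> all records of one syscall
    for rec in parse_records(log_text):
        if rec["_type"] == "USER_LOGIN" and rec.get("res") == "success":
            sessions[rec.get("ses")] = rec.get("addr", "?")
        events[rec["_serial"]].append(rec)

    deletions = []
    for serial in sorted(events):
        recs = events[serial]
        sc = next((r for r in recs if r["_type"] == "SYSCALL"), None)
        if sc is None or sc.get("key") != key or sc.get("success") != "yes":
            continue  # unrelated, or the delete was refused
        cwd = next((r["cwd"] for r in recs if r["_type"] == "CWD"), "/")
        for r in recs:
            if r["_type"] == "PATH" and r.get("nametype") == "DELETE":
                deletions.append({
                    "time": sc["_ts"],
                    # relative names in PATH are relative to the CWD record
                    "path": os.path.normpath(os.path.join(cwd, r["name"])),
                    "auid": sc["auid"],  # login account; survives su/sudo
                    "uid": sc["uid"],    # account the process ran as
                    "exe": sc["exe"],
                    "tty": sc["tty"],
                    "ses": sc["ses"],
                    "addr": sessions.get(sc["ses"], "?"),
                })
    return deletions


def is_external(addr, internal_nets=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """True if addr lies outside the given internal ranges (ranges are assumed)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unknown source ("?"): do not claim it was external
    return not any(ip in ipaddress.ip_network(net) for net in internal_nets)


if __name__ == "__main__":
    for d in find_deletions(SAMPLE_AUDIT_LOG):
        origin = "external" if is_external(d["addr"]) else "internal/unknown"
        print(f"{d['path']} deleted by auid={d['auid']} (running as uid={d['uid']}) "
              f"via {d['exe']} on {d['tty']}, session {d['ses']} from {d['addr']} ({origin})")
```

On a real host, `ausearch -k delete_watch` and `ausearch --session 3` pull the same records out of audit.log; the point of the auid/uid split is that a deletion performed as root still tells you which login account reached root, provided the login went through PAM and sshd so that auid was set. If the source address in USER_LOGIN is itself inside your own network, this tells you the session, not the intent.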