how to find out who deleted the directory in Unix

Former Member
0 Kudos

Hi Experts,

In my system somebody tampered with the directories, and moreover somebody deleted the bin directory under /usr/sap/trans in the Unix operating system. Now I am checking to find out who deleted it and looking for more logs.

I am unable to find the user name and the logs for the deleted directory. I know it's completely related to the Unix level, but in the meantime I am searching for the same.

Any ideas and clues will be highly appreciated.

-Srini

Accepted Solutions (0)

Answers (4)

Former Member
0 Kudos

Thanks guys for your valuable time. It was very helpful to get the details. Thanks to all.

Former Member
0 Kudos

Hi Srini

The history command and/or the syslog files will help in finding this.

Thanks,

Srini.

Former Member
0 Kudos

Depending on OS and shell, you may want to check .sh_history or .history from the user's home directory. You can simply cat these files.

Former Member
0 Kudos

Knowing the OS would have been helpful.

First ask the people around you if anybody did it, maybe he is man enough to admit...

Try to find out who was logged in at the time when the directory was deleted.

- check the OS syslog (/var/adm/syslog/syslog.log for HP-UX, /var/log/messages for Linux)

- try the last command to get a list of who logged on when

- check the command histories of the sidadm and root users; use the history command or the h alias

- check if there are scripts running, which regularly delete files

As the trans directory might be NFS mounted to other servers, you might need to do the checks there too.

Best regards, Michael
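
The history check suggested in the answers above, as an added example that is not part of any post in this thread: a POSIX shell function that scans the .sh_history, .history and .bash_history files of every home directory under one root for rm, rmdir or mv commands that touch the deleted directory, including a relative delete issued after a cd into its parent. The function name and the assumption that all home directories sit under a single root are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): triage shell histories for commands
# that could have removed a directory such as /usr/sap/trans/bin.
# Assumption: home directories live under one root (e.g. /home); root's own
# home (/root or /) has to be passed in a separate call.

# find_delete_cmds HOME_ROOT TARGET
# Prints "user<TAB>history-file<TAB>line-number<TAB>command" for every history
# line that runs rm, rmdir or mv and either names TARGET's parent directory
# (which also covers TARGET itself) or names TARGET's basename right after a
# cd into that parent. Hits are leads to verify, not proof.
find_delete_cmds() {
    home_root=$1
    target=$2
    parent=$(dirname "$target")
    base=$(basename "$target")
    for f in "$home_root"/*/.sh_history "$home_root"/*/.history \
             "$home_root"/*/.bash_history; do
        [ -f "$f" ] || continue          # unmatched glob or missing file
        user=$(basename "$(dirname "$f")")
        # ksh history files can contain NUL bytes; turn them into newlines
        tr '\000' '\n' < "$f" |
        awk -v u="$user" -v f="$f" -v p="$parent" -v b="$base" '
            # remember whether the most recent cd went into the parent dir
            /(^|[ ;|&])cd[ \t]/ { incwd = (index($0, p) > 0) }
            /(^|[ ;|&])(rm|rmdir|mv)[ \t]/ {
                if (index($0, p) || (incwd && index($0, b)))
                    printf "%s\t%s\t%d\t%s\n", u, f, NR, $0
            }'
    done
}

# Usage: find_delete_cmds /home /usr/sap/trans/bin
```

History files are writable by their owner and are often flushed only at logout, so compare any hit with the login times from last and with the syslog before drawing conclusions.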