I've recently run into a very odd occurrence on one system I'm using. For no apparent reason, my user account was deleted, although the home directory is still there.
I have root access, so I can restore the account, but first, I want to know how this happened, and exactly when. Inspecting the root's .bash_history file and the "last" command gave nothing, and I'm (well, was) the only sudoer on the system.
How would I know when this deletion happened?
The distro is CentOS release 5.4 (Final), if that helps.
This is actually what happened. Someone first gained access as a regular user, then tried to log in as several app-level users ("oracle"), and finally managed to log in as "dev", which is actually the same user as root (userid 0). – executor21 – 2010-12-28T21:06:05.813
Thanks for replying back to let everyone know what happened. It's good information for others to see. If your mention of oracle is any indication of what that server does, you need to do a full audit. You should do one anyways and reinstall if possible, auditing your data, scripts, programs, user access, etc. – deltaray – 2010-12-28T22:17:17.493
One more thing: don't trust the backed-up data unless you audit that, too. A really malicious cracker could play with your Oracle databases. If there's financial or medical data in there, you may have legal obligations to report the possibility of leakage. – CarlF – 2010-12-29T13:33:25.637