How do I find out when and by whom a particular user was deleted in linux?

1

I've recently run into a very odd occurrence on one system I'm using. For no apparent reason, my user account was deleted, although the home directory is still there.

I have root access, so I can restore the account, but first, I want to know how this happened, and exactly when. Inspecting root's .bash_history file and the "last" command gave nothing, and I'm (well, was) the only sudoer on the system.

How would I know when this deletion happened?

The distro is CentOS release 5.4 (Final), if that helps.

executor21

Posted 2010-12-28T20:06:40.193

Reputation: 225

Answers

0

If you're the only sudoer, and the only one with legit access to root, then your server was in all probability cracked. Many (less skilled) crackers will delete or disable root accounts to prevent counteraction. Back up your data and reinstall, or if you are able to do a security audit and find the hole the cracker used, do that.

CarlF

Posted 2010-12-28T20:06:40.193

Reputation: 8 576

1

This is actually what happened. Someone first gained access as a regular user, then tried to login as several app-level users ("oracle"), and finally managed to login as "dev", which is actually the same user as root (userid 0). – executor21 – 2010-12-28T21:06:05.813

Thanks for replying back to let everyone know what happened. It's good information for others to see. If your mention of oracle is any indication of what that server does, you need to do a full audit. You should do one anyway and reinstall if possible, auditing your data, scripts, programs, user access, etc. – deltaray – 2010-12-28T22:17:17.493

One more thing: don't trust the backed-up data unless you audit that, too. A really malicious cracker could play with your Oracle databases. If there's financial or medical data in there, you may have legal obligations to report the possibility of leakage. – CarlF – 2010-12-29T13:33:25.637

2

It really depends on how it was deleted and in relation to other users, but here are a few techniques you can try:

  • See if your user is still listed in passwd. If it isn't, then see if it's in a file called passwd-, which is a backup made of passwd. If it's in there, then the timestamp on that older file would probably indicate when the account was removed.
  • It's possible that the deletion is in root's or some user's .bash_history file, and you might be able to tell from the context there when it happened.
  • If it was done via sudo or something, then it might be in /var/log/messages.

That's all I can think of right now. Probably a few other techniques.

deltaray

Posted 2010-12-28T20:06:40.193

Reputation: 1 665
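The three checks in the answer above, scripted, as an added example that is not part of the thread. It takes a root directory argument so it can run against a constructed sample tree (built by `build_sample`) as well as a real host (`/`); it assumes GNU grep and stat, and the CentOS layout where sudo's authpriv messages land in /var/log/secure alongside /var/log/messages. The user names, log line and file contents in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): walk the places deltaray's answer
# lists for traces of a removed account. Every path is relative to a
# root directory argument so the functions can run against a constructed
# sample tree; pass / to inspect a real host.

# Exit 0 if <user> has an entry in <passwd-file>.
user_in_passwd() {
    grep -q "^$2:" "$1" 2>/dev/null
}

# 1. /etc/passwd vs. its backup /etc/passwd-. useradd/userdel copy the
#    previous file to passwd- before replacing it, so a user present only
#    in the backup was removed, and the backup's mtime is the last
#    change before that removal (an upper bound on the deletion time).
check_passwd_backup() {
    etc="$1/etc"; user="$2"
    if user_in_passwd "$etc/passwd" "$user"; then
        echo "present: $user is still in $etc/passwd"
    elif user_in_passwd "$etc/passwd-" "$user"; then
        echo "deleted: $user only in $etc/passwd-, backup mtime $(stat -c %y "$etc/passwd-")"
    else
        echo "unknown: $user in neither $etc/passwd nor $etc/passwd-"
    fi
}

# 2. Shell histories: a plain userdel typed by root or a sudoer leaves a
#    line here. History has no timestamps by default, so only the
#    surrounding commands give a sense of when.
grep_histories() {
    root="$1"; user="$2"
    out=$(grep -s -H -n -E "(userdel|deluser)[[:space:]].*\b$user\b" \
            "$root"/root/.bash_history "$root"/home/*/.bash_history || true)
    [ -n "$out" ] && echo "$out" || echo "none: no userdel/deluser naming $user in shell histories"
}

# 3. Syslog: sudo logs every command it runs (authpriv, /var/log/secure
#    on CentOS) and shadow-utils usually logs the deletion itself;
#    /var/log/messages may carry it on other distributions. These lines
#    are timestamped, which the histories are not.
grep_syslog() {
    logs="$1/var/log"; user="$2"
    out=$(grep -s -H -n -E "(sudo|userdel|deluser).*\b$user\b" \
            "$logs"/messages* "$logs"/secure* || true)
    [ -n "$out" ] && echo "$out" || echo "none: no sudo/userdel entries naming $user in $logs"
}

# 4. A surviving home directory (as in the question) means userdel ran
#    without -r.
check_home_dir() {
    [ -d "$1/home/$2" ] && echo "home: $1/home/$2 still exists (userdel without -r)" \
        || echo "home: $1/home/$2 is gone"
}

report() {
    check_passwd_backup "$1" "$2"
    grep_histories "$1" "$2"
    grep_syslog "$1" "$2"
    check_home_dir "$1" "$2"
}

# Constructed sample tree mimicking the thread's situation: "alice" has
# been removed with userdel via sudo and her home directory left behind.
build_sample() {
    root="$1"
    mkdir -p "$root/etc" "$root/var/log" "$root/root" "$root/home/alice" "$root/home/bob"
    printf 'root:x:0:0:root:/root:/bin/bash\nalice:x:500:500::/home/alice:/bin/bash\nbob:x:501:501::/home/bob:/bin/bash\n' > "$root/etc/passwd-"
    printf 'root:x:0:0:root:/root:/bin/bash\nbob:x:501:501::/home/bob:/bin/bash\n' > "$root/etc/passwd"
    printf 'ls\nuserdel alice\nexit\n' > "$root/root/.bash_history"
    printf 'ls -la\n' > "$root/home/alice/.bash_history"
    printf 'Dec 28 19:55:01 host sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/userdel alice\n' > "$root/var/log/secure"
}

# Stand-alone run against the sample tree: sh findings.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    build_sample "$tmp"
    report "$tmp" alice
    rm -rf "$tmp"
fi
```

On a real host, `report / executor21` runs the same four checks against /etc, /root, /home and /var/log. The passwd- mtime only bounds the deletion from above, and history files can be edited by whoever ran the command, so the syslog hit is the one with a timestamp worth trusting.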