AW: Deletion of all files owned by specific owner

[Meidinger Chris <chris.meidinger () badenit de>]

It sounds like someone executed the followoing command:

user@host~:# find -uid `id -u` -exec rm -f {} \;

Check the ~/.bash_history for the user, if you have and kind of process
accounting or auditing this could help you. Otherwise, check
/var/log/messages, or /var/adm/messages or whereever your logs are to see if
the command produced any errors that might have been logged. 

other than that, you are probably in the cold without a jacket.

Cheers,

Chris

> -----Ursprüngliche Nachricht-----
> Von: D Hull [mailto:dbhull1 () hotmail com] 
> Gesendet: Freitag, 12. November 2004 07:43
> An: security-basics () securityfocus com
> Betreff: Deletion of all files owned by specific owner
>
>
>
> This evening, all of the files owned by a specific user were 
> removed from a server, including the user's home directory 
> and files owned on an NFS mounted partition.
>
> I did not have any baselines in place to help troubleshoot 
> this problem so I am starting from scratch and don't have 
> much to go on. I realize I am in a bad spot. I am able to 
> recover the data. I need to be able to determine what 
> happened though - as best as possible under the 
> circumstances. Any suggestions would be greatly appreciated.