Reconstruct changes to the crontab and a directory over 5 Months
Is there any way to show who moved/deleted/restored files at a specific point in time on a Linux server and who changed the crontab?

Given the case described below, somebody or something either restored or changed the contents of a directory, plus altered cronjobs. As this may happen again, I need to find out how it happened and why it happened.

I am therefore in search of ways to reconstruct what happened to the crontab and the directory for a timeframe of about 5 months.

The specific case

5 months ago, I developed something for a Linux server (SLES 12). This involved creating bash scripts and scheduling them with a cronjob.

Before starting to work, the directory looked like this (reconstructed from memory):

ll -ali
total 84
231080 drwxr-xr-x 3 root root 4096 Jun 22 10:55 .
231073 drwxr-xr-x 10 root root 4096 Feb 24 2011 ..
231100 -rwx------ 1 root root 3310 Jun 8 11:13 Auswertung_KA2006.sc
231112 -rwx------ 1 root root 214 Jun 7 13:41 Auswertung_KA2006.sh
231105 -rwx------ 1 root root 3282 Jun 8 11:13 Auswertung_LoginPortal.sc
231102 -rwx------ 1 root root 232 Jun 7 13:41 Auswertung_LoginPortal.sh
231104 -rwx------ 1 root root 1119 Jun 8 11:13 Auswertung_UserPortal.sc
231103 -rwx------ 1 root root 226 Jun 7 13:41 Auswertung_UserPortal.sh
231099 -rwx------ 1 root root 2159 Jun 8 11:15 deaktiviereInaktiveAgBenutzer.sc
231096 -rw------- 1 root root 1966 Jun 7 13:34 deaktiviereInaktiveAgBenutzer.sc.sik
231093 -rwx------ 1 root root 222 Dec 3 2014 deaktiviereInaktiveAgBenutzer.sh
231098 -rw------- 1 root root 222 Jun 7 13:35 deaktiviereInaktiveAgBenutzer.sh.sik
231094 drwxr-xr-x 2 root root 4096 May 4 2017 ebert

After finishing my work, the directory looked like this (taken from the development server):

ll -ali
total 84
231080 drwxr-xr-x 3 root root 4096 Jun 22 10:55 .
231073 drwxr-xr-x 10 root root 4096 Feb 24 2011 ..
231107 -rwx------ 1 root root 2746 Jun 22 10:54 Auswertung_KA2018.sc
231106 -rwx------ 1 root root 214 Jun 8 12:44 Auswertung_KA2018.sh
231110 -rwx------ 1 root root 2307 Jun 22 10:52 Auswertung_LoginPortal2018.sc
231108 -rwx------ 1 root root 240 Jun 8 13:07 Auswertung_LoginPortal2018.sh
231101 -rwx------ 1 root root 673 Jun 22 10:55 Auswertung_UserPortal2018.sc
231114 -rwx------ 1 root root 234 Jun 8 13:10 Auswertung_UserPortal2018.sh
231099 -rwx------ 1 root root 2159 Jun 8 11:15 deaktiviereInaktiveAgBenutzer.sc
231096 -rw------- 1 root root 1966 Jun 7 13:34 deaktiviereInaktiveAgBenutzer.sc.sik
231093 -rwx------ 1 root root 222 Dec 3 2014 deaktiviereInaktiveAgBenutzer.sh
231098 -rw------- 1 root root 222 Jun 7 13:35 deaktiviereInaktiveAgBenutzer.sh.sik
231094 drwxr-xr-x 2 root root 4096 May 4 2017 ebert

As you can see, I created new versions of some scripts and deleted the old versions.

Now, 5 months later, the directory looks like this (taken from the production server):

ll -ali
total 86608
65538 drwxr-xr-x 6 root root 4096 Nov 21 22:00 .
65537 drwxr-xr-x 12 root root 4096 Oct 28 2008 ..
65734 -rw-r--r-- 1 root root 0 Jul 31 2017 1
65723 -rwxr-x--- 1 root root 3656 Dec 2 2015 1_Auswertung_KA2006.sc
65722 -rwxr-x--- 1 root root 164 Dec 2 2015 1_Auswertung_KA2006.sh
65732 -rwx------ 1 root root 26 Sep 24 2012 9.sql.gz
65561 -rwxr-x--- 1 root root 2953 Jan 17 2008 Auswertung_KA2005.sc
65562 -rwxr-x--- 1 root root 214 Jan 17 2008 Auswertung_KA2005.sh
65742 -rwxr-x--- 1 root root 3254 Feb 13 2018 Auswertung_KA2006.sc
65560 -rwxr-x--- 1 root root 2953 Mar 20 2008 Auswertung_KA2006.sc.2008-03-20
65557 -rwxr-x--- 1 root root 3130 Mar 5 2009 Auswertung_KA2006.sc.2009-03-05
65716 -rwxr-x--- 1 root root 3618 Dec 21 2015 Auswertung_KA2006.sc.20151221
65713 -rwxr-x--- 1 root root 3656 Apr 4 2016 Auswertung_KA2006.sc.20160404
65726 -rwxr-x--- 1 root root 3661 Mar 16 2017 Auswertung_KA2006.sc.20170316
65733 -rwxr-x--- 1 root root 3706 Mar 16 2017 Auswertung_KA2006.sc.20170316-2
65731 -rwxr-x--- 1 root root 3587 Feb 13 2018 Auswertung_KA2006.sc.20180213
65628 -rwxr-x--- 1 root root 3423 Jun 8 2012 Auswertung_KA2006.sc_201206808
65566 -rwxr-x--- 1 root root 214 Jan 17 2008 Auswertung_KA2006.sh
65633 -rwxr-x--- 1 root root 3179 Mar 30 2012 Auswertung_LoginPortal.sc
65568 -rwxr-x--- 1 root root 2646 Jan 17 2008 Auswertung_LoginPortal.sc.bak
65570 -rwxr-x--- 1 root root 232 Jan 17 2008 Auswertung_LoginPortal.sh
65636 -rwxr-x--- 1 root root 1063 May 24 2012 Auswertung_UserPortal.sc
65580 -rwxr-x--- 1 root root 1112 May 24 2012 Auswertung_UserPortal.sc_20120524
65572 -rwxr-x--- 1 root root 226 Jan 17 2008 Auswertung_UserPortal.sh
65573 -rwxr-x--- 1 root root 262 Jan 17 2008 Downloads_ohne_Widerruf.sc
132598 drwxrwxrwx 2 root root 4096 Jul 13 2012 Dump_portal_bvs20120525
65738 -rwx------ 1 root root 757 Jul 31 2017 MySQLdump.sh
65634 -rwx------ 1 root root 264 Mar 5 2009 MySQLdump.sh.20090305
65714 -rw-r--r-- 1 root root 88429915 Nov 21 22:00 all_databases.sql.gz
65688 -rwxr-xr-x 1 root root 120 Mar 1 2013 checkmail.sh
65556 lrwxrwxrwx 1 root root 9 Jan 17 2008 dbuser -> dbuser.sh
65559 -rwxr-xr-x 1 root root 337 Jan 17 2008 dbuser.sh
65708 -rw------- 1 root root 1966 Dec 3 2014 deaktiviereInaktiveAgBenutzer.sc
65577 -rw------- 1 root root 1860 May 25 2012 deaktiviereInaktiveAgBenutzer.sc.20120525
65637 -rwx------ 1 root root 222 Jan 3 2011 deaktiviereInaktiveAgBenutzer.sh
65737 -rwx------ 1 root root 386 Jul 20 2012 dump_portal_bvs.sh
65711 drwxr-xr-x 2 root root 4096 May 4 2017 ebert
65564 -rwxr-xr-x 1 root informix 735 Jan 28 2009 logstat
65567 drwxrwxrwx 2 root root 4096 Nov 22 03:00 portal_bvs_Dump
65641 -rwx------ 1 root root 441 Jul 19 2012 portal_bvs_Sicherung.sh
65721 drwxr-xr-x 2 root root 4096 Jul 31 2017 status
65629 -rw-r--r-- 1 root root 426 Jan 29 2009 who_db.sql

All my new scripts are gone, older versions are ?restored?. Nobody knows anything, this is a production server and I need answers...
Tags: cron, directory, forensics
asked Nov 22 at 12:44
Martin
  • Addressing the intent of the question - Is it possible that an old backup was restored at some point, overwriting the newer scripts?
    – Haxiel
    Nov 22 at 12:47
  • It is entirely possible that a backup was restored on the server, yet the responsible sysadmin has already denied that this has happened. But I cannot prove either. This is why I want to maybe see a log of what happened.
    – Martin
    Nov 22 at 12:49
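As an added example (not code from the question or its comments), a small POSIX shell script for the first pass of the reconstruction asked about above: it lists files in a directory that carry the usual restore signature (mtime preserved from years ago, but ctime, which no restore tool can set, from the moment of the restore) and pulls the REPLACE lines that cron logs to syslog whenever a crontab is installed. It assumes the GNU stat/date/touch shipped with SLES 12 and the cronie/vixie-cron syslog line format; the /var/log/messages excerpt and the script paths in it are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the question or its comments.
#
#   restore_candidates DIR DAYS
#       Prints files in DIR whose ctime (inode change time) is more than DAYS
#       newer than their mtime. tar/rsync/cp -p restores preserve mtime but
#       nothing can set ctime, so "old mtime, recent ctime" is the usual
#       signature of a restore, and that ctime is the moment to look up in
#       wtmp (last), sudo and cron logs.
#   crontab_events LOGFILE
#       Prints date and user for every REPLACE line that cron writes to syslog
#       when a crontab is installed (crontab -e, crontab FILE).
#
# Assumptions: GNU stat/date/touch as on SLES 12; the syslog line format
# "crontab[PID]: (USER) REPLACE (USER)" of vixie-cron/cronie; the log lines in
# sample_messages_log are constructed, not taken from a real host.

restore_candidates() {
    dir=$1
    threshold=$(( ${2:-1} * 86400 ))
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        ctime=$(stat -c %Z "$f")
        mtime=$(stat -c %Y "$f")
        if [ $((ctime - mtime)) -gt "$threshold" ]; then
            # inode, when the inode last changed, the (preserved) mtime, name
            printf '%s ctime=%s mtime=%s %s\n' "$(stat -c %i "$f")" \
                "$(date -d "@$ctime" '+%F %R')" "$(date -d "@$mtime" '+%F %R')" \
                "${f##*/}"
        fi
    done
}

crontab_events() {
    # Keep only lines logged by the crontab binary for a replaced crontab.
    # Fields: Mon Day HH:MM:SS host crontab[PID]: (user) REPLACE (user)
    grep -E 'crontab\[[0-9]+\]: \([^)]+\) REPLACE \(' "$1" |
        awk '{ print $1, $2, $3, $6 }'
}

sample_messages_log() {
    # Constructed /var/log/messages excerpt (not a real log): one crontab
    # replacement in the middle of ordinary cron job executions.
    cat > "$1" <<'EOF'
Nov 21 21:58:01 prod CRON[4011]: (root) CMD (/root/scripts/MySQLdump.sh)
Nov 21 22:05:17 prod crontab[4120]: (root) BEGIN EDIT (root)
Nov 21 22:05:40 prod crontab[4120]: (root) REPLACE (root)
Nov 21 22:05:40 prod crontab[4120]: (root) END EDIT (root)
Nov 22 03:00:01 prod CRON[5002]: (root) CMD (/root/scripts/portal_bvs_Sicherung.sh)
EOF
}

# Stand-alone demo: a scratch directory with one file whose mtime was pushed
# back (as a restore leaves it) and one fresh file, plus the constructed log.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/Auswertung_KA2006.sc"
    touch -d '2018-02-13 09:00' "$tmp/Auswertung_KA2006.sc"
    : > "$tmp/Auswertung_KA2018.sc"
    sample_messages_log "$tmp/messages"
    echo "Files whose inode changed long after their content did:"
    restore_candidates "$tmp" 1
    echo "Crontab replacements:"
    crontab_events "$tmp/messages"
    rm -r "$tmp"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh reconstruct.sh demo` for the built-in sample, or call the two functions against the real directory and /var/log/messages (rotated copies included) on the host.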