We suspect that one of our CentOS servers has been compromised because someone left a filesystem mounted accidentally (it's an old empty partition we don't use anymore, in a home/unusual_name directory name. We think someone mounted it to check what's inside and forgot to dismount).

There is no mount command trace in .bash_history or /var/log/messages.

We have several login audits, so we can use those timestamps to know if we can catch who left that filesystem mounted, but how can we know when that filesystem was mounted?

Regards

  • This may be of some help: superuser.com/a/152645/441365 Commented Jan 9, 2017 at 17:41
  • What do you mean by "home/unusual_name directory"? Commented Jan 9, 2017 at 17:42
  • @AndrewHenle Thanks a lot! I tried to search that with no results. Commented Jan 9, 2017 at 17:53
  • @Thomas I mean a directory with a name outside of our particular directory hierarchy. He/she named /root/tmpdir ... Commented Jan 9, 2017 at 18:03

1 Answer

As Andrew Henle commented, this was already answered in this superuser.com question:

Finding out the time a filesystem was last mounted
