Can a database just delete?

I’ve been a hoster for 20 years and done countless forensics cases. There are plenty of logs available with a proper host.

Apache/IIS Access Logs are usually my best friend. If you have a control panel you probably have access to them. It’s usually very easy to see when it happened as your HTTP codes will no longer show 200, 301, 302 etc. I believe you will be looking for codes in the 500-range. That usually lets you see if a malicious script was called right before the database was deleted. Check what happened right before. Which would in turn give you info if it was an outside job.

FTP logs are also worth investigating. It often goes under the radar, but compromised FTP accounts are more common than what many think. Again, it will show in the access logs as the malicious script needs to be executed.

Finally all control panels have separate access logs. Often your host would be the only ones with that level of access.

If the database was a MySQL one and you allowed external access to your database, then don’t bother investigating – get yourself a mental checkup instead.

Likewise if it is a WordPress site but you never updated themes and plugins.

Either way, I think you need to buy help to get to the bottom of this one if your host is not able to provide any info (it can be quite time-consuming which could explain why they have not found anything…). <<snipped>>
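The access-log check described in the post above, as an added example that is not part of the original post: it finds the point where responses switch to a sustained run of 500-range codes and lists the requests that came right before it. The log lines, IP addresses and the script path are constructed sample data, and the function names, the run length of 3 and the lookback window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines in Apache combined log format (not from a real server).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2024:10:01:09 +0000] "GET /about/ HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:02:30 +0000] "POST /uploads/tmp_x.php HTTP/1.1" 200 12 "-" "curl/8.0"
203.0.113.9 - - [12/Mar/2024:10:02:41 +0000] "GET /index.php HTTP/1.1" 500 310 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2024:10:02:55 +0000] "GET /contact.php HTTP/1.1" 500 310 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:10:03:10 +0000] "GET /index.php HTTP/1.1" 500 310 "-" "Mozilla/5.0"
"""

# client, identd, user, [timestamp], "METHOD path protocol", status
LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def parse(text):
    """Yield (ip, timestamp, method, path, status) for each parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # malformed request lines are skipped
            ip, ts, method, path, status = m.groups()
            yield (ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
                   method, path, int(status))

def find_break(entries, run=3):
    """Index of the first entry starting `run` consecutive 5xx responses, or None."""
    streak = 0
    for i, entry in enumerate(entries):
        streak = streak + 1 if entry[4] >= 500 else 0
        if streak == run:
            return i - run + 1
    return None

def requests_before_break(text, lookback=20, run=3):
    """Return (time of the first 5xx in the run, the requests leading up to it)."""
    entries = list(parse(text))
    start = find_break(entries, run)
    if start is None:
        return None, []
    return entries[start][1], entries[max(0, start - lookback):start]

if __name__ == "__main__":
    when, before = requests_before_break(SAMPLE_LOG)
    print("errors start at", when)
    for ip, ts, method, path, status in before:
        flag = "  <-- review" if method == "POST" else ""
        print(ts.isoformat(), ip, method, path, status, flag)
```

The timestamp it reports is the one to line up against the FTP and control panel logs.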

