Hey, guys
How’re you all?
So, today my boss told me that a man he had never seen before had created an account on his own in the metabase and he thinks we may have been attacked or invaded by some hacker. Anyway, I searched the metabase logs and found nothing like this user’s IP or at least which administrator account created this user.
Can you help me?
Thanks and greetings to all Metabase developers, you’re revolutionary!
@CsnCaio
Which version of Metabase?
But is there a user account that you don’t know?
You should check the metadata, which has tables, where you can see query activity and other things.
Thanks
@CsnCaio
Just go and check if the user exists in Admin > People (also check Deactivated tab).
You should not be using H2 in production - I would recommend that you migrate away:
https://www.metabase.com/docs/latest/operations-guide/migrating-from-h2.html
@flamber
I’ve checked, we’ve deactivated him.
My question is how can I know when he logs in and out and who have sent an invitation for him.
@CsnCaio
You should be able to see information in the table activity, but I’m not sure if it stores that info.
EDIT: Looking at the code, it doesn’t seem like that information is stored.
Users can only be invited by another user who’s in the Admin group, so that should limit your scope.
If you store outgoing emails, then you should be able to see who invited the user, since it has it in the header of the mail: {{invitorName}} wants you to join them on Metabase.
On a side note, the Enterprise Edition has an entire Audit module
on the first post: