
Several Websites Compromised

Comments

4 comments

  • quizknows
    Stat the affected files and reference the domlogs / FTP logs for the exact time stamps. Be sure to look for both the modify and change times, as modify can be spoofed on non-compromised systems (change time can only be spoofed on a rooted box). Make sure apache domlog retention is enabled (now default, after many years of the default being erasing the domlogs every 24h). Also be sure to check the cPanel access log too. Remember that one's in GMT, not the server's local time. One random edge case: make sure the FTP server config does not allow auth to FTP accts with the root password.
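    The triage quizknows describes (stat the files, compare modify vs change time, then pull the domlog lines around that moment) as a small added helper script; this is not code from the thread. It assumes GNU coreutils (`stat -c`, `date -d`) as on a typical cPanel/Linux host; `build_fixture` creates constructed sample data (a back-dated file and a three-line domlog) for a dry run.

```shell
#!/bin/sh
# check_times FILE
# Prints "mtime ctime status file" in UTC. mtime can be back-dated with
# touch; ctime is set by the kernel and cannot be changed from userland
# without root, so mtime != ctime is a lead (chmod/chown/rename also bump
# ctime alone, so treat it as a pointer, not proof). Returns 1 on mismatch.
check_times() {
    mtime=$(stat -c '%Y' "$1") || return 2
    ctime=$(stat -c '%Z' "$1") || return 2
    status=consistent
    [ "$mtime" -eq "$ctime" ] || status=MISMATCH
    printf '%s %s %s %s\n' \
        "$(date -u -d "@$mtime" '+%Y-%m-%dT%H:%M:%SZ')" \
        "$(date -u -d "@$ctime" '+%Y-%m-%dT%H:%M:%SZ')" \
        "$status" "$1"
    [ "$status" = consistent ]
}

# domlog_hits_near LOG EPOCH [MINUTES]
# Prints Apache domlog lines stamped within +/- MINUTES of EPOCH by
# grepping each minute's "[dd/Mon/yyyy:HH:MM" prefix. Assumes the log is
# written in UTC; domlogs use server local time, so set TZ accordingly.
# Returns 0 if any line matched, 1 otherwise.
domlog_hits_near() {
    log=$1; epoch=$2; mins=${3:-5}; i=$(( -mins )); found=1
    while [ "$i" -le "$mins" ]; do
        stamp=$(date -u -d "@$(( epoch + i * 60 ))" '+%d/%b/%Y:%H:%M')
        grep -F "[$stamp" "$log" && found=0
        i=$(( i + 1 ))
    done
    return $found
}

# build_fixture: constructed sample data, not real logs. Creates a file
# whose mtime is back-dated to 2007 after a write (ctime stays "now") and
# a three-line domlog. Prints the fixture directory.
build_fixture() {
    d=$(mktemp -d)
    printf 'modified content\n' > "$d/index.php"
    touch -m -d '2007-03-01 00:00:00 UTC' "$d/index.php"   # spoof mtime only
    cat > "$d/example.com" <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:51:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 12
198.51.100.9 - - [11/Oct/2023:02:10:00 +0000] "GET /robots.txt HTTP/1.1" 404 3
EOF
    echo "$d"
}
```

Run `check_times` over the changed files first, then feed each file's ctime to `domlog_hits_near` (and the same minute prefixes against the FTP and cPanel logs) to see what, if anything, touched the site at that moment.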
  • P_W
    That's pretty much exactly what I did on the flat site, as I figured it'd be a lot less noise to dig through. Plus, most of their site literally hasn't been updated since 2007. It's not a web-based access thing, as there was zero domlog access at the time of the infection. Also, this site is behind a .htaccess password, so there is no public access to the site at all. I checked the FTP log, also nothing for that day, but the log wasn't entirely empty, which I took as a good sign. No root to FTP. I'm completely baffled. I'm in the process of assuming the servers are toast and just shuffling them onto newer boxes, which I've been putting off anyway, but it doesn't give me warm fuzzies and I don't have a lot of time to dig into it (or why the accounts seem random).
  • nospa
    check cpanel access_logs and refer to
  • cPanelMichael
    You may want to review /usr/local/cpanel/logs/login_log to see if there are any signs of a brute force attack on the accounts. Thank you.
