Deleted Files - Who Did It
Hello all. I have a user whose data was all deleted and replaced with some PHP files. This content is not the client's content... In either case I am just trying to figure out how these files got deleted. I've checked the /usr/local/cpanel/logs/access_log and /var/log/messages but am not seeing anything specific.
I was under the impression that file uploads and deletions by FTP would be in /var/log/messages, yet I don't see anything from this client, so I'm assuming that the deletions didn't happen by FTP. Are there any other logs I can check?
Thanks in advance.
It was likely done through a vulnerability in their site. Stat the new files (stat $filename) to get the change/modify times, and look for those times in the domain's Apache access log (/usr/local/apache/domlogs).
Hello :) Yes, as quizknows suggested, please review the Apache domain access logs for this domain name. It's likely the account was exploited through a vulnerable script. Thank you.
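The check suggested in the replies, as an added example that is not part of the original thread: it reads a file's modify and change times and lists the access-log entries that fall within two minutes of them, POST requests first. The function names, the 120-second window and the sample log lines are assumptions constructed for illustration.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Timestamp and request fields of an Apache combined-format line
LOG_TS = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]')
REQUEST = re.compile(r'"([A-Z]+) (\S+)')


def file_times(path):
    """Return the modify and change times that `stat` reports, as UTC datetimes."""
    st = os.stat(path)
    return [datetime.fromtimestamp(t, timezone.utc) for t in (st.st_mtime, st.st_ctime)]


def requests_near(log_lines, when, window_seconds=120):
    """Return (timestamp, client, method, url) for entries within the window of `when`."""
    window = timedelta(seconds=window_seconds)
    hits = []
    for line in log_lines:
        ts, req = LOG_TS.search(line), REQUEST.search(line)
        if not ts or not req:
            continue  # skip malformed lines
        stamp = datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S %z")  # honours the log's UTC offset
        if abs(stamp - when) <= window:
            hits.append((stamp, line.split()[0], req.group(1), req.group(2)))
    # POSTs first: writes made through a web script often arrive as POST requests
    return sorted(hits, key=lambda h: (h[2] != "POST", h[0]))


# Constructed sample lines (documentation IP ranges, hypothetical paths)
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2024:03:10:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Mar/2024:22:14:30 -0500] "GET /uploads/x.php HTTP/1.1" 200 12 "-" "curl/8.0"',
    '203.0.113.9 - - [12/Mar/2024:03:14:05 +0000] "POST /uploads/form.php HTTP/1.1" 200 31 "-" "curl/8.0"',
    '192.0.2.44 - - [12/Mar/2024:03:20:00 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    import sys
    target, domlog = sys.argv[1], sys.argv[2]  # a replaced file and the domain's access log
    with open(domlog, errors="replace") as fh:
        lines = fh.readlines()
    for when in file_times(target):
        for stamp, client, method, url in requests_near(lines, when):
            print(when.isoformat(), stamp.isoformat(), client, method, url)
```

Run it with the path of one of the new files and the domain's log under /usr/local/apache/domlogs; widen the window if nothing matches.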