What log files to check after an account gets hacked/defaced?
From time to time many customer accounts get hacked/defaced, many of them using WordPress or a similar CMS.
Can I get a list of log files to check to identify from which IP addresses this mischief was done, as well as how it was done? What scares me is mass defacement, so any pointers will be helpful.
Normally I check FTP logs (/var/log/messages) first because they're easiest to check, though most defacements aren't done over FTP. Then I check cPanel access logs (the access log in /usr/local/cpanel/logs/). After that I check the most likely culprit (though the hardest to dig through), which is the domain's Apache domlogs (/usr/local/apache/domlogs/domain.com). Checking domlogs involves taking the timestamps from defaced files and then looking for the activity at that time in the domain access log.
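The timestamp correlation described in the post above, written out as an added example (this is not code from the thread or from cPanel). It assumes GNU coreutils (stat -c, date -d) as found on a cPanel/Linux host, with a BSD fallback; the log format is Apache "combined", which is what domlogs use. The domlog path, the document root, the defaced file and every log line are constructed here so the script runs offline; on a real server point DOMLOG at /usr/local/apache/domlogs/$domain, or at the gzipped archive under the account's home directory (read it with zgrep instead of grep).

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): correlate a defaced file's
# modification time with the domain's Apache access log and count which
# source IPs were active in that window.
# Assumes GNU coreutils (date -d, stat -c) with a BSD fallback. All paths and
# log lines below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
DOMLOG="$WORK/example.com"      # stands in for /usr/local/apache/domlogs/example.com
DOCROOT="$WORK/public_html"
mkdir -p "$DOCROOT"

# Constructed sample domlog in Apache "combined" format. The two POSTs from
# 203.0.113.5 bracket the defacement; the GETs from 198.51.100.7 are normal traffic.
cat > "$DOMLOG" <<'EOF'
198.51.100.7 - - [12/Mar/2024:09:58:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2024:10:02:17 +0000] "POST /wp-content/themes/twentytwenty/404.php HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.5 - - [12/Mar/2024:10:03:44 +0000] "POST /wp-content/uploads/shell.php HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2024:11:30:00 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
EOF

# Constructed defaced file whose mtime is set to the moment of the second POST.
TZ=UTC touch -t 202403121003.44 "$DOCROOT/index.php"

# Epoch seconds of a file's mtime. Attackers can reset mtime with touch, so
# compare it with ctime (inode change time, which touch cannot backdate) and
# anchor on ctime when the two disagree.
file_mtime_epoch() { stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"; }
file_ctime_epoch() { stat -c %Z "$1" 2>/dev/null || stat -f %c "$1"; }

# Apache-log minute prefix (dd/Mon/yyyy:HH:MM) for an epoch time, rendered in
# UTC because the sample lines carry +0000; use the server's log timezone in practice.
log_minute() {
  date -u -d "@$1" '+%d/%b/%Y:%H:%M' 2>/dev/null || date -u -r "$1" '+%d/%b/%Y:%H:%M'
}

# Print the log lines whose timestamp lies within +/- $3 minutes of epoch $2.
# Builds one alternation of minute prefixes and greps for it, so the log's own
# timestamps never need to be parsed. Swap grep for zgrep on rotated .gz logs.
log_window() {
  local log=$1 ts=$2 window=$3 m pattern=""
  for ((m = -window; m <= window; m++)); do
    pattern="${pattern:+$pattern|}$(log_minute $((ts + m * 60)))"
  done
  grep -E "\[($pattern):" "$log" || true
}

# Source IPs seen in that window, most active first, as "<count> <ip>" lines.
suspect_ips() {
  log_window "$1" "$2" "$3" | awk '{print $1}' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Walk-through: anchor on the defaced file, look +/- 3 minutes around it.
DEFACED="$DOCROOT/index.php"
T=$(file_mtime_epoch "$DEFACED")
echo "defaced file mtime: $(log_minute "$T")  (ctime epoch: $(file_ctime_epoch "$DEFACED"))"
log_window "$DOMLOG" "$T" 3
suspect_ips "$DOMLOG" "$T" 3
```

Once the window points at an IP, widen it (the third argument) and grep the whole log for that address to see the earlier requests that found and exploited the hole; the POST to a theme or uploads path just before the mtime is usually the upload of the web shell, and the requests before it show the scanning. The temp directory is left in place so the functions can be re-run against the sample.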
Hello :) Yes, as mentioned in the previous post, the domain access log (/usr/local/apache/domlogs/$domain) is likely going to have the information you are seeking. However, keep in mind the domain access logs are often rotated after each statistics generation. You may need to search through the access logs that are archived in the user's home directory (assuming that feature is enabled on your system). Thank you.
I used that command and it showed me logs for just today. The file I want to investigate was uploaded 4 days ago. Is there any chance I can find from where it was uploaded?
[QUOTE]I used that command and it showed me logs for just today. The file I want to investigate was uploaded 4 days ago. Is there any chance I can find from where it was uploaded?[/QUOTE]
Please see this part of my previous message and let us know if it's helpful: [QUOTE]However, keep in mind the domain access logs are often rotated after each statistics generation. You may need to search through the access logs that are archived in the user's home directory (assuming that feature is enabled on your system).[/QUOTE]
Thank you.