Couple of files changed in public_html
Hi all,
I am investigating a possible breach on one of my cPanel accounts.
I've found a couple of files altered and added, all in the public_html folder.
I checked every account login, FTP and Apache log. There were no logins, uploads, nothing strange in the behaviour of the server in the last couple of days.
Can someone help me with further investigation? I would really like to understand what happened.
Thanks!
-
I would take the timestamps of the changed files and then look at the Apache access files for around that time (+/- 10 minutes usually). I'm 99% certain you'll see something like POST /xxx/xxxx?action=run&command=fetch as most exploits are through web apps.
0 -
Found out where it happened, now just to find out how. It's the .well-known folder in the public_html.
0 -
Did someone experience index.html, sitemap.xml, and robots.txt files in here? Thanks
0 -
Is there data in that directory besides the acme-challenge and pki-validation folders? That directory is used for the AutoSSL system so it's normal for those files to change automatically, but if there are non-AutoSSL files in there that would be cause for concern.
0 -
Yes, there is some data: an index page, robots.txt, and a couple of other files apart from the pki-validation folder. But no trace of how they would be uploaded there.
0 -
It's possible the user accessed cPanel and used the File Manager tool, so you'd see a log in /usr/local/cpanel/logs/access_log with more details from around the same time as the timestamp on the files.
0
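The two suggestions in this thread (comparing the modified files' timestamps with the Apache access log, and with /usr/local/cpanel/logs/access_log for a File Manager session) come down to the same check: take the file's mtime and list every logged request inside a window around it. The script below is an added example, not code from any poster or from cPanel. It parses lines in the Apache combined format, prints the requests within +/- 10 minutes of a file's mtime, and marks POST requests and command-style query parameters such as the `action=run&command=fetch` pattern mentioned above. The exact timestamp layout of the cPanel access_log is an assumption here, so both a day-first (`14/Mar/2023`) and a month-first (`03/14/2023`) layout are tried. The log lines and the mtime in the block are constructed sample data; run it with a file path and a log path to use real input.

```python
"""Correlate a modified file's mtime with web-server / cPanel log entries.

Added example (not from the thread or from cPanel).  Assumptions: log lines
begin like the Apache combined format, and the bracketed timestamp is one of
the two layouts in TS_FORMATS.
"""
import os
import re
import sys
from datetime import datetime, timedelta, timezone

# Leading fields of the combined format: client, ident, user, [timestamp],
# "request line", status.  match() needs only this prefix, so trailing fields
# (referrer, user agent, extra cPanel columns) are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Day-first layout is Apache's; month-first is assumed for the cPanel log.
TS_FORMATS = ("%d/%b/%Y:%H:%M:%S %z", "%m/%d/%Y:%H:%M:%S %z")

# Query parameters that usually carry an instruction to a web shell or an
# exploited web app; the thread's "action=run&command=fetch" is the model.
SUSPICIOUS_QUERY = re.compile(r"[?&](?:action|cmd|command|exec|eval)=", re.I)


def parse_timestamp(text):
    """Return an aware datetime for a bracketed log timestamp, or None."""
    for fmt in TS_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    return None


def parse_line(line):
    """Parse one log line into a dict; None for lines that do not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = parse_timestamp(m.group("ts"))
    if ts is None:
        return None
    entry = m.groupdict()
    entry["ts"] = ts
    return entry


def requests_near(lines, mtime, window=timedelta(minutes=10)):
    """Entries within +/- window of mtime, oldest first.

    Each entry gets a "flag" key: True for POSTs or for targets whose query
    string carries a command-style parameter.
    """
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or abs(entry["ts"] - mtime) > window:
            continue
        entry["flag"] = entry["method"] == "POST" or bool(
            SUSPICIOUS_QUERY.search(entry["target"]))
        hits.append(entry)
    hits.sort(key=lambda e: e["ts"])
    return hits


def file_mtime(path):
    """Modification time of a file as an aware UTC datetime."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


# Constructed sample data (RFC 5737 test addresses, made-up paths); the last
# line is deliberately malformed to show that unparsable lines are skipped.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Mar/2023:09:58:12 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Mar/2023:10:03:40 +0000] "POST /xxx/xxxx?action=run&command=fetch HTTP/1.1" 200 210 "-" "curl/7.68.0"
198.51.100.9 - - [14/Mar/2023:10:04:02 +0000] "GET /.well-known/robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0"
192.0.2.77 - - [14/Mar/2023:11:30:00 +0000] "GET /about.html HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped
"""
SAMPLE_MTIME = datetime(2023, 3, 14, 10, 4, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    # Usage: correlate.py <modified-file> <access_log>; no args runs the sample.
    if len(sys.argv) == 3:
        mtime = file_mtime(sys.argv[1])
        with open(sys.argv[2], errors="replace") as fh:
            lines = fh.readlines()
    else:
        mtime, lines = SAMPLE_MTIME, SAMPLE_LOG.splitlines()
    print("requests within 10 minutes of", mtime.isoformat())
    for e in requests_near(lines, mtime):
        print("!!" if e["flag"] else "  ", e["ts"].isoformat(), e["ip"],
              e["method"], e["target"], e["status"])
```

On the sample data the run lists three requests and marks only the POST with the `action=`/`command=` query; the request at 11:30 falls outside the window. Against a real server, run it once with the Apache domain log and once with the cPanel access_log, and remember that mtime can be reset by an attacker, so treat it as a starting point rather than proof of when the write happened.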