sabecs

asked on

Website hacked - which logs should I check to find out how?

Hi,
I am trying to find out how hackers are creating and uploading files to a couple of websites on my VPS.
How can I tell what they used to upload or create folders?

What logs should I look at to determine if they are using a compromised script to upload or FTP?

Examples of some files and folders that have been created are shown below:

/home/mywebsite/public_html/PayPal-service.com/myaccount/icon/sprite_nav_icons.png
/home/mywebsite/public_html/PayPal-service.com/myaccount/icon/sprite_nav_icons2x.png
/home/mywebsite/public_html/PayPal-service.com/myaccount/icon/sprite_header_icons_2x.png
/home/mywebsite/public_html/mm/class.phpmailer.php
/home/mywebsite/public_html/mm/class.smtp.php

Thanks in advance for your feedback.
msimion

If the HTTP server is Apache, I would check access.log and error.log in apache_home/logs.

Also, the FTP logs should be checked.

Since this is a VPS, you may consider contacting the service provider and asking them to assist. Maybe they brute-forced a password, maybe they exploited a flaw. The service provider should be able to tell you more.

mircea
serialband

Check your Apache log files for access to the file names you've listed. That will isolate the time frame when they appeared. You can then go back to correlate activity just before the file appears by looking for other data that match the lines where those files appear.

Based on the 2 PHP files in your list, I suspect that you're running PHP. Maybe your PHP scripts were not properly sanitized, making that the most likely vector. Have you made sure your latest minor version is up to date? Are you running WordPress? Did you check that it was properly updated? The log files may show which PHP script was the access point for hackers to place those files.
The log files external to the hacked system are the only thing that can be trusted.
It is all your fault that you let the Apache process rewrite content or send SMTP mail.
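
The correlation serialband describes above (find the first request to a dropped file, then review what was requested just before it), as an added example that is not part of the original thread. It assumes Apache "combined" log format and that URL paths are relative to public_html; the function names, the sample log lines and the upload.php path are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" format (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2015:02:13:58 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2015:02:14:05 +0000] "POST /wp-content/plugins/example/upload.php HTTP/1.1" 200 31 "-" "curl/7.38"
198.51.100.23 - - [12/Mar/2015:02:14:09 +0000] "GET /mm/class.phpmailer.php HTTP/1.1" 200 0 "-" "curl/7.38"
192.0.2.44 - - [12/Mar/2015:09:30:00 +0000] "GET /PayPal-service.com/myaccount/icon/sprite_nav_icons.png HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def parse(log_text):
    """Yield one dict per log line that matches the combined format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield {"ip": m["ip"], "ts": ts, "method": m["method"],
                   "path": m["path"], "status": int(m["status"])}

def suspects(log_text, dropped_prefixes, window_minutes=10):
    """Return (first request to a dropped file, write requests before it).

    Returns (None, []) when no request for the dropped files is logged,
    in which case the files probably arrived another way (FTP, cPanel).
    """
    entries = sorted(parse(log_text), key=lambda e: e["ts"])
    hits = [e for e in entries
            if any(e["path"].startswith(p) for p in dropped_prefixes)]
    if not hits:
        return None, []
    first = hits[0]
    start = first["ts"] - timedelta(minutes=window_minutes)
    # Assumption: uploads arrive as POST/PUT; widen this if nothing turns up.
    before = [e for e in entries
              if start <= e["ts"] < first["ts"] and e["method"] in ("POST", "PUT")]
    # Requests from the same client as the first hit are listed first.
    before.sort(key=lambda e: (e["ip"] != first["ip"], e["ts"]))
    return first, before

if __name__ == "__main__":
    first, before = suspects(SAMPLE_LOG, ["/mm/", "/PayPal-service.com/"])
    print("first hit:", first["ts"], first["ip"], first["path"])
    for e in before:
        print("candidate:", e["ts"], e["ip"], e["method"], e["path"], e["status"])
```
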
sabecs

ASKER

Hi, thanks for your feedback, very much appreciated.

I have checked access_log in Apache and cPanel but can't see the folders or files that got created.

Where would FTP logs be located?
ASKER CERTIFIED SOLUTION
gheist