sabecs
asked on
Website hacked - which logs should I check to find out how?
Hi,
I am trying to find out how hackers are creating and uploading files to a couple of websites on my VPS.
How can I tell what they used to upload or create folders?
What logs should I look at to determine if they are using a compromised script to upload or FTP?
Examples of some files and folders that have been created are shown below:
/home/mywebsite/public_html/PayPal-service.com/myaccount/icon/sprite_nav_icons.png
/home/mywebsite/public_html/PayPal-service.com/myaccount/icon/sprite_nav_icons2x.png
/home/mywebsite/public_html/PayPal-service.com/myaccount/icon/sprite_header_icons_2x.png
/home/mywebsite/public_html/mm/class.phpmailer.php
/home/mywebsite/public_html/mm/class.smtp.php
Thanks in advance for your feedback.
Check your apache log files for access to the file names you've listed. That will isolate the time frame when they appeared. You can then go back to correlate activity just before the file appears by looking for other data that match the lines where those files appear.
Based on the 2 PHP files in your list, I suspect that you're running PHP. Maybe your PHP scripts were not properly sanitized, making that the most likely vector. Have you made sure your latest minor version is up to date? Are you running WordPress? Did you check that it was properly updated? The log files may show which PHP script was the access point for hackers to place those files.
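A worked version of the correlation described in this answer, added here as an example and not code from the thread: it assumes Apache's combined log format, that public_html is the document root, and a constructed sample log in which /mm/upload.php is a hypothetical script not named in the question.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" log format (parsed from a constructed sample below, not the asker's server).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Web-relative versions of the paths the asker listed (docroot assumed to be public_html).
DROPPED = ["/PayPal-service.com/", "/mm/class.phpmailer.php", "/mm/class.smtp.php"]

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            entries.append(e)
    return entries

def first_hit(entries, dropped=DROPPED):
    """Earliest request for one of the attacker-created files: the files must
    have existed by then, so this bounds the time frame to investigate."""
    hits = [e for e in entries if any(e["path"].startswith(p) for p in dropped)]
    return min(hits, key=lambda e: e["ts"]) if hits else None

def suspects_before(entries, pivot, window=timedelta(minutes=30)):
    """Requests shortly before the pivot that could have written to disk:
    POSTs to PHP scripts, oldest first. These are the entry-point candidates."""
    lo = pivot["ts"] - window
    return sorted((e for e in entries
                   if lo <= e["ts"] < pivot["ts"] and e["method"] == "POST"
                   and e["path"].split("?")[0].endswith(".php")),
                  key=lambda e: e["ts"])

# Constructed sample log; IPs are RFC 5737 test addresses and /mm/upload.php is a
# hypothetical vulnerable script, not one named in the question.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2016:01:50:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2016:02:14:20 +0000] "POST /mm/upload.php?dir=mm HTTP/1.1" 200 312 "-" "python-requests/2.9"
203.0.113.5 - - [10/Mar/2016:02:15:02 +0000] "POST /mm/class.phpmailer.php HTTP/1.1" 200 88 "-" "python-requests/2.9"
198.51.100.7 - - [10/Mar/2016:02:16:30 +0000] "GET /PayPal-service.com/myaccount/icon/sprite_nav_icons.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""
if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    pivot = first_hit(entries)
    for e in suspects_before(entries, pivot):
        print("candidate entry point before", pivot["ts"], ":", e["ip"], e["path"], e["ua"])
```

On a real server, feed the script the concatenated access_log files for every virtual host on the VPS, since the dropped files may have been written through a different site than the one they appeared in.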
The log files external to the hacked system are the only thing that can be trusted.
It is all your fault that you let the apache process rewrite content, or send SMTP mail.
ASKER
Hi Thanks for your feedback, very much appreciated.
I have checked access_log in apache and cPanel but can't see the folders or files that got created.
Where would FTP logs be located?
Also the FTP logs should be checked.
Since this is a VPS you may consider contacting the service provider and asking them to assist. Maybe they brute forced a password, maybe they exploited a flaw. The service provider should be able to tell you more.
mircea