erzoolander
asked on
Hacked File Timestamps
Our server was recently hacked. So far the damage is relatively minor (like they just come in and change out the content of the primary index.html or index.php files).
One thing that I'm a little confused by - and maybe someone can clarify for me (and it might shed some light on the avenues of attack) - is that the timestamps of the impacted files are unaffected. When the site(s) CMS files started showing evidence of the hacks - I originally did scans on the server to find recently updated files with timestamps that would coincide with the timing of the attacks. But - those yielded nothing.
So, like say I originally put the file on 02/24/2016 - it still shows that file last being updated on that day...even though I know for a fact it was updated on 12/24/2016.
Any ideas on how that was managed? How a file could either be altered (thereby re-saved) or replaced but leaving the original timestamp in place?
ASKER CERTIFIED SOLUTION
ASKER
In this specific instance - it's a plain old html file - not tied to Wordpress whatsoever, in a separate WHM account/separate CPanel.
SOLUTION
This also looks interesting.
https://articles.forensicfocus.com/2015/08/25/linux-timestamps-oh-boy/
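An added example, not part of the original thread: on Linux (assumed here, since the accounts run under WHM/cPanel), anyone who can write a file can set its modification time (mtime) to any value, but the kernel stamps the inode change time (ctime) with the current time when that happens. The Python scan below flags files whose ctime is much later than their mtime, which is the check a modification-time search misses; the function names and the sample tree are constructed for this illustration.

```python
import os
import stat
import tempfile
import time
from datetime import datetime


def find_backdated(root, min_gap_seconds=86400):
    """Return (path, mtime, ctime) for regular files whose inode change
    time is at least min_gap_seconds later than their modification time."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if not stat.S_ISREG(st.st_mode):
                continue  # ignore symlinks, sockets, devices
            if st.st_ctime - st.st_mtime >= min_gap_seconds:
                hits.append((path, st.st_mtime, st.st_ctime))
    # Most recent inode change first: closest to the time of the incident.
    return sorted(hits, key=lambda h: h[2], reverse=True)


def build_sample_tree():
    """Constructed sample: one untouched file and one whose mtime has been
    reset to an older date after it was written."""
    root = tempfile.mkdtemp(prefix="tsdemo-")
    normal = os.path.join(root, "about.html")
    backdated = os.path.join(root, "index.html")
    for path in (normal, backdated):
        with open(path, "w") as fh:
            fh.write("<html></html>\n")
    old = datetime(2016, 2, 24, 12, 0).timestamp()
    os.utime(backdated, (old, old))  # mtime goes back; ctime becomes "now"
    return root, normal, backdated


if __name__ == "__main__":
    root, _normal, _backdated = build_sample_tree()
    for path, mtime, ctime in find_backdated(root):
        print(path)
        print("  mtime:", time.ctime(mtime))
        print("  ctime:", time.ctime(ctime))
```

A hit is a lead rather than proof: chmod, chown, renames, and restores or syncs that preserve mtime (for example tar extraction or rsync with times preserved) also leave ctime later than mtime, so compare the flagged ctime values against access and FTP logs for the same window.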