erzoolander

Hacked File Timestamps

Our server was recently hacked.  So far the damage is relatively minor (like they just come in and change out the content of the primary index.html or index.php files).

One thing that I'm a little confused by - and maybe someone can clarify for me (and it might shed some light on the avenues of attack) - is that the timestamps of the impacted files are unaffected.  When the site(s) CMS files started showing evidence of the hacks - I originally did scans on the server to find recently updated files with timestamps that would coincide with the timing of the attacks.  But - those yielded nothing.

So, like say I originally put the file on 02/24/2016 - it still shows that file last being updated on that day...even though I know for a fact it was updated on 12/24/2016.

Any ideas on how that was managed?  How a file could either be altered (thereby re-saved) or replaced but leaving the original timestamp in place?
ASKER CERTIFIED SOLUTION
Jeff Darling
Just guessing, but maybe the files were not changed.  Maybe the damage is coming from inside the WP database.

This also looks interesting.
https://articles.forensicfocus.com/2015/08/25/linux-timestamps-oh-boy/
erzoolander

ASKER

In this specific instance - it's a plain old html file - not tied to WordPress whatsoever, in a separate WHM account/separate cPanel.
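
An added example, not part of the original thread: on a Linux host (assumed here, since the accounts are under WHM/cPanel), a file's modification time (mtime) can be set to any value with `utime()`, but the inode change time (ctime) is updated by the kernel whenever content or metadata changes and cannot be set the same way. A scan keyed on ctime therefore still surfaces a file whose mtime was put back. The function names and sample files below are hypothetical and constructed for the demonstration.

```python
import os
import tempfile
import time


def find_backdated(root, since_epoch, min_gap=60):
    """Return (path, mtime, ctime) for files under root whose ctime is at or
    after since_epoch while mtime is at least min_gap seconds older.

    Legitimate actions (chmod, chown, rename, restoring a backup with
    preserved mtimes) also produce this pattern, so hits are leads to
    review, not proof of tampering.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # do not follow symlinks
            except OSError:
                continue  # file vanished or unreadable
            if st.st_ctime >= since_epoch and st.st_ctime - st.st_mtime >= min_gap:
                hits.append((path, st.st_mtime, st.st_ctime))
    return sorted(hits)


def demo():
    """Constructed sample: two files, one with its mtime reset to an old date."""
    since = time.time() - 60  # start of the window being investigated
    with tempfile.TemporaryDirectory() as root:
        untouched = os.path.join(root, "about.html")
        altered = os.path.join(root, "index.html")
        for path in (untouched, altered):
            with open(path, "w") as fh:
                fh.write("<html>original</html>")
        # Rewrite the content, then restore an old mtime (constructed date).
        with open(altered, "w") as fh:
            fh.write("<html>replaced</html>")
        old = time.mktime((2016, 2, 24, 0, 0, 0, 0, 0, -1))
        os.utime(altered, (old, old))
        # An mtime-based search would skip index.html; the ctime check does not.
        return [os.path.basename(p) for p, _m, _c in find_backdated(root, since)]


if __name__ == "__main__":
    print(demo())
```

On a live server, point `find_backdated` at the document root with `since_epoch` set to just before the first defacement was noticed.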