  1. #1
    Registered User
    Join Date
    Jul 2008
    Location
    Lansing, MI
    Posts
    3

    httpd needed restart

    Hey all, I'm fairly new to cPanel, but I just ran into some script kiddie who got into my server and put a redirect on one of my sites. Basically, I'm trying to find the log of what happened so I can destroy the security hole. What log would I have to pull to see that?

  2. #2
    Member
    Join Date
    Jul 2008
    Location
    localhost
    Posts
    101


    Quote Originally Posted by neiderlaander
    Hey all, I'm fairly new to cPanel, but I just ran into some script kiddie who got into my server and put a redirect on one of my sites. Basically, I'm trying to find the log of what happened so I can destroy the security hole. What log would I have to pull to see that?
    If the redirect has been set from cPanel, you can check the cPanel access logs on the server for the domain. The cPanel access logs are located at "/usr/local/cpanel/logs/access_log".

    If you still have any issue, do post how the redirect was set on the server.

  3. #3
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Jul 2005
    Location
    New Jersey, USA
    Posts
    397


    You may have to check all the logs unless you are sure they came through cPanel. Other logs are in /var/log/ for FTP, /usr/local/apache/logs/ for HTTP, etc.

  4. #4
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025


    In addition to what PlatinumServerM said, check "/usr/local/apache/domlogs",
    which will give you the detailed logs for each account.

    If exploited by IP address or not an account specifically, the general access_log
    and error_log files at /usr/local/apache/logs may be revealing.

    It goes without saying to take a look at /usr/local/apache/conf/httpd.conf
    at the Virtualhost configuration for the account or domain compromised and
    also look at the individual files within that account as your first starting place.

    There is also the possibility that the compromise was done through some
    other avenue or service other than Cpanel or direct web attack.

    How strong are your passwords?
    Do you have any exploitable services?
    Do you have the latest updates and patches?
    Have you closed security holes and hardened the server?

    (Sorry but as good as Cpanel is as a general management system
    for a server, it downright sucks for lack of a better word when talking
    about real defensive security although it is improving slowly.
    ***no offense meant ***)

    Who has SSH access on your server? (check /etc/passwd)

    Speaking of the last question, you should also check the ".bash_history"
    files in each home directory where users have shell access, which will
    often be listed as "/bin/jailshell" or "/bin/bash" in /etc/passwd.

    (I personally don't recommend any shell access for users unless
    absolutely required, and even then I would strongly curtail the idea.)

    In your /var/log folder, I would review all logs but pay the closest attention
    to your 'messages' and 'secure' files. There is also binary log data available,
    but that is really beyond the scope of this help post.

    *** Note: most hackers that have any sense know to doctor the logs, but
    that often leaves behind telltale signs of a different sort.

    It is also possible that the attack was made by obtaining access to a normal
    user's account via a weak or vulnerable script legitimately posted by the user
    (can help you with that) or by a weak guessable password and then found
    a way to escalate once inside (easier to do that way especially if a server
    isn't properly secured from the inside or between user accounts).

    Anyway, those are just some tips. Hope you can track down the issue
    but if you need any help closing down the problem or hardening your
    server so that this doesn't happen to you again, I'd be glad to give you
    a hand. I've actually got more than 30 years experience as a systems
    administrator myself and I know how most hackers think so don't feel
    like you are stuck alone if you can't figure out what is going on.
    Last edited by Spiral; 06-10-2009 at 02:59 PM.
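An added triage script that walks the checklist in post #4; it is not code from any poster in this thread. The /etc/passwd excerpt and the domlog lines are constructed samples (written to temp files so the script runs anywhere), the awk field positions assume Apache's combined log format, and on a real server you would point the functions at /etc/passwd and the files under /usr/local/apache/domlogs instead.

```shell
#!/bin/sh
# Constructed sample data standing in for /etc/passwd and one domlog file.
PASSWD_SAMPLE=$(mktemp)
cat >"$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
site1:x:500:500::/home/site1:/bin/jailshell
site2:x:501:501::/home/site2:/usr/local/cpanel/bin/noshell
site3:x:502:502::/home/site3:/bin/bash
EOF

DOMLOG_SAMPLE=$(mktemp)
cat >"$DOMLOG_SAMPLE" <<'EOF'
198.51.100.7 - - [10/Jun/2009:14:01:02 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2009:14:02:11 -0400] "POST /images/upload.php HTTP/1.1" 200 312 "-" "curl/7.19"
203.0.113.9 - - [10/Jun/2009:14:02:40 -0400] "GET /.htaccess HTTP/1.1" 403 210 "-" "curl/7.19"
198.51.100.7 - - [10/Jun/2009:14:03:05 -0400] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2009:14:04:59 -0400] "POST /images/upload.php HTTP/1.1" 200 290 "-" "curl/7.19"
EOF
trap 'rm -f "$PASSWD_SAMPLE" "$DOMLOG_SAMPLE"' EXIT

# Accounts whose login shell is /bin/bash or /bin/jailshell, the ones post #4 says
# to pick out of /etc/passwd; prints "user:home" so each .bash_history can be read.
shell_users() {  # $1 = passwd file
  awk -F: '$7 == "/bin/bash" || $7 == "/bin/jailshell" { print $1 ":" $6 }' "$1"
}

# Count non-GET requests per client IP in a combined-format log ($6 is the quoted
# method); a burst of POSTs to one script from one address is the usual trail
# left when a redirect gets planted through a writable web script.
write_requests_by_ip() {  # $1 = domlog file
  awk '$6 != "\"GET" { print $1 }' "$1" | sort | uniq -c | sort -rn
}

# Every request line from one address, for pivoting into access_log and error_log.
requests_from() {  # $1 = log file, $2 = client IP
  awk -v ip="$2" '$1 == ip' "$1"
}

echo "== accounts with a shell =="; shell_users "$PASSWD_SAMPLE"
echo "== non-GET requests by IP =="; write_requests_by_ip "$DOMLOG_SAMPLE"
top=$(write_requests_by_ip "$DOMLOG_SAMPLE" | awk 'NR == 1 { print $2 }')
echo "== all requests from $top =="; requests_from "$DOMLOG_SAMPLE" "$top"
```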
