Apache Access Log file for all accounts ?

[driverC]

Hi,

in addition to the VirtualHost log files I would like to have an Apache log file for all accounts on the server. One which logs all accesses.

The reason I need this is because a hacker is sending phishing emails from /tmp as user nobody and the only way I can think of to find out which script contains the security hole that allows him to do this is by analyzing Apache log files. But the log files of Cpanel do not contain the information I need and are too large. I would like to create a log file containing all accesses which only logs the URL and process ID. This way using auditd I can track down the process that creates the scripts in /tmp.

So is there any way I can have a globald apache log file in addition to the VirtualHost log files. I needed this many times before but it seems to me (so far) that the Apache programmers simply do not support this.

[mohit]

looks your php is not properly configured/secured.
php script under a account should run as its cpanel user and not nobody.

it would be better you hire some management company to first get rid of spammer and then properly setup your php to have more control.

you can also disable the nobody user mail from tweak settings to stop mails till you track him down.

[driverC]

looks your php is not properly configured/secured.
php script under a account should run as its cpanel user and not nobody.

it would be better you hire some management company to first get rid of spammer and then properly setup your php to have more control.

you can also disable the nobody user mail from tweak settings to stop mails till you track him down.

If PHP runs as an Apache module then it operates as nobody. That is not insecure. It's just one out of two possibilities to handle things. It has it's advantages and disadvantages. Apart from that I have been running PHP as nobody for 6 years and can not change it since all my customer's applications are configured this way and have file ownerships and permissions set accordingly.

All I need is the ability to log web accesses the way I want to and that would solve my problem. I realize I can do it by adding include files but that seems like a day of work. I was hoping it can be done faster.

[vincentg]

You need to find the files and remove them.

Search for funky folders and files owned by nobody in /home

also check dev/shm for files.

Hackers sometimes create folders like .../
On a quick look it seems normal but look close and you will see three dots.
sometimes they use spaces too.

you can't log this but you can find the way he got in by checking domlogs.
grep /tmp * or grep wget *

try others like curl or Wget and so on.

You need to get the user that has the security hole in his software to install the upgrade to prevent more such problems.