Access logs, file manager logs etc

[OpenAreas]

Hi

Client had a breach to their website, got the access logs and fount the culprit and their IP. FTP logs show no access. Access logs show once inside cpanel then went into file manager. This where they deleted public_html folder.

Where do i find a log that tells me they deleted this folder?

 

[garrettp]

Try searching through:

/usr/local/cpanel/logs/access_log

This file contains access_log data for the cPanel/WHM interface, and you can search through the GET strings for 'frontend/x3/filemanager' (or whatever skin is used).

 

[OpenAreas]

Hi

I've had a look through them and indeed got results from the criminals IP which shows GET requests. But what am i looking for that shows a request "delete public_html" ?

 

[Infopro]

I'm not sure that there are log files for the File Manager itself, hopefully I'll be corrected here by someone. I've just created and then deleted a directory via FM and can find no traces of those actions in my logs.

 

[OpenAreas]

There is logs of said person accessing file manager.

Thing is my client wants to process legal action and needs said logs... bit lacking if logs are provided for GET accesses to FM but not rm -rf requests?

 

[Infopro]

There is logs of said person accessing file manager.

Correct.

bit lacking if logs are provided for GET accesses to FM but not rm -rf requests?

I agree. If there are tracks left for actual actions in File Manager I'm not sure where they'd be.

That said, how did they get into the account? If the user did not have a hard-to-guess password this type of damage should be expected. Restoring the account from backup and setting a much harder password, and, scanning this users home computer for any sort of problems is suggested.

Good luck!

 

[OpenAreas]

Yeah I store back ups for clients, so I resorted this for them within 20mins of it going down. Reset passwords and provided it via phone (too risky to provide by email at that point) The breach was from an ex-friend of theirs, they guessed my clients google mail security questions and gained access to confidential emails and credentials.

The access logs are enough for a small claims court here in the UK. Just one of those things ain't it.... although logs of what people do in file manager would of been handy at this point.

Thanks for your help.