Access logs, file manager logs etc

OpenAreas

Member
Jan 7, 2011
Hi

Client had a breach to their website, got the access logs and found the culprit and their IP. FTP logs show no access. Access logs show that once inside cPanel they went into File Manager. This is where they deleted the public_html folder.

Where do I find a log that tells me they deleted this folder?
 

garrettp

Well-Known Member
PartnerNOC
Jun 18, 2004
cPanel Access Level
DataCenter Provider
Try searching through:

Code:
/usr/local/cpanel/logs/access_log
This file contains access_log data for the cPanel/WHM interface, and you can search through the GET strings for 'frontend/x3/filemanager' (or whatever skin is used).
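As an added example (not code from the thread or from cPanel), here is a small parser that does what the answer above describes: it walks /usr/local/cpanel/logs/access_log, keeps the lines from one source IP whose request path is under the File Manager URL for the skin in use, and prints them as a timeline. The log lines embedded below are constructed; the IPs, account name, times and paths are invented, and the trailing fields of the real log vary between cPanel versions, so the regex only relies on the leading Apache-style fields. Flagging non-GET requests as "possible action" is a heuristic assumption for triage, not something the thread confirms.

```python
import re

# Constructed sample lines in the Apache-style layout of
# /usr/local/cpanel/logs/access_log. Everything here is made up for the
# example; only the general field order is what cPanel writes.
SAMPLE_LOG = """\
203.0.113.7 - victimacct [07/01/2011:09:58:01 -0000] "GET /frontend/x3/index.html HTTP/1.1" 200 14233 "https://example.invalid:2083/login/" "Mozilla/5.0" "s" "-" 2083
203.0.113.7 - victimacct [07/01/2011:09:58:40 -0000] "GET /frontend/x3/filemanager/index.html HTTP/1.1" 200 9120 "https://example.invalid:2083/frontend/x3/index.html" "Mozilla/5.0" "s" "-" 2083
203.0.113.7 - victimacct [07/01/2011:09:59:02 -0000] "GET /frontend/x3/filemanager/files.html?dir=%2Fhome%2Fvictimacct HTTP/1.1" 200 3301 "-" "Mozilla/5.0" "s" "-" 2083
203.0.113.7 - victimacct [07/01/2011:09:59:30 -0000] "POST /frontend/x3/filemanager/files.html HTTP/1.1" 200 412 "-" "Mozilla/5.0" "s" "-" 2083
198.51.100.22 - victimacct [07/01/2011:12:10:05 -0000] "GET /frontend/x3/filemanager/index.html HTTP/1.1" 200 9120 "-" "Mozilla/5.0" "s" "-" 2083
"""

# Leading fields only: client IP, ident, authenticated cPanel user, timestamp,
# request line and status. Anything after the status is ignored on purpose.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict of the leading fields, or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # The timestamp is kept as written: its field order is not Apache's,
    # so we don't guess at a strptime format here.
    return rec


def file_manager_requests(log_text, ip, skin="x3"):
    """All requests from `ip` whose path is under the File Manager of `skin`,
    in file order. `state_changing` is a triage heuristic (assumption):
    anything other than GET is worth a closer look."""
    marker = f"/frontend/{skin}/filemanager"
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ip"] != ip:
            continue
        if not rec["path"].startswith(marker):
            continue
        rec["state_changing"] = rec["method"] != "GET"
        hits.append(rec)
    return hits


def timeline(hits):
    """Render the hits as one line each, marking non-GET requests."""
    lines = []
    for h in hits:
        flag = "POSSIBLE ACTION" if h["state_changing"] else ""
        lines.append(f'{h["ts"]}  {h["user"]:<12} {h["method"]:<5} {h["status"]}  {h["path"]}  {flag}'.rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    # Against a real server, replace SAMPLE_LOG with
    # open("/usr/local/cpanel/logs/access_log").read() and use the real IP.
    print(timeline(file_manager_requests(SAMPLE_LOG, "203.0.113.7")))
```

Run as a script it prints the three File Manager requests from 203.0.113.7, with the POST marked for follow-up; the 198.51.100.22 entry and the non-File-Manager page view are left out. Keep the `skin` argument in mind: the thread notes the path changes if the account uses a skin other than x3.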
 

OpenAreas

Member
Jan 7, 2011
Hi

I've had a look through them and indeed got results from the criminal's IP which show GET requests. But what am I looking for that shows a request "delete public_html"?
 

OpenAreas

Member
Jan 7, 2011
There are logs of said person accessing File Manager.

Thing is, my client wants to pursue legal action and needs said logs... a bit lacking if logs are provided for GET accesses to FM but not for rm -rf requests?
 

Infopro

Well-Known Member
May 20, 2003
Pennsylvania
cPanel Access Level
Root Administrator
There are logs of said person accessing File Manager.
Correct.

a bit lacking if logs are provided for GET accesses to FM but not for rm -rf requests?
I agree. If there are tracks left for actual actions in File Manager, I'm not sure where they'd be.

That said, how did they get into the account? If the user did not have a hard-to-guess password, this type of damage should be expected. Restoring the account from backup, setting a much harder password, and scanning this user's home computer for any sort of problems is suggested.

Good luck!
 

OpenAreas

Member
Jan 7, 2011
Yeah, I store backups for clients, so I restored this for them within 20 minutes of it going down. Reset passwords and provided them via phone (too risky to provide by email at that point). The breach was from an ex-friend of theirs; they guessed my client's Google Mail security questions and gained access to confidential emails and credentials.

The access logs are enough for a small claims court here in the UK. Just one of those things, ain't it.... although logs of what people do in File Manager would have been handy at this point.

Thanks for your help.