The Community Forums


Access logs, file manager logs etc

Discussion in 'General Discussion' started by OpenAreas, Jan 26, 2011.

  1. OpenAreas

    OpenAreas Member

    Hi

    Client had a breach to their website, got the access logs and found the culprit and their IP. FTP logs show no access. Access logs show once inside cPanel then went into file manager. This is where they deleted public_html folder.

    Where do I find a log that tells me they deleted this folder?
     
  2. garrettp

    garrettp Well-Known Member
    PartnerNOC

    cPanel Access Level:
    DataCenter Provider
    Try searching through:

    Code:
    /usr/local/cpanel/logs/access_log
    This file contains access_log data for the cPanel/WHM interface, and you can search through the GET strings for 'frontend/x3/filemanager' (or whatever skin is used).
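
An added example, not part of the original thread: a shell helper that builds a timeline of File Manager requests from one client IP in the log garrettp names. The log layout, the sample lines, the addresses, the user names and the `example-action.html` path are constructed assumptions.

```bash
#!/usr/bin/env bash
# Added example. Assumes combined-log-style lines:
#   ip - user [time zone] "METHOD path proto" status ...

# fm_timeline LOGFILE IP
# Prints "time user method status path" for each File Manager request from IP.
# $1 == ip is an exact match, so searching for 203.0.113.4 does not also
# return 203.0.113.45 lines, as a plain grep would. All methods are kept.
fm_timeline() {
    awk -v ip="$2" '
        $1 == ip && index($7, "/filemanager") > 0 {
            ts = substr($4, 2)        # drop the leading "["
            method = substr($6, 2)    # drop the leading double quote
            print ts, $3, method, $9, $7
        }' "$1"
}

# fm_summary LOGFILE IP
# Prints "count first_time last_time", or "0" when nothing matched.
fm_summary() {
    fm_timeline "$1" "$2" | awk '
        NR == 1 { first = $1 }
        { last = $1 }
        END { if (NR) print NR, first, last; else print 0 }'
}

# Constructed sample lines (not real log data).
sample_log() {
    cat <<'EOF'
203.0.113.45 - exampleuser [01/26/2011:09:14:02 -0000] "GET /frontend/x3/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.45 - exampleuser [01/26/2011:09:14:40 -0000] "GET /frontend/x3/filemanager/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.45 - exampleuser [01/26/2011:09:15:11 -0000] "POST /frontend/x3/filemanager/example-action.html HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.4 - otheruser [01/26/2011:09:16:00 -0000] "GET /frontend/x3/filemanager/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0"
EOF
}

log=$(mktemp)
sample_log > "$log"
fm_timeline "$log" 203.0.113.45
fm_summary "$log" 203.0.113.45
rm -f "$log"
```

On a server, pass `/usr/local/cpanel/logs/access_log` and the address under investigation instead of the sample file, and work on a copy of the log so the original stays unmodified.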
     
  3. OpenAreas

    OpenAreas Member

    Hi

    I've had a look through them and indeed got results from the criminal's IP which shows GET requests. But what am I looking for that shows a request "delete public_html"?
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    cPanel Access Level:
    Root Administrator
    I'm not sure that there are log files for the File Manager itself, hopefully I'll be corrected here by someone. I've just created and then deleted a directory via FM and can find no traces of those actions in my logs.
     
  5. OpenAreas

    OpenAreas Member

    There are logs of said person accessing file manager.

    Thing is my client wants to process legal action and needs said logs... bit lacking if logs are provided for GET accesses to FM but not rm -rf requests?
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    cPanel Access Level:
    Root Administrator
    Correct.

    I agree. If there are tracks left for actual actions in File Manager I'm not sure where they'd be.

    That said, how did they get into the account? If the user did not have a hard-to-guess password this type of damage should be expected. Restoring the account from backup, setting a much harder password, and scanning this user's home computer for any sort of problems is suggested.

    Good luck!
     
  7. OpenAreas

    OpenAreas Member

    Yeah, I store backups for clients, so I restored this for them within 20 mins of it going down. Reset passwords and provided it via phone (too risky to provide by email at that point). The breach was from an ex-friend of theirs; they guessed my client's Google Mail security questions and gained access to confidential emails and credentials.

    The access logs are enough for a small claims court here in the UK. Just one of those things ain't it.... although logs of what people do in file manager would have been handy at this point.

    Thanks for your help.
     