If you're lucky, and you don't have default WHM tweak settings (or the user enabled log archiving) the logs will be available through:
/home/$username/access-logs/domain.com
or
/home/$username/logs/domain.com[.gz]
Best to 'stat' a hacked file, and look for that time in the logs.
/home/$username/access-logs/domain.com
or
/home/$username/logs/domain.com[.gz]
Best to 'stat' a hacked file, and look for that time in the logs.
First of all you need to find the timestamp on that phpforum files to see when they were uploaded. Then you can check the ftp logs (/home/user/access_logs/ftp.domainxxx ) and access logs (/home/user/access_logs/domainxxx) to see what all happened during that time. If you have any auto script install tools like softaculous / fantastico in cpanel, worth checking the cpanel logs as well (which may need root ). Any way, change the cpanel password for the account as soon as possible.
Hello 
Yes, after searching for the timestamp of the installation, you can check the domain access logs for the domain name within the following directory as mentioned in the other replies:
Thank you.
Yes, after searching for the timestamp of the installation, you can check the domain access logs for the domain name within the following directory as mentioned in the other replies:
Code:
/usr/local/apache/domlogs/