Dante78

Hello

It seems that one of my clients was hacked and someone installed a phpBB forum on their account. How can I see from which IP this was done?

Thanks
 

quizknows

If you're lucky, and you don't have default WHM tweak settings (or the user enabled log archiving) the logs will be available through:

/home/$username/access-logs/domain.com
or
/home/$username/logs/domain.com[.gz]

Best to 'stat' a hacked file, and look for that time in the logs.
 

MaestriaNick

First of all, you need to find the timestamp on those phpforum files to see when they were uploaded. Then you can check the FTP logs (/home/user/access_logs/ftp.domainxxx) and access logs (/home/user/access_logs/domainxxx) to see what happened during that time. If you have any auto script install tools like Softaculous / Fantastico in cPanel, it is worth checking the cPanel logs as well (which may need root). Anyway, change the cPanel password for the account as soon as possible.
 

cPanelMichael

Administrator
Staff member
Hello :)

Yes, after searching for the timestamp of the installation, you can check the domain access logs for the domain name within the following directory as mentioned in the other replies:

Code:
/usr/local/apache/domlogs/
Thank you.
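
The steps suggested in the replies above (take the modification time of a planted file, then look for requests around that time in the domain access log), as an added example that is not part of the original thread. It assumes Apache combined log format; the function names `ips_near_time` and `sample_log`, the sample log lines and the epoch value are constructed for illustration. Comparing epoch seconds avoids mistakes when the server's local time and the logged UTC offset differ.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Apache combined log format.
# ips_near_time LOG EPOCH [WINDOW_SECS] -> "count ip" per client, busiest first
ips_near_time() {
    awk -v t="$2" -v w="${3:-300}" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", n, " ")
        for (i = 1; i <= 12; i++) mon[n[i]] = i
    }
    {
        # $4 is "[01/May/2014:13:45:10", $5 is "+0000]"
        split(substr($4, 2), p, "[/:]")
        d = p[1]; m = mon[p[2]]; y = p[3]
        if (m == "") next                      # no parsable timestamp
        # Days since 1970-01-01 (civil-date arithmetic, works in any awk)
        if (m <= 2) { y--; m += 9 } else m -= 3
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * m + 2) / 5) + d - 1
        days = era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
        # Convert the logged local time to UTC using the logged offset
        off = substr($5, 2, 2) * 3600 + substr($5, 4, 2) * 60
        if (substr($5, 1, 1) == "-") off = -off
        e = days * 86400 + p[4] * 3600 + p[5] * 60 + p[6] - off
        if (e >= t - w && e <= t + w) hits[$1]++
    }
    END { for (ip in hits) print hits[ip], ip }' "$1" | sort -rn
}

# Constructed sample log lines (documentation IP ranges, made-up paths)
sample_log() {
    cat <<'EOF'
198.51.100.7 - - [01/May/2014:09:12:44 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.25 - - [01/May/2014:13:44:02 +0000] "POST /forum/install/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.25 - - [01/May/2014:13:45:10 +0000] "POST /forum/install/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/May/2014:15:46:30 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.90 - - [01/May/2014:18:30:00 +0000] "GET /forum/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
EOF
}

# Demo: 1398951910 is 2014-05-01 13:45:10 UTC, standing in for the file's mtime
tmp=$(mktemp)
sample_log > "$tmp"
ips_near_time "$tmp" 1398951910 300   # prints "2 203.0.113.25" then "1 198.51.100.7"
rm -f "$tmp"
# Real use (GNU stat), with FILE being one of the planted files:
#   ips_near_time /usr/local/apache/domlogs/domain.com "$(stat -c %Y FILE)"
```

Every IP in the window is only a candidate: normal visitors show up too, so read the matching request lines before drawing conclusions, and remember that file timestamps can be changed by whoever controls the account.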