Apache Access Log file for all accounts?

Discussion in 'EasyApache' started by driverC, Mar 11, 2010.

  1. driverC

    Hi,

    In addition to the VirtualHost log files, I would like to have an Apache log file for all accounts on the server. One which logs all accesses.

    The reason I need this is because a hacker is sending phishing emails from /tmp as user nobody, and the only way I can think of to find out which script contains the security hole that allows him to do this is by analyzing Apache log files. But the log files of cPanel do not contain the information I need and are too large. I would like to create a log file containing all accesses which only logs the URL and process ID. This way, using auditd, I can track down the process that creates the scripts in /tmp.

    So is there any way I can have a global Apache log file in addition to the VirtualHost log files? I needed this many times before, but it seems to me (so far) that the Apache programmers simply do not support this.
     
  2. mohit

    Looks like your PHP is not properly configured/secured.
    A PHP script under an account should run as its cPanel user and not nobody.

    It would be better if you hired some management company to first get rid of the spammer and then properly set up your PHP to have more control.

    You can also disable the nobody user's mail from Tweak Settings to stop the mails until you track him down.
     
  3. driverC

    If PHP runs as an Apache module then it operates as nobody. That is not insecure. It's just one out of two possibilities to handle things. It has its advantages and disadvantages. Apart from that, I have been running PHP as nobody for 6 years and cannot change it since all my customers' applications are configured this way and have file ownerships and permissions set accordingly.

    All I need is the ability to log web accesses the way I want to, and that would solve my problem. I realize I can do it by adding include files, but that seems like a day of work. I was hoping it could be done faster.
     
  4. vincentg

    You need to find the files and remove them.

    Search for funky folders and files owned by nobody in /home.

    Also check /dev/shm for files.

    Hackers sometimes create folders like .../
    On a quick look it seems normal, but look closely and you will see three dots.
    Sometimes they use spaces too.

    You can't log this, but you can find the way he got in by checking the domlogs.
    grep /tmp * or grep wget *

    Try others like curl or Wget and so on.

    You need to get the user that has the security hole in his software to install the upgrade to prevent more such problems.
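
The correlation described in the first post (an access log holding only URL and process ID, matched against auditd records of writes to /tmp), as an added example that is not part of the thread. The log layout, the audit key `tmp-write` and all sample lines are constructed; it assumes each Apache child serves one request at a time (prefork with mod_php), so a PID identifies a single request at any moment.

```python
import re
from bisect import bisect_right
from collections import defaultdict

# Constructed sample; assumed access-log layout: "<epoch> <pid> <url-path>".
ACCESS_LOG = """\
1268300000 4101 /index.php
1268300005 4102 /shop/cart.php
1268300007 4101 /gallery/upload.php
"""
# Constructed audit records (auditd key=value layout, hypothetical key "tmp-write").
AUDIT_LOG = """\
type=SYSCALL msg=audit(1268300008.412:901): arch=c000003e syscall=2 success=yes exit=5 ppid=4000 pid=4101 uid=99 comm="httpd" key="tmp-write"
type=PATH msg=audit(1268300008.412:901): item=0 name="/tmp/mailer.pl" inode=1311 mode=0100644 ouid=99
type=SYSCALL msg=audit(1268300030.100:950): arch=c000003e syscall=2 success=yes exit=5 ppid=1 pid=5000 uid=99 comm="perl" key="tmp-write"
type=PATH msg=audit(1268300030.100:950): item=0 name="/tmp/sess_ab12" inode=1312 mode=0100600 ouid=99
"""
AUDIT_REC = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$", re.M)

def parse_access(text):
    """Return {pid: [(epoch, url), ...]} with each list sorted by time."""
    by_pid = defaultdict(list)
    for line in text.splitlines():
        epoch, pid, url = line.split(None, 2)
        by_pid[int(pid)].append((int(epoch), url))
    return {pid: sorted(reqs) for pid, reqs in by_pid.items()}

def parse_audit(text):
    """Join SYSCALL and PATH records sharing an event serial: [(epoch, pid, path)]."""
    events = {}
    for kind, epoch, serial, rest in AUDIT_REC.findall(text):
        ev = events.setdefault(serial, {"epoch": int(epoch)})
        if kind == "SYSCALL" and (m := re.search(r"\bpid=(\d+)", rest)):
            ev["pid"] = int(m.group(1))
        elif kind == "PATH" and (m := re.search(r'\bname="([^"]*)"', rest)):
            ev["path"] = m.group(1)
    return [(e["epoch"], e["pid"], e["path"]) for e in events.values() if "pid" in e and "path" in e]

def correlate(access, audit, window=60):
    """Pair each /tmp write with the latest request its PID began at or before it."""
    hits = []
    for epoch, pid, path in audit:
        reqs = access.get(pid, [])
        i = bisect_right(reqs, (epoch, "\uffff")) - 1
        near = i >= 0 and epoch - reqs[i][0] <= window
        hits.append((path, pid, reqs[i][1] if near else None))
    return hits

print(correlate(parse_access(ACCESS_LOG), parse_audit(AUDIT_LOG)))
```

A `None` URL means no logged request from that PID started within the window before the write, so the writing process is not an Apache child seen in the access log.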
     