The Community Forums


Deleted Files - Who Did It

Discussion in 'Security' started by jeremys_ppc, May 9, 2014.

  1. jeremys_ppc

    jeremys_ppc Member

    Hello all. I have a user whose data was all deleted and replaced with some PHP files. This content is not the client's content... In either case, I am just trying to figure out how these files got deleted. I've checked the /usr/local/cpanel/logs/access_log and /var/log/messages but am not seeing anything specific.

    I was under the impression that file uploads and deletions by FTP would be in /var/log/messages, yet I don't see anything from this client, so I'm assuming that the deletions didn't happen by FTP. Are there any other logs I can check?

    Thanks in advance.
     
  2. quizknows

    quizknows Well-Known Member

    It was likely done through a vulnerability in their site. Stat the new files (stat $filename) to get the change/modify times, and look for those times in the domain's Apache access log (/usr/local/apache/domlogs).
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Yes, as quizknows suggested, please review the Apache domain access logs for this domain name. It's likely the account was exploited through a vulnerable script.

    Thank you.
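
The correlation suggested in the replies above, as an added example that is not part of the original thread: it reads a file's modify/change times and lists the Apache access-log requests logged within a window around them. The 120-second window, the function names and the sample log lines are assumptions made for illustration.

```python
import os
import re
import sys
from datetime import datetime, timedelta, timezone

# Apache common/combined format: IP - user [09/May/2014:03:14:58 -0400] "METHOD /path PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def file_times(path):
    """Modify and change times of a file (what `stat` prints), as aware datetimes."""
    st = os.stat(path)
    return {"mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc),
            "ctime": datetime.fromtimestamp(st.st_ctime, timezone.utc)}

def requests_near(log_lines, when, window_seconds=120):
    """Parsed requests logged within window_seconds of `when`, POST/PUT first."""
    window = timedelta(seconds=window_seconds)  # assumed default, tune per case
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line
        ip, stamp, method, path, status = m.groups()
        try:
            ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # timestamp not in the expected format
        if abs(ts - when) <= window:
            hits.append({"time": ts, "ip": ip, "method": method,
                         "path": path, "status": int(status)})
    # Requests that carry a body are the likeliest to have written files.
    hits.sort(key=lambda h: (h["method"] not in ("POST", "PUT"), h["time"]))
    return hits

# Constructed sample lines (documentation IP ranges, made-up paths), not real log data.
SAMPLE_LOG = [
    '198.51.100.7 - - [09/May/2014:03:10:02 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [09/May/2014:03:14:58 -0400] "POST /upload.php HTTP/1.1" 200 312 "-" "-"',
    '203.0.113.45 - - [09/May/2014:03:15:40 -0400] "GET /new.php HTTP/1.1" 200 88 "-" "-"',
    '198.51.100.7 - - [09/May/2014:09:30:00 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # Usage: script.py <suspicious file> <domlog>; with no arguments, run on the sample.
    if len(sys.argv) == 3:
        times = file_times(sys.argv[1])
        with open(sys.argv[2], errors="replace") as fh:
            lines = fh.readlines()
    else:
        times = {"sample": datetime(2014, 5, 9, 7, 15, 1, tzinfo=timezone.utc)}
        lines = SAMPLE_LOG
    for name, when in times.items():
        for h in requests_near(lines, when):
            print(name, h["time"].isoformat(), h["ip"], h["method"], h["path"], h["status"])
```

Of the two timestamps, the change time is the more dependable, since the modify time can be set to any value by whoever wrote the file.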
     