Deleted Files - Who Did It

Discussion in 'Security' started by jeremys_ppc, May 9, 2014.

  1. jeremys_ppc

    Hello all. I have a user whose data was all deleted and replaced with some PHP files. This content is not the client's content... In either case, I am just trying to figure out how these files got deleted. I've checked the /usr/local/cpanel/logs/access_log and /var/log/messages but am not seeing anything specific.

    I was under the impression that file uploads and deletions by FTP would be in /var/log/messages, yet I don't see anything from this client, so I'm assuming that the deletions didn't happen by FTP. Are there any other logs I can check?

    Thanks in advance.
     
  2. quizknows

    It was likely done through a vulnerability in their site. Stat the new files (stat $filename) to get the change/modify times, and look for those times in the domain's Apache access log (/usr/local/apache/domlogs).
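
The correlation suggested in the post above, sketched as an added example (not code from the thread or from cPanel): it takes a file's change time and lists the access-log requests logged within a window around it, POSTs first. The log lines, the change time, the 120-second window and all function names are constructed for illustration, and the combined log format is assumed.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Prefix of Apache common/combined log format: ip, [timestamp], "METHOD path ...", status
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def file_change_times(path):
    """Return (mtime, ctime) as timezone-aware UTC datetimes.
    On Linux, ctime is the inode change time and is not reset by `touch -d`."""
    st = os.stat(path)
    return tuple(datetime.fromtimestamp(t, timezone.utc) for t in (st.st_mtime, st.st_ctime))

def parse_line(line):
    """Parse one access-log line; return None if it does not match."""
    m = CLF.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")  # offset-aware
    return {"ip": ip, "time": when, "method": method, "path": path, "status": int(status)}

def requests_near(log_lines, event_time, window_seconds=120):
    """Requests logged within +/- window_seconds of a file change, POSTs first."""
    window = timedelta(seconds=window_seconds)
    hits = [e for e in map(parse_line, log_lines)
            if e and abs(e["time"] - event_time) <= window]
    return sorted(hits, key=lambda e: (e["method"] != "POST", e["time"]))

# Constructed sample log lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/May/2014:03:10:02 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/May/2014:03:14:41 -0400] "GET /contact.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/May/2014:03:14:55 -0400] "POST /scripts/upload.php HTTP/1.1" 200 312 "-" "-"',
    '192.0.2.10 - - [09/May/2014:04:30:00 -0400] "GET /about.php HTTP/1.1" 200 1840 "-" "Mozilla/5.0"',
]
# Constructed change time standing in for the output of file_change_times().
SAMPLE_CHANGE = datetime(2014, 5, 9, 7, 15, 3, tzinfo=timezone.utc)

if __name__ == "__main__":
    for e in requests_near(SAMPLE_LOG, SAMPLE_CHANGE):
        print(e["time"].isoformat(), e["ip"], e["method"], e["path"], e["status"])
```

On a real server, pass the lines of the domain's log under /usr/local/apache/domlogs and the times returned by file_change_times() for each unfamiliar file; comparing timezone-aware datetimes handles the offset between the log's local time and the file timestamps.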
     
  3. cPanelMichael

    Hello :)

    Yes, as quizknows suggested, please review the Apache domain access logs for this domain name. It's likely the account was exploited through a vulnerable script.

    Thank you.
     