KillaH425

Registered
Oct 4, 2006
3
0
151
I am fairly sure that someone has hacked into our server either by exploit or by guessing our password. I want to find the logs of the FTP access, but I can't get them thru cPanel. I downloaded the main file and it brings up a command prompt and then in the FTP Manager section I can't access the links at the bottom because they don't exist. Any suggestions?!
 

designeru

Well-Known Member
Nov 2, 2005
83
0
156
Hint!

Try logging in to your console (ssh), go to /var/logs and search there:

- xferlog - ftp log
- /usr/local/apache/domlogs/ - search for wget or cmd
- last - the last logins to your server

Don't forget to run rkhunter and chkrootkit.
Also, do a:
# ps -auxf | grep nobody
... to see if there are any started processes.

Go to /tmp and search for any suspicious files.

If "the one" who broke your server and wasn't stupind enough you won't find a thing.
 

KillaH425

Registered
Oct 4, 2006
3
0
151
How do you login using SSH? And by the way, cPanel is installed on a local server and not WHM, in case that changes anything. I can still access the console, but I know someone banned IPs and screwed something up because now nothing works. Thanks.
 

designeru

Well-Known Member
Nov 2, 2005
83
0
156
Advice...

> How do you login using SSH?
google.com -> putty ssh

This is a small tool that will let you connect to your unix based server from any windows computer.

> I can still access the console, but I know someone banned IPs and screwed something up because now nothing works.

You mean you have direct access to that server? Do
# iptables -F && iptables -F -t nat && iptables -F -t mangle
... if you don't have direct access to the server, ask your seller to do that. You will need ROOT ACCESS to do that, then login from windows pc via ssh.
 

KillaH425

Registered
Oct 4, 2006
3
0
151
I am pretty positive this route would take weeks as it isn't hosted by a company. Instead it is hosted by someone that is hard to contact. I was hoping for an easier method.
 

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
2,221
4
193
Minneapolis, MN
KillaH425 said:
I am pretty positive this route would take weeks as it isn't hosted by a company. Instead it is hosted by someone that is hard to contact. I was hoping for an easier method.
If you are hosting your web site, you'll have to contact your host for help. If you have a dedicated server and need help, contact your Data Center, or seek professional help.
 

Danny_T

Well-Known Member
Jul 19, 2005
181
0
166
Netherlands
the /scripts/securetmp script will fix a lot hack attempts, at least the cant run executables'ou t the tmp dirs. There are always on a webhosting system a lot php applications that are leak. Much webmasters don't update their PHP application in time or not at all.
Now i see a lot weird executeables in my tmp dirs but they are not started anymore :) that saved a lot trouble hehe

I only miss the secure of the shm device in that script (box is FC).

Danny.