How to pursue unauthorized server access?

jefferymac

Registered
Mar 19, 2005
Last week someone accessed the primary account of my design business on my server via FTP, downloaded files and defaced the website. I suspect it was a former business partner as the IP address traces to my city and it's really the only logical explanation for the actions in question.

I believe this falls outside of the user's AUP with their service provider (violation of privacy), however the user's service provider is asking for specific information from the firewall logs that I don't see in /var/logs/messages. Specifically, they want log entries that are stamped with time zone, the IP of my server, and the local port.

How should I pursue this further? I don't necessarily want to be punitive, but I want to determine if the attacker in question is in fact this former business partner as his actions would be in violation of a separation agreement.

NightStorm

Well-Known Member
Jul 28, 2003
cPanel Access Level: Root Administrator
Since it was a week ago, it's possible that the log containing his traffic was rotated. Try logging in with SSH, cd to /var/log and grep <ip> messages*
See if it finds the log containing his login... if you find it, you can pull from it the information that the ISP requests, or send them the complete unedited log and let them sift through it themselves.

jefferymac

I was able to find the IP and verify his connections and file transfers and I sent this in to his ISP. Unfortunately his ISP replied saying that they needed more specific information from the log files (specifically the Time Zone, local IP and Port). My logs only contain:

Jun 30 13:00:09 host pure-ftpd: ([email protected]**.**.**.**) [INFO] New connection from **.**.**.**
Jun 30 14:12:05 host pure-ftpd: (******@**.**.**.**) [NOTICE] /****/****.jpg downloaded (784526 bytes, 186.33KB/sec)

etc., etc. No time zone, local port (although 21 is implied by the ftpd connection) or local IP.
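The two log lines above already carry the remote address and the event; what they lack is the year, the zone and the local endpoint. Below is an added example (not code from anyone in this thread) that parses pure-ftpd syslog entries in that format, keeps only those from one remote address, and stamps each with the server's configured zone and local endpoint so the report has the fields the ISP asked for. The sample lines, the year 2005, the EDT zone and the server address 192.0.2.10 are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the pure-ftpd syslog format quoted above (RFC 5737 test addresses).
SAMPLE_LOG = """\
Jun 30 13:00:09 host pure-ftpd: (?@203.0.113.5) [INFO] New connection from 203.0.113.5
Jun 30 13:00:12 host pure-ftpd: (design@203.0.113.5) [INFO] design is now logged in
Jun 30 14:12:05 host pure-ftpd: (design@203.0.113.5) [NOTICE] /public_html/logo.jpg downloaded (784526 bytes, 186.33KB/sec)
Jun 30 15:01:44 host pure-ftpd: (?@198.51.100.9) [INFO] New connection from 198.51.100.9
"""
EDT = timezone(timedelta(hours=-4), "EDT")  # assumed server zone for the demo

LINE_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) pure-ftpd: "
    r"\((?P<user>[^@]*)@(?P<remote>[\d.]+)\) \[(?P<level>\w+)\] (?P<msg>.*)$"
)

def parse_line(line, year, tz):
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None  # not a pure-ftpd entry (other daemons share /var/log/messages)
    # syslog stamps carry no year or zone; the caller supplies the server's
    # configured zone, which yields the zone-qualified timestamp the ISP asked for.
    naive = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
    return {
        "timestamp": naive.replace(tzinfo=tz).isoformat(),
        "user": m["user"],
        "remote_ip": m["remote"],
        "level": m["level"],
        "message": m["msg"],
    }

def extract_for_ip(log_text, remote_ip, year, tz, server_ip, local_port=21):
    # Keep entries from the address in question and add the local endpoint,
    # which pure-ftpd does not log (port 21 is implied by the ftpd entries).
    records = []
    for line in log_text.splitlines():
        rec = parse_line(line, year, tz)
        if rec and rec["remote_ip"] == remote_ip:
            rec["local_ip"] = server_ip
            rec["local_port"] = local_port
            records.append(rec)
    return records

def format_report(records):
    # One line per event with the fields the ISP requested.
    return [
        f"{r['timestamp']} {r['remote_ip']} -> {r['local_ip']}:{r['local_port']} "
        f"user={r['user'] or '-'} [{r['level']}] {r['message']}"
        for r in records
    ]
```

Run it against the real file with the actual server address and zone, e.g. `format_report(extract_for_ip(open("/var/log/messages").read(), "<ip>", 2005, EDT, "<server ip>"))`; the raw, unedited log should still go to the ISP alongside the report.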

NightStorm

Could try sending them the raw ftp log from cPanel.
Log into cPanel (not WHM) for the account that he messed with... go to FTP manager, and click on "FTP Accounts". At the bottom will be some links to download raw files... right-click on the one that ends in -ftp_log and see if he's in there.