The Community Forums


How to pursue unauthorized server access?

Discussion in 'General Discussion' started by jefferymac, Jul 2, 2006.

  1. jefferymac

    jefferymac Registered

    Joined:
    Mar 19, 2005
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Last week someone accessed the primary account of my design business on my server via FTP, downloaded files and defaced the website. I suspect it was a former business partner as the IP address traces to my city and it's really the only logical explanation for the actions in question.

    I believe this falls outside of the user's AUP with their service provider (violation of privacy), however the user's service provider is asking for specific information from the firewall logs that I don't see in /var/logs/messages. Specifically, they want log entries that are stamped with time zone, the IP of my server, and the local port.

    How should I pursue this further? I don't necessarily want to be punitive, but I want to determine if the attacker in question is in fact this former business partner as his actions would be in violation of a separation agreement.
     
  2. NightStorm

    NightStorm Well-Known Member

    Joined:
    Jul 28, 2003
    Messages:
    286
    Likes Received:
    4
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Since it was a week ago, it's possible that the log containing his traffic was rotated. Try logging in with SSH, cd to /var/log and grep <ip> messages*
    See if it finds the log containing his login... if you find it, you can pull from it the information that the ISP requests, or send them the complete unedited log and let them sift through it themselves.
     
  3. jefferymac

    jefferymac Registered

    Joined:
    Mar 19, 2005
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    I was able to find the IP and verify his connections and file transfers and I sent this in to his ISP. Unfortunately his ISP replied saying that they needed more specific information from the log files (specifically the Time Zone, local IP and Port). My logs only contain:

    Jun 30 13:00:09 host pure-ftpd: (?@**.**.**.**) [INFO] New connection from **.**.**.**
    Jun 30 14:12:05 host pure-ftpd: (******@**.**.**.**) [NOTICE] /****/****.jpg downloaded (784526 bytes, 186.33KB/sec)

    etc etc, no time zone, local port (although 21 is implied by the ftpd connection) or local IP.
     
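    As an added example (not code from the thread), the script below reads pure-ftpd syslog lines in the format quoted above and rewrites the suspect's events with the three fields the ISP asked for. The sample lines are constructed, and the year, the server's UTC offset and the local IP are assumptions supplied by the caller, because the syslog format records none of them.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample lines modelled on the pure-ftpd syslog format quoted above;
# addresses, user names and paths are placeholders, not data from the thread.
SAMPLE_LOG = """\
Jun 30 13:00:09 host pure-ftpd: (?@203.0.113.5) [INFO] New connection from 203.0.113.5
Jun 30 14:12:05 host pure-ftpd: (webuser@203.0.113.5) [NOTICE] /public_html/img/logo.jpg downloaded (784526 bytes, 186.33KB/sec)
Jun 30 14:13:40 host pure-ftpd: (webuser@203.0.113.5) [NOTICE] /public_html/index.html uploaded (2048 bytes, 50.00KB/sec)
Jun 30 14:15:00 host pure-ftpd: (?@198.51.100.9) [INFO] New connection from 198.51.100.9
"""

# One syslog line: "Mon DD HH:MM:SS host pure-ftpd: (user@ip) [LEVEL] message"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ pure-ftpd: \((?P<user>[^@)]*)@(?P<ip>[^)]+)\) \[\w+\] (?P<msg>.*)$"
)
# Transfer messages: "<path> downloaded|uploaded (<n> bytes, ...)"
XFER_RE = re.compile(r"^(?P<path>.+?) (?P<dir>downloaded|uploaded) \((?P<bytes>\d+) bytes")

def normalize_ftp_events(log_text, suspect_ip, server_ip, utc_offset_hours, year, local_port=21):
    """Return the suspect's FTP events with an explicit UTC offset, local IP and local port added.
    utc_offset_hours, year and server_ip are assumptions the caller supplies: syslog omits all three.
    local_port is the control channel (21); data transfers use separate ports this log does not record."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["ip"] != suspect_ip:
            continue
        stamp = datetime.strptime(f"{m['mon']} {m['day']} {year} {m['time']}",
                                  "%b %d %Y %H:%M:%S").replace(tzinfo=tz)
        event = {"timestamp": stamp.isoformat(), "remote_ip": suspect_ip, "local_ip": server_ip,
                 "local_port": local_port, "user": None if m["user"] == "?" else m["user"]}
        x = XFER_RE.match(m["msg"])
        if x:
            event.update(event="download" if x["dir"] == "downloaded" else "upload",
                         path=x["path"], bytes=int(x["bytes"]))
        elif m["msg"].startswith("New connection"):
            event["event"] = "connect"
        else:
            event.update(event="other", detail=m["msg"])
        events.append(event)
    return events

def format_report(events):
    """Render one line per event in a form an abuse desk can correlate with its own records."""
    lines = []
    for e in events:
        extra = f" path={e['path']} bytes={e['bytes']}" if e["event"] in ("download", "upload") else ""
        lines.append(f"{e['timestamp']} remote={e['remote_ip']} local={e['local_ip']}:{e['local_port']} "
                     f"user={e['user'] or '-'} event={e['event']}{extra}")
    return lines

if __name__ == "__main__":
    for row in format_report(normalize_ftp_events(SAMPLE_LOG, "203.0.113.5", "192.0.2.10", -5, 2006)):
        print(row)
```

    Run it against the real /var/log/messages (or a rotated copy) with the suspect's IP, the server's public IP and the server's UTC offset; the timestamps then carry the zone explicitly instead of relying on the server clock being understood by the reader.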
  4. NightStorm

    NightStorm Well-Known Member

    Joined:
    Jul 28, 2003
    Messages:
    286
    Likes Received:
    4
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Could try sending them the raw ftp log from cPanel.
    Log into cPanel (not WHM) for the account that he messed with... go to FTP manager, and click on "FTP Accounts". At the bottom will be some links to download raw files... right-click on the one that ends in -ftp_log and see if he's in there.
     