What log files to check after an account gets hacked/defaced?

Ekushey (Active Member, joined Oct 26, 2011, Bangladesh; cPanel Access Level: Root Administrator)

From time to time many customer accounts get hacked/defaced, many of which are using WordPress or a CMS of that kind.

Can I get a list of log files to check to identify from which IP addresses this mischief was done, as well as how it was done? What scares me is mass defacement, so any pointers will be helpful.

quizknows (Well-Known Member, joined Oct 20, 2009; cPanel Access Level: DataCenter Provider)

Normally I check the FTP logs (/var/log/messages) first because they're easiest to check, though most defacements aren't done over FTP.

Then I check cPanel access logs (The access log in /usr/local/cpanel/logs/).

After that I check the most likely culprit (though the hardest to dig through), which is the domain's Apache domlogs (/usr/local/apache/domlogs/domain.com).

Checking domlogs involves taking the time stamps from defaced files, and then looking for the activity at that time in the domain access log.

cPanelMichael (Administrator, Staff member, joined Apr 11, 2011)

Hello :)

Yes, as mentioned in the previous post, the domain access log (/usr/local/apache/domlogs/$domain) is likely going to have the information you are seeking. However, keep in mind the domain access logs are often rotated after each statistics generation. You may need to search through the access logs that are archived in the user's home directory (assuming that feature is enabled on your system).

Thank you.
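Both the correlation step quizknows describes (take the defaced file's timestamp, then look at the domain access log around that time) and cPanelMichael's point that older entries may only survive in the archived copies in the user's home directory can be worked through with a short script. The following is an added example, not code from this thread or from cPanel. It assumes the domlog is written in Apache's default combined LogFormat and that the archived copies are gzip files (names ending in .gz); the log lines, IP addresses and file time it uses are constructed for the example, not real traffic.

```python
"""Correlate a defaced file's timestamp with Apache domlog entries.

Added example, not code from the original thread or from cPanel. Assumes the
domlog uses Apache's default "combined" LogFormat and that archived copies
under the user's home directory are gzip-compressed (names ending in .gz);
both are assumptions, not something the thread states.
"""
import gzip
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from pathlib import Path

# combined format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = m["req"].split(" ")  # e.g. ["POST", "/x.php", "HTTP/1.1"]
    return {
        "ip": m["ip"],
        "ts": ts,
        "method": parts[0] if parts else "",
        "path": parts[1] if len(parts) > 1 else "",
        "status": int(m["status"]),
        "ua": m["ua"],
    }


def parse_text(text):
    """Parse a block of log text, skipping lines that do not match the format."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def iter_log(path):
    """Yield entries from a live domlog or a .gz archive; same parser either way."""
    opener = gzip.open if str(path).endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            entry = parse_line(line.rstrip("\n"))
            if entry:
                yield entry


def file_mtime(path):
    """Modification time of the defaced file as a timezone-aware datetime (UTC)."""
    return datetime.fromtimestamp(Path(path).stat().st_mtime, tz=timezone.utc)


def requests_near(entries, when, window=timedelta(minutes=5)):
    """Entries whose timestamp falls within +/- window of the file's mtime."""
    lo, hi = when - window, when + window
    return [e for e in entries if lo <= e["ts"] <= hi]


def summarize_by_ip(entries):
    """Per-IP request count, POST count and the set of paths hit."""
    by_ip = defaultdict(lambda: {"requests": 0, "posts": 0, "paths": set()})
    for e in entries:
        d = by_ip[e["ip"]]
        d["requests"] += 1
        if e["method"] == "POST":
            d["posts"] += 1
        d["paths"].add(e["path"])
    return dict(by_ip)


def rank_ips(by_ip):
    """Most POSTs first, then most requests: a POST to a .php file just before the
    mtime is the usual upload/web-shell signature. Heuristic, not proof; a shell
    driven purely by GET parameters would not score on POSTs."""
    return sorted(by_ip, key=lambda ip: (by_ip[ip]["posts"], by_ip[ip]["requests"]),
                  reverse=True)


# Constructed sample domlog (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2014:14:01:12 +0600] "GET /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2014:14:02:30 +0600] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2014:14:03:05 +0600] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2014:14:03:09 +0600] "POST /wp-content/uploads/x.php HTTP/1.1" 200 43 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2014:14:04:01 +0600] "GET /about/ HTTP/1.1" 200 6000 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Jun/2014:09:00:00 +0600] "GET / HTTP/1.1" 200 100 "-" "curl/7.30.0"
"""
# Constructed mtime of the defaced file, a second after the second POST.
DEFACED_MTIME = datetime(2014, 6, 10, 14, 3, 10, tzinfo=timezone(timedelta(hours=6)))

if __name__ == "__main__":
    near = requests_near(parse_text(SAMPLE_LOG), DEFACED_MTIME)
    by_ip = summarize_by_ip(near)
    for ip in rank_ips(by_ip):
        d = by_ip[ip]
        print(f"{ip}: {d['requests']} requests, {d['posts']} POSTs, paths={sorted(d['paths'])}")
```

Against a real account, replace SAMPLE_LOG with the entries from iter_log() over the live domlog plus each .gz archive in the user's home directory, and DEFACED_MTIME with file_mtime() of the defaced file. Two caveats: an attacker can reset mtime with touch, so compare against the inode change time (st_ctime) as well, and widen the window if the two disagree; and a domlog timestamp records when the request started, so the file write normally lands a little after the matching log line, which is why the search runs on both sides of the mtime.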

gadalf (Well-Known Member, joined Jun 8, 2014; cPanel Access Level: Root Administrator)

I used that command and it showed me logs for just today.
The file I want to investigate was uploaded 4 days ago.
Is there any chance I can find where it was uploaded from?
 

cPanelMichael (Administrator, Staff member, joined Apr 11, 2011)

gadalf said:
    I used that command and it showed me logs for just today.
    The file I want to investigate was uploaded 4 days ago.
    Is there any chance I can find where it was uploaded from?

Please see this part of my previous message and let us know if it's helpful:

    However, keep in mind the domain access logs are often rotated after each statistics generation. You may need to search through the access logs that are archived in the user's home directory (assuming that feature is enabled on your system).

Thank you.