What log files to check after an account gets hacked/defaced?

Ekushey

Ekushey

Well-Known Member
Oct 26, 2011
46
7
133
Bangladesh
cPanel Access Level
Root Administrator
Twitter
From time to time many customer accounts gets hacked/defaced, many of whom are using WordPress or CMS as such.

Can I get a list of log files to check to identify from which IP addresses these mischief were done as well as how it was done? What scares me is mass defacement, so any pointers will be helpful.
 
Last edited:
Q

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
Normally I check ftp logs (/var/log/messages) first because they're easiest to check, though, most defacements aren't done over FTP.

Then I check cPanel access logs (The access log in /usr/local/cpanel/logs/).

After that I check the most likely culprit (though the hardest to dig through) which is the domains apache domlogs (/usr/local/apache/domlogs/domain.com)

Checking domlogs involves taking the time stamps from defaced files, and then looking for the activity at that time in the domain access log.
 
  • Like
Reactions: linux4me2
cPanelMichael

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,268
463
Hello :)

Yes, as mentioned in the previous post, the domain access log (/usr/local/apache/domlogs/$domain) is likely going to have the information you are seeking. However, keep in mind the domain access logs are often rotated after each statistics generation. You may need to search through the access logs that are archived in the user's home directory (assuming that feature is enabled on your system).

Thank you.
 
  • Like
Reactions: linux4me2
G

gadalf

Well-Known Member
Jun 8, 2014
50
0
6
cPanel Access Level
Root Administrator
I used that comand and it showd me logs for just today.
The file I want to invetigate was uploaded 4 days ago.
Is any chance I can find from where it was uploaded?
 
cPanelMichael

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,268
463
gadalf said:
I used that comand and it showd me logs for just today.
The file I want to invetigate was uploaded 4 days ago.
Is any chance I can find from where it was uploaded?
Click to expand...
Please see this part of my previous message and let us know if it's helpful:

However, keep in mind the domain access logs are often rotated after each statistics generation. You may need to search through the access logs that are archived in the user's home directory (assuming that feature is enabled on your system).
Click to expand...
Thank you.
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
Fakher Uploaded Files Log? Security 1
A Changed system files - No info in "New" or "Chaneg Log" Security 3
sehh stale *-ssl_data_log files Security 1
F How name the files with password and login Security 1
Y looking at log files to see if a cpanel vulnerability was used to hack a website Security 2
Similar threads
Uploaded Files Log?
Changed system files - No info in "New" or "Chaneg Log"
stale *-ssl_data_log files
How name the files with password and login
looking at log files to see if a cpanel vulnerability was used to hack a website
Top Bottom