The Community Forums

Interact with an entire community of cPanel & WHM users!

What log files to check after an account gets hacked/defaced?

Discussion in 'Security' started by Ekushey, Jun 9, 2014.

  1. Ekushey

    Ekushey Member

    Joined:
    Oct 26, 2011
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Bangladesh
    cPanel Access Level:
    Root Administrator
    From time to time many customer accounts get hacked/defaced, many of which are using WordPress or a CMS as such.

    Can I get a list of log files to check to identify from which IP addresses this mischief was done as well as how it was done? What scares me is mass defacement, so any pointers will be helpful.
     
    #1 Ekushey, Jun 9, 2014
    Last edited: Jun 9, 2014
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Normally I check FTP logs (/var/log/messages) first because they're easiest to check, though most defacements aren't done over FTP.

    Then I check cPanel access logs (the access log in /usr/local/cpanel/logs/).

    After that I check the most likely culprit (though the hardest to dig through), which is the domain's Apache domlogs (/usr/local/apache/domlogs/domain.com).

    Checking domlogs involves taking the time stamps from defaced files, and then looking for the activity at that time in the domain access log.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Yes, as mentioned in the previous post, the domain access log (/usr/local/apache/domlogs/$domain) is likely going to have the information you are seeking. However, keep in mind the domain access logs are often rotated after each statistics generation. You may need to search through the access logs that are archived in the user's home directory (assuming that feature is enabled on your system).

    Thank you.
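
Added example (not part of any post in this thread, and not cPanel code): one way to do the timestamp correlation described above, reading both the live domlog and gzip-compressed archived copies. The log paths are supplied by the caller, the sample lines and the plugin path in them are constructed, and the 120-second window is an assumption.

```python
import gzip, os, re
from datetime import datetime, timedelta, timezone

# Apache common/combined log line: client IP, [timestamp], "METHOD URL ...", status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample lines (documentation IP ranges, hypothetical plugin path).
SAMPLE = '''\
198.51.100.7 - - [09/Jun/2014:03:14:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [09/Jun/2014:03:15:10 +0000] "POST /wp-content/plugins/example/upload.php HTTP/1.1" 200 31 "-" "curl/7.30"
192.0.2.44 - - [09/Jun/2014:03:15:12 +0000] "GET /index.php HTTP/1.1" 200 412 "-" "curl/7.30"
198.51.100.7 - - [09/Jun/2014:09:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''.splitlines()

def open_log(path):
    """Open a live domlog, or a rotated/archived .gz copy, as text."""
    opener = gzip.open if path.endswith(".gz") else open
    return opener(path, "rt", errors="replace")

def requests_near(lines, when, window_s=120):
    """Yield (time, ip, method, url, status) for hits within window_s of `when`."""
    window = timedelta(seconds=window_s)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the search
        ip, stamp, method, url, status = m.groups()
        try:
            ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        if abs(ts - when) <= window:
            yield ts, ip, method, url, int(status)

def suspects(log_paths, defaced_file, window_s=120):
    """Correlate a defaced file's modification time with hits in the given logs."""
    when = datetime.fromtimestamp(os.path.getmtime(defaced_file), timezone.utc)
    hits = []
    for path in log_paths:
        with open_log(path) as fh:
            hits.extend(requests_near(fh, when, window_s))
    # Requests that write data (POST/PUT) are listed first, then by time.
    return sorted(hits, key=lambda h: (h[2] not in ("POST", "PUT"), h[0]))
```

A file's modification time can be reset by whoever wrote it, so compare it with the inode change time (`st_ctime`) before trusting the window.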
     
  4. gadalf

    gadalf Well-Known Member

    Joined:
    Jun 8, 2014
    Messages:
    50
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    I used that command and it showed me logs for just today.
    The file I want to investigate was uploaded 4 days ago.
    Is there any chance I can find from where it was uploaded?
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Please see this part of my previous message and let us know if it's helpful:

    Thank you.
     
  6. eva2000

    eva2000 Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    322
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Brisbane, Australia
    cPanel Access Level:
    Root Administrator