Knowledgebase

what is reason of hack?

Posted by ertebat7, 01-11-2013, 01:15 AM
Hi everybody, I have a dedicated server with CentOS 5.8. I use cPanel and host 275 sites on this server. Last night one site on the server was hacked. I want to understand the reason this site was hacked. How can I check the logs for this site and find out how it was hacked? Please help me.

Posted by JacobN, 01-11-2013, 01:43 AM
Hey ertebat7,

Sorry to hear a site got compromised. Some good steps to follow would first be reviewing the FTP logs for the account. If the name of the cPanel account was (userna5) you'd use this command:

If you see any FTP uploads in there for the user, it could just be they had their FTP password compromised, in which case you should update their cPanel password which updates the FTP one as well. It would also show you any files they uploaded, and then you can go inspect those paths to ensure the files are removed if they're still there.

Next you should review your Apache access log for that site, this can be tricky, but usually you'd look for 1 IP address that has more requests than any other with this command:

That should spit out how many hits each IP address has, let's say that 123.123.123.123 stood out with 5,000 requests. Then you'd want to see if they were hitting duplicate requests with this command:

If you notice that they have a bunch of duplicate requests to one certain PHP script such as (timthumb.php), then that could have been their entry point. A lot of times hackers will exploit PHP scripts to then in turn inject or hack your other files.

There are a few other things you can do as well, but it would be helpful to know what type of software the site is running to give you better help. Such as, is it running WordPress, Joomla, Drupal, or another CMS, or just custom written scripts?

- Jacob
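
The access-log steps described in JacobN's post (count hits per IP, then look for repeated requests from the busiest one) can be scripted as below. This is an added example, not the commands from the original post; the function names and the sample log lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: triage an Apache combined-format access log for one site.

# Print "count ip" for every client IP, busiest first.
hits_per_ip() {
    awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" |
        sort -k1,1nr -k2,2
}

# Print the single IP with the most requests.
top_ip() {
    hits_per_ip "$1" | awk 'NR == 1 { print $2 }'
}

# Print "count METHOD path" for one IP, most repeated first.
# The query string is stripped so repeated hits on one script group together.
repeated_requests() {
    awk -v ip="$2" '
        $1 == ip {
            method = $6; sub(/^"/, "", method)
            path = $7;   sub(/\?.*/, "", path)
            n[method " " path]++
        }
        END { for (r in n) print n[r], r }' "$1" |
        sort -k1,1nr -k2
}

# Constructed sample log (documentation IP ranges, made-up paths).
write_sample_log() {
    cat > "$1" <<'EOF'
198.51.100.7 - - [10/Jan/2013:22:01:10 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
203.0.113.9 - - [10/Jan/2013:22:01:11 -0500] "GET /wp-content/themes/x/timthumb.php?src=a.jpg HTTP/1.1" 200 312 "-" "-"
203.0.113.9 - - [10/Jan/2013:22:01:12 -0500] "GET /wp-content/themes/x/timthumb.php?src=b.jpg HTTP/1.1" 200 312 "-" "-"
192.0.2.44 - - [10/Jan/2013:22:01:13 -0500] "GET /about.html HTTP/1.1" 200 2048 "-" "-"
203.0.113.9 - - [10/Jan/2013:22:01:14 -0500] "GET /wp-content/themes/x/timthumb.php?src=c.jpg HTTP/1.1" 200 312 "-" "-"
198.51.100.7 - - [10/Jan/2013:22:01:15 -0500] "GET /contact.php HTTP/1.1" 200 1024 "-" "-"
203.0.113.9 - - [10/Jan/2013:22:01:16 -0500] "GET /wp-content/themes/x/timthumb.php?src=d.jpg HTTP/1.1" 200 312 "-" "-"
203.0.113.9 - - [10/Jan/2013:22:01:17 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
EOF
}

log=$(mktemp)
write_sample_log "$log"
suspect=$(top_ip "$log")
echo "Busiest IP: $suspect"
repeated_requests "$log" "$suspect"
rm -f "$log"
```

To use it on a real site, pass that site's own access log as the first argument; on cPanel servers the per-domain logs are usually under /usr/local/apache/domlogs/.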

Posted by BestServerSupport, 01-11-2013, 11:15 AM
Have you installed any kind of third-party scripts like WordPress, Joomla, etc.? It may also be possible that some plugins have a vulnerability and breached the security of your website.

Posted by Dr_Michael, 01-11-2013, 11:35 AM
Perform a full virus scan on the machines that had FTP access to this site. It may be a trojan - stolen FTP password.

Posted by dareORdie, 01-11-2013, 11:46 AM
You need to check the FTP logs as JacobN has suggested. If it's due to the FTP, change the password of your cPanel account and keep it a complicated one. Also check the IP connections currently on the server...

Posted by Infinitnet, 01-11-2013, 11:48 AM
Follow the instructions JacobN gave you (good to see new users make useful posts). Furthermore you should install maldet and set it to monitoring mode, install and configure mod_security using the ASL ruleset and follow these suggestions.

Posted by BestServerSupport, 01-11-2013, 11:53 AM
Do not download software from unreliable sources, since it may download viruses/trojans/keyloggers onto your local system.


