How to track phishing files being uploaded via script?
Posted by ttgt, 02-11-2012, 04:52 AM |
Hi,
Some site's .php or script may have a bug, and a cracker uses it to upload phishing files to his site.
For a CentOS/cPanel server,
is there any way to check which script was used to load it?
Thanks
|
Posted by fshagan, 02-11-2012, 02:17 PM |
Check the affected file time stamps, then search the logs for access during those times. Not foolproof, because hackers can mask their tracks, but they often don't.
|
Posted by ttgt, 02-11-2012, 02:22 PM |
Which file do you recommend? I checked /var/log/messages for the same time and did not find a related log. Thanks
|
Posted by fshagan, 02-12-2012, 10:53 AM |
On my cPanel server, the access_log is at /etc/httpd/logs/
|
Posted by ttgt, 02-12-2012, 11:12 AM |
Hi, it seems it will remove the old log? Will all of the web connections on the server be logged in it? Thanks
|
Posted by fshagan, 02-13-2012, 11:01 AM |
Sorry, I gave you bad information.
If you know the domain that was being exploited, try using the Raw Access Log in cPanel to find when someone logged in, and their IP address. You can also look for the FTP logs in /usr/local/apache/domlogs/ by the domain name ... ftp.yourdomainname.com-ftp_log. Lines in that log look like this:
I can't remember now where to find the Apache log with all the logins in it on a cPanel server.
|
Posted by kevinnivek, 02-13-2012, 11:47 AM |
Check
- Access logs
- temp folder (ideally this should be a centralized location, i.e. /tmp)
- Error logs
- Date/Timestamps/Ownerships
|
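The timestamp-then-log approach suggested in this thread can be scripted. The following is an added example, not part of any post above: it takes the modification time of a suspicious file and lists the upload-style requests (POST/PUT) in an Apache access log that fall within a short window around it. The log lines, IP addresses and script paths are constructed sample data, and `requests_near` is a hypothetical helper name.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache common/combined prefix: host ident user [time] "METHOD path proto" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def requests_near(log_lines, file_mtime, window_seconds=120,
                  methods=("POST", "PUT")):
    """Return sorted (time, ip, method, path, status) tuples for requests made
    within window_seconds of file_mtime (a timezone-aware datetime)."""
    window = timedelta(seconds=window_seconds)
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m or m.group("method") not in methods:
            continue  # skip unparseable lines and read-only requests
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        if abs(ts - file_mtime) <= window:
            hits.append((ts, m.group("ip"), m.group("method"),
                         m.group("path"), int(m.group("status"))))
    return sorted(hits)

# Constructed sample data (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Feb/2012:03:10:02 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.9 - - [11/Feb/2012:03:14:58 +0000] "POST /gallery/upload.php HTTP/1.1" 200 312',
    '203.0.113.9 - - [11/Feb/2012:03:15:05 +0000] "GET /images/login.html HTTP/1.1" 200 8841',
    '198.51.100.7 - - [11/Feb/2012:09:30:00 +0000] "POST /contact.php HTTP/1.1" 200 210',
]
# In real use: datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
SAMPLE_MTIME = datetime(2012, 2, 11, 3, 15, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for ts, ip, method, path, status in requests_near(SAMPLE_LOG, SAMPLE_MTIME):
        print(ts.isoformat(), ip, method, path, status)
```

Because a file's modification time can be reset by whoever wrote it, running the same search against the change time (`st_ctime`) as well gives a second reference point.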