-2

Recently my internal company site got defaced. It is a self-hosted site on a VPS. I suspect it has something to do with the outdated programs we use (e.g. php-5.5.9 and apache 2.4), and also it ran off Ubuntu 14.04.

Weirdly, it doesn't occur on the main page; rather, the deface page shows up when I try to submit a form. I have checked fail2ban and ufw and it doesn't seem there was any strange activity.

What is the best way to proceed with the problem? Is there any website vulnerability scanner I can use?

1 Answer

1

I would start by looking at the log files for suspicious behaviour to point me in the right direction, and also look at ownership but, more importantly, datestamps on modified files as a guide.

The problem is unlikely to be PHP or Apache, but most likely code injection or some compromise related to the code that is running on the server. If you are using Ubuntu 14.04, and unsupported versions of Apache and PHP, it seems very likely you are running unpatched vulnerable PHP code as well. It would not surprise me if the vulnerable code related to the code processing the form.

Fail2Ban does not log hacks, it looks for bad behaviour and blocks on that - generally brute-force behaviour on known paths.

Mark Henderson
davidgo
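One way to carry out the triage suggested in the answer above, as an added example that is not part of the original answer: list files under the webroot changed since a given time, flag unexpected owners, and pull the POST/PUT requests logged around each change. The webroot path, the sample log lines and the function names are assumptions.

```python
import os, re
from datetime import datetime, timedelta, timezone

# Apache combined-log prefix: client, timestamp, method, path, status.
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample access-log lines (illustrative, not from the original post).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2019:03:14:05 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Mar/2019:03:14:58 +0000] "POST /contact.php HTTP/1.1" 200 312',
    '198.51.100.7 - - [12/Mar/2019:09:30:00 +0000] "POST /contact.php HTTP/1.1" 200 298',
]

def modified_since(root, since, expected_uid=None):
    """Return (path, mtime, owner_mismatch) for files under root changed after `since`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the webroot
            mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
            if mtime >= since:
                mismatch = expected_uid is not None and st.st_uid != expected_uid
                hits.append((path, mtime, mismatch))
    return sorted(hits, key=lambda h: h[1])

def writes_near(log_lines, when, window=timedelta(minutes=5)):
    """Return parsed POST/PUT requests logged within `window` of `when`."""
    out = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        client, stamp, method, path, status = m.groups()
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if method in ("POST", "PUT") and abs(ts - when) <= window:
            out.append((ts, client, method, path, int(status)))
    return out

if __name__ == "__main__":
    since = datetime.now(timezone.utc) - timedelta(days=7)
    for path, mtime, mismatch in modified_since("/var/www", since):  # assumed webroot
        print(mtime.isoformat(), path, "OWNER-MISMATCH" if mismatch else "")
        for hit in writes_near(SAMPLE_LOG, mtime):  # replace with the real access log
            print("   ", *hit)
```

A file's mtime can be reset by whoever wrote the file, so treat it as a lead and cross-check against the inode change time (`st_ctime`) and the logs.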