
I am a shared webhosting provider. I got a complaint:

* COMPLAINT *

| Source | Timestamp | Target host | ID | Reported activity |
|---|---|---|---|---|
| *.*(server shared ip) | 2011-09-17 20:02:12 | jakarta.dreamhost.com | 1807770 | oscommerce remote upload from 'categories.php' |
| *.*(server shared ip) | 2011-09-17 19:42:51 | claudus.dreamhost.com | 1798150 | e107 BBCode Arbitrary PHP Code Execution Vulnerability |
| *.*(server shared ip) | 2011-09-17 19:54:54 | djibouti.dreamhost.com | 1800723 | e107 BBCode Arbitrary PHP Code Execution Vulnerability |
| *.*(server shared ip) | 2011-09-17 19:50:18 | fernandes.dreamhost.com | 1802863 | oscommerce remote upload from 'categories.php' |
| *.*(server shared ip) | 2011-09-17 19:53:32 | andromeda.dreamhost.com | 1791213 | e107 BBCode Arbitrary PHP Code Execution Vulnerability |
| *.*(server shared ip) | 2011-09-17 19:54:17 | pictor.dreamhost.com | 1814763 | oscommerce remote upload from 'categories.php' |
| *.*(server shared ip) | 2011-09-17 19:54:54 | telescopium.dreamhost.com | 1819732 | e107 BBCode Arbitrary PHP Code Execution Vulnerability |

Because the IP address is shared, can anyone here help me find which user did this?

My server is CentOS with cPanel/WHM.

Is there any way to determine which script did this? Or is there any way to see the TCP connection history to determine which scripts had a connection to the target IP?

cosbeta
  • What kind of malicious activity? If it's something like DDoS or spam from Apache, then it may be as simple as looking at the bandwidth logs and looking for massive spikes – Silverfire Sep 19 '11 at 03:35
  • A PHP script bug caused this. Is there any way to determine which script did this? Or is there any way to see the TCP connection history to determine which scripts had a connection to the target? – cosbeta Sep 19 '11 at 03:48

2 Answers

1

If the PHP scripts run from your web server (as opposed to the command line, which is also possible), you should find the relevant information in your web server's log files.

Sven
1

Make an image backup of the server (if it is a VM, it is easy to do). Save and analyze your logs: apache, messages, auth, ftp. Check for logins just before the time in the logs. Search for files/scripts with an atime at the same date or after.

Mircea Vutcovici
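The log-analysis step from the answer above, carried out against cPanel's per-domain Apache logs, as an added example that is not part of the answer: it correlates a complaint timestamp with every domlog so the requests that fired the compromised script, and with it the owning account, stand out. The domain names, client IPs and log lines are constructed for the demonstration, and the complaint times are assumed to be UTC.

```shell
#!/bin/sh
# Added example: correlate an abuse complaint's timestamps with per-domain Apache
# access logs (on cPanel these live under /usr/local/apache/domlogs/<domain>).
# Assumption: complaint times are UTC; log timestamps carry their own offset.
LOGDIR=$(mktemp -d)
# Constructed sample domlogs for two hypothetical customer domains.
cat > "$LOGDIR/shop.example.net" <<'EOF'
198.51.100.7 - - [17/Sep/2011:12:00:00 +0000] "GET /index.php HTTP/1.1" 200 812
203.0.113.9 - - [17/Sep/2011:19:42:40 +0000] "POST /images/upload.php HTTP/1.1" 200 54
203.0.113.9 - - [17/Sep/2011:19:42:55 +0000] "POST /images/upload.php HTTP/1.1" 200 54
203.0.113.9 - - [17/Sep/2011:19:43:10 +0000] "POST /images/upload.php HTTP/1.1" 200 54
EOF
cat > "$LOGDIR/blog.example.org" <<'EOF'
198.51.100.8 - - [17/Sep/2011:08:00:00 +0000] "GET /about.html HTTP/1.1" 200 2310
198.51.100.8 - - [17/Sep/2011:21:42:50 +0200] "GET /index.php HTTP/1.1" 200 4096
198.51.100.8 - - [17/Sep/2011:19:30:00 +0000] "GET /feed.xml HTTP/1.1" 200 900
EOF
# suspects "YYYY-MM-DD HH:MM:SS" <window_seconds> <logfile>...
# Prints "<hits> <domain> <method> <path>" for requests within +/- window of the
# complaint time, busiest first. Pure awk date math, so no mktime() dependency.
suspects() {
  when=$1; win=$2; shift 2
  awk -v when="$when" -v win="$win" '
    function days(y, m, d,    era, yoe, doy) {   # days since 1970-01-01
      y += 0; m += 0; if (m <= 2) y -= 1
      era = int(y / 400); yoe = y - era * 400
      doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
      return era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
    }
    function epoch(y, m, d, H, M, S) { return days(y, m, d) * 86400 + H * 3600 + M * 60 + S }
    BEGIN { split(when, c, /[- :]/); target = epoch(c[1], c[2], c[3], c[4], c[5], c[6]) }
    {
      split(substr($4, 2), a, "[/:]")               # [17/Sep/2011:19:42:40 -> fields
      mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", a[2]) + 2) / 3
      t = epoch(a[3], mon, a[1], a[4], a[5], a[6])
      tz = $5; sub(/\]/, "", tz)                     # +0200] -> +0200
      off = (substr(tz, 2, 2) * 3600 + substr(tz, 4, 2) * 60) * (substr(tz, 1, 1) == "-" ? -1 : 1)
      t -= off                                       # local log time -> UTC
      if (t >= target - win && t <= target + win) {
        f = FILENAME; sub(/.*\//, "", f)             # keep the domain name only
        hits[f " " substr($6, 2) " " $7]++
      }
    }
    END { for (k in hits) print hits[k], k }
  ' "$@" | sort -rn
}
suspects "2011-09-17 19:42:51" 120 "$LOGDIR"/*
```

On a real server point it at /usr/local/apache/domlogs/* and widen the window if the complainant's clock is not trusted. File atime is unreliable on filesystems mounted noatime or relatime, so check ctime as well when hunting the dropped files.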