
I'm very new to using SSH and my server has been hacked; someone has gone onto a website of mine and made modifications. I have the time at which they did it (29/07/2013 18:14:30), but cannot see how they got into the website.

I have tried tail /var/log/messages and tail /var/log/secure but cannot see any activity at this time.

I just want to know if they came via control panel/ssh/ftp so that I can change the passwords and perhaps ports to stop them.

Any help is greatly appreciated.

Thank you

Paul
  • Thank you, I will quickly read this and delete my message. – Paul Jul 30 '13 at 09:26
  • Thank you for the link, but this appears to be a plan of action on how to generally deal with the situation. I do not know how to track how the user got into the site so cannot follow the instructions in the link. – Paul Jul 30 '13 at 09:30
    That article is the distilled wisdom of SF on how to deal with a compromise. I understand that you just want to "*find out how they got in and change a password or port to stop them*", but hopefully that article makes it clear why **that's not an option any more**. The server's been compromised; you have to regard it as unreliable, and re-secure from scratch. Yes, you will need to know how they got in, but you have **many** more things to do as well. – MadHatter Jul 30 '13 at 11:02
  • I completely agree and thank you for the information. Unfortunately the server has to stay online, so would just like to fill holes where I can... for an immediate measure. – Paul Jul 30 '13 at 14:25

1 Answer


I'm pretty sure they did not end up hacking or modifying your site via ssh, unless you have predictable user names and passwords or otherwise some compromised accounts.

Instead I would take a deep look at your web server (Apache, nginx, lighttpd) log files and would try to find suspicious activity around the hacking time. Probably the attacker used a known weakness in some CMS and for example uploaded a file via some form, and somehow executed it to give the user more power. Or they just got in with some finely handcrafted strange URLs exposing your CMS to SQL injections or similar.

So take a look at /var/log/apache2/access.log or so.

Janne Pikkarainen
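As an added example (not part of the question or of Janne's answer), the following script does the two checks discussed above in one pass: it reads lines in the style of /var/log/secure (sshd) and of an Apache access log, keeps only entries within a window around the modification time from the question, and flags the patterns the answer describes (POST uploads, SQL-injection-looking URLs, a script requested from an upload directory, password logins as root). The log lines are constructed for the example; the assumptions are that the incident time and the log timestamps are in the same timezone and that the syslog lines (which carry no year) belong to the incident's year. Control panel and FTP logs would be read the same way but are not covered here.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Assumption: the time from the question is in the same timezone the server logs in.
INCIDENT = datetime(2013, 7, 29, 18, 14, 30)
WINDOW = timedelta(minutes=15)

# Constructed sample log lines (not from the poster's server).
APACHE_LOG = """\
203.0.113.5 - - [29/Jul/2013:18:01:10 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Jul/2013:18:12:44 +0000] "GET /index.php?id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 7210 "-" "curl/7.30"
203.0.113.5 - - [29/Jul/2013:18:13:55 +0000] "POST /wp-content/plugins/upload/upload.php HTTP/1.1" 200 312 "-" "curl/7.30"
203.0.113.5 - - [29/Jul/2013:18:14:20 +0000] "GET /wp-content/uploads/shell.php?cmd=id HTTP/1.1" 200 98 "-" "curl/7.30"
198.51.100.7 - - [29/Jul/2013:19:40:02 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""
SECURE_LOG = """\
Jul 29 17:58:03 web1 sshd[2210]: Accepted publickey for deploy from 192.0.2.10 port 51022 ssh2
Jul 29 18:13:12 web1 sshd[2290]: Failed password for root from 203.0.113.5 port 40122 ssh2
Jul 29 18:20:41 web1 sshd[2301]: Accepted password for root from 203.0.113.5 port 40130 ssh2
"""

# Apache "combined" format: ip ident user [time] "METHOD url proto" status size ...
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+')
# Classic syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
SECURE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$')


def web_reasons(method, url):
    """Heuristic indicators in one request line; empty list means nothing notable."""
    reasons = []
    decoded = unquote(url)
    path, _, query = decoded.partition("?")
    low = decoded.lower()
    if method == "POST":
        reasons.append("POST request (possible form/file upload)")
    if "union select" in low or "' or " in low:
        reasons.append("SQL injection pattern in URL")
    if "../" in low:
        reasons.append("path traversal pattern in URL")
    if "/uploads/" in path and path.lower().endswith(".php"):
        reasons.append("script executed from an upload directory")
    if re.search(r"(^|&)cmd=", query):
        reasons.append("command parameter in query string")
    return reasons


def ssh_reasons(msg):
    """Indicators in one sshd message: failed logins, password logins, root logins."""
    reasons = []
    m = re.match(r"(Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+)", msg)
    if not m:
        return reasons
    result, method, user, ip = m.groups()
    if result == "Failed":
        reasons.append(f"failed {method} login as {user} from {ip}")
    elif method == "password":
        reasons.append(f"successful password (not key) login as {user} from {ip}")
    if result == "Accepted" and user == "root":
        reasons.append("interactive root login")
    return reasons


def events_near(incident, window, apache_text, secure_text):
    """All parsed web and sshd events within +/- window of the incident, oldest first."""
    events = []
    for line in apache_text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")  # drop the tz offset
        if abs(ts - incident) <= window:
            events.append({"source": "web", "time": ts, "ip": m["ip"], "line": line,
                           "reasons": web_reasons(m["method"], m["url"])})
    for line in secure_text.splitlines():
        m = SECURE_RE.match(line)
        if not m or m["prog"] != "sshd":
            continue
        # Assumption: syslog lines without a year belong to the incident's year.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=incident.year)
        if abs(ts - incident) <= window:
            events.append({"source": "ssh", "time": ts, "ip": None, "line": line,
                           "reasons": ssh_reasons(m["msg"])})
    events.sort(key=lambda e: e["time"])
    return events


def suspicious(events):
    """Only the events that triggered at least one indicator."""
    return [e for e in events if e["reasons"]]


if __name__ == "__main__":
    for e in suspicious(events_near(INCIDENT, WINDOW, APACHE_LOG, SECURE_LOG)):
        print(e["time"], e["source"], "; ".join(e["reasons"]))
        print("   ", e["line"])
```

On a real box the two text blocks would be read from /var/log/apache2/access.log (or the distribution's equivalent) and /var/log/secure, and the window widened until the first request from the same client address appears; the flagged lines only say where to look, and a source address that shows up in both logs within the window is the kind of correlation the question is after.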