What are some potential sources of forensics related to an intrusion on WHM/CPanel on a Linux server?

I'm aware of

  • /var/log
  • /usr/local/apache/logs/
  • /usr/local/cpanel/logs/
  • /usr/local/apache/domlogs

Anything else I can look into? Also, what's a good way to parse/interpret this data?

alexander.polomodov
John

1 Answer

I'm aware of /var/log, /usr/local/apache/logs/, /usr/local/cpanel/logs/, /usr/local/apache/domlogs.

Any logs that are on a compromised server should be considered suspect and likely worthless for forensics.

Also, what's a good way to parse/interpret this data?

To a large extent it will depend upon which log (they all have different formats); use a Mk1 eyeball and experience, but note my comment about the value of logs on a compromised server.

oyvey
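As an added illustration of the "parse/interpret" part of the question (not code from the question or answer above), the following Python parses lines in the Apache "combined" format that cPanel writes per domain under /usr/local/apache/domlogs, keeps unparseable lines aside rather than silently dropping them, and summarises per-client activity. The log lines are constructed for this example; the field names and the flagging rule are my assumptions, not anything cPanel ships.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format (what cPanel domlogs use).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample domlog lines (not from a real server); the last line
# is deliberately malformed to show how non-matching lines are handled.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1024 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1024 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "POST /wp-content/uploads/2023/10/img.php HTTP/1.1" 200 64 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:13:57:12 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
this line is not in combined format
"""

def parse_domlog(text):
    """Return (parsed entries, unparseable lines). Bad lines are kept:
    on a compromised host they may themselves hint at log tampering."""
    entries, bad = [], []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            entries.append(d)
        elif line.strip():
            bad.append(line)
    return entries, bad

def summarize(entries):
    """Per-client request counts, plus the paths each client POSTed to."""
    per_ip = Counter(e["ip"] for e in entries)
    posts = defaultdict(list)
    for e in entries:
        if e["method"] == "POST":
            posts[e["ip"]].append(e["path"])
    return per_ip, dict(posts)

def flag_upload_dir_scripts(entries):
    """Server-side scripts served with 200 from an upload directory; a
    writable directory executing code is worth a manual look."""
    return [e["path"] for e in entries
            if e["status"] == 200 and "/uploads/" in e["path"]
            and e["path"].lower().endswith((".php", ".phtml", ".pl", ".cgi"))]
```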