a user website was hacked through ftp upload as so:

Mon Oct 07 11:14:30 2013 0 ::ffff:37.139.47.33 372 /home/adom.com.au/public_html/rleeDW.html a _ i r adom.com.au ftp 0 * c
Mon Oct 07 11:14:32 2013 0 ::ffff:37.139.47.33 399 /home/adom.com.au/public_html/aleeDW.html a _ i r adom.com.au ftp 0 * c
Fri Oct 04 04:09:53 2013 0 ::ffff:95.163.104.67 33 /home/adom.com.au/public_html/dt.php a _ i r adom.com.au ftp 0 * c
Fri Oct 04 04:47:25 2013 0 ::ffff:37.139.47.33 7323 /home/adom.com.au/public_html/xmlrpcVZY.php a _ i r adom.com.au ftp 0 * c
Fri Sep 20 04:34:21 2013 0 ::ffff:95.163.104.67 33 /home/adom.com.au
(redirect in html, mail script in xmlrpcVZY.php, dt.php gone)

ftp is proftpd linked to system user name/password, password was a random string

based on above ftp xfer log, what other logs, and, what to look for?

(suspect password might have leaked from outsourced web developer..??)

Voytek
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
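
As an added example (not part of the original post): a small Python parser for the xferlog entries quoted above that groups incoming uploads of web content by client address and sets the truncated entry aside for manual review. The function names and the WEB_EXTS list are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime

# First four lines are copied from the post; the fifth is its truncated entry.
SAMPLE = """\
Mon Oct 07 11:14:30 2013 0 ::ffff:37.139.47.33 372 /home/adom.com.au/public_html/rleeDW.html a _ i r adom.com.au ftp 0 * c
Mon Oct 07 11:14:32 2013 0 ::ffff:37.139.47.33 399 /home/adom.com.au/public_html/aleeDW.html a _ i r adom.com.au ftp 0 * c
Fri Oct 04 04:09:53 2013 0 ::ffff:95.163.104.67 33 /home/adom.com.au/public_html/dt.php a _ i r adom.com.au ftp 0 * c
Fri Oct 04 04:47:25 2013 0 ::ffff:37.139.47.33 7323 /home/adom.com.au/public_html/xmlrpcVZY.php a _ i r adom.com.au ftp 0 * c
Fri Sep 20 04:34:21 2013 0 ::ffff:95.163.104.67 33 /home/adom.com.au
"""
WEB_EXTS = (".php", ".html", ".htm", ".js")  # assumption: what counts as web content

def parse_xferlog_line(line):
    """Parse one xferlog entry; return None if it is truncated or malformed."""
    tok = line.split()
    if len(tok) < 18:  # 8 leading fields + filename + 9 trailing fields
        return None
    try:
        when = datetime.strptime(" ".join(tok[:5]), "%a %b %d %H:%M:%S %Y")
        size = int(tok[7])
    except ValueError:
        return None
    host = tok[6][7:] if tok[6].startswith("::ffff:") else tok[6]  # IPv4-mapped
    tail = tok[-9:]  # type, flag, direction, access, user, service, auth, id, status
    return {"time": when, "host": host, "size": size,
            "path": " ".join(tok[8:-9]),  # filename sits between the fixed fields
            "direction": tail[2], "user": tail[4], "status": tail[8]}

def web_uploads_by_host(text):
    """Group incoming (direction 'i') web-content uploads by client address."""
    by_host, unparsed = defaultdict(list), []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_xferlog_line(line)
        if rec is None:
            unparsed.append(line)
        elif rec["direction"] == "i" and rec["path"].lower().endswith(WEB_EXTS):
            by_host[rec["host"]].append(rec)
    for recs in by_host.values():
        recs.sort(key=lambda r: r["time"])
    return dict(by_host), unparsed

if __name__ == "__main__":
    hosts, bad = web_uploads_by_host(SAMPLE)
    for host, recs in sorted(hosts.items()):
        print(host, "first seen", recs[0]["time"], "uploads:", len(recs))
        for r in recs:
            print("   ", r["time"], r["user"], r["size"], r["path"])
    print("unparsed lines kept for manual review:", len(bad))
```

The per-address timestamps and the account name it prints are the values to search for in the FTP server's authentication log and the web server's access log.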
