You should be able to look in the MySQL transaction log and line up any corresponding entries to timestamps, and also in the web/system log files, as a very general response. Without more detail, it is still hard to say whether your problem is local or if someone is breaking the door down, but there will be a correlation between the events.

rachel

--
rachel polanskis
IT Consulting, UNIX & Macintosh
Greater Western Sydney
<gr...@exemail.com.au>

> On 2 Jun 2015, at 15:20, David Lyon <david.lyon.preissh...@gmail.com> wrote:
>
> > If you think a malicious actor is deleting files, check also your
> > database links for insertion attacks or other indications of
> > attempted tampering.
>
> We are seeing MySQL table corruption as well in a 'Session' table.
>
>
>> On Tue, Jun 2, 2015 at 3:01 PM, gr0ve <gr...@exemail.com.au> wrote:
>> Hi David,
>> Are you sure the .php files are being removed by a malicious actor? Are
>> there log entries or other traces that indicate an exposure to an exploit?
>> To remove files from a system would leave traces of
>> activity, even remotely and subsequent tampering to cover it up is usually
>> clumsily executed and easily identified.
>> It would depend also on your specific php version but you could install
>> suhosin to log any out of band activity. If you think a malicious actor is
>> deleting files, check also your database links for insertion attacks or
>> other indications of attempted tampering. I suspect an in house error such
>> as a bad day for someone, or a rogue cron job, perhaps, or if you are
>> exposed to the ext4 corruption bug on Linux, look there.
>> Without more information, I always assume a more local problem first, as
>> opposed to intrusion etc.
>>
>> --
>> rachel polanskis
>> IT Consulting, UNIX & Macintosh
>> Greater Western Sydney
>> <gr...@exemail.com.au>
>>
>> > On 2 Jun 2015, at 13:57, David Lyon <david.lyon.preissh...@gmail.com> wrote:
>> >
>> > Hello all,
>> >
>> > One place I do work for is having trouble with Hacker activity.
>> >
>> > Let's face it, there are hackers out there trying to take down systems.
>> >
>> > The specific issue I'm seeing is .php files vanishing from the web server.
>> >
>> > This is annoying and I'm wondering if any others are seeing anything like
>> > this.
>> >
>> > I'm also wondering what specific steps can be taken to minimise hacking
>> > problems.
>> >
>> > We don't have a big budget, a counter-hacking team or anything like that.
>> >
>> > To me it looks like the ISP may have been hacked in a similar way as
>> > GoDaddy was hacked in the US.
>> >
>> > Regards
>> >
>> > David
>> > --
>> > SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
>> > Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html