I would start by checking the log files under /var/log and associated web & db 
log files, especially any php logs.  Copy them offline to another system and 
look through the date stamps to see if anything matches the problems you are 
experiencing. You may notice a pattern of activity that points to malicious 
activity.  If it is file system corruption, it may be something you would have 
to check with the service provider, in case they have moved the underlying
infrastructure to the ext4 filesystem version that has recently been found to
have a corruption issue.  There are steps
to forensically derive if your system has been tampered with, but if you see 
widespread ongoing file deletion, it is more likely something local to the 
system itself. 

--
rachel polanskis
IT Consulting, UNIX & Macintosh
Greater Western Sydney
<[email protected]>
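The timestamp check suggested above (copy the logs offline, then look for requests that cluster around the time the files went missing) worked through as an added example. This is not code from the thread or from any cPanel tooling: the access-log lines, the document root and the client addresses are constructed for illustration, and the "noticed missing" time is an assumed admin observation. It parses Apache combined-format lines, uses the first 404 for a path to tighten the deletion window, and counts write-style requests to .php files from each client in that window.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache/cPanel combined log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
DOCROOT = "/home/site/public_html"  # hypothetical cPanel document root

# Constructed sample lines (documentation IP ranges), not from the thread.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [02/Jun/2015:13:40:01 +1000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Jun/2015:13:41:55 +1000] "POST /wp-content/uploads/x.php HTTP/1.1" 200 311 "-" "python-requests/2.7"
198.51.100.9 - - [02/Jun/2015:13:42:02 +1000] "POST /wp-content/uploads/x.php HTTP/1.1" 200 88 "-" "python-requests/2.7"
203.0.113.7 - - [02/Jun/2015:13:50:10 +1000] "GET /about.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.44 - - [02/Jun/2015:14:10:33 +1000] "GET /contact.php HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
"""

# Constructed: file path -> time the admin first noticed it was gone.
DELETIONS = {
    "/home/site/public_html/about.php": "02/Jun/2015:13:55:00 +1000",
}


def parse_ts(s):
    return datetime.strptime(s, TS_FMT)


def parse_access_log(text):
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = parse_ts(e["ts"])
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def web_path(file_path):
    """Map a file under DOCROOT to the URL path the web log records."""
    return file_path[len(DOCROOT):] if file_path.startswith(DOCROOT) else file_path


def first_404(entries, path):
    """Earliest 404 for the path: the file was already gone by then."""
    hits = [e["ts"] for e in entries if e["path"] == path and e["status"] == 404]
    return min(hits) if hits else None


def requests_near(entries, when, window_s):
    lo, hi = when - timedelta(seconds=window_s), when + timedelta(seconds=window_s)
    return sorted((e for e in entries if lo <= e["ts"] <= hi), key=lambda e: e["ts"])


def correlate(entries, deletions, window_s=600):
    """For each missing file, return the log entries around its deletion time."""
    out = {}
    for file_path, noticed in deletions.items():
        when = parse_ts(noticed)
        # The log's own first 404 is a tighter upper bound than when someone noticed.
        gone = first_404(entries, web_path(file_path))
        if gone is not None and gone < when:
            when = gone
        out[file_path] = requests_near(entries, when, window_s)
    return out


def suspicious_sources(hits):
    """Count write-style requests (POST/PUT) to .php files per client IP."""
    c = Counter()
    for e in hits:
        if e["method"] in ("POST", "PUT") and e["path"].endswith(".php"):
            c[e["ip"]] += 1
    return c


if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_ACCESS_LOG)
    for file_path, hits in correlate(entries, DELETIONS).items():
        print(f"{file_path}: {len(hits)} requests in window")
        for e in hits:
            print(f"  {e['ts']:%H:%M:%S} {e['ip']} {e['method']} {e['path']} {e['status']}")
        print("  write-style .php requests by IP:", dict(suspicious_sources(hits)))
```

On a real host the input would be the offline copy of the domain's access log and the "noticed" times would come from a file listing or backup diff; a single client repeatedly POSTing to a .php file under an uploads directory shortly before the 404s start is the kind of pattern the message above is describing.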

> On 2 Jun 2015, at 15:06, David Lyon <[email protected]> wrote:
> 
> Files are definitely being deleted.
> 
> Which log would I look in?
> 
> It's a common Linux cpanel hosting plan.
> 
>> On Tue, Jun 2, 2015 at 3:01 PM, gr0ve <[email protected]> wrote:
>> 
>> Hi David,
>> Are you sure the .php files are being removed by a malicious actor?  Are
>> there log entries or other traces that indicate an exposure to an exploit?
>> To remove files from a system would leave traces of
>> activity, even remotely, and subsequent tampering to cover it up is usually
>> clumsily executed and easily identified.
>> It would depend also on your specific php version but you could install
>> suhosin to log any out of band activity.  If you think a malicious actor is
>> deleting files, check also your database links for insertion attacks or
>> other indications of attempted tampering.  I suspect an in house error such
>> as a bad day for someone, or a rogue cron job, perhaps, or if you are
>> exposed to the ext4 corruption bug on Linux, look there.
>> Without more information, I always assume a more local problem first, as
>> opposed to intrusion etc.
>> 
>> --
>> rachel polanskis
>> IT Consulting, UNIX & Macintosh
>> Greater Western Sydney
>> <[email protected]>
>> 
>>> On 2 Jun 2015, at 13:57, David Lyon <[email protected]> wrote:
>>> 
>>> Hello all,
>>> 
>>> One place I do work for is having trouble with Hacker activity.
>>> 
>>> Let's face it, there are hackers out there trying to take down systems.
>>> 
>>> The specific issue I'm seeing is .php files vanishing from the web server.
>>> 
>>> This is annoying and I'm wondering if any others are seeing anything like
>>> this.
>>> 
>>> I'm also wondering what specific steps can be taken to minimise hacking
>>> problems.
>>> 
>>> We don't have a big budget, a counter-hacking team or anything like that.
>>> 
>>> To me it looks like the ISP may have been hacked in a similar way as
>>> GoDaddy was hacked in the US.
>>> 
>>> Regards
>>> 
>>> David
>>> --
>>> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
>>> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html