How did my developer get access to my server after I deleted his FTP user account?
I have been working with my developer for a while. He used to have access to the root folder a while ago. I then saw some strange activity on the server a month ago. Therefore I restricted his access to the specific folder he needs to work on, and changed the cPanel and WHM passwords so he couldn't access them.
Today I fired him; however, right before I fired him I deleted all his user accounts so he couldn't access the server. He then somehow accessed my server a few hours later and overwrote all my new files with some old files I previously had.
When I submitted a ticket regarding this, SoftLayer couldn't find a trace of him logging in to the specific directory. Then I spoke with SoftLayer again and they said that he might have opened a backdoor if he had access to my previous files.
How might this happen? Where can I find a service that patches up the open holes he got in through?
You shouldn't have allowed him access to your production server at all. What I do is get a VPS and let the developer work there. I manually transfer the changes to the production server. I think you should consider something like this in the future.
Looks like he didn't get what he wanted for his/her job and just removed it.
He probably wrote a backdoor into his project so that in case he got fired or scammed he could just delete his work.
I might be wrong.
Probably a backdoor. You should check the scripts. Also, if he had root, you should probably run rkhunter and chkrootkit too.
Also look for additional software running and listening, e.g. in inetd.conf. On Linux you can find out which software is listening by using the 'netstat -ln' command; on FreeBSD it's easier to use sockstat -l; on Windows, as far as I remember, it's netstat -nb.
Last edited by Azar-A; 06-06-2011 at 09:33 PM.
ServerAstra.com website / e-mail: info @ serverastra.com
HU/EU Co-Location / Managed and Unmanaged VDS & Dedicated servers in Hungary with unmetered connections