Hey ertebat7,
Sorry to hear a site got compromised. Some good steps to follow would first be reviewing the FTP logs for the account. If the name of the cPanel account was (userna5) you'd use this command:
Code:
grep userna5 /var/log/messages
If you see any FTP uploads in there for the user, it could just be they had their FTP password compromised, in which case you should update their cPanel password which updates the FTP one as well.
It would also show you any files they uploaded, and then you can go inspect those paths to ensure the files are removed if they're still there.
Next you should review your Apache access log for that site. This can be tricky, but usually you'd look for one IP address that has more requests than any other with this command:
Code:
cat /home/userna5/access-logs/example.com | awk '{print $1}' | sort -n | uniq -c | sort -n | sed 's/[ ]*//'
That should spit out how many hits each IP address has, let's say that 123.123.123.123 stood out with 5,000 requests. Then you'd want to see if they were hitting duplicate requests with this command:
Code:
grep -F '123.123.123.123' /home/userna5/access-logs/example.com | cut -d\" -f2 | awk '{print $1 " " $2}' | sort | uniq -c | sort -n | sed 's/[ ]*//'
If you notice that they have a bunch of duplicate requests to one particular PHP script such as (timthumb.php), then that could have been their entry point. A lot of times hackers will exploit PHP scripts to then in turn inject or hack your other files.
There are a few other things you can do as well, but it would be helpful to know what type of software the site is running to give you better help. For example, is it running WordPress, Joomla, Drupal, or another CMS, or just custom written scripts?
- Jacob
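As an added example (not part of Jacob's post or of cPanel), the script below builds a small constructed Apache access log and wraps the two triage steps from the post, ranking client IPs by hit count and then counting repeated method+path pairs for the busiest IP, in shell functions so they can be rerun against a real log. The IP addresses, paths and the temporary log file are constructed sample values; on a real server the log is the one under /home/<user>/access-logs/<domain>. It goes one step beyond the post's second command by dropping the query string, so repeated hits on one script with different parameters are counted together.

```shell
#!/bin/sh
# Added example, not code from the original post. Reproduces the log-triage
# pipelines described above against a constructed sample access log.

LOG="${TMPDIR:-/tmp}/access_log_sample.$$"
trap 'rm -f "$LOG"' EXIT

# Constructed sample in Apache "combined" format: three ordinary visitors and
# one client (203.0.113.5) repeatedly hitting a single PHP script, the pattern
# the post says often marks the entry point. All values are made up.
cat > "$LOG" <<'EOF'
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-content/themes/x/timthumb.php?src=1 HTTP/1.1" 200 45 "-" "curl/7.68"
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-content/themes/x/timthumb.php?src=2 HTTP/1.1" 200 45 "-" "curl/7.68"
203.0.113.5 - - [10/Oct/2023:13:56:03 +0000] "GET /wp-content/themes/x/timthumb.php?src=3 HTTP/1.1" 200 45 "-" "curl/7.68"
203.0.113.5 - - [10/Oct/2023:13:56:04 +0000] "POST /wp-content/themes/x/timthumb.php HTTP/1.1" 200 45 "-" "curl/7.68"
192.0.2.44 - - [10/Oct/2023:13:57:10 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF

# Step 1 from the post: hits per client IP, busiest last.
# Output lines look like "4 203.0.113.5" (uniq -c padding stripped).
hits_per_ip() {
    awk '{print $1}' "$LOG" | sort | uniq -c | sort -n | sed 's/^[ ]*//'
}

# The single client with the most requests, for use in step 2.
top_ip() {
    hits_per_ip | tail -n 1 | awk '{print $2}'
}

# Step 2 from the post: for one IP, count repeated method+path pairs.
# Extension over the post's command: the query string is dropped so that
# timthumb.php?src=1 and timthumb.php?src=2 count as the same script.
requests_for_ip() {
    awk -v ip="$1" '$1 == ip' "$LOG" | cut -d'"' -f2 \
      | awk '{split($2, p, "?"); print $1 " " p[1]}' \
      | sort | uniq -c | sort -n | sed 's/^[ ]*//'
}

# The most-repeated request from the busiest client, as "count method path".
# A high count against one PHP file is the signal the post tells you to look for.
likely_entry_point() {
    requests_for_ip "$(top_ip)" | tail -n 1
}

# When run directly, print the summary an admin would read first.
hits_per_ip
echo "busiest client: $(top_ip)"
echo "most repeated request from it: $(likely_entry_point)"
```

To use it on a real server, point LOG at the site's access log instead of the heredoc; the functions themselves do not change. A count-based ranking only highlights noisy clients, so a low-volume attacker who uploaded one file via a compromised FTP login (the first case in the post) will not show up here and still needs the FTP log check.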