suriya Posted October 9, 2013
Hey. Just about 20 mins ago my site (suriya.me), hosted in server stevie, got defaced (I know 'cause I was checking one of my comments and then suddenly got a 404 when I browsed and index showed this). I don't think it's a targeted attack and have good reason to think that it might be the server that was compromised and a script was run to deface sites (DB was untouched). As you might already know I am a security researcher and have helped you fix vuls in the past. I would like to have a look at the logs and get to the bottom of this. Please provide me with the logs if possible and maybe give a backup or restore of my site if you can. I think I even know the attack method used (might have something to do with stevie cpanel expiring). Admins can PM for it.

Ice IT Support Posted October 10, 2013
This support request is being escalated to our root admin.

Krydos Posted October 17, 2013
What logs are you interested in seeing? The system does not create or store any old versions of files or backups of anything automatically. Users are able to create their own backups through cPanel and we highly recommend that everyone does so quite frequently.

suriya (Author) Posted October 17, 2013
> What logs are you interested in seeing? The system does not create or store any old versions of files or backups of anything automatically. Users are able to create their own backups through cPanel and we highly recommend that everyone does so quite frequently.
Apache file access logs and visitor logs. I still think the server was compromised.

Krydos Posted October 17, 2013
> apache file access logs and visitor logs.
Domain, time frame, username, server, etc?

suriya (Author) Posted October 17, 2013
>> apache file access logs and visitor logs.
> Domain, time frame, username, server, etc?
Domain: suriya.me, Time frame (08 October 2013 - 1 AM to 10 AM), Username: suriya, Server: stevie

Krydos Posted October 17, 2013
> Domain: suriya.me, Time frame (08 October 2013 - 1 AM to 10 AM), Username: suriya, Server: stevie
And is that time in server time (which is currently PDT) or UTC or what timezone?

suriya (Author) Posted October 17, 2013
>> Domain: suriya.me, Time frame (08 October 2013 - 1 AM to 10 AM), Username: suriya, Server: stevie
> And is that time in server time (which is currently PDT) or UTC or what timezone?
I guess the same time zone this forum is running in (forum time). I am basing this on the first message I sent to the mods.

Krydos Posted October 17, 2013
The timestamp you see on forum posts is based on the timezone you selected when you set up your forum account. The first post in this thread was at 5:24 pm PDT.

suriya (Author) Posted October 17, 2013
So then it's 12:30 - 21:30, 7th October. (This forum post was much later, when one of the mods told me to open a thread also.)

Krydos Posted October 21, 2013
I am unable to find any logs referencing any visits to your site during the time frame determined above.

suriya (Author) Posted October 21, 2013
> I am unable to find any logs referencing any visits to your site during the time frame determined above.
Like I said, somebody compromised the server using another site and ran a script against my site or possibly other sites.