
[Solved] Site Compromised Request Logs


suriya


Hey. Just about 20 mins ago my site (suriya.me), hosted on server stevie, got defaced (I know because I was checking one of my comments and then suddenly got a 404 when I browsed, and the index showed this). I don't think it's a targeted attack and have good reason to think that it might be the server that was compromised and a script was run to deface sites (DB was untouched). As you might already know, I am a security researcher and have helped you fix vulns in the past. I would like to have a look at the logs and get to the bottom of this. Please provide me with the logs if possible and maybe give a backup or restore of my site if you can.

I think I even know the attack method used (might have something to do with stevie cPanel expiring). Admins can PM for it.

 

 


What logs are you interested in seeing?

 

The system does not create or store any old versions of files or backups of anything automatically. Users are able to create their own backups through cPanel and we highly recommend that everyone does so quite frequently.

Apache file access logs and visitor logs. I still think the server was compromised.


Domain: suriya.me, Time frame (08 October 2013 - 1 AM to 10 AM), Username: suriya, Server: stevie
And is that time in server time (which is currently PDT) or UTC or what timezone?

 

I guess the same time zone this forum is running in (forum time). I am basing this on the first message I sent to the mods.


I am unable to find any logs referencing any visits to your site during the time frame determined above.

 

Like I said. Somebody compromised the server using another site and ran a script against my site or possibly other sites.
