Possible Duplicate:
My server's been hacked EMERGENCY

So I noticed some files/folders on my webserver, and investigating leads to the fact that a brute force attack via SSH was done on my server (there is a file in a folder called unix which is titled UnixCoD Atack Scanner, so I know what it is for, plus another file with username/password combos).

What should I investigate to try and detect what has been compromised? I have looked through the only .bash_history file I could find and only my commands are present.

Before this I had never heard of UnixCoD. I had seen the .bash_history file but didn't know what it was, so you can gauge my level of expertise...

Also, would a service like Cloudflare (Cloudflare Security Features) be a solution to some of the issues?

Any help will be appreciated.

1 Answer

It's trivially easy to bypass the .bash_history file. Some logs worth looking at, depending on what's installed on your server:

  • /var/log/messages
  • /var/log/auth.log (if present)
  • /var/log/secure.log (if present)
  • Apache error logs (there may be clues on which scripts may have been called/exploited)

Are the files inside your webroot (i.e. the folder where your website is served from) or outside? This may also give you a clue to the attack vector.

gac
  • 459
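One way to triage an SSH authentication log such as the auth.log mentioned in the answer above. This is an added example, not part of the original answer. It counts failed logins per source address and flags any accepted login from an address that had already failed repeatedly; the sample lines are constructed, and the threshold of 3 is an assumption.

```python
import re
import sys
from collections import Counter

# Constructed sample lines in the OpenSSH syslog format (not from the original post).
SAMPLE_LOG = """\
Mar  3 02:11:01 web sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Mar  3 02:11:03 web sshd[813]: Failed password for invalid user test from 203.0.113.5 port 40120 ssh2
Mar  3 02:11:05 web sshd[815]: Failed password for root from 203.0.113.5 port 40131 ssh2
Mar  3 02:11:09 web sshd[819]: Accepted password for deploy from 203.0.113.5 port 40140 ssh2
Mar  3 08:30:44 web sshd[990]: Accepted publickey for alice from 198.51.100.7 port 51515 ssh2
Mar  3 09:02:10 web sshd[1002]: Failed password for alice from 198.51.100.7 port 51600 ssh2
"""

# Matches sshd "Failed <method> for [invalid user] <user> from <ip>" and the
# corresponding "Accepted ..." lines.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def analyze(log_text, threshold=3):
    """Return (failures per IP, accepted logins preceded by >= threshold failures)."""
    failures = Counter()
    suspicious = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        ip = m.group("ip")
        if m.group("result") == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            # A success after a run of failures from the same address is the
            # pattern a password-guessing run leaves when it finds a valid login.
            suspicious.append({"ip": ip, "user": m.group("user"),
                               "method": m.group("method"),
                               "failures_before": failures[ip]})
    return failures, suspicious

if __name__ == "__main__":
    # Pass a log path as the first argument; without one the sample is used.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    failures, suspicious = analyze(text)
    for ip, count in failures.most_common(10):
        print(f"{count:6d} failed logins from {ip}")
    for hit in suspicious:
        print("REVIEW:", hit)
```

Any account reported under REVIEW should be treated as compromised until shown otherwise. Rotated logs need to be checked as well, and an intruder with root access can have edited them, so an empty result does not prove a clean system.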