I'm very new to using SSH and my server has been hacked: someone has gone onto a website of mine and made modifications. I have the time at which they did it (29/07/2013 18:14:30), but cannot see how they got into the website.

I have tried tail /var/log/messages and tail /var/log/secure but cannot see any activity at this time.

I just want to know if they came via control panel/ssh/ftp so that I can change the passwords and perhaps ports to stop them.

Any help is greatly appreciated.

Thank you

Paul

1 Answer

I'm pretty sure they did not end up hacking or modifying your site via ssh, unless you have predictable user names and passwords or otherwise some compromised accounts.

Instead, I would take a deep look at your web server (Apache, nginx, lighttpd) log files and try to find suspicious activity around the time of the hack. Probably the attacker used a known weakness in some CMS and, for example, uploaded a file via some form and somehow executed it to give the user more power. Or they just got in with some finely handcrafted strange URLs, exposing your CMS to SQL injection or similar.

So take a look at /var/log/apache2/access.log or so.
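
One way to do the log review suggested in the answer above, as an added example that is not part of the original post: it filters combined-format access-log lines to a window around the modification time and flags successful POSTs, SQL-like query strings and scripts served from upload-style directories. The sample lines, IP addresses, paths, the +0100 offset and the matching heuristics are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Apache/nginx "combined" format: ip ident user [time] "request" status size ...
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+')
# Rough markers of SQL injection attempts in a decoded URL (heuristic, not exhaustive).
SQLI = re.compile(r"union\s+select|information_schema|sleep\s*\(|'\s*or\s+'?\d", re.I)
# Script files served from directories that normally hold only uploaded media.
UPLOADED_SCRIPT = re.compile(r"/(uploads?|images|tmp|files)/[^?]*\.(php\d?|phtml|cgi|pl)\b", re.I)

def triage(lines, incident, minutes=30):
    """Return (timestamp, ip, request, reasons) for flagged requests near `incident`."""
    window = timedelta(minutes=minutes)
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if abs(ts - incident) > window:
            continue  # outside the time window of interest
        url = unquote_plus(m["url"])  # decode %xx and '+' before matching
        reasons = []
        if m["method"] == "POST" and m["status"].startswith("2"):
            reasons.append("successful POST")
        if SQLI.search(url):
            reasons.append("SQL-like query string")
        if UPLOADED_SCRIPT.search(url):
            reasons.append("script in upload directory")
        if reasons:
            hits.append((ts, m["ip"], f'{m["method"]} {url}', reasons))
    return hits

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE = [
    '198.51.100.7 - - [29/Jul/2013:18:02:11 +0100] "GET /index.php?id=1+UNION+SELECT+1,2,3 HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [29/Jul/2013:18:13:58 +0100] "POST /contact/upload.php HTTP/1.1" 200 312 "-" "-"',
    '198.51.100.7 - - [29/Jul/2013:18:14:30 +0100] "GET /uploads/img.php HTTP/1.1" 200 48 "-" "-"',
    '203.0.113.9 - - [29/Jul/2013:18:14:40 +0100] "GET /about.html HTTP/1.1" 200 2048 "-" "-"',
    '198.51.100.7 - - [29/Jul/2013:09:00:00 +0100] "POST /login.php HTTP/1.1" 200 100 "-" "-"',
]
# Modification time from the question; the server's UTC offset is an assumption.
INCIDENT = datetime.strptime("29/07/2013 18:14:30 +0100", "%d/%m/%Y %H:%M:%S %z")

if __name__ == "__main__":
    for ts, ip, req, reasons in triage(SAMPLE, INCIDENT):
        print(ts.isoformat(), ip, req, "<-", ", ".join(reasons))
```

A flagged line is only a lead: the source IP and requested path are what to follow up in the rest of the log and on disk.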