How to analyse logs after the site was hacked
Posted by Vasiliy Toporov on Server Fault
Published on 2012-09-28T08:38:39Z
Indexed on 2012/09/28 9:39 UTC
One of our web projects was hacked. The malefactor changed some template files in the project and one core file of the web framework (it's one of the famous PHP frameworks). We found all corrupted files with git and reverted them. So now I need to find the weak point.
With high probability we can say that it's not FTP or SSH password theft. The support specialist of the hosting provider (after log analysis) said that it was a security hole in our code.
My questions:
1) What tools should I use to review Apache access and error logs? (Our server distro is Debian.)
2) Can you give tips for detecting suspicious lines in logs? Maybe tutorials or primers on useful regexps or techniques?
3) How do I separate "normal user behaviour" from suspicious behaviour in logs?
4) Is there any way to prevent attacks in Apache?
Thanks for your help.
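An added example, not part of the original question or any answer to it: a small Python script that parses Apache combined-format access log lines and flags the requests worth a manual look first (traversal and code-injection patterns in the request, PHP files served from upload or cache directories, and write requests from a client that has already collected several error responses). The log lines, the pattern list and the threshold are constructed assumptions; on the Debian host you would feed it a copy of `/var/log/apache2/access.log` instead of `SAMPLE_LOG`.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" LogFormat (not from the original post).
SAMPLE_LOG = """\
203.0.113.5 - - [27/Sep/2012:22:14:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Sep/2012:22:14:03 +0000] "GET /products?id=3 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Sep/2012:22:15:10 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 310 "-" "curl/7.26.0"
198.51.100.7 - - [27/Sep/2012:22:15:11 +0000] "GET /admin/ HTTP/1.1" 403 290 "-" "curl/7.26.0"
198.51.100.7 - - [27/Sep/2012:22:15:12 +0000] "POST /upload.php HTTP/1.1" 200 120 "-" "curl/7.26.0"
198.51.100.7 - - [27/Sep/2012:22:15:20 +0000] "GET /images/cache/x.php HTTP/1.1" 200 80 "-" "curl/7.26.0"
"""

# One combined-format line: ip ident user [time] "method path proto" status size "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

# Request patterns typical of probing for a file-inclusion or code-execution hole.
SUSPICIOUS = [
    ("path traversal", re.compile(r"\.\./|%2e%2e", re.I)),
    ("php code in request", re.compile(r"<\?php|base64_decode|eval\(|passthru|shell_exec", re.I)),
    ("sql keywords in query", re.compile(r"union\s+select|information_schema|sleep\(", re.I)),
    ("php file under upload/cache dir", re.compile(r"/(uploads?|cache|images|tmp)/[^?]*\.php", re.I)),
]

def parse(log_text):
    """Return one dict per line that matches the combined format; skip the rest."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in log_text.splitlines()) if m]

def flag_entries(entries, error_threshold=2):
    """Return (ip, reason, request) tuples for log entries that deserve manual review."""
    errors = Counter(e["ip"] for e in entries if e["status"][0] in "45")
    flagged = []
    for e in entries:
        req = f'{e["method"]} {e["path"]}'
        for reason, rx in SUSPICIOUS:
            if rx.search(e["path"]):
                flagged.append((e["ip"], reason, req))
        # A client that has already collected several 4xx/5xx responses and then
        # sends a write request is probing, not browsing: review everything it did.
        if e["method"] in ("POST", "PUT") and errors[e["ip"]] >= error_threshold:
            flagged.append((e["ip"], "write request from client with many error responses", req))
    return flagged

if __name__ == "__main__":
    for ip, reason, req in flag_entries(parse(SAMPLE_LOG)):
        print(f"{ip:15} {reason:50} {req}")
```

Once a suspicious client is identified, grep the full log for that IP and compare its request times against the modification times git reported for the altered template and framework files; the request that immediately precedes the change is usually the one that exploited the hole.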
© Server Fault or respective owner