
Ideas of tracking invalid access to server?

webserverguy

10:36 am on Jun 22, 2016 (gmt 0)

I just want to explore ideas of different experts.

If you notice someone has accessed the server and changed files or left unnecessary files, how would you trace that person and find where he came from?

lucy24

5:50 pm on Jun 22, 2016 (gmt 0)

You forgot one crucial detail: Is this your own server, or shared hosting?

Can we assume your very first action was to change all applicable passwords?

keyplyr

4:17 am on Jun 23, 2016 (gmt 0)

"Invalid"? Do you mean unauthorized?

Many entry points to a server, depending on how it is set up.

One way to find where he came from is to look in the server access log to get the IP address, then use one of the thousands of online IP look-up tools.

If that does not uncover the info you need, I would then contact the server admin at your host. The intruder may have entered your account laterally, through another account on your server. That would suggest an exploit in your host's security.

It may also be the intrusion happened at a vulnerable directory or file. Check CHMOD settings at all upstream levels where you found those files added.
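The two checks keyplyr describes (pull the client address out of the access log, then look at permissions on every directory above the unexpected file) can be scripted. The following is an added example, not code from anyone in this thread. It assumes the server writes the Apache/nginx "combined" log format; the log lines, the file path `/images/unexpected.php`, its modification time and the IP addresses (documentation ranges) are all constructed for the demonstration.

```python
import os
import re
import stat
from datetime import datetime, timedelta, timezone

# Regex for the Apache/nginx "combined" access-log format (assumption: the
# server writes this format; adjust the pattern for anything else).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Methods that can create or alter content on a badly configured server.
WRITE_METHODS = {"PUT", "DELETE", "PATCH", "POST", "MOVE", "COPY", "MKCOL"}

# Constructed sample log (documentation IP ranges, invented paths); not a real capture.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jun/2016:03:12:44 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jun/2016:03:13:02 +0000] "PUT /images/unexpected.php HTTP/1.1" 201 0 "-" "curl/7.47.0"
198.51.100.9 - - [22/Jun/2016:03:14:10 +0000] "GET /images/unexpected.php HTTP/1.1" 200 87 "-" "curl/7.47.0"
192.0.2.50 - - [22/Jun/2016:09:00:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Hypothetical values: the unexpected file you found and its mtime as `stat` reports it.
SUSPECT_PATH = "/images/unexpected.php"
SUSPECT_MTIME = datetime(2016, 6, 22, 3, 13, 0, tzinfo=timezone.utc)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def trace_activity(lines, suspect_path, modified_at, window_minutes=30):
    """Return log records close to the file's mtime that either used a write-type
    method or touched the suspect path: the requests worth examining first."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if abs(rec["ts"] - modified_at) > window:
            continue
        if rec["method"] in WRITE_METHODS or rec["path"].startswith(suspect_path):
            hits.append(rec)
    return hits


def suspect_ips(hits):
    """Distinct client addresses from the hits, ready for whois / IP look-up."""
    return {rec["ip"] for rec in hits}


def world_writable(modes):
    """Given {directory: st_mode}, return the directories any local user can write to.
    A world-writable directory anywhere above the file is the CHMOD problem described
    above: any process or account on the box could have dropped the file there."""
    return [d for d, mode in modes.items() if mode & stat.S_IWOTH]


def ancestor_modes(path):
    """Collect the real st_mode of every directory from the file's parent up to /."""
    modes = {}
    d = os.path.dirname(os.path.abspath(path))
    while True:
        modes[d] = os.stat(d).st_mode
        parent = os.path.dirname(d)
        if parent == d:
            break
        d = parent
    return modes


if __name__ == "__main__":
    hits = trace_activity(SAMPLE_LOG.splitlines(), SUSPECT_PATH, SUSPECT_MTIME)
    for rec in hits:
        print(rec["ts"].isoformat(), rec["ip"], rec["method"], rec["path"], rec["status"])
    print("addresses to look up:", sorted(suspect_ips(hits)))
    # Walk this script's own location as a demonstration; on the real server
    # point it at the unexpected file instead.
    print("world-writable ancestors:", world_writable(ancestor_modes(__file__)))
```

On the sample log only the PUT and the follow-up GET fall inside the window, so two addresses come out for look-up. Note that this only works if the file arrived over HTTP; the access log says nothing about FTP or SFTP sessions, which is why the mtime and the permission walk matter even when the log is empty around that time.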

lucy24

5:54 pm on Jun 23, 2016 (gmt 0)

"look in the server access log to get the IP address"

I assumed he was asking about ftp-or-equivalent (that is, non-http) access. That wouldn't show up in logs. If it was http access via PUT, and the access was not blocked, then there's an appalling hole in the server setup.

keyplyr

8:35 pm on Jun 23, 2016 (gmt 0)

Well, if the exploit is determined to be through FTP, then it may be an inside job, especially if FTPS or SFTP is being used (which I recommend, since non-secure FTP is last decade's technology), so passwords should be changed, as well as making sure there are no other users allowed. And again, file permissions (CHMOD) should be checked.