Security Breach

[Twreck]

We suspect a security breach in our phpBB forum and I am looking for a log that would show log in time and date by user. Is this info available through my Plesk panel? I have searched around and have not come up with what I am looking for. Any help will be greatly appreciated.
Thank You,
Twreck

 

[geeza@]

The apache access_log may be able to help you with this. On my system (FreeBSD) this can be found in /usr/local/psa/apache/logs

Its well worth getting logwatch (http://www2.logwatch.org:8080/) as this can help identify suspicious behavior from your logs and then email you with the results.

 

[Twreck]

Geeza,
Thanks for the response, unfortunately for me the files you suggested are not in my USR file. I have searched through all files and have not found any logs? I know they must be there someplace, guess I will continue to search. Logwatch looks like a good idea and I will take a look at it, thanks.
Twreck

 

[falcon7]

I run Plesk installs with full root access, and even then cannot find much logging info on these kind of breaches.
When they exploit phpBB, it goes through http, and the access will be in your regular web log. However, it will not show anything unusual (other than lots of accesses from Brazil ;-); the logs are not particularly helpful.

Best thing is to assume the breach has happened. Load up the latest version of phpBB to prevent further exploits. Check your system carefully for rootkits and trojans. If you don't know how to do that, you have two choices: find a consultant who can do it; or reload the entire system from scratch.

For serious ecommerce, you need a monitoring service like Scanalert to make sure these things don't happen.

Good Luck.