How to Spot Security Breaches on Your Web Hosted Log Files
The big question is always about security. How can you spot web hosted security breaches to keep your site secure and guarantee that it won’t get hacked? The short answer is this: You can’t.
Everything is hackable given enough time, devious brains, and resources. There are things you can do, though, to protect yourself somewhat. But first, here are some things you can do to track down the source of your problems if you do get hacked.
The first thing to do is to check your FTP log files. In cPanel, those are found in /home/youraccount/access-logs/.
If you have been hacked, then it is most likely that some of your files have been altered. Use FTP to look at the date stamps on your files to see when the affected ones were last changed and thus find out when the attack happened.
Then download the logs to your computer via FTP, like Notepad++, and open them.
The FTP log should have lines of data looking a little like this:
Fri Nov 16 11:11:33 2012 0 184.108.40.206 248 /home/daytutor/public_html/.htaccess a _ o r daytutor ftp 1 * c
The information in that line of data breaks down like this:
Fri Nov 16 11:11:33 2012 is the date and time, obviously.
0 is the number of whole seconds the transfer took. This transfer took less than a second.
220.127.116.11 is the IP address of the computer that did the transfer.
248 is the size of the file transferred (in bytes).
/home/daytutor/public_html/.htaccess is the file transferred and the full path to it.
a is the type of transfer. It can be either a for ASCII or b for binary.
_ [underscore] represents the action taken. The _ means no action, C means compressed, U means uncompressed, and T means Tar’ed.
Tar originally meant Tape ARchive and was a system developed for converting data into a single stream for recording onto backup tapes. The technology is still used today but it's mostly used to collect files into a single archive file and store them on any media. A tar file usually has the file extension .tar and is uncompressed.
You can use additional compression software to compress .tar files, in which case the file extension is changed to indicate what compression software was used. For example, a .tar file compressed using the gzip program will have the extension .tar.gz.
o is the direction of the transfer. The o is for outgoing, i is for incoming, and d is for deleted.
r represents the type of user. r is for a real user, and a is for an anonymous user. Note: Real does not mean human; it means the login used a username/password combination.
daytutor is the username used to log in.
ftp is the service used (this normally will be FTP).
1 is the authentication method. The 1 is a valid authentication method as defined by RFC931. A 0 means no authentication was used.
* indicates the user ID of the user who made the transfer (if said user were logged into the server at the time). The * means the user was not logged in.
c is the completion status. A c means the transfer was complete. An i means it was incomplete.
In the example, you can see that it was a file called .htaccess that was transferred out using FTP by user daytutor on November 16, 2012, at 11:11.
However, the big question is who did the transfer. All you know is that the person used the username daytutor and had the IP address 18.104.22.168.
The first thing you should do is go to whatsmyip, which will tell you what your IP address is so you can compare the two. If the IP address in the file is not the same as yours, it may signal a security breach.
If the IP address is not yours, does anyone else have FTP access to your server? Do you use a backup system on another server that uses FTP to connect to this one?
Go to your preferred search engine and enter the IP address. This will give you a list of sites that can show you the geographical location of the device that uses that IP address. If the IP address is for a server, it should also show the hostname of the server.
You can also go to a site such as http://network-tools.com and enter the IP address there. If the IP address is connected with a server, you may get more information about the server from Network Tools.
Next, go to your server’s firewall settings and deny that IP address access to your server. This won’t stop some hackers because they can simply switch IP addresses, but at least it stops attacks coming directly from that IP address again.