What logs to read?
On hosting from reg.ru, sites are constantly infected, despite the fact that the latest version of the CMS is always used, CMS updates are made regularly.
Some time ago, a paid service for the treatment of sites appeared.
One gets the impression that the matter is precisely in the "promotion" of this service.
The hosting logins are different, including with the 1st site on the hosting.
Support says fix bugs in your scripts.
Question: how to identify a vulnerable script? What logs to read?
As I understand it, in the Apache logs, requests like POST indicate the already successful operation of a shell. But how to identify the process of placing one on the server? What logs to read/request from the host?
UPD: it is required to find evidence of the fact of infection from the outside, otherwise the hoster did / overlooked it.
So?
They usually get there also through a tricky POST/GET request. Take access.log, sort by the number of hits and consider all strange requests - this way some vulnerability inside the CMS will pop up.
Well, first of all, check the version of proftpd on the server.
I recommend reading the following material: https://habrahabr.ru/company/sprinthost/blog/125839/
In general, I have little faith that reg.ru is engaged in such insanity.
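The access.log triage suggested in the answers above, as an added example that is not part of the original thread: it ranks requests by hit count, then applies one heuristic (an assumption, not a rule) that flags `.php` paths answered with 200 only to POST, and lists what the same IP requested shortly before the first hit. The log lines, paths and IP addresses are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache "combined" format; the SAMPLE lines are constructed for this example.
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3}) ')
SAMPLE = """\
198.51.100.4 - - [12/Mar/2017:09:58:01 +0300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2017:09:58:09 +0300] "GET /index.php?id=2 HTTP/1.1" 200 5301 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2017:09:59:30 +0300] "GET /login.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2017:09:59:41 +0300] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2017:10:00:05 +0300] "POST /plugins/example/upload.php HTTP/1.1" 200 31 "-" "curl/7.50"
203.0.113.7 - - [12/Mar/2017:10:00:20 +0300] "POST /images/tmp/a1.php HTTP/1.1" 200 412 "-" "curl/7.50"
203.0.113.7 - - [12/Mar/2017:10:03:02 +0300] "POST /images/tmp/a1.php HTTP/1.1" 200 977 "-" "curl/7.50"
""".splitlines()

def parse(lines):
    """Yield (ip, time, method, path, status) for each parseable line."""
    for line in lines:
        m = LINE.match(line)
        if m:
            ip, ts, method, url, status = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield ip, when, method, url.split("?")[0], int(status)

def hit_counts(lines):
    """(method, path) pairs sorted by number of hits, most frequent first."""
    return Counter((m, p) for _, _, m, p, _ in parse(lines)).most_common()

def post_only_scripts(lines, window=timedelta(minutes=10)):
    """Heuristic: .php paths answered with 200 that nobody ever GETs.
    Returns {path: (first_seen, earlier requests by the same IP in window)}."""
    rows = sorted(parse(lines), key=lambda r: r[1])
    methods = defaultdict(set)
    for _, _, method, path, status in rows:
        if path.endswith(".php") and status == 200:
            methods[path].add(method)
    report = {}
    for path, seen in methods.items():
        if seen == {"POST"}:
            ip, first = next((r[0], r[1]) for r in rows if r[3] == path and r[4] == 200)
            before = [(r[2], r[3]) for r in rows
                      if r[0] == ip and first - window <= r[1] < first]
            report[path] = (first, before)
    return report

if __name__ == "__main__":
    print(hit_counts(SAMPLE))
    print(post_only_scripts(SAMPLE))
```

Legitimate POST-only endpoints will also be flagged, so each hit still needs a look at the file itself and its modification time.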