On Tue, Dec 13, 2016 at 12:43 PM, jdd <jdd@dodin.org> wrote:
> On 13/12/2016 at 18:14, Darin Perusich wrote:
>> Check the owner/group/time-stamps of these malicious files
>
> I was sure I could make an error... I copied out the faulty folder, but didn't do this as root, and so the owner is no longer the initial one.
>
> At first glance I only noted the date (Nov 30).
>
>> and try and correlate those with entries in your ftp/apache/susefirewall/app logs.
>
> Yes, but where are these logs? No "ftp" in /var/logs. Probably some syntax with journalctl. I certainly have them for the FW.
>
>> Check your ftp daemon config to see what file or syslog service it uses to save logs; they may just be in /var/log/messages.
>
> Yes, I have them, and for the dedicated day. But there are 15223 lines... how can I find the lines giving access to the computer? What have I to search for?
>
>> In the FW logs grep for SPT=21, source port 21/ftp, to limit to only those connections and review the SRC=x.x.x.x address for the host that initiated those connections. Then it becomes a game of tracking down who owns that address, looking for other log entries from the address, etc.
>>
>> If you don't have logging enabled for said app then shame on you; if log entries for those times are "missing", you've been pwned. Don't forget logs from your router, if you're storing them, since they may also be able to help correlate the connections/activity.
>
> It's a hosted computer, online, no router.
>
> thanks
> jdd
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
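Darin's suggestion above (grep the SuSEfirewall log for the FTP port and review the SRC addresses), as an added example that is not part of the thread. It assumes SuSEfirewall2's iptables LOG lines in /var/log/messages with the standard SRC=/DST=/SPT=/DPT= fields; the sample log lines are constructed. Since port 21 shows up as DPT on a connection to the daemon and as SPT on the server's reply, the filter matches both and the SRC column tells the two apart.

```shell
#!/bin/sh
# Summarise which remote addresses hit the FTP port, from SuSEfirewall2
# (iptables LOG target) lines in /var/log/messages or /var/log/firewall.
# Added example, not from the thread; the log lines below are constructed.
# SRC=/DST=/SPT=/DPT= are the standard iptables LOG field names: on an inbound
# connection to the daemon port 21 appears as DPT, on the reply as SPT, so
# both are matched and the SRC column tells the two apart.

# Read firewall log lines on stdin; print "count SRC", most frequent first,
# for every packet where port 21 is the source or the destination port.
ftp_sources() {
    grep -E ' (SPT|DPT)=21( |$)' \
      | sed -n 's/.* SRC=\([0-9.]*\) .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Same, restricted to one syslog day: $1 is the date prefix exactly as syslog
# writes it, e.g. "Nov 30" (note the two spaces in "Dec  1").
ftp_sources_on() {
    grep "^$1 " | ftp_sources
}

# Constructed sample: two connects from one host, one from another, a reply
# from the server itself (SPT=21), an SSH connect and a DPT=2100 line that
# must not match, and one connect on the following day.
SAMPLE_LOG=$(cat <<'EOF'
Nov 30 03:12:01 host kernel: SFW2-INext-ACC IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51234 DPT=21 SYN
Nov 30 03:12:02 host kernel: SFW2-OUT-ACC IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.23 LEN=60 PROTO=TCP SPT=21 DPT=51234 ACK SYN
Nov 30 03:15:40 host kernel: SFW2-INext-ACC IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51301 DPT=21 SYN
Nov 30 04:02:11 host kernel: SFW2-INext-ACC IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40000 DPT=21 SYN
Nov 30 04:05:00 host kernel: SFW2-INext-ACC IN=eth0 OUT= SRC=192.0.2.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=44444 DPT=22 SYN
Dec  1 00:30:00 host kernel: SFW2-INext-DROP IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=3000 DPT=2100 SYN
Dec  1 01:00:00 host kernel: SFW2-INext-ACC IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=3001 DPT=21 SYN
EOF
)

# Stand-alone run: who reached the FTP port on Nov 30?
# On the real host: ftp_sources_on "Nov 30" < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | ftp_sources_on "Nov 30"
```

Addresses that appear only on SPT=21 lines are the server's own replies; the remaining SRC values are the hosts that opened connections to the daemon and are the ones to look up and correlate with the ftp daemon's own log.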