I have a site that I am developing on a subdomain on my server. I was viewing the logs because the client said there was a problem with the text. Upon reviewing them, I found two IP addresses that have been accessing the site using IE6. Upon further review, these IP addresses don’t belong to my client. The site is developed in Joomla v. 1.5.15.
I noticed some odd things and am wondering if it could be that my client’s computer is compromised. Yesterday in the logs I saw that she was viewing files with long strings of numbers and letters (like hash code). Then two minutes later, the IP from Japan was using the same string of numbers/letters.
I want to review my Apache logs, but don’t know how to. I am on a Macintosh and have telnet, but was reading that it is not safe. Would it tell me anything?
I have changed my DreamHost panel password and my password for FTP… but don’t actually think they are getting in there through my settings.
I haven’t banned the IP addresses yet, as I want to see what they are trying to do, and how they are getting in. They haven’t defaced anything and I don’t see any new files on the server, but then again, Joomla has hundreds of folders.
At first they were looking at .js scripts. I looked through them but couldn’t find anything suspicious. They can’t find the administrator folder as I recently jsecured it (after I found them lurking around).
Any help is appreciated. If it is that my client’s computers are compromised, then at least I know how they even found this site. It’s certainly not googled, as it still can’t be found.
Also, the site has been offline since its inception, as it is in development.
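
The pattern described in the post (a long hash-like string requested by one address and, minutes later, by a different address) can be pulled out of an Apache access log mechanically. The following is an added example, not part of the original post: it assumes the Apache "combined" log format and treats any run of 32 or more hex characters in a URL as "hash-like"; the log lines, addresses and paths are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format (assumed; adjust if the host uses a custom LogFormat)
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
# "Long strings of numbers and letters": 32+ hex characters anywhere in the URL
TOKEN_RE = re.compile(r'[0-9a-fA-F]{32,}')

# Constructed sample lines (documentation IP ranges, made-up paths)
SAMPLE = '''\
192.0.2.10 - - [12/Mar/2010:14:01:05 +0000] "GET /files/0123456789abcdef0123456789abcdef.js HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh)"
198.51.100.7 - - [12/Mar/2010:14:03:09 +0000] "GET /files/0123456789abcdef0123456789abcdef.js HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [12/Mar/2010:14:05:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh)"
192.0.2.10 - - [12/Mar/2010:14:06:00 +0000] "GET /files/fedcba9876543210fedcba9876543210.js HTTP/1.1" 200 300 "-" "Mozilla/5.0 (Macintosh)"
'''

def shared_tokens(lines, window=timedelta(minutes=10)):
    """Flag hash-like URL tokens first requested by one IP and then,
    within `window`, by a different IP."""
    seen = defaultdict(list)  # token -> [(timestamp, ip, user agent)]
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        for token in set(TOKEN_RE.findall(m['url'])):
            seen[token].append((ts, m['ip'], m['ua']))
    findings = []
    for token, hits in seen.items():
        hits.sort(key=lambda h: h[0])
        first_ts, first_ip, _ = hits[0]
        for ts, ip, ua in hits[1:]:
            if ip != first_ip and ts - first_ts <= window:
                findings.append({
                    'token': token, 'first_ip': first_ip, 'second_ip': ip,
                    'seconds_apart': (ts - first_ts).total_seconds(),
                    'user_agent': ua})
                break  # one finding per token is enough to start a review
    return findings

if __name__ == '__main__':
    for f in shared_tokens(SAMPLE.splitlines()):
        print(f)
```

To run it against a real log, pass an open file object instead of `SAMPLE.splitlines()`; a token that appears in a finding is worth tracing back to where the first requester obtained it.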