Server logs vs. apache logs

I have a site that I am developing on a subdomain on my server. I was viewing the logs because the client said there was a problem with the text. Upon reviewing them, I found two IP addresses that have been accessing the site using IE6; upon further review, these IP addresses don't belong to my client. The site is developed in Joomla v. 1.5.15.

I noticed some odd things and am wondering if it could be that my client's computer is compromised. Yesterday in the logs I see she was viewing files with long strings of numbers and letters (like a hash). Then two minutes later, the IP from Japan was using the same string of numbers/letters.

I want to review my Apache logs, but don't know how to. I am on a Macintosh and have telnet, but was reading that it is not safe? Would it tell me anything?

I have changed my DreamHost panel password and my password for FTP…but I don't actually think they are getting in there through my settings.

I haven't banned the IP addresses yet, as I want to see what they are trying to do and how they are getting in. They haven't defaced anything and I don't see any new files on the server, but then again, Joomla has hundreds of folders.

At first they were looking at .js scripts; I looked through them but couldn't find anything suspicious. They can't find the administrator folder as I recently jSecured it (after I found them lurking around).

Any help is appreciated. If it is that my client's computers are compromised, then at least I know how they even found this site. It's certainly not Googled, as it still can't be found.

Also, the site has been offline since its inception, as it is in development.


I’d guess it’s just a random hack attempt. You can access the logs with your FTP client, which it looks like you’ve already done. That’s about the extent of logging you can get. Just make sure you’re using the latest version of Joomla and associated plugins.


No, they actually got into the administrator area.

The logs show them with "200" through last week. They can't log in for the time being, as I have disabled all users except myself. They changed the password of one of the client's logins.

I imagine that my clients' computers are compromised, and I am in the process of downloading and moving the site to a new subdomain, same with the database, but that's not going to help if the client has a keylogger installed on their system(s).

The Apache logs wouldn't tell me anything more than the server logs? I just want to make sure they didn't manage to get any additional info about my server (i.e., managing to get into the configuration file and getting the MySQL or FTP user/passwords), especially before I grant access to the new subdomain to my clients (they have to be administrators, not super admins, but they need to do their own development).

If they got into the Joomla! administrator with superadmin privileges, they got it all, unfortunately, as the combination of Global Configuration options and system info in the admin menus bares all. They wouldn't need to see the configuration file at all; they can see everything in it from the administrator if they managed to compromise your superadministrator account. :(

This means your MySQL password is compromised, but hopefully not your FTP (you would never use the same password for both, right?) unless you have the FTP layer enabled (and you really shouldn't, at DreamHost, as it is not needed and can be a security risk).

I have not yet seen a successful attack against a “core” Joomla 1.5.15 - every one I have seen has been via a component, or a compromised FTP account.

Using SFTP only, and disabling FTP access in the DreamHost panel, is a good idea, as well as scouring the database for "little presents" left behind, and thoroughly reviewing all your Joomla! add-ons and components.

–DreamHost Tech Support

Is there a way for me to access the Apache logs to see if there is another IP address accessing FTP?

The only users they could have used were admin and author (neither are superadmins).

I am going through the SQL file now. BTW, FTP, databases and the DreamHost admin panel all have different passwords, and not easy passwords either. I have never used the same one on them.

Again, I don't think Joomla itself is the culprit; I thoroughly believe the client has keylogger malware on their computers (again, seeing what the person in Japan was getting into and reviewing it against the client's IP addresses, I can see duplicate patterns minutes apart, as well as another user I found in the US who isn't supposed to be reviewing the site, as it is offline and the only way to review it is with a password).

My clients do not have access to my admin panel at DreamHost, nor my FTP, which is why I wanted to look at the Apache logs to see if anyone other than my IP address was able to FTP into my account on DreamHost. I am the only person with access to it (that I know of : )

Before I re-enable their user names (with newly changed passwords) I want to ensure that my server, etc. was not compromised and that the client does a full scan on each computer of theirs for any malware or keyloggers.

Thanks rlparker. BTW, I didn't congratulate you when you got your job at DH…so congrats, a bit late. But hey, on the bright side, I haven't had any issues with hosting in well over a year, so I haven't been here in the discussion forum.
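The two checks the thread keeps coming back to, as an added Python example that is not part of the forum discussion: the pattern from the first and last posts (the client opens a URL containing a long token, and minutes later a different IP fetches the exact same URL), and the "200" responses under /administrator from IPs that are not yours. It assumes Apache's combined log format; the log lines and the RFC 5737 documentation addresses in them are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one combined-format line into a dict; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def replayed_paths(lines, window_seconds=300):
    """Paths fetched by two different IPs within window_seconds of each other
    (the thread's pattern: the client opens a tokenised URL, another IP repeats it).
    Returns a sorted list of (path, first_ip, second_ip, gap_seconds)."""
    by_path = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_path[rec["path"]].append((rec["ts"], rec["ip"]))
    hits = []
    for path, visits in by_path.items():
        visits.sort()  # chronological, so adjacent pairs are the closest visits
        for (t1, ip1), (t2, ip2) in zip(visits, visits[1:]):
            gap = (t2 - t1).total_seconds()
            if ip1 != ip2 and gap <= window_seconds:
                hits.append((path, ip1, ip2, int(gap)))
    return sorted(hits)

def admin_hits(lines, allowed_ips):
    """Successful (2xx/3xx) requests under /administrator from IPs outside allowed_ips."""
    return [(r["ip"], r["path"], r["status"]) for r in filter(None, map(parse_line, lines))
            if r["path"].startswith("/administrator") and r["status"][0] in "23"
            and r["ip"] not in allowed_ips]

# Constructed sample lines (RFC 5737 documentation addresses); not real log data.
SAMPLE = [
    '198.51.100.7 - - [12/Jan/2010:14:00:05 +0000] "GET /index.php?option=com_content&id=5f4dcc3b5aa765d61d8327deb882cf99 HTTP/1.1" 200 8124 "-" "Mozilla/5.0 (Macintosh)"',
    '203.0.113.45 - - [12/Jan/2010:14:02:11 +0000] "GET /index.php?option=com_content&id=5f4dcc3b5aa765d61d8327deb882cf99 HTTP/1.1" 200 8124 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.7 - - [12/Jan/2010:14:05:30 +0000] "GET /templates/beez/javascript/md_stylechanger.js HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (Macintosh)"',
    '203.0.113.45 - - [12/Jan/2010:14:09:02 +0000] "GET /administrator/index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.10 - - [12/Jan/2010:15:00:00 +0000] "GET /administrator/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh)"',
]
```

Run `replayed_paths(open("access.log").readlines())` against a real access log and pass your own IP(s) to `admin_hits` as `allowed_ips`; any other IP with a 200 on /administrator is exactly the sign the thread is describing.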