Your log doesn't start early enough. Someone uploaded a web shell (or found
an existing web shell) to your server, possibly using an upload form that
doesn't validate the input, then used that shell to run commands on your
server.
I would consider your entire server to be compromised at this point since
you have no record of what else the attacker could have done once they had
a shell.

Make sure that you do not allow users to upload files and then execute
those files.

- Y

On Tue, Jul 5, 2022 at 9:53 PM KK CHN <kkchn...@gmail.com> wrote:

> https://pastebin.com/YspPiWif
>
> One of the websites hosted by a customer on our Cloud infrastructure was
> compromised, and the attackers were able to replace the home page with
> their banner html page.
>
> The log files output I have pasted above.
>
> The site compromised was PHP 7 with MySQL.
>
> From the above log, can someone point out what exactly happened and how
> they are able to deface the home page.
>
> How to prevent these attacks? What is the root cause of this
> vulnerability and how the attackers got access?
>
> Any other logs or command line outputs required to trace back kindly let
> me know what other details I have to produce?
>
> Kindly shed your expertise in dealing with these kinds of attacks and trace
> the root cause and prevention measures to block this.
>
> Regards,
> Krish

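The advice in the reply above ("do not allow users to upload files and then execute those files") is easiest to follow with a concrete upload handler. The following is an added example for a PHP 7 site like the one described, not code from either poster or from the compromised site. It assumes the form field is named `file`, that `/var/app/uploads` is a directory writable by the PHP user and located outside the web server's document root (both are assumptions), and that only images are meant to be accepted. The client-supplied filename and `Content-Type` are never trusted; the type is decided from the file bytes, the stored name is random, and the file is never placed where the web server would execute it.

```php
<?php
// Added example (not from the thread): a minimal upload handler for PHP 7
// that accepts only image files, stores them under a random name outside
// the web root, and never lets the web server execute what was uploaded.
// Assumptions: UPLOAD_DIR exists, is writable by the PHP user, and is NOT
// under the document root; the form field is named "file".
declare(strict_types=1);

const MAX_BYTES  = 2 * 1024 * 1024;        // 2 MiB hard cap
const UPLOAD_DIR = '/var/app/uploads';     // assumed path, outside web root
const ALLOWED    = [                       // detected MIME type => extension we assign
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

function rejectUpload(string $why): void
{
    // Log every refusal so upload attempts are visible in the application log.
    error_log('upload rejected: ' . $why . ' from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(400);
    exit('upload rejected');
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_FILES['file'])) {
    rejectUpload('no file field');
}
$f = $_FILES['file'];

// 1. Basic sanity: PHP's own error code, size, and that it really is an upload.
if ($f['error'] !== UPLOAD_ERR_OK) {
    rejectUpload('php error code ' . $f['error']);
}
if ($f['size'] <= 0 || $f['size'] > MAX_BYTES) {
    rejectUpload('bad size');
}
if (!is_uploaded_file($f['tmp_name'])) {
    rejectUpload('not an uploaded file');
}

// 2. Decide the type from the bytes, not from the client-supplied name or
//    $f['type'], both of which the sender controls.
$finfo = new finfo(FILEINFO_MIME_TYPE);
$mime  = $finfo->file($f['tmp_name']);
if (!isset(ALLOWED[$mime])) {
    rejectUpload('disallowed type ' . $mime);
}
// For images, additionally require that the image decoder agrees.
if (getimagesize($f['tmp_name']) === false) {
    rejectUpload('not a decodable image');
}

// 3. Never reuse the client's filename: assign a random name and our own
//    extension, so names like "x.php", "x.php.png" or "../x" never reach disk.
$name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
$dest = UPLOAD_DIR . '/' . $name;

// 4. Move it into a directory the web server does not serve directly,
//    readable but not executable.
if (!move_uploaded_file($f['tmp_name'], $dest)) {
    rejectUpload('could not store file');
}
chmod($dest, 0640);

// 5. Serve it back later through a read-only handler (readfile() with a
//    fixed Content-Type), never by a URL that maps onto the upload directory.
header('Content-Type: application/json');
echo json_encode(['stored' => $name]);
```

If the upload directory must live under the document root for some reason, the web server itself should also refuse to run scripts there (with mod_php, `php_admin_flag engine off` in that directory's configuration; with nginx, simply not routing that location to PHP-FPM), so that even a validation bug does not turn an uploaded file into a web shell.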