Originally Posted by zbbo
Thanks for your suggestion kbp, I wish there was a solid way like what 'history' and 'locate' do to get such information.
My question is general, let's say about a script uploaded on an account on a web server.
Incorrect File and Directory permissions has to be the number one means of doing this.
Stolen account credentials is a close second.
START by changing your password on the server
if you use one.
ssh keys are best.
"web server" would indicate apache...? WordPress?
How many users
are allowed to login to the system?
Is there a "Panel" manager software package installed?
cPanel/WHM, Plesk, V-Deck, webmin etc...
There's just so much to cover and I'm not certain I can provide you with the correct "do-this-first" answer but here's some resources I have on subjects of this nature:
25yearsofprogramming.com (off-line, or ??? atm)
grep'ing the apache|httpd logs is usually the first step.