Quote:
Originally Posted by Capt_Caveman
You can check the Apache/Plesk logs to see if you can find how it was specifically exploited. When checking Apache logs, look for URLs with embedded shell commands. Other than that, a format/reinstall is recommended unless you have some way of checking file alteration (like tripwire).
All log files checked.
The log files seem to have no weird URLs in the period when the files were modified.
The security log didn't show any SSH logins in that period...
It just showed FTP logins in that period for all domains, all at almost the same time, just a few seconds apart for all domains (more than a hundred domains).
I'm wondering, is that a "bypass" way for FTP login?
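
The pattern described in the reply above, successful FTP logins for many accounts within a few seconds of each other, can be pulled out of an auth log mechanically. The following is an added example, not part of the original posts: it assumes syslog-style ProFTPD lines, and the sample log, the hostnames and addresses, and the `max_gap_s` / `min_accounts` thresholds are all constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample lines (assumed ProFTPD-via-syslog layout, not from the thread).
SAMPLE_LOG = """\
Mar  3 02:14:07 web1 proftpd[4101]: web1 (203.0.113.9[203.0.113.9]) - USER site001: Login successful.
Mar  3 02:14:08 web1 proftpd[4102]: web1 (203.0.113.9[203.0.113.9]) - USER site002: Login successful.
Mar  3 02:14:08 web1 proftpd[4103]: web1 (203.0.113.9[203.0.113.9]) - USER site003: Login successful.
Mar  3 02:14:10 web1 proftpd[4104]: web1 (203.0.113.9[203.0.113.9]) - USER site004: Login successful.
Mar  3 09:30:12 web1 proftpd[5220]: web1 (198.51.100.4[198.51.100.4]) - USER site002: Login successful.
Mar  3 09:31:40 web1 proftpd[5231]: web1 (198.51.100.7[198.51.100.7]) - USER site009 (Login failed): Incorrect password.
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: .*?"
    r"\((?P<ip>[^\[\]()]+)\[[^\]]+\]\).*USER (?P<user>\S+): Login successful"
)

def parse_logins(text, year=2024):
    """Return sorted (timestamp, user, ip) tuples for successful logins."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:  # failed logins and unrelated lines are skipped
            # syslog timestamps carry no year, so one is supplied (assumption)
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return sorted(events)

def find_bursts(events, max_gap_s=5, min_accounts=3):
    """Group logins whose neighbours are <= max_gap_s apart; keep groups
    that touch at least min_accounts distinct accounts."""
    bursts, group = [], []
    for ev in events + [None]:  # the trailing None flushes the last group
        if group and (ev is None or (ev[0] - group[-1][0]).total_seconds() > max_gap_s):
            users = sorted({u for _, u, _ in group})
            if len(users) >= min_accounts:
                bursts.append({"start": group[0][0], "end": group[-1][0],
                               "accounts": users, "ips": sorted({i for *_, i in group})})
            group = []
        if ev is not None:
            group.append(ev)
    return bursts

if __name__ == "__main__":
    for b in find_bursts(parse_logins(SAMPLE_LOG)):
        print(b["start"], "->", b["end"], len(b["accounts"]), "accounts from", b["ips"])
```

Comparing the source addresses of a flagged burst against each account's usual login addresses, and the burst's time range against the file modification times, shows whether the two events line up.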