Maybe it’s more Linux related than Virtualmin, but is there a way to have a log where I can see all logins on the server?
I’m mostly using my account to log on to the server, but I would like to be able to get a list of all logins through SSH…
Is there already such a log in Virtualmin or Webmin, or is there a log file I could add to the System Logs tab of Webmin?
How about the commands
who --all and
Nice idea, but what’s strange is that I have commands from the hacker in the .bash_history of a specific user without the user showing up as connected in the “last” command… is it normal?
That suggests that they didn’t actually log in via SSH or similar, but that they instead likely took advantage of a security hole, probably in a web app, and from there they managed to launch a shell.
You may want to look for any unusual processes that are running, as well as make sure that all of your web apps are fully up to date.
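The process check suggested above, as an added example that is not part of the original thread or of Virtualmin/Webmin. A shell reached through a web-app hole runs as the web server’s account and hangs off the web server’s process tree, so the quick triage is: anything running as the web-server user, or descended from a web-server process, that is not the web server itself. The ps output is constructed for the example; the account name www-data and the list of expected binaries are assumptions for a Debian/Ubuntu Apache + PHP host and should be adjusted for the real machine.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Virtualmin/Webmin.
# Flags processes that run as the web-server account, or that descend from a
# web-server process, and are not one of the binaries expected to run there.
# The ps output below is CONSTRUCTED; www-data and EXPECTED are assumptions.

WEB_USER="${WEB_USER:-www-data}"
# Binaries that legitimately run under the web-server account (assumption).
EXPECTED="${EXPECTED:-apache2 php-fpm7.4 php-cgi}"

# Constructed output of: ps -eo user,pid,ppid,comm,args
make_sample_ps() {
    _f="$(mktemp)"
    cat >"$_f" <<'EOF'
USER       PID  PPID COMMAND         COMMAND
root         1     0 systemd         /sbin/init
root      1200     1 apache2         /usr/sbin/apache2 -k start
www-data  1201  1200 apache2         /usr/sbin/apache2 -k start
www-data  1202  1200 apache2         /usr/sbin/apache2 -k start
www-data  1340  1201 sh              sh -c cd /tmp && perl ./x.pl
www-data  1341  1340 perl            perl ./x.pl
www-data  1555  1341 sendmail        /usr/sbin/sendmail -t
root      1400     1 sshd            /usr/sbin/sshd -D
shopuser  1600  1400 bash            -bash
EOF
    printf '%s\n' "$_f"
}

# Print "reason <TAB> ps line" for every suspicious process in a ps listing.
# A process is suspicious when its command is not in EXPECTED and it either
# runs as WEB_USER or has a web-server process somewhere among its ancestors.
flag_web_spawned() {
    awk -v web="$WEB_USER" -v expected="$EXPECTED" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    NR == 1 { next }                                  # skip the ps header
    { user[$2] = $1; ppid[$2] = $3; comm[$2] = $4; line[$2] = $0 }
    END {
        for (p in comm) {
            if (comm[p] in ok) continue               # the web server itself
            reason = ""
            if (user[p] == web) reason = "runs as " web
            a = ppid[p]; hops = 0                     # walk up the tree
            while (a in comm && hops < 64) {
                if (comm[a] in ok) {
                    sep = (reason == "") ? "" : "; "
                    reason = reason sep "descends from " comm[a] "[" a "]"
                    break
                }
                a = ppid[a]; hops++
            }
            if (reason != "") printf "%s\t%s\n", reason, line[p]
        }
    }' "$1"
}

SAMPLE="$(make_sample_ps)"
flag_web_spawned "$SAMPLE"
rm -f "$SAMPLE"
# On the live host:  ps -eo user,pid,ppid,comm,args | flag_web_spawned -
```

On the constructed listing this flags the sh and perl processes spawned from an Apache worker and the sendmail they launched (the spam path), while the apache2 workers and the shopuser bash session under sshd are left alone. Anything it flags deserves a look at `/proc/PID/cwd` and `/proc/PID/exe` before it gets killed, since those disappear with the process.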
On Debian/Ubuntu there’s also /var/log/auth.log, which records most stuff related to authentication, also from other processes/commands like Webmin, Perl, cron and su.
Also relevant might be the stuff in /var/log/proftpd, in case they used FTP to upload evil things.
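An added example, not part of the original thread or of Virtualmin/Webmin, that ties the two log sources above together. The records that “last” and “who” show come from wtmp/utmp, which sshd and login write through PAM, while /var/log/auth.log records every authentication event, so for SSH logins the two should agree; a shell launched from a compromised web app writes to neither, which is why a user’s .bash_history can grow without any entry in “last”. The auth.log lines are constructed; the sshd and su message formats are the older pam_unix formats used on Debian/Ubuntu and the www-data account is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Virtualmin/Webmin.
# Pulls SSH logins, failed attempts and su sessions out of an auth.log so
# they can be compared with "last -a". The log lines below are CONSTRUCTED.

# Build a small auth.log so the functions can be exercised offline.
make_sample_auth_log() {
    _f="$(mktemp)"
    cat >"$_f" <<'EOF'
Mar  3 10:01:12 web1 sshd[2210]: Accepted publickey for admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:05:40 web1 sshd[2290]: Failed password for invalid user oracle from 198.51.100.23 port 40022 ssh2
Mar  3 10:05:43 web1 sshd[2290]: Failed password for invalid user oracle from 198.51.100.23 port 40022 ssh2
Mar  3 10:07:01 web1 CRON[2301]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 10:12:09 web1 sshd[2350]: Accepted password for deploy from 198.51.100.23 port 40100 ssh2
Mar  3 10:13:30 web1 su[2377]: pam_unix(su:session): session opened for user shopuser by www-data(uid=33)
EOF
    printf '%s\n' "$_f"
}

# Successful SSH logins, one "user from ip (method)" per line.
# These are the entries that should also appear in "last -a".
ssh_accepted() {
    awk '/sshd\[[0-9]+\]: Accepted/ { print $9, "from", $11, "(" $7 ")" }' "$1"
}

# Failed SSH password attempts counted per source address, busiest first.
ssh_failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ips[$(i + 1)]++
         }
         END { for (ip in ips) print ips[ip], ip }' "$1" | sort -rn
}

# Addresses that failed and then succeeded: the brute-force signature.
failed_then_accepted() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i + 1)]++
         }
         /sshd\[[0-9]+\]: Accepted/ {
            if ($11 in failed) print $11, "after", failed[$11], "failures as", $9
         }' "$1"
}

# su sessions: which user was entered and by whom. The web-server account
# (www-data) as the caller is the trace a web shell leaves when it pivots
# into a hosting customer's account without ever logging in.
su_sessions() {
    awk '/su\[[0-9]+\]: pam_unix\(su:session\): session opened for user/ {
            for (i = 1; i <= NF; i++) if ($i == "user") print $(i + 1), "by", $(i + 3)
         }' "$1"
}

SAMPLE="$(make_sample_auth_log)"
echo "== successful SSH logins ==";          ssh_accepted "$SAMPLE"
echo "== failed SSH passwords per IP ==";    ssh_failed_by_ip "$SAMPLE"
echo "== brute force that succeeded ==";     failed_then_accepted "$SAMPLE"
echo "== su sessions ==";                    su_sessions "$SAMPLE"
rm -f "$SAMPLE"
# On the live host: ssh_accepted /var/log/auth.log, then compare with "last -a".
```

On the constructed log this shows two SSH logins, the same address that brute-forced the oracle account later getting in as deploy, and a su into shopuser started by www-data, which is exactly the kind of session that fills a .bash_history without appearing in “last”. The auth.log path can also be added under Webmin’s System Logs tab so it can be read from the web interface.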
To discover malware scripts in your web hosting, I can recommend this software, which Eric recently suggested in a similar situation: LMD (Linux Malware Detect). It makes use of the ClamAV engine that Virtualmin installs and scans your customers’ home directories for about 5300 known, currently active web-hosting-based malware scripts.
Thanks for all your tips…
The server has been cleaned, and spam is not sent anymore…
I had found the bad scripts and cleaned everything,
but now I have installed LMD and I feel pretty secure with such a tool! It has found some PHP injections that were in very old code… great tool!