I logged in to my site via ssh/putty this morning to check on things and noticed that someone else had logged in. Btw, I've got ssh moved to a different port number. They had executed a tracert and then an sftp command. The sftp was to an anonymous ftp account on a machine located at a hosting company. Based on what I see, I think someone either ftp'd my application OR put something on my server. Does sftp have a log file? Any recommendations on how to track this down? I need to gather enough information to either file charges or take civil action. -jay P.S. I've changed my shell password, done a virus scan and a rootkit scan on my PC and they come back negative.
IMHO, I would contact the host, delete the account, and start new from a backup. A clean backup. I had a box hacked, and I had hidden " ." directories in different places, with sniffer programs, etc. hth, and sorry, tom
Tom, This app is really big. Probably 20G of data and 500k visitors a month. Moving to a new account/host is a huge project. Is there any way to see what the SOBs did with sftp? Thanks! -jay
sftp has a log; it is together with ssh, but I would probably ask for the secure or syslog of the server.
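Following the last reply's pointer to the server's secure/syslog file, here is an added example (not part of the thread) that pulls accepted logins, failed attempts and sftp subsystem requests out of sshd log lines and flags source addresses the owner does not recognize. It assumes OpenSSH's standard syslog message formats; the sample lines, host, user and IP addresses are constructed, and `known_ips` is a hypothetical list of the owner's own addresses.

```python
import re
from collections import defaultdict

# Constructed sample lines in the OpenSSH/syslog style found in
# /var/log/secure or /var/log/auth.log; host, user and IPs are invented.
SAMPLE_LOG = """\
Mar  3 02:11:40 web1 sshd[1901]: Failed password for jay from 203.0.113.50 port 40022 ssh2
Mar  3 02:11:47 web1 sshd[1901]: Accepted password for jay from 203.0.113.50 port 40022 ssh2
Mar  3 02:19:05 web1 sshd[1950]: Accepted password for jay from 203.0.113.50 port 40101 ssh2
Mar  3 02:19:06 web1 sshd[1952]: subsystem request for sftp by user jay
Mar  3 08:30:12 web1 sshd[2400]: Accepted publickey for jay from 198.51.100.7 port 51514 ssh2
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
ACCEPTED = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
FAILED = re.compile(r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
# Older sshd versions log the request without the "by user" suffix.
SFTP = re.compile(r"^subsystem request for sftp(?: by user (?P<user>\S+))?")

def summarize(log_text, known_ips):
    """Return (logins per IP, failures per IP, sftp requests, unrecognized IPs)."""
    logins = defaultdict(list)
    failures = defaultdict(int)
    sftp_requests = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an sshd line
        ts, msg = m.group("ts"), m.group("msg")
        if (a := ACCEPTED.match(msg)):
            logins[a.group("ip")].append((ts, a.group("user"), a.group("method")))
        elif (f := FAILED.match(msg)):
            failures[f.group("ip")] += 1
        elif (s := SFTP.match(msg)):
            sftp_requests.append((ts, s.group("user")))
    # Only addresses that actually authenticated are reported as unrecognized.
    unknown = sorted(ip for ip in logins if ip not in known_ips)
    return dict(logins), dict(failures), sftp_requests, unknown

if __name__ == "__main__":
    logins, failures, sftp_requests, unknown = summarize(SAMPLE_LOG, {"198.51.100.7"})
    for ip in unknown:
        print(f"unrecognized source {ip}: {failures.get(ip, 0)} failed attempt(s)")
        for ts, user, method in logins[ip]:
            print(f"  {ts}  {user}  via {method}")
    for ts, user in sftp_requests:
        print(f"sftp subsystem requested at {ts} by {user}")
```

To use it on a real server, pass the contents of the log file in place of `SAMPLE_LOG`. It shows only who authenticated, from where and when; commands typed inside a shell session, such as an outbound sftp, are not written to this log.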