Subject: RE: [NF] -- Hackers Take Aim At Ad-Server Networks
Author: "Greg Gum"
Posted: 2004/11/30 22:48:37
 




See inline

Greg,

<Can you check your Windows event logs to see who's been logging into
your system? Perhaps there's another account on your system that you
don't know about?

Perhaps the dates of the files uploaded by your hackers might provide a
clue to when your server was hacked?>

My thought process exactly. After it happened, I went through the security
event log, but alas, I did not have it logging failures, only successes, so I
think I missed some activity.


<If you're keeping log files for your website (http and ftp) you should
be able to learn some more clues. Perhaps someone figured out a way to
upload a script to your system (in a folder with execution rights) and
then called that script and uploaded all their files from there?>

Hmm, it's possible that they got a script to run; I hadn't thought about
that. I will look into that some more.


<You should also be able to look at where the traffic to your site has
been coming from just to verify the country of origin.>

Thanks for the tips!

Malcolm

[excessive quoting removed by server]


 
©2004 Greg Gum