Select my favorite easy chair, grab a tablet, a glass of scotch and dive into reading log files. Sound like a fun time?
Most of you will cringe at that. However, I’ve found that with few exceptions, the proof is in the log files. Unfortunately, many hosting providers have the log files off by default. When a new customer comes to us to remove the malware from their website, they always want to know how it happened.
Seems logical doesn’t it?
However, without log files all we can do is compare the case with similar situations we've seen before. We actually know of one competitor that deletes the log files after we told them which third-party services they were using, based on the information in the log files.
You see, the log files don’t lie. They may not contain all the information, but they don’t lie.
For instance, we often remove malware from a WordPress website. That's not to imply that WordPress is more vulnerable than other CMSs (content management systems). But it is the most popular, which by itself makes it a huge target.
While removing malware from a WordPress website we look for clues. If the log files have been activated, we run them through our analyzer (automated and written in-house) which either pinpoints the exact point of entry or at least gives us enough evidence to make a highly educated guess.
Too often, we determine the point of entry to be stolen WordPress passwords. This is due to a virus/trojan on someone's local computer that waits for them to log in to their WordPress website. It then records the login URL, username and password.
Quite often we’ll see a sequence like this:
"POST /wp-login.php HTTP/1.0" 302
Followed by an entry like this:
You can only get to the theme-editor if you’re logged in with the proper rights. When we see this in a log file, we know that some WordPress user with administrator rights has logged in and used the theme-editor to modify the footer.php file.
We open the footer.php file and 99.9999% of the time, we find infectious code. The theme-editor can also be used to inject code into any of the other theme files as well. While they're logged in they might also upload a so-called "media" file, which is nothing more than a backdoor shell.
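The sequence described above (a successful login, then theme-editor edits or a file upload from the same address) is easy to pull out of an access log automatically. The following Python script is an added example written for this post; it is not the in-house analyzer the author mentions. It assumes the common Apache/nginx "combined" log format, that a successful WordPress login shows up as a POST to wp-login.php answered with a 302 redirect, and that edits go through /wp-admin/theme-editor.php and uploads through /wp-admin/async-upload.php. The log lines and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined format). The first address
# logs in, edits the theme and uploads a file; the second only logs in and
# browses the post list, so it should not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:02:14:01 +0000] "GET /wp-login.php HTTP/1.0" 200 2310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.0" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:20 +0000] "GET /wp-admin/theme-editor.php?file=footer.php&theme=twentytwenty HTTP/1.0" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:41 +0000] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:15:05 +0000] "POST /wp-admin/async-upload.php HTTP/1.0" 200 412 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:09:30:00 +0000] "POST /wp-login.php HTTP/1.0" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:09:30:15 +0000] "GET /wp-admin/edit.php HTTP/1.0" 200 15000 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "method": m.group("method"),
            "path": m.group("path"),
            "status": int(m.group("status")),
        })
    return entries


def _base_path(entry):
    return entry["path"].split("?", 1)[0]


def is_successful_login(entry):
    # Assumption: WordPress answers a correct POST to wp-login.php with a 302
    # redirect; a failed attempt re-renders the form with a 200.
    return (entry["method"] == "POST"
            and _base_path(entry).endswith("/wp-login.php")
            and entry["status"] == 302)


def is_theme_edit(entry):
    # Saving a file in the built-in editor is a POST to theme-editor.php.
    return entry["method"] == "POST" and _base_path(entry).endswith("/wp-admin/theme-editor.php")


def is_upload(entry):
    # Assumption: media uploads from the dashboard go through async-upload.php.
    return entry["method"] == "POST" and _base_path(entry).endswith("/wp-admin/async-upload.php")


def find_suspicious_sessions(entries, window_minutes=30):
    """For each successful login, collect theme edits and uploads made by the
    same IP within the window. Returns one finding per login that had any."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        for i, login in enumerate(events):
            if not is_successful_login(login):
                continue
            deadline = login["ts"] + timedelta(minutes=window_minutes)
            actions = [a for a in events[i + 1:]
                       if a["ts"] <= deadline and (is_theme_edit(a) or is_upload(a))]
            if actions:
                findings.append({"ip": ip, "login_at": login["ts"], "actions": actions})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_sessions(parse_log(SAMPLE_LOG)):
        print(f"{f['ip']} logged in at {f['login_at']:%Y-%m-%d %H:%M:%S} and then:")
        for a in f["actions"]:
            print(f"    {a['ts']:%H:%M:%S}  {a['method']} {a['path']}  -> {a['status']}")
```

Run against a real log the script only points you at the login and the file edits that followed it; the footer.php (or whatever file the editor touched) and the uploaded "media" file still have to be opened and inspected, and the login itself tells you which account's password was stolen and needs resetting.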
You can find so much information in the log files that we get really excited when we have log files to analyze because we know it will lead us to the final reckoning. We find the evidence and we state, “I reckon that’s how the hackers got in!”
If your security company deletes log files or just doesn’t ever activate them, you have to wonder, “Do they really know how my site was infected? Or are they just telling me to install 3 or 4 security plugins and they’re hoping for the best?”
That my friends is something for you to consider.
If you have log files you’d like us to analyze for you, put them in a zip file and email them to me at: firstname.lastname@example.org. I’ll run them through our analyzer and give you our opinion of how your site was infected – no charge.