I've been administering a Debian server since last week. It used to have another administrator.
I presume it's been hacked: files might have been read via SFTP to obtain information about a site that's hosted on the server I'm mentioning, and then tables were deleted from the database via phpMyAdmin.
I'm about to give up here, since phpMyAdmin doesn't log activity by default, and SFTP doesn't either. Neither the server's SFTP activity nor phpMyAdmin was configured to output data to log files.
The presumed "hacker" made the mistake of accessing the server a couple of times via SSH with a user I didn't realize existed! However, I couldn't track any more activity, since he/she was careful enough to only navigate to the folder where the site is hosted (directly, not even messing around through the files, so he clearly knew the server); the rest of the activity was done through phpMyAdmin and SFTP.
Not many people knew about this user on the server, as you are probably realizing, since it was NOT root, and I've got his IP address, which we all know won't help much.
All he/she did on the server, when logged in as the other user, was `cd` to the directory where the site lives and make a directory there called "m", and that's it; the "m" directory was removed, but not using the terminal, neither by me nor by the intruder.
The file `/etc/ssh/sshd_config` is now configured to track activity, and it works, but of course it's a little too late, unfortunately.
Can you please help me find a way of tracking SFTP activity, or any other way of tracking the activity of a particular user on the server, other than logging in as that user via SSH and executing the `history` command? Thanks!
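As an added example (not code from the poster or from any answer), assuming Debian's default of sshd logging to /var/log/auth.log and an sshd_config line `Subsystem sftp internal-sftp -l INFO`, this script ties internal-sftp operations back to a user name over constructed auth.log lines; the host name, user names and addresses are invented.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes Debian's default
# of sshd logging to /var/log/auth.log and that sshd_config contains
#   Subsystem sftp internal-sftp -l INFO
# so that every SFTP operation is logged. internal-sftp logs the user name
# only on "session opened"; later lines carry just the sshd[PID] tag, so the
# PID is used to attribute operations to the user.

# Constructed sample of auth.log lines (host, users and addresses invented).
SAMPLE_LOG='Mar  3 10:12:01 web1 sshd[2210]: Accepted password for deploy from 203.0.113.7 port 51234 ssh2
Mar  3 10:12:02 web1 sshd[2212]: session opened for local user deploy from [203.0.113.7]
Mar  3 10:12:03 web1 sshd[2212]: opendir "/var/www/site"
Mar  3 10:12:05 web1 sshd[2212]: open "/var/www/site/config.php" flags READ mode 0666
Mar  3 10:12:05 web1 sshd[2212]: close "/var/www/site/config.php" bytes read 1432 written 0
Mar  3 10:12:09 web1 sshd[2212]: mkdir name "/var/www/site/m" mode 0777
Mar  3 10:12:40 web1 sshd[2212]: session closed for local user deploy from [203.0.113.7]
Mar  3 11:00:00 web1 sshd[2300]: session opened for local user alice from [198.51.100.9]
Mar  3 11:00:01 web1 sshd[2300]: open "/home/alice/notes.txt" flags READ mode 0666'

# SSH logins for a user: timestamp, auth method and source address.
ssh_logins_for_user() {
    awk -v u="$1" '/sshd\[[0-9]+\]: Accepted / && $9 == u {
        print $1, $2, $3, $7, "from", $11 }'
}

# SFTP operations (open/close/mkdir/rmdir/rename/...) performed by a user,
# keyed on the sshd[PID] tag between "session opened" and "session closed".
sftp_ops_for_user() {
    awk -v u="$1" '
        /session opened for local user/ { if ($11 == u) pid[$5] = 1; next }
        /session closed for local user/ { delete pid[$5]; next }
        ($5 in pid) && /"/ {
            op = $0; sub(/^.*sshd\[[0-9]+\]: /, "", op)
            print $1, $2, $3, u, op
        }'
}

# Demo on the sample; on a live system read the real log instead:
#   sftp_ops_for_user deploy < /var/log/auth.log
printf '%s\n' "$SAMPLE_LOG" | ssh_logins_for_user deploy
printf '%s\n' "$SAMPLE_LOG" | sftp_ops_for_user deploy
```

Logging only records sessions started after the config change, so it documents future activity, not what already happened.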