Our server was attacked this weekend and the websites' index.html files were replaced with racist comments. Can anyone provide advice on logs that might help track this attacker? Our connection is on a CBeyond T1 connected to a Linksys RV042 VPN router. We have one-to-one NAT to internal IP addresses for the servers. We actually were locking down the firewall on the router to block all requests but web, mail and DNS, and this attack was happening literally hours before we finished this. Secure.log shows scores of SSH attempts testing all sorts of name/password combinations, none of them remotely correct, but somehow they did get in.
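One way to work through secure.log for the pattern described above (a run of failed SSH logins from one source followed by an accepted login from the same source), as an added example that is not part of the original post; the log lines, hostname and IP addresses are constructed samples in the syslog format sshd writes, not data from the poster's server:

```python
import re
from collections import defaultdict

# Constructed sample lines in the format sshd writes to /var/log/secure.
SAMPLE_SECURE_LOG = """\
Mar  3 01:12:07 web1 sshd[4121]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar  3 01:12:09 web1 sshd[4123]: Failed password for invalid user oracle from 198.51.100.23 port 51030 ssh2
Mar  3 01:12:11 web1 sshd[4125]: Failed password for root from 198.51.100.23 port 51041 ssh2
Mar  3 01:12:14 web1 sshd[4127]: Failed password for root from 198.51.100.23 port 51055 ssh2
Mar  3 01:12:20 web1 sshd[4129]: Accepted password for root from 198.51.100.23 port 51070 ssh2
Mar  3 08:40:02 web1 sshd[5210]: Accepted publickey for deploy from 192.0.2.10 port 40122 ssh2
Mar  3 09:15:44 web1 sshd[5388]: Failed password for invalid user test from 203.0.113.9 port 33010 ssh2
"""

# Matches both "Failed ..." and "Accepted ..." sshd auth results, with or without "invalid user".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_sshd_lines(text):
    """Yield one dict per sshd auth-result line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def suspicious_logins(text, min_failures=3):
    """Return {ip: (failures_before_first_success, [(timestamp, user), ...])} for
    every source IP whose accepted login came after at least min_failures
    failed attempts from that same IP. That is the brute-force-then-success
    pattern worth chasing first when the failures look random but a login succeeded."""
    failures = defaultdict(int)
    flagged = {}
    for ev in parse_sshd_lines(text):
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
        elif failures[ev["ip"]] >= min_failures:
            entry = flagged.setdefault(ev["ip"], (failures[ev["ip"]], []))
            entry[1].append((ev["ts"], ev["user"]))
    return flagged

if __name__ == "__main__":
    for ip, (nfail, logins) in suspicious_logins(SAMPLE_SECURE_LOG).items():
        print(f"{ip}: {nfail} failures, then accepted login(s): {logins}")
```

On the real host, run it against the full secure.log and compare the timestamps of any flagged logins with the modification times of the replaced index.html files and the web server's access log for the same window.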