Hello all,
Most of you are much more skilled than I when it comes to forensics and security, so please do me a favor and help me out here so I can better understand the processes and procedures I should follow and implement.
Short summary:
I have a dedicated server running CentOS and hosting a website; there is also a custom member management software I've been using for 2 years now that handles a few thousand CC numbers and all account billing related issues.
A few days ago, I enlisted the help of the authors of this Membership Management software (OSS5) to complete some custom modifications. The company is US based, but they use Russian programmers (yeah, I know what you're thinking), but I've never had a problem with them before this week.
So, I create an FTP user account for the programmer to use, and give them the credentials as they requested. After a few days of not hearing back from them, I contact them to see what's going on and they say the credentials I provided are not valid. I plug them in myself, they work fine, so I decide to check my logs to see what's up. Come to find out, not only do the credentials I provided work, but they are being used by an IP address which is in Ukraine: 78.30.193.208
The log shows this IP uploaded a zip file, unpacked it, deleted it; they also looked at my sql.php files and config.php files and modified some other misc files. I contact them back, tell them about the logs I have and ask them what's going on. They continue to deny their involvement in what's going on, despite the IP address and the fact that I have only given that login to them.
A day later, I go to log in to the Admin panel of this software, to find out all admin accounts have been deleted, and I have no access to the software. Fortunately, I had a browser open that still had a valid session cookie which allowed me to look at the CP for this software, and sure enough all admin accounts are gone. All except one account which I did not create and have no idea where it came from.
I immediately change all my passwords (cPanel, FTP, SSH, etc.) and begin poring through the log files to see WTF is really going on. I find out that a PHP file had been compromised that contained my cPanel username and password, and this file has been duplicated, renamed and moved off of the server.
My question is, where do I go from here? How would one go about gathering more information about the breach so I can restrict further access, or prevent this type of thing from happening again. Please help me to understand the basics of forensic analysis so I can better understand WTF is going on.
Thank You in advance.
Steve
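An added example of the log triage the post describes (not code from the original post or from OSS5): it parses xferlog-style FTP transfer records, as written by the wu-ftpd/proftpd TransferLog format common on CentOS/cPanel hosts, and lists every upload or delete, plus any activity at all from hosts outside an expected address range. The sample lines are constructed; the Ukrainian address is the one quoted above, the file paths, usernames and the 203.0.113.0/24 "expected" range are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample xferlog lines, not real server logs. Field order (space separated):
# date/time, transfer-seconds, remote-host, bytes, path, type, flag, direction, mode, user, ...
# direction: i = upload (incoming), o = download (outgoing), d = delete (proftpd).
SAMPLE_XFERLOG = """\
Mon Mar 22 14:12:03 2010 2 78.30.193.208 48211 /home/site/public_html/oss5/upd.zip b _ i r devftp ftp 0 * c
Mon Mar 22 14:15:41 2010 0 78.30.193.208 48211 /home/site/public_html/oss5/upd.zip b _ d r devftp ftp 0 * c
Mon Mar 22 14:20:09 2010 1 78.30.193.208 2210 /home/site/public_html/oss5/config.php b _ o r devftp ftp 0 * c
Mon Mar 22 14:21:30 2010 1 78.30.193.208 2250 /home/site/public_html/oss5/config.php b _ i r devftp ftp 0 * c
Tue Mar 23 09:02:11 2010 1 203.0.113.7 1024 /home/site/public_html/index.php b _ o r steve ftp 0 * c
"""

XFERLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \d+ (?P<host>\S+) (?P<size>\d+) "
    r"(?P<path>\S+) [ab] \S+ (?P<dir>[iod]) [agr] (?P<user>\S+) "
)
DIRECTION = {"i": "UPLOAD", "o": "DOWNLOAD", "d": "DELETE"}


def parse_xferlog(text):
    """Yield one dict per transfer record; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = XFERLOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["action"] = DIRECTION[rec["dir"]]
            yield rec


def triage(text, allowed_networks):
    """Return {remote_host: [(timestamp, action, path, user), ...]} containing every
    record from a host outside allowed_networks, and every write (upload/delete)
    from any host, since writes are what change the site's code."""
    allowed = [ip_network(n) for n in allowed_networks]
    findings = defaultdict(list)
    for rec in parse_xferlog(text):
        host_ok = any(ip_address(rec["host"]) in net for net in allowed)
        if not host_ok or rec["action"] != "DOWNLOAD":
            findings[rec["host"]].append((rec["ts"], rec["action"], rec["path"], rec["user"]))
    return dict(findings)


if __name__ == "__main__":
    for host, events in triage(SAMPLE_XFERLOG, ["203.0.113.0/24"]).items():
        print(host)
        for ts, action, path, user in events:
            print(f"  {ts}  {action:<8} {user:<8} {path}")
```

On a live host the same function can be fed the real /var/log/xferlog (or proftpd's TransferLog) with the office/home ranges as the allowlist; the uploaded paths it reports are the files to hash and compare against a clean copy of the software.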