Full Version: Access Logs
pedant
Hello there,

One of my sites on my machine is hacked and I am trying to find out who accessed the domain, but I cannot find older logs. All logs are 1-3 days old. Can you help me find who accessed the FTP account? Thanks for your help.
thedude
Chances are they might have deleted the logs.

Few things first though.

1. What FTP server are you using?
2. Was there just 1 FTP account setup?

You might be able to find something in messages.

cd /var/log

more messages | grep accountname@servername/ip

or...you could just do

more messages | grep ftp
pedant
The site's cPanel password was captured, I think, because the other sites and the server itself are secure. The problem is that /var/messages includes the last few days. The older logs are not available, but I need to view older logs and I don't know where they are. Thank you.

PS: 1. I am using pure-ftp
2. There are lots of domains and accounts hosted right now, and each account on the server has 1 FTP user.
thedude
Is there a

messages.1
messages.2

etc etc in your /var/log folder?

You can start going through some of the apache logs and what not for that user.

Those logs are in

/usr/local/apache/domlogs

They'll be named for the domain they log.
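
An added example, not part of the original thread: a shell function that searches `messages` and its rotated copies (`messages.1`, compressed `messages.N.gz`) for logins to one FTP account and counts them per source IP. The log lines are constructed in pure-ftpd's syslog style (an assumed format), and the account names, host name and addresses are made up.

```shell
#!/bin/bash
# Constructed sample data: three generations of a syslog file, with
# login lines written in pure-ftpd's syslog style (assumed format).
make_sample_logs() {
    local dir=$1
    cat > "$dir/messages" <<'EOF'
Mar 16 09:00:01 host pure-ftpd: (?@198.51.100.20) [INFO] exampleuser is now logged in
Mar 16 09:05:00 host crond[311]: (root) CMD (run-parts /etc/cron.hourly)
EOF
    cat > "$dir/messages.1" <<'EOF'
Mar 10 02:11:06 host pure-ftpd: (?@203.0.113.7) [INFO] exampleuser is now logged in
Mar 10 03:00:00 host pure-ftpd: (?@203.0.113.7) [INFO] otheruser is now logged in
EOF
    cat > "$dir/messages.2" <<'EOF'
Mar  3 02:10:00 host pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [exampleuser]
Mar  3 02:10:09 host pure-ftpd: (?@203.0.113.7) [INFO] exampleuser is now logged in
EOF
    gzip -f "$dir/messages.2"   # rotated logs are often compressed
}

# ftp_logins LOGDIR ACCOUNT
# Prints "count ip" for every address that logged in as ACCOUNT,
# reading the live log plus every rotated copy that still exists.
ftp_logins() {
    local logdir=$1 account=$2 f
    for f in "$logdir"/messages "$logdir"/messages.*; do
        [ -f "$f" ] || continue          # glob matched nothing
        case $f in
            *.gz) gzip -dc -- "$f" ;;    # read compressed rotations too
            *)    cat -- "$f" ;;
        esac
    done |
    grep -F 'pure-ftpd' |
    grep -F "] $account is now logged in" |   # "] " avoids partial-name hits
    sed -n 's/.*(?@\([^)]*\)).*/\1/p' |       # pull the IP out of (?@ip)
    sort | uniq -c | awk '{print $1, $2}'
}

# Demo on the constructed logs.
demo=$(mktemp -d)
make_sample_logs "$demo"
ftp_logins "$demo" exampleuser
rm -rf "$demo"
```

On a real server the first argument would be `/var/log`; if only a few days of files exist there, the function can only report on those.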
pedant
The weird thing is that /usr/local/cpanel/logs/access_log only contains data for the last few days. Older info seems to be nowhere.
thedude
What about /usr/local/apache/domlogs

??
XGhozt
I've spent hours narrowing down "who did it" only to find out that it doesn't really matter. The best thing you can do is work on figuring out how whatever they did was done, this way you can take measures to ensure you can't be compromised the same way twice.