...

Code Block
lnav /var/log/apache2/{jira,confluence}.$client.com.au/access.log* -n -c ";select distinct  c_ip from access_log where cs_username != '-' ;" > valid_ips.txt

Resume normal business activities

Once an operating system account has been compromised, it's generally safest to assume that the attacker has also found a local privilege escalation, achieved root, and installed trojan variants of system binaries. If so, it is game over: time to build a new server from scratch.

...

check additional tables against the backup in accordance with your level of paranoia.

Going forward..

The aftermath of a hack is a golden time in which management are suddenly extremely security conscious. Take the opportunity to make long-term changes for the better!

...