Hi all,
I'm posting this message in both the Modernbill and DirectAdmin forums in hopes that the combined communities can help me trace this problem customer down.
Last month we had $20k in fraudulent charges. Thankfully FraudGuardian helped us since we set up everything to be 'Auth Only'. It's a huge headache, and now we want to track down the culprit(s).
So far, after going through the MB logs, and the Authorize.net logs, we've found the IP addresses of the people who signed up for hosting. Oddly enough, a bunch of the fraud came from an IP address that is associated with the box - meaning they signed up for one account, somehow got through, then used the box itself to sign up for the other accounts.
Since we think this happened about a month ago, I've tailed the /var/log/messages.4 file, which has login information from December 3rd to about December 10th. I tried searching for sshd logins with the IP address that we found on Authorize.net, but it appears as if sshd didn't log IP addresses to the logfile.
First, it looks like CentOS isn't keeping logs more than a month old. How do I fix this to not delete any logfiles, or am I just not looking in the right place for where all the other logs are kept?
Secondly, what else can I do to track down these culprits? Are there other files I can look at on the box itself, or within DirectAdmin or ModernBill that will help me track these people down?
Thanks in advance.
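A follow-up, as an added example that is not part of the original post. Two facts worth knowing for the questions above: on CentOS, sshd's "Accepted"/"Failed" lines (which do include the client IP) go through syslog's authpriv facility to /var/log/secure rather than /var/log/messages, and the .1/.2/.3/.4 suffixes come from logrotate (the weekly "rotate 4" in /etc/logrotate.conf is why nothing older than about a month survives; raising that number, or adding a larger "rotate" to the stanza in /etc/logrotate.d/syslog, keeps more copies, and older copies are usually gzipped). The script below is my own, with constructed sample log lines; it walks every rotated copy of secure* and messages* (plain or gzipped) in a directory and pulls out the sshd lines mentioning a given IP. The directory is a parameter so the same function can be pointed at /var/log on the real box.

```shell
#!/bin/sh
# Added example (not from the original post). Searches all rotated copies of
# secure* and messages* in a log directory, gzipped or not, for sshd lines that
# mention one IP address. Sample log lines below are constructed for the demo.

# Print every sshd log line that mentions IP $1, reading the log dir $2.
search_ip_in_logs() {
    ip="$1"; dir="$2"
    for f in "$dir"/secure* "$dir"/messages*; do
        [ -f "$f" ] || continue          # unmatched glob stays literal; skip it
        case "$f" in
            *.gz) gzip -dc "$f" ;;       # rotated copies older than one cycle
            *)    cat "$f" ;;
        esac
    done | grep -F "$ip" | grep 'sshd\['
}

# Count those lines (handy for a quick "did this IP ever log in?" check).
count_ip_logins() {
    search_ip_in_logs "$1" "$2" | wc -l | tr -d ' '
}

# Build a constructed sample log directory in $1 that mimics a CentOS /var/log
# after a few logrotate cycles: current file, .1, and a gzipped .2.
make_sample_logs() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/secure" <<'EOF'
Dec 12 03:14:07 host sshd[2201]: Accepted password for root from 198.51.100.7 port 51022 ssh2
Dec 12 03:14:08 host sshd[2201]: pam_unix(sshd:session): session opened for user root by (uid=0)
EOF
    cat > "$dir/secure.1" <<'EOF'
Dec 05 22:01:13 host sshd[1877]: Failed password for invalid user admin from 203.0.113.9 port 40211 ssh2
Dec 05 22:01:20 host sshd[1880]: Accepted password for root from 198.51.100.7 port 40230 ssh2
EOF
    printf '%s\n' 'Dec 01 09:15:02 host sshd[1502]: Accepted publickey for root from 198.51.100.7 port 39910 ssh2' \
        | gzip -c > "$dir/secure.2.gz"
    cat > "$dir/messages" <<'EOF'
Dec 12 03:14:07 host kernel: eth0: link up
EOF
}

# Stand-alone usage: build the sample, then search it for one of the IPs.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_sample_logs "$tmp"
    search_ip_in_logs 198.51.100.7 "$tmp"
    rm -rf "$tmp"
fi
```

On the real box, run `search_ip_in_logs <ip> /var/log` as root; if the IP shows up only in "Accepted" lines for an existing account, that points at a stolen password rather than a new signup, which is worth knowing before chasing the billing records.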