User account hack

[Anne]

Hi,

I've had a user sending spam. It was using a user account with correct password.
But the user account password was a random 8 character (upper/lower/numbers) password. So should impossible to hack brute force right?

The problem was, that I could not login myself anymore. So the hacker could have changed the password.

What is the best way to trace this? What steps can I check? Is there a log where you can see when a user password is changed?

Anything else is much appreciated.

 

[zEitEr]

Hello,

Read logs in /var/log/ Use malware scanners, check manually last modified files in user's account, check MySQL DBs for new users, admins for user's site. Change passwords, clean and change passwords once again.

No need to brute-force password nowadays (though brute-force is still commonly used)... passwords can be intercepted, or even viewed in configs after a site was hacked.

 

[Anne]

Thank you very much. I think I found the leak, but your advice is worth trying. Also DB checks is a good one. Thanks.

 

[SeLLeRoNe]

Just matter of curiosity, what was the leak?

Best regards