You can trying using auditd to audit the file.

sudo apt-get install auditd

Running sudo auditctl -l by default show no rules

Create a temporary rule to audit changes to index.php

sudo auditctl -w /var/www/html/index.php -p rwxa # -p = read, write, execute, attributes

Run sudo auditctl -l will show the rule that was created.
Now run sudo ausearch -f index.php | more to show what's touching index.php
or sudo tail -f /var/log/audit/audit.log | grep index.php.

@Dashrender said in Weird thing on O365 account:

@Kelly said in Weird thing on O365 account:

@Dashrender said in Weird thing on O365 account:

Alright, the user has confirmed that she made changes yesterday, and those change could associate with GMT based time.

Anyone know if the logs are only/mainly in GMT?

Almost all O365 logs are UTC 0 regardless of the timezone of the server or requestor.

yeah, OK that makes the time line up for when the user added the rules, I'm just curious why it took MS 6 hours to send the noticed of alert?

They batch some of their processes, so it may have had to wait for the group to run rather than being on demand/occurrence.

@IRJ said in Email investigation - have we been hacked?:

@Dashrender said in Email investigation - have we been hacked?:

one of the addresses is for an @ameritrade.com address, but only for one person. I have yet to find any connection via google searches between this person and ameritrade.... so I'm not sure why this was tried?

Thoughts?

You dont have that data either, right?

What do you mean?

@Dashrender said in When Anti-Virus Companies Get Hacked: Symantec, Trend Micro, and Intel McAfee:

I can't recall if the bad ccleaner was signed or not?

Even if it was, that would be a Microsoft compromise. This is about the AV vendors getting hacked.

@dafyre said in TurboTax Hit with Cyberattack, Tax Returns Compromised:

@JaredBusch said in TurboTax Hit with Cyberattack, Tax Returns Compromised:

@wrx7m said in TurboTax Hit with Cyberattack, Tax Returns Compromised:

@dafyre Yes. Exactly. That is why I use different random passwords from a generator for anything of any importance.

My random password generator of choice (http://correcthorsebatterystaple.net) :
3fc1f8b0-afea-415d-a25d-3ac4a50257f7-image.png

I just use Bitwarden's generator if I need one.

I like this because, when I rarely actually need to type one in, I can easily do so.

Mixing up the special characters (see separator box) makes it more than just words.
Separator: 213456789!@#$%
b2acbe68-5cf5-4aa9-8a8e-9a38413db100-image.png

YOu can also do a free test from Qualys
https://www.qualys.com/free-services/
https://www.qualys.com/community-edition/

ownedCloud.

@aaronstuder I watched that video some time ago, such a good channel.

I believe that @QuixoticJeremy is doing a talk about something kind of similar.