This may not help Matt now, but I just came across this today and believe it may help others who have to deal with incidents: http://cert.societegenerale.com/en/publications.html --> "IRM (Incident Response Methodologies)" If you changed the file contents before noting the created date, modified date, etc. then begin looking at your backups. This date will then help you track down the log entries and finally lead you to the root cause. Also, if possible, please post the culprit code that caused this, exif'ing the sensitive data of course :-) -- Thank you, Robert Miller http://www.armoredpackets.com Twitter: @arch3angel On 6/27/12 7:50 AM, TR Shaw wrote:
On Jun 27, 2012, at 3:36 AM, Michael J Wise wrote:
On Jun 27, 2012, at 12:06 AM, Matthew Black wrote:
We found the aberrant .htaccess file and have removed it. What a mess!
Trusting you carefully noted the date/time stamp before removing it, as that's an important bit of forensics. And done forget there is a trail on that file on your backups.
Tom