Accounts hacked, how to find hacker?
A couple of owners of websites on my server have contacted me saying that their accounts have been hacked, their files have been modified and in some cases their passwords were changed, causing them not to be able to log in. I was told that this was probably caused by a PHP exploit; however, one of the affected accounts didn't have any PHP scripts or PHP pages on his account.
Some of the accounts did change their passwords, but that did not help; the hacker still got access to their accounts.
I have no idea what to do here.
What should I do to find who is hacking the accounts? (What log to check and what do I check for?)
How do I block the hacker? Would blocking the IP in APF be enough (if I find the offending IP, that is)?
My server details:
RedHat Enterprise 3 i686
Kernel version: 2.4.21-32.0.1.ELsmp
Apache version: 1.3.33 (Unix)
CPanel: 10.2.0-RELEASE 82
MySQL version: 4.0.24-standard
PHP version: 4.3.11
PERL version: 5.8.0