
View Full Version : Admin Issues
edude 07-25-2001, 06:12 PM Hi,
Has anyone ever had the same problem as me, well here it goes:
A few days ago, the /admin directory disappeared, therefore I couldn't log into telnet anymore; it would reject the admin password & username. My dedicated server host fixed the issue and the same thing happened again the next day. Isn't this a bit odd? Also, I DIDN'T delete the /admin directory.
Any ideas what the problem could be?
Also if there are any specialist in this area can you please contact me at admin@valuablehost.com
Regards,
HostEXP
This sounds very strange ... directories just do not disappear.
Are you using any management software that could delete files?
If not, you should consider that you may have been hacked and somebody is deleting your admin account. Look at the /etc/passwd file for any other root level accounts (uid=0). Also, monitor log files carefully for intrusion.
Please post more about your machine (OS, cron tasks etc). If the account routinely gets deleted, then either a persistent app, a cron job, or someone is deleting your directory. Presumably, this app, job or someone would have to have root or admin privs. to delete your account.
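The checks suggested in this reply (extra uid 0 accounts in /etc/passwd, a user's home directory missing, who logged in as that user) as an added shell example; it is not from the thread, works on constructed sample data embedded inline, and assumes OpenSSH-style "Accepted ... for USER from HOST" log lines (telnet/FTP daemons need their own pattern).

```shell
#!/bin/sh
# Constructed sample /etc/passwd content (not the poster's server).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
admin:x:500:500:Site Admin:/home/admin:/bin/bash
toor:x:0:0:second uid0:/root:/bin/bash
www:x:48:48:Apache:/var/www:/sbin/nologin'

# Constructed sample auth log lines (sshd "Accepted" format).
SAMPLE_LOG='Jul 25 03:12:01 box sshd[311]: Accepted password for admin from 192.0.2.10 port 1022
Jul 25 03:40:17 box sshd[340]: Accepted password for root from 192.0.2.5 port 1030
Jul 26 02:55:09 box sshd[902]: Accepted password for admin from 192.0.2.10 port 1044'

# Print every uid 0 account other than root, one name per line.
extra_uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print login-capable accounts (uid >= 500, real shell) whose home
# directory no longer exists. $2 is a prefix standing in for "/" so the
# check can run against a scratch directory instead of the live system.
accounts_missing_home() {
    printf '%s\n' "$1" |
    awk -F: '$3 >= 500 && $7 !~ /nologin$/ { print $1 ":" $6 }' |
    while IFS=: read -r name home; do
        [ -d "$2$home" ] || echo "$name"
    done
}

# Print the distinct source hosts that successfully logged in as user $2.
logins_for_user() {
    printf '%s\n' "$1" | awk -v u="$2" '/Accepted/ && $9 == u { print $11 }' | sort -u
}

# Stand-alone usage against the constructed data (real use: pass
# "$(cat /etc/passwd)", "" and "$(cat /var/log/secure)").
extra_uid0_accounts "$SAMPLE_PASSWD"
accounts_missing_home "$SAMPLE_PASSWD" ""
logins_for_user "$SAMPLE_LOG" admin
```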
edude 07-25-2001, 06:36 PM Well we use Ensim webapplianceLH for management. We are running Red Hat Linux 6.2. Only 3 people had access: a programmer, the dedicated server company and of course me. But I don't see any point where any of them would delete the admin account.
JBIZ718 07-25-2001, 06:55 PM I am not using this post for support:
We have already once fixed his issue with his server.
We also have provided around the clock support to solve his problem.
This is the second time this has happened, and this support is not covered under our free support.
Overall our costs are $90 per hour.
What was first done, was the /home/admin folders were deleted from his server causing him a problem accessing the server via admin side.
This did not affect logging in as root and or any of his clients.
We rebuilt the folders and restored it, within a few hours of the problem.
We don't have a problem fixing something once, that is not supported, but twice in 2-3 days is a problem.
We have offered our services to repair the problem, the client is looking for other resources to solve it.
We are waiting for our client to let us know.
Joe
edude 07-25-2001, 07:01 PM Well it has been causing a problem. It's not the money that I'm worried about, but what's the use if it will keep on happening.
Tim Greer 07-25-2001, 07:13 PM Joe, I didn't get the impression this person was putting any blame on you about it.
Out of curiosity, what was this programmer doing? The fact you mention that, other than someone getting in there and doing it after they compromised the system, seems a bit odd. I mean, usually people either do more damage, or they don't do any or any noticeable damage, as to not let you know you've been compromised.
Therefore, I'm wondering what this programmer was doing? Did this programmer create a script or program to remove any files for something? Maybe the path was incorrect and it deleted the admin directory? Also, does the admin user run any software/scripts that people can access via the web? Anything like a web board, chat room, upload script or anything? If so, and you are running SuEXEC or any other type of tool that will allow a web accessed program/script to run as your "admin" username, someone could have (or be) using a hole in the script/program to delete the user's directory running it (admin, in this case).
Finally, have you changed your password from the time the admin directory was first deleted? And, have you checked the logs for any FTP, telnet, SSH type access, as perhaps some complete moron had FTPed or telnetted in or something and just deleted the directory, not thinking they'd have to worry about the logs. You never know. Anyway, you definitely need to check and see if it's a program not working properly, a web based program that could be exploited, or if it's some type of FTP or shell access or compromise that resulted in someone deleting it. Finally, check your system's hard drive integrity, maybe an inode went South and took the admin directory with it. That's known to be the cause of files and/or directories disappearing.
[Note: I mentioned what I did above, based on the fact, that if it was a system compromise and someone went in to do damage, they'd either have done more damage, or they were only able to get into the admin account and not root, and they did as much damage as the admin user as they were able to. I say this, because unless it's one of the above reasons, it sounds like someone did just intend to cause as much damage as they could, yet since they didn't know how or weren't able to get root, they did all they could -- and that would be in the logs.]
JBIZ718 07-25-2001, 07:16 PM I know my client isn't passing blame to us.
I just felt it would help if you got more info from me on the situation.
We are reviewing logs.
Joe
edude 07-25-2001, 07:17 PM Hi Tim,
And thanks for the reply,
Well he did install ssh a while ago, and now he did set up a script using MySQL which saves clients' details (addresses, names etc..) into the database. The script's username was 'admin', which was used to access it & the mysql database. When I tried to access the admin script I received a database error, and when trying to check up on the database the admin login wouldn't allow me to log in. Also I trust the programmer a lot as he is doing a paid job; I don't see why he would delete the admin.
Again thanks for the reply.
Tim Greer 07-25-2001, 07:23 PM I didn't mean the programmer would be doing the damage, just that mistakes happen, and it's not that rare for some programmers to overlook things, where you can run a script and it'll wipe something out -- for a variety of reasons. I'll assume your programmer is competent and didn't make such a mistake, but this is definitely an unusual scenario. I mean, it honestly sounds like some exploit of a web based program, running as your admin user (CGI, for example) and someone exploited it to just rm -rf /home/admin or the like. Anyway, let us know if you find out what the cause was and good luck.
I noticed on your account features page that you offer root access in your packages? Is this true? If so, I would be thanking God right now that no one has put rm -rf / and wiped out your whole system.
edude 07-26-2001, 04:43 AM But that's just root access to the VDS, their own root, not the server's.
edude 07-26-2001, 11:27 PM Seems the programmer deleted /useradmin.
Tim Greer 07-27-2001, 05:50 AM In what manner/way did they delete it? A mistake, or purposeful act in a script, or for some other reason? I take it the problem is solved, or at least the reason known anyway? If so, it's good that you found out it's not because of any compromised access.
edude 07-27-2001, 06:13 AM The script seemed to have deleted it.
Tim Greer 07-27-2001, 07:55 AM You see! YOU SEE! I told you that was it!! *l* Just kidding... It's good that you figured out what the problem was. That must be a big relief! Cool deal. Glad to hear it worked out. Good luck!
NetXL 07-27-2001, 08:51 AM I deleted it :p (before this gets taken wrong. I deleted /useradmin not the admin dir or anything. Just the dir my script was in ok)
Oh btw everyone I'm the coder programmer guy. I deleted it cause ya told me to on ICQ, so we could see whether it was the script killing the admin acct. or not. I'm confused.
:confused:
edude 07-27-2001, 08:07 PM Hi,
Well it must have been the script, everything is working fine now.