Web Hosting Talk







View Full Version : ***** ate my data!


webmystress
08-10-2001, 01:45 PM
Ever since this "code red" issue started with *****, I noticed some errors within my links script. I thought they would resolve when this issue was over, but the issue never actually ended (it's still ongoing).

Well, I switched to Aletia Hosting yesterday, and plan to cancel my ***** account next week. But while transferring my files to Aletia, I noticed these "errors" were still continuing. When I compared my data files on ***** to the data files I backed up a month ago (before all this "code red" started on 7/2), I made a startling discovery. Out of 440+ data files I had, only 12! were left. Where did the other 420+ data files go?

I checked this data with the data files I backed up during the "code red" issue (on 8/4) - and found that there were only 200 data files there.

So, from 7/2 - 8/4, I lost 200+ data files. From 8/4 - 8/10, I lost pretty much all the rest. How the hell did that happen? Those files are in protected directories, and I have never even accessed those files since I first installed them! And yes, I've re-checked the data 5 times. I'm ftp'd into my ip with *****, and I'm looking at the data (or lack of) right now!

Could "code red" have done that? Or did ***** eat my data!?

allera
08-10-2001, 01:49 PM
Those might be restored files. Perhaps they had a drive failure or something? I guess it's a possibility. Code Red, to my knowledge, doesn't delete files. I'm not sure about Code Red II.

Palm
08-10-2001, 01:50 PM
Don't they have any backups?

B-Broker
08-10-2001, 02:00 PM
Originally posted by Palm
Don't they have any backups?

:Sigh: Good luck getting any backups...I've requested them multiple times (about a year ago) and NEVER heard back from them...I seriously doubt they even make backups! :rolleyes:

webmystress
08-10-2001, 02:19 PM
Say I add a link to my directory - that link is #300. A data file is created called 300. In that file is stored the data for number of hits, etc. It cannot be deleted, or the link will not work correctly - because if someone clicks the link with id=300 - the script has to write to that file to adjust the hits, etc.

When I backed up my files on 7/2, I had over 440 of these data files. Since they are not deleted, unless I delete the link through the script - they can only be deleted by entering a protected directory, or in this case - magic!

I doubt that ***** is trying to restore my data files. I doubt they even know they are gone. But backing up my files is something I do regularly. I don't rely on any host to do it for me. That's how I was able to figure out that ***** even lost my files. I compared the files they have at this very moment to files I backed up on 8/4 and 7/2.

Once I restored the 7/2 backup to my new Aletia account, all was working once again! Thank god for that! But I'm really looking for answers as to how they disappeared in the first place. I mean, if Code Red didn't do it, what did?

I've managed to recover the data lost - but I guess I'm still upset that I had about a 30 minute panic attack - until I finally figured out what happened. Now I just wish I knew how the data actually disappeared.


Originally posted by allera
Those might be restored files. Perhaps they had a drive failure or something? I guess it's a possibility. Code Red, to my knowledge, doesn't delete files. I'm not sure about Code Red II.

allera
08-10-2001, 02:27 PM
Originally posted by webmystress
When I backed up my files on 7/2, I had over 440 of these data files. Since they are not deleted, unless I delete the link through the script - they can only be deleted by entering a protected directory, or in this case - magic!
What I was suggesting, which could be totally wrong, was that ***** had a hard drive failure and restored from an old backup some of your files.

I honestly have no idea what causes files to mysteriously disappear, but the fact that they are in "protected directories" doesn't mean they can't be deleted -- by any means. Perhaps there was a rogue script running as root on that server that deleted some stuff. This is assuming you are in a Unix environment, too. I know close to nothing about a Windows hosting environment, but I would assume a similar thing can happen there too.

I think probably all of us can only speculate as to what actually happened and it is only ***** that will be able to tell you what happened (even that I doubt, according to many posts here). Do let us know what happened if you find out, though. :)

webmystress
08-10-2001, 04:19 PM
I wouldn't think that would explain it, since when I signed up for ***** in May, I actually transferred 900+ data files (from my previous server) with my database (which is perl based).

I then split my database into 4 separate databases, and thus the 400+ data files for just this one database. I still haven't looked to see exactly how many data files I lost from the other 3 databases, but I did find a loss there as well.

I wish it was that easy to explain. I guess it will remain another unsolved ***** mystery. :rolleyes:

Originally posted by allera

What I was suggesting, which could be totally wrong, was that ***** had a hard drive failure and restored from an old backup some of your files.

Todd
08-10-2001, 04:48 PM
The code red worm itself wouldn't have done that. However, if they were hit with the code red 2 worm then a backdoor was installed. Meaning anyone who accessed the backdoor would be able to control the system. So technically they could have messed up the system and that may have caused ***** to format and install the data from a backup.

That's all speculation and I don't know what happened, but if they are saying it's code red related, it was either the second variant or the data was lost for some other reason.

For more information on it:
http://www.securityfocus.com/templates/archive.pike?list=1&mid=201886

I know nothing about the ***** situation, this is just general code red 2 information.

Mike the newbie
08-10-2001, 05:04 PM
Originally posted by allera
Those might be restored files. Perhaps they had a drive failure or something? I guess it's a possibility. Code Red, to my knowledge, doesn't delete files. I'm not sure about Code Red II.

Code Red II does not delete files, however it leaves a root-level back door on the server as big as the Amazon River, with a huge Welcome! sign.

It is possible that someone got more than a little mischievous with the ***** servers.

webmystress
08-10-2001, 05:10 PM
After researching more of my 8/4 backup, I am even finding html files that were also completely wiped out. These files were transferred to ***** at the same time - not something that would be left out of their backup, because the backup would have had each file in there, even if it was a backup from the day I signed up. :uhh:

Well, it's a good thing I have my own back-ups. Though they aren't as recent as I'd like. At least they're complete!

(I'm patting myself on my back for not trusting ***** as far as I could throw them!)


Originally posted by Mike the newbie


Code Red II does not delete files, however it leaves a root-level back door on the server as big as the Amazon River, with a huge Welcome! sign.

It is possible that someone got more than a little mischievous with the ***** servers.

B-Broker
08-10-2001, 05:26 PM
Originally posted by Mike the newbie
..Code Red II does not delete files, however it leaves a root-level back door on the server as big as the Amazon River...

I thought it was as big as the Nile River or the Mississippi River :D

j/k

Anyways, I've had the same problems as webmystress with CISH*T (*****). All of my linux servers are corrupt :crap: and their techs at ***** have no idea what they're doing...They're messing the servers up even more... :rolleyes:

Todd
08-10-2001, 05:30 PM
Originally posted by B-Broker
Anyways, I've had the same problems as webmystress with CISH*T (*****). All of my linux servers are corrupt :crap:
I understood that some machines are getting excess traffic due to all the code red requests but if it's running linux that's the worst that should have happened as a result of code red. Code red only impacts Windows servers running IIS *that aren't patched* so if ***** is still having issues with it they haven't taken the necessary steps to protect themselves.

Anyway, I have no clue how it would have hurt your linux server other than the excess traffic. Can you clarify that aspect of it or are you in the dark as a result of *****'s support...?

B-Broker
08-10-2001, 06:06 PM
Originally posted by Todd

I understood that some machines are getting excess traffic due to all the code red requests but if it's running linux that's the worst that should have happened as a result of code red. Code red only impacts Windows servers running IIS *that aren't patched* so if ***** is still having issues with it they haven't taken the necessary steps to protect themselves.

Anyway, I have no clue how it would have hurt your linux server other than the excess traffic. Can you clarify that aspect of it or are you in the dark as a result of *****'s support...?

I have no idea what is going on with the linux servers I have with them...all of a sudden when Code Red showed up, telnet, FTP, email, and web access stopped working on all of them. I've even rebooted them several times. Now nobody can log in to the servers since the passwords have been either erased or changed for all of the users...

ny777
11-19-2001, 01:20 PM
Originally posted by allera
Those might be restored files. Perhaps they had a drive failure or something? I guess it's a possibility. Code Red, to my knowledge, doesn't delete files. I'm not sure about Code Red II.


NO.

At least not in my case (as of Nov 2001).

NOT one backup in 6 months. Unbelievable.

ny777
11-19-2001, 04:05 PM
Actually, they deleted my site by accident. Same result, though.

Except this time it's due to their gross negligence.

Millermaster
11-19-2001, 09:18 PM
DisRegard This