Thread: So many problems with my server
-
04-21-2011, 07:25 AM #1Junior Guru Wannabe
- Join Date
- Sep 2009
- Posts
- 55
So many problems with my server
Hi,
I have a dedicated server with softlayer.com. Recently a lot of strange things have been occurring on my server, for example:
1) Some of the files in a certain directory are being modified by themselves.
2) One of my directories is being automatically deleted.
I have checked my dumb logs, and there is no indication of someone accessing my server and deleting or modifying the files. I have called SoftLayer; they have said no one has accessed your server with brute force. There is obviously some problem lying somewhere.
Could there be an issue with my server?
Last edited by Orien; 04-29-2011 at 06:57 PM.
-
04-21-2011, 08:18 AM #2Web Hosting Evangelist
- Join Date
- Apr 2009
- Location
- Romania
- Posts
- 473
Are you sure that no one from your staff is doing this?
And are you certain that some files are modified and some deleted?
Btw, if a server gets compromised, the attacker can clean its trail... making it very hard for you to find out what is going on if you do not have good technical skills.
PidginHost.com - Managed dedicated servers, cloud servers and software development.
-
04-21-2011, 08:57 AM #3WebHosting Master
- Join Date
- Dec 2006
- Posts
- 4,151
This sounds like your server is compromised or being accessed without authorization.
It is possible to erase traces given sufficient permission.
I would suggest you re-install ASAP and see if this persists.
Remember to do updates regularly and remove unneeded software.
Alternatively, hire a server management company to investigate.
-
04-21-2011, 08:58 AM #4Web Hosting Master
- Join Date
- Mar 2005
- Location
- Orlando, Florida
- Posts
- 2,625
█ Matthew Rosenblatt, and I do lots of things.
█ Used to be a full time server administrator, now I help build cruise ships and inspect homes.
█ My company, Ferrell Solutions, specializes in home inspections and property management.
█ RecallScan is a service for monitoring appliances and vehicles in your home for recalls.
-
04-21-2011, 01:52 PM #5Junior Guru Wannabe
- Join Date
- Sep 2009
- Posts
- 55
I only have 1 developer who is working with me on my web application; he is the one who notifies me of these things. He is telling me that I need to switch my hosting company.
If my server got compromised, why would they just delete one directory? They would've taken everything down.
Also, SoftLayer has told me that I should audit my server by using the following command:
auditctl -w /path/to/directory -k whodeletedit -p w
Will that help me find how this is happening? Can the attacker clean its trail with that command?
Will a firewall help????
I need to first find how this is happening ... How can I do that?
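An added example, not part of the original thread or any poster's code: how the records produced by a watch tagged `-k whodeletedit` can be reduced to "which program, running as which user, deleted which file". The function names and the log lines are constructed for illustration; the log lines assume the raw audit record layout, and `auid` is the field that separates an interactive login from a daemon such as the web server.

```shell
# Constructed sample in the raw record layout that `ausearch -k whodeletedit --raw` emits.
sample_audit_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1303394400.123:4521): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=2101 pid=2150 auid=4294967295 uid=48 gid=48 euid=48 comm="php" exe="/usr/bin/php" key="whodeletedit"
type=CWD msg=audit(1303394400.123:4521): cwd="/var/www/html"
type=PATH msg=audit(1303394400.123:4521): item=0 name="uploads/" inode=131 nametype=PARENT
type=PATH msg=audit(1303394400.123:4521): item=1 name="uploads/a.txt" inode=140 nametype=DELETE
type=SYSCALL msg=audit(1303398000.456:4610): arch=c000003e syscall=263 success=yes exit=0 items=2 ppid=3001 pid=3002 auid=500 uid=0 gid=0 euid=0 comm="rm" exe="/bin/rm" key="whodeletedit"
type=CWD msg=audit(1303398000.456:4610): cwd="/root"
type=PATH msg=audit(1303398000.456:4610): item=1 name="/var/www/html/uploads/b.txt" inode=141 nametype=DELETE
type=SYSCALL msg=audit(1303398100.789:4611): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 comm="cat" exe="/bin/cat" key="otherkey"
EOF
}

# Print one line per event tagged with the watch key ($1); reads raw records on stdin.
summarize_watch_hits() {
    awk -v key="$1" '
    # Value of field "name=" in one record, quotes stripped.
    function field(rec, name,    n, i, parts, v) {
        n = split(rec, parts, " ")
        for (i = 1; i <= n; i++)
            if (index(parts[i], name "=") == 1) {
                v = substr(parts[i], length(name) + 2)
                gsub(/"/, "", v)
                return v
            }
        return ""
    }
    {   # msg=audit(TIME:SERIAL): the serial ties the records of one event together
        if (!match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) next
        id = substr($0, RSTART, RLENGTH)
        sub(/^.*:/, "", id); sub(/\)$/, "", id)
    }
    /^type=SYSCALL/ && field($0, "key") == key {
        order[++count] = id
        auid[id] = field($0, "auid"); uid[id] = field($0, "uid"); exe[id] = field($0, "exe")
    }
    /^type=CWD/  { cwd[id] = field($0, "cwd") }
    /^type=PATH/ && field($0, "nametype") == "DELETE" { gone[id] = field($0, "name") }
    END {
        for (i = 1; i <= count; i++) {
            id = order[i]
            # auid 4294967295 means no login session (daemon, cron job, web server child)
            who = (auid[id] == "4294967295") ? "unset" : auid[id]
            printf "event=%s auid=%s uid=%s exe=%s cwd=%s deleted=%s\n", id, who, uid[id], exe[id], cwd[id], gone[id]
        }
    }'
}
sample_audit_log | summarize_watch_hits whodeletedit
```

In the constructed output, the first deletion comes from `/usr/bin/php` with no login session behind it, which points at the application; the second comes from `/bin/rm` run as root by a session that logged in as uid 500, which points at a person.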
-
04-21-2011, 01:55 PM #6Web Hosting Master
- Join Date
- Dec 2002
- Location
- The Shadows
- Posts
- 2,925
First check the usual suspects...
cat /etc/cron.*/*
cat /etc/crontab
crontab -l (as root)
crontab -l -u <user>
ps -auxf
Dan Sheppard ~ Freelance whatever
-
04-21-2011, 01:56 PM #7Junior Guru Wannabe
- Join Date
- Sep 2009
- Posts
- 55
This has been happening the last few months, with little severity. A few files get modified, and one directory gets deleted. If the server got compromised, wouldn't he delete everything?
What do you mean by re-install ASAP? Re-install my OS? Shouldn't I find out if it is the code?
What is a good malicious scanning tool I can use to scan for any malicious bugs?
-
04-21-2011, 01:58 PM #8Junior Guru Wannabe
- Join Date
- Sep 2009
- Posts
- 55
-
04-21-2011, 01:59 PM #9Junior Guru Wannabe
- Join Date
- Sep 2009
- Posts
- 55
-
04-21-2011, 01:59 PM #10Web Hosting Master
- Join Date
- Dec 2002
- Location
- The Shadows
- Posts
- 2,925
cat /etc/cron.*/* prints what is in the files in the cron.d/cron.daily/etc folders
cat /etc/crontab prints out the system crontab
crontab -l prints root's crontab (or the user you are running as currently)
crontab -l -u <user> prints out the specified user's crontab
Dan Sheppard ~ Freelance whatever
-
04-21-2011, 02:01 PM #11Web Hosting Master
- Join Date
- Dec 2002
- Location
- The Shadows
- Posts
- 2,925
ps -auxf prints out a nice listing of all the currently running processes on the system.
Dan Sheppard ~ Freelance whatever
-
04-21-2011, 02:41 PM #12Web Hosting Master
- Join Date
- Mar 2009
- Posts
- 3,816
Being ridiculously cynical, are you sure it's not the developer doing this just to get you to move to a host where he can get affiliate money or something?
-
04-21-2011, 02:50 PM #13Junior Guru Wannabe
- Join Date
- Sep 2009
- Posts
- 55
No, that is definitely not the reason. He didn't even tell me what hosting company to go to. He just said your server is having a lot of problems, then he said just change your hosting company.
I'm locking down the live account, and from now on I'm not letting anyone get into the live account besides me. I will just create another user and make that pure testing and just upload the files myself.
I'm still investigating the issue and trying to find out how this is happening. If I still see this issue persist on both the testing account and the live account at the same time, then I know it's a coding issue. If I find out that something happened on my live account but not on my testing account, then it's an attacker. If nothing happens anymore on my live account, then it's my coder and the problem has been solved.
-
04-21-2011, 03:07 PM #14Web Hosting Master
- Join Date
- Mar 2009
- Posts
- 634
It is (most likely) not Softlayer's fault that something has happened - I have no clue why your web developer would even start to blame the *unmanaged* provider.
-
04-21-2011, 03:09 PM #15Web Hosting Master
- Join Date
- Mar 2003
- Location
- Saint Paul, MN
- Posts
- 832
Being slightly less ridiculously cynical, are you sure the developer has any idea what he's doing? Because to my jaundiced eye it really looks like he's sold you an insecure application and is now trying to blame Softlayer for something they are highly unlikely to have any involvement in.
redpin.com - offering amazingly competent email, dns, and web hosting since 2002... because someone has to!
Because Simple Things Should Be Simple - YouCANHasDNS
-
04-21-2011, 03:11 PM #16Junior Guru Wannabe
- Join Date
- Sep 2009
- Posts
- 55
-
04-21-2011, 03:24 PM #17Web Hosting Master
- Join Date
- Mar 2003
- Location
- Saint Paul, MN
- Posts
- 832
redpin.com - offering amazingly competent email, dns, and web hosting since 2002... because someone has to!
Because Simple Things Should Be Simple - YouCANHasDNS
-
04-21-2011, 03:28 PM #18New Member
- Join Date
- May 2008
- Posts
- 3
I highly, highly doubt that SoftLayer has any blame in this situation. This sounds like a software issue.
I would perform these steps:
1) Reinstall the OS to be sure there is no rootkit/etc.
2) Only install the minimally needed software.
3) Have another person audit the software your developer is making.
My guess is there is no malicious intent going on here. I think there is just a bug in the software and it is deleting/modifying files.
-
04-21-2011, 03:32 PM #19Temporarily Suspended
- Join Date
- Apr 2011
- Location
- Edmonton, Alberta, Canada
- Posts
- 60
Hi,
I'd recommend changing your details for your dedicated machine. Then be sure to give your developer the details. I know at times, dedicated/virtual machines become "hacked" by people targeting larger based data centers.
This will tell you if it's the developer or the hackers.
Thanks.
-
04-21-2011, 04:33 PM #20Always there
- Join Date
- Jun 2004
- Location
- Europe
- Posts
- 3,822
The OP started with the sentence, that he rents a dedicated server.
I think the OP needs a managed dedicated server. Both he himself and his developer seem to have no system management experience, so the server might not have been secured before hosting the application.
So the advice is: find a good managed server or a good server management company to manage this server for you.
█ Swiftway.net Your Business deserves our Quality - Experts on Hand since 2005. Europe & US locations, we operate our own network AS35017 Support response time <15 minutes 24/7
█ Introducing our new Entry level server line ! Support response time <15 minutes 24/7. Technology Fast 50 & Fast 500 award winning for multiple years, Your Business deserves Swiftway Quality.