  1. #1
    Join Date
    Sep 2009
    Posts
    55

    So many problems with my server

    Hi,


    I have a dedicated server with softlayer.com. Recently a lot of strange things have been occurring on my server, for example:

    1) Some of the files in a certain directory are being modified by themselves
    2) One of my directories is being automatically deleted.


    I have checked my dumb logs, and there is no indication of someone accessing my server and deleting or modifying the files. I have called SoftLayer, and they said no one has accessed my server with brute force. There is obviously some problem lying somewhere.

    Could there be an issue with my server?
    Last edited by Orien; 04-29-2011 at 06:57 PM.

  2. #2
    Join Date
    Apr 2009
    Location
    Romania
    Posts
    473
    Are you sure that no one from your staff is doing this?
    And are you certain that some files are modified and some deleted?
    Btw, if a server gets compromised, the attacker can clean its trail... making it very hard for you to find out what is going on if you do not have good technical skills.
    PidginHost.com - Managed dedicated servers, cloud servers and software development.

  3. #3
    Join Date
    Dec 2006
    Posts
    4,151
    This sounds like your server is compromised or being accessed without authorization.
    It is possible to erase traces given sufficient permission.

    I would suggest you re-install ASAP and see if this persists.
    Remember to do updates regularly and remove unneeded software.

    Alternatively, hire a server management company to investigate.

  4. #4
    Join Date
    Mar 2005
    Location
    Orlando, Florida
    Posts
    2,625
    Quote Originally Posted by Eldan88 View Post
    Hi,


    I have a dedicated server with softlayer.com. Recently a lot of strange things have been occurring on my server, for example:

    1) Some of the files in a certain directory are being modified by themselves
    2) One of my directories is being automatically deleted.


    I have checked my dumb logs, and there is no indication of someone accessing my server and deleting or modifying the files. I have called SoftLayer, and they said no one has accessed my server with brute force. There is obviously some problem lying somewhere.

    Could there be an issue with my server?
    I'd recommend opening a management ticket. For $3, they'll fix whatever it is.

    Better yet -- check your crontab to make sure you don't have any Cron entries that may be modifying the files seemingly by themselves.
    Matthew Rosenblatt, and I do lots of things.
    Used to be a full time server administrator, now I help build cruise ships and inspect homes.
    My company, Ferrell Solutions, specializes in home inspections and property management.
    RecallScan is a service for monitoring appliances and vehicles in your home for recalls.

  5. #5
    Join Date
    Sep 2009
    Posts
    55
    Quote Originally Posted by ClaudiuPopescu View Post
    Are you sure that no one from your staff is doing this?
    And are you certain that some files are modified and some deleted?
    Btw, if a server gets compromised, the attacker can clean its trail... making it very hard for you to find out what is going on if you do not have good technical skills.

    I only have 1 developer who is working with me on my web application; he is the one who notifies me of these things. He is telling me that I need to switch my hosting company.

    If my server got compromised, why would they just delete one directory? They would have taken everything down.

    Also, SoftLayer has told me that I should audit my server by using the following command:
    auditctl -w /path/to/directory -k whodeletedit -p w

    Will that help me find how this is happening? Can the attacker clean its trail with that command?

    Will a firewall help????

    I need to first find how this is happening ... How can I do that?
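
What the audit rule quoted in this post leaves behind, shown as an added example that is not part of any poster's reply: writes under the watched directory are logged with the key whodeletedit, and the function below reduces such records to who acted, with which program, on which path. The log lines are constructed, and `sample_audit_log` and `who_touched` are hypothetical helper names.

```bash
# Constructed sample of raw audit records. On a live server (as root) the same
# format comes from:  ausearch -k whodeletedit --raw
sample_audit_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1304117820.123:4211): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=2301 pid=2310 auid=4294967295 uid=48 gid=48 euid=48 tty=(none) ses=4294967295 comm="php" exe="/usr/bin/php" key="whodeletedit"
type=CWD msg=audit(1304117820.123:4211):  cwd="/var/www/app"
type=PATH msg=audit(1304117820.123:4211): item=0 name="/path/to/directory" inode=131 nametype=PARENT
type=PATH msg=audit(1304117820.123:4211): item=1 name="/path/to/directory/report.txt" inode=977 nametype=DELETE
type=SYSCALL msg=audit(1304121000.040:4302): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=900 auid=0 uid=0 gid=0 euid=0 tty=pts0 ses=12 comm="vi" exe="/bin/vi" key="passwd_watch"
type=PATH msg=audit(1304121000.040:4302): item=0 name="/etc/passwd" inode=55 nametype=NORMAL
type=SYSCALL msg=audit(1304204220.500:5120): arch=c000003e syscall=263 success=yes exit=0 items=2 ppid=3100 pid=3122 auid=501 uid=0 gid=0 euid=0 tty=pts1 ses=31 comm="rm" exe="/bin/rm" key="whodeletedit"
type=PATH msg=audit(1304204220.500:5120): item=0 name="/path/to/directory" inode=131 nametype=PARENT
type=PATH msg=audit(1304204220.500:5120): item=1 name="/path/to/directory/cache" inode=990 nametype=DELETE
EOF
}
# One line per event carrying KEY: who (auid/uid), which program, which path.
# auid 4294967295 = no login session (a daemon such as the web server or cron).
who_touched() {
  awk -v key="$1" '
    function field(k,   s) {
      if (!match($0, " " k "=[^ ]+")) return "-"
      s = substr($0, RSTART + length(k) + 2, RLENGTH - length(k) - 2)
      gsub(/"/, "", s)
      return s
    }
    {
      if (!match($0, /audit\([0-9.]+:[0-9]+\)/)) next
      id = substr($0, RSTART, RLENGTH); sub(/.*:/, "", id); sub(/\)/, "", id)
    }
    $1 == "type=SYSCALL" && field("key") == key {
      if (!(id in exe)) order[++n] = id
      auid[id] = field("auid"); uid[id] = field("uid")
      exe[id] = field("exe"); sc[id] = field("syscall")
      if (auid[id] == "4294967295") auid[id] = "unset"
    }
    $1 == "type=PATH" {
      p = field("name")
      if (field("nametype") == "DELETE") { path[id] = p; del[id] = 1 }
      else if (!(id in del)) path[id] = p
    }
    END {
      for (i = 1; i <= n; i++) { id = order[i]
        printf "event=%s auid=%s uid=%s exe=%s syscall=%s path=%s\n",
               id, auid[id], uid[id], exe[id], sc[id], path[id] }
    }'
}
sample_audit_log | who_touched whodeletedit
```

In the sample, the first event is the web server's PHP process (uid 48, no login session) and the second is login user 501 running rm as root. The audit log is a local file, so root on the same machine can alter it unless records are also shipped to another host.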

  6. #6
    Join Date
    Dec 2002
    Location
    The Shadows
    Posts
    2,925
    First check the usual suspects...
    cat /etc/cron.*/*
    cat /etc/crontab

    crontab -l (as root)
    crontab -l -u <user>

    ps -auxf
    Dan Sheppard ~ Freelance whatever

  7. #7
    Join Date
    Sep 2009
    Posts
    55
    Quote Originally Posted by tsj5j View Post
    This sounds like your server is compromised or being accessed without authorization.
    It is possible to erase traces given sufficient permission.

    I would suggest you re-install ASAP and see if this persists.
    Remember to do updates regularly and remove unneeded software.

    Alternatively, hire a server management company to investigate.
    This has been happening for the last few months, with little severity. A few files get modified, and one directory gets deleted. If the server got compromised, wouldn't he delete everything?

    What do you mean by re-install ASAP? Re-install my OS? Shouldn't I find out if it is the code?

    What is a good malicious scanning tool I can use to scan for any malicious bugs?

  8. #8
    Join Date
    Sep 2009
    Posts
    55
    Quote Originally Posted by Sheps View Post
    First check the usual suspects...
    cat /etc/cron.*/*
    cat /etc/crontab

    crontab -l (as root)
    crontab -l -u <user>

    ps -auxf
    I'm not too technical, what does that command do? Can you please elaborate?

  9. #9
    Join Date
    Sep 2009
    Posts
    55
    Quote Originally Posted by Matt R View Post
    I'd recommend opening a management ticket. For $3, they'll fix whatever it is.

    Better yet -- check your crontab to make sure you don't have any Cron entries that may be modifying the files seemingly by themselves.
    I will go ahead and check my crontab, and see if that is the issue. Thanks!

  10. #10
    Join Date
    Dec 2002
    Location
    The Shadows
    Posts
    2,925
    cat /etc/cron.*/* prints what is in the files in the cron.d/cron.daily/etc. folders

    cat /etc/crontab prints out the system crontab

    crontab -l prints root's crontab (or that of the user you are currently running as)
    crontab -l -u <user> prints out the specified user's crontab
    Dan Sheppard ~ Freelance whatever

  11. #11
    Join Date
    Dec 2002
    Location
    The Shadows
    Posts
    2,925
    ps -auxf prints out a nice listing of all the currently running processes on the system.
    Dan Sheppard ~ Freelance whatever
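
The cron check described in these replies, as an added example that is not part of the thread: one function that searches the system crontab, the /etc/cron.* directories and the per-user spool for lines mentioning the affected directory, so no list of user names is needed. The `root` argument, the function names and the sample files are hypothetical and constructed for the demonstration.

```bash
# Print file:line:text for every non-comment cron line that mentions DIR.
# ROOT is a hypothetical prefix so the same function can run on a test tree;
# leave it empty to scan the real /etc and /var/spool (run as root).
cron_refs() {
  dir=$1 root=${2:-}
  for f in "$root"/etc/crontab "$root"/etc/cron.*/* \
           "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/*; do
    [ -f "$f" ] || continue
    rel=${f#"$root"}
    # -n keeps original line numbers; -v drops comment lines; -F matches literally
    grep -n -v '^[[:space:]]*#' "$f" | grep -F -- "$dir" | sed "s|^|$rel:|"
  done
}

# Constructed sample files, not taken from the thread.
make_demo_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/etc/cron.d" "$t/etc/cron.daily" "$t/var/spool/cron"
  printf '%s\n' '# m h dom mon dow user command' \
    '17 * * * * root run-parts /etc/cron.hourly' > "$t/etc/crontab"
  printf '%s\n' '# prune old uploads' \
    '*/30 * * * * root find /path/to/directory -mmin +60 -delete' > "$t/etc/cron.d/cleanup"
  printf '%s\n' '#0 1 * * * rm -rf /path/to/directory/tmp' \
    '0 3 * * * /home/dev/sync.sh /path/to/directory' > "$t/var/spool/cron/dev"
  echo "$t"
}

t=$(make_demo_tree)
cron_refs /path/to/directory "$t"
rm -rf "$t"
```

A job that builds the path from a variable, or a script called from cron that deletes files itself, will not match a literal search, so the scripts named in any hit still need to be read.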

  12. #12
    Join Date
    Mar 2009
    Posts
    3,816
    being ridiculously cynical, are you sure it's not the developer doing this just to get you to move to a host where he can get affiliate money or something

  13. #13
    Join Date
    Sep 2009
    Posts
    55
    Quote Originally Posted by quantumphysics View Post
    being ridiculously cynical, are you sure it's not the developer doing this just to get you to move to a host where he can get affiliate money or something
    No, that is definitely not the reason. He didn't even tell me what hosting company to go to. He just said your server is having a lot of problems, then he said just change your hosting company.

    I'm locking down the live account and from now on I'm not letting anyone get into the live account besides me. I will just create another user, make that purely for testing, and upload the files myself.

    I'm still investigating the issue, and trying to find out how this is happening. If I still see this issue persist on both the testing account and the live account at the same time, then I know it's a coding issue. If I find out that something happened on my live account but not on my testing account, then it's an attacker. If nothing happens anymore on my live account, then it's my coder and the problem has been solved.

  14. #14
    Join Date
    Mar 2009
    Posts
    634
    It is (most likely) not Softlayer's fault that something has happened - I have no clue why your web developer would even start to blame the *unmanaged* provider.

  15. #15
    Join Date
    Mar 2003
    Location
    Saint Paul, MN
    Posts
    832
    Being slightly less ridiculously cynical, are you sure the developer has any idea what he's doing? Because to my jaundiced eye it really looks like he's sold you an insecure application and is now trying to blame Softlayer for something they are highly unlikely to have any involvement in.
    redpin.com - offering amazingly competent email, dns, and web hosting since 2002... because someone has to!
    Because Simple Things Should Be Simple - YouCANHasDNS

  16. #16
    Join Date
    Sep 2009
    Posts
    55
    Quote Originally Posted by Ankheg View Post
    Being slightly less ridiculously cynical, are you sure the developer has any idea what he's doing? Because to my jaundiced eye it really looks like he's sold you an insecure application and is now trying to blame Softlayer for something they are highly unlikely to have any involvement in.
    I have been through 3 different kinds of developers; he is the best I've worked with. I've worked with him for 3 months, during all of which he did amazing work. I know for a fact my developer knows what he is doing.

  17. #17
    Join Date
    Mar 2003
    Location
    Saint Paul, MN
    Posts
    832
    Quote Originally Posted by Eldan88 View Post
    I know for a fact my developer knows what he is doing.
    Because... he told you so?
    redpin.com - offering amazingly competent email, dns, and web hosting since 2002... because someone has to!
    Because Simple Things Should Be Simple - YouCANHasDNS

  18. #18
    I highly, highly doubt that SoftLayer has any blame in this situation. This sounds like a software issue.

    I would perform these steps:

    1) Reinstall the OS to be sure there is no rootkit/etc.
    2) Only install the minimally needed software.
    3) Have another person audit the software your developer is making.

    My guess is there is no malicious intent going on here. I think there is just a bug in the software and it is deleting/modifying files.

  19. #19
    Join Date
    Apr 2011
    Location
    Edmonton, Alberta, Canada
    Posts
    60
    Hi,

    I'd recommend changing your details for your dedicated machine. Then be sure to give your developer the details. I know at times, dedicated/virtual machines become "hacked" by people targeting larger based data centers.

    This will tell you if it's the developer or the hackers.

    Thanks.

  20. #20
    Join Date
    Jun 2004
    Location
    Europe
    Posts
    3,822
    Quote Originally Posted by TannerG View Post
    I'd recommend changing your details for your dedicated machine.
    The OP started with the sentence, that he rents a dedicated server.
    I think the OP needs a managed dedicated server. Both he himself and his developer seem to have no system management experience, so the server might not have been secured before hosting the application.

    So the advice is: find a good managed server or a good server management company to manage this server for you.
    Swiftway.net Your Business deserves our Quality - Experts on Hand since 2005. Europe & US locations, we operate our own network AS35017 Support response time <15 minutes 24/7
    Introducing our new Entry level server line ! Support response time <15 minutes 24/7. Technology Fast 50 & Fast 500 award winning for multiple years, Your Business deserves Swiftway Quality.
