  1. #1

    Server hacked maybe?

    Does anyone know what could cause this?

    Server goes down randomly at 5AM.
    Server comes back 1h 09m later. Uptime has reset.

    Emails are not sending. I look into the issue - the problem is that "/" is chmodded to 777. I didn't do this, and I have no scripts that can do this.
    Nothing else appears to have been changed.

    Nothing out of the ordinary in access logs, no brute-force attempts or anything. FTP password is secure (12 character lowercase+uppercase+numbers). Root password is even longer and more complicated. Both FTP and SSH are on non-standard ports.

    No user accounts have been added.
    I ran a full ClamAV scan which found nothing.


    Does this sound like a hacker or some random bug?

  2. #2
    Doesn't sound like a hacker to me. The only thing it really sounds like is a script running in the background or perhaps a Cron Job doing whatever it is doing.

    If it is only happening at around 5AM then it should and would most probably be a cron job running. Check all your crons and see which is causing the problem. Also check everything which is running, maybe a script is doing it as well.
    Aaron Ong

  3. #3
    Only cron I have running is DDoS-Deflate.
    This has never happened before, just today. I changed nothing to cause this.

  4. #4
    Is it a new install? What is on there?
    Aaron Ong

  5. #5
    Not new install, been going for a few months now.
    I run MySQL (all remote access blocked with iptables), nginx httpd, svnserve, vsftpd.

  6. #6
    You have / chmodded 777 and your system still works?

  7. #7
    Originally posted by quantumphysics:
        You have / chmodded 777 and your system still works?
    It wasn't me, as I said it's a complete mystery. I put it back to normal and now mail works.
    I just need to find out what caused / to go to 777. Note: it wasn't recursive.


    I'm not sure what could possibly cause the 1h 09m of downtime and reset uptime.

  8. #8
    If it is rebooting by itself, then you need to check your hardware too.

  9. #9
    Originally posted by net:
        If it is rebooting by itself, then you need to check your hardware too.
    The rebooting isn't the main issue here, the random chmod is. If it was an intruder, they could have also rebooted it for some reason.
    Do you know any reason why a server would randomly chmod /? Any way to check for an intruder that I haven't already done?
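
Added example, not part of any post in this thread: a shell sketch of the checks the thread raises (mode of `/`, cron entries able to fire in the 5AM hour, recorded reboots). It assumes GNU `stat` and a POSIX `awk`; the function names and the sample crontab with its `/opt/example` paths are constructed for illustration.

```shell
# Added triage helpers, not from the thread. Assumes GNU stat and POSIX awk.

# Succeed if the path's mode grants write to group or others (777, 775, ...).
loosely_writable() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 022 )) -ne 0 ]
}

# Print crontab lines (files or stdin) whose hour field covers HOUR.
# Understands "*", "*/n", single values, comma lists, a-b ranges, @hourly.
cron_jobs_in_hour() {
    hour=$1; shift
    awk -v h="$hour" '
    function covers(field,   n, parts, i, r, b, step, lo, hi) {
        n = split(field, parts, ",")
        for (i = 1; i <= n; i++) {
            step = (split(parts[i], r, "/") == 2) ? r[2] + 0 : 1
            if (r[1] == "*")                   { lo = 0; hi = 23 }
            else if (split(r[1], b, "-") == 2) { lo = b[1] + 0; hi = b[2] + 0 }
            else                               { lo = hi = r[1] + 0 }
            if (step > 0 && h >= lo && h <= hi && (h - lo) % step == 0) return 1
        }
        return 0
    }
    /^[ \t]*(#|$)/                         { next }  # comments and blank lines
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }  # MAILTO=, PATH=, ...
    $1 ~ /^@/ { if ($1 == "@hourly") print; next }
    covers($2) { print }
    ' "$@"
}

# Constructed sample crontab (hypothetical job paths) for trying the parser.
sample_crontab() {
    cat <<'EOF'
MAILTO=root
*/1 * * * * root /opt/example/mitigate.sh
0 5 * * * root /opt/example/nightly.sh
30 2-4 * * * root /opt/example/backup.sh
15 1,5,9 * * * www /opt/example/rotate.sh
0 */2 * * * root /opt/example/even.sh
@reboot root /opt/example/onboot.sh
EOF
}

# Live-host report. ctime of / is its last chmod/chown, including a later fix.
triage() {
    echo "/ mode=$(stat -c '%a' /) ctime=$(stat -c '%z' /)"
    if loosely_writable /; then echo "WARNING: / is group/other writable"; fi
    cron_jobs_in_hour "${1:-5}" /etc/crontab /etc/cron.d/* 2>/dev/null
    last -x reboot shutdown 2>/dev/null | head -n 10
}
```

On the host, `triage 5` prints the report for the 5AM hour, and `sample_crontab | cron_jobs_in_hour 5` exercises the parser offline. Per-user crontabs (their directory varies by distribution) can be passed to `cron_jobs_in_hour` as extra file arguments.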
