Server goes down randomly at 5AM.
Server comes back 1h 09m later. Uptime has reset.
Emails are not sending. I look into the issue - the problem is that "/" is chmodded to 777. I didn't do this, and I have no scripts that can do this.
Nothing else appears to have been changed.
Nothing out of the ordinary in access logs, no bruteforce attempts or anything. FTP password is secure (12 character lowercase+uppercase+numbers). Root password is even longer and more complicated. Both FTP and SSH are on non-standard ports.
No user accounts have been added.
I ran a full ClamAV scan which found nothing.
Doesn't sound like a hacker to me. The only thing it really sounds like is a script running in the background or perhaps a Cron Job doing whatever it is doing.
If it is only happening at around 5AM then it should and would most probably be a cron job running. Check all your crons and see which is causing the problem. Also check everything which is running, maybe a script it doing it as well.
Dedicated Servers - 100TB Servers - 100Mbps Unmetered Servers - Web Hosting - CDN Network
Servers in Central, East/West Coast USA, EUROPE and ASIA
Welltodo Century - www.welltodocentury.com
If it is rebooting by itself, then you need to check your hardware too.
The rebooting isn't the main issue here, the random chmod is. If it was an intruder, they could have also rebooted it for some reason.
Do you know any reason why a server would randomly chmod /? Any way to check for an intruder that I haven't already done?