  1. #1

    Urgent: a tech did this

    And now my MySQL server is erroring and exim stats.
    Sorry for the double post, guys.
    All websites with databases are down.

    error: 'Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)'
    Check that mysqld is running and that the socket: '/var/lib/mysql/mysql.sock' exists!


    This is what the tech did. Is this the problem?
    7 top
    908 cd /tmp
    909 clamscan
    910 top
    911 ps aux
    912 ps aux
    913 cd /tmp
    914 ls
    915 strings backshell
    916 ls
    917 ps aux
    918 killall -9 server_linux
    919 ps aux
    920 who
    921 /scripts/securetmp
    922 ls
    923 ls
    924 rm *
    925 rm -rf *
    926 ls
    927 cat .bs.pl
    928 ls
    929 ./.bs.pl
    930 rm -rf .bs.pl
    931 ls
    932 cd .yas
    933 ls
    934 cd .amech
    935 ls
    936 cd ..
    937 cd ..
    938 rm -rf .yas
    939 lsd
    940 sl
    941 ls
    942 cd .iroha_unix/
    943 ls
    944 cd ..
    945 rm -rf .iroha_unix
    946 ls
    947 ls
    948 exit

  2. #2
    Looks as though you have deleted the mysql.sock file.

    Take a look here: http://dev.mysql.com/doc/mysql/en/Ca...to_server.html
    crucialparadigm - Affordable, Reliable, Professional :
    Web Hosting
    24/7 Support Web Hosting Reseller Hosting Cloud/VPS Plans Dedicated Servers

  3. #3
    I didn't do that; a tech from my data center did that because I asked them to look at some problems. The second he logged in, and 1 min later, zzzzzzzzzzzz, bye bye MySQL. I think too that he deleted it because it is easier to do an OS reload than a fix on what I asked.

    But I don't want to jump to conclusions; it seems that he did, and if he did I'm surely not gonna pay for it.

  4. #4
    They have removed all the files inside the /tmp directory, which they should not do, as this is where MySQL keeps mysql.sock, which is needed to connect to the mysqld server.

    You need to create a symlink between /var/lib/mysql/mysql.sock and /tmp/mysql.sock.

    I believe this will fix the issue. Or you can ask the tech to fix it back up.

  5. #5
    If you were here I would kiss you; you probably saved me $200.

  6. #6
    Glad to help. We have had similar problems ourselves before.

    Are you getting them to fix it? Or are you creating the symlink yourself? If so did it work?

  7. #7
    I'm calling them so this won't happen to others. If I hear that this happened to others, I think then it's the issue that they were BSing me around, and I will be very angry. Isn't it strange that a "security" tech deletes those files??? What's your opinion, my friend?

  8. #8
    I'm not sure why the tech would delete that file. If they did do it without knowing it, then they are pretty crappy technicians. I can understand why he would have been deleting files from the /tmp directory, but you should still take a lot of care while doing this.

  9. #9
    The strangest thing is that he looked and deleted in 2 mins and replied in the ticket that I need an OS reload. Yes, Mr. Tech, now I need one.. whahaha lol

  10. #10
    Where is your server hosted? Sounds like they have very bad techs there.

  11. #11
    Hehehe, I think it's not fair at this stage to tell people that. Maybe it's an honest mistake. I'm still waiting for that call back from them...

  12. #12
    A very good tech, let's call him J, solved the situation beautifully.
    He saw what's wrong and what was missing, and he fixed it like no other tech I'd ever seen.

  13. #13
    929 ./.bs.pl
    930 rm -rf .bs.pl
    backdoor anyone?

    Starting a hidden file, then deleting it..

    'backshell'

  14. #14
    Originally posted by Slidey
    backdoor anyone?

    starting a hidden file, then deleting it..

    'backshell'
    Didn't the "rm -rf *" delete this file?

    If not, I must agree that's suspicious.


    BTW, once an EV1 tech deleted my /lib dir!! hehe...
    And I think a few others too, because not even "ls" worked.

    He tried to remove a directory that was hard linked to it (probably by jailshell) and that happens.

    We know mistakes happen, and they were VERY helpful and fast restoring the system (for free, of course).

  15. #15
    In my case I had to beg them to help me with this.
    First it was OS reload or nothing.
    So in their mind it was that I had to pay for it, and as you can see there are strange things going on there. I still don't know what they did, but I've got a bind within the rootkit check that suddenly gives errors. Anyway, it gave me a bad taste in my mouth and I'm soon thinking to switch.


    If someone knows more about these commands please let me know.

  16. #16
    Just for your information, bind shows up quite often as a false positive; I have cPanel and chkrootkit giving these false positives on several servers. This is unlikely to be the cause of your problems.

  17. #17
    Thank you. Yeah, they wanted to do an OS reload to make sure, because the system was erroring. So now it's fixed I sure think nothing is wrong with it. But I will never, and I say never, allow a tech from that data center on my server.

  18. #18
    Sometimes you have to be a bit wary about the admins, even when dealing with some of the bigger more reputable companies.

  19. #19
    I went to accunet and those guys are good. Everything is running like a charm...

  20. #20
    Originally posted by crucialparad
    Sometimes you have to be a bit wary about the admins, even when dealing with some of the bigger more reputable companies.
    This is what you get when you pay admins $7/hr to do their work. Cheap, shoddy, beginner admins who only want to use "I worked for XXX host company" on their resume.

    First it was OS reload or nothing.
    This is becoming more and more of the response by the DC themselves, because they want to make more money off of you. Of COURSE they want you to reload the OS, most charge a good $75-$100 to do just that. It's sad, but even if their techs screw something up, in most cases, it's going to cost YOU, not the company.

    Reliability and knowledge are big factors, as is experience. Unfortunately, in most cases you won't get a tech with experience for what the DC wants to pay (they sell servers cheap; you'd better believe they'll pay the techs next to nothing).
    WHMCS Guru - WHMCS addons, management, support and more.
    WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to WHMCS !!
    Always looking for Linux, WHMCS, Support Desk work. PM for details

  21. #21
    Originally posted by Darkanoid
    But i will never and i say never allow a tech from that data center on my server.
    Care to share what DC it was now? Possibly save a few others from this horror story.

  22. #22
    Originally posted by Slidey
    backdoor anyone?

    starting a hidden file, then deleting it..

    'backshell'
    Actually it seems the tech found it and then deleted it. Nowhere do I see the tech actually putting it there (but I don't think you implied that... did you? ).

    926 ls
    927 cat .bs.pl
    928 ls
    929 ./.bs.pl
    930 rm -rf .bs.pl
    931 ls

    So the box had a few problems before the tech came in :|
    www.idologic.com - Reseller, VPS and dedicated hosting - Friendly Customer Service - DirectAdmin - cPanel - InterWorx

  23. #23
    The tech did delete the mysql.sock file, which is quite well known to stop mySQL from running.

  24. #24
    Originally posted by Lem0nHead
    didn't the "rm -rf *" deleted this file?
    * won't match with a file that starts with a "." (dot). So no, that wouldn't delete the ".bs.pl" file.
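
The glob point above, together with the /tmp wipe and the symlink repair from #4, can be shown on a throwaway directory. The script below is an added example, not from the thread or from any of the posters: it builds a miniature /tmp and /var/lib/mysql under a scratch directory (all paths and file names are constructed, with the names taken from the history in #1; a FIFO stands in for the UNIX socket because plain sh cannot create one), runs the same `rm -rf *` the tech ran, and then runs a cleanup that spares sockets and links to sockets but still removes the dot-files.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a miniature /tmp and /var/lib/mysql
# under a scratch directory (every path and file name is constructed; the names
# echo the history in post #1) and shows three things the thread argues about:
#   1. "rm -rf *" never matches dot-files such as .bs.pl (post #24);
#   2. a blanket /tmp wipe removes the /tmp/mysql.sock link clients rely on (post #4);
#   3. a cleanup that spares sockets and links to them still removes the hidden files.
# A FIFO stands in for the UNIX socket, since plain sh cannot create a socket.
set -eu

make_fake_root() {
    root=$(mktemp -d)
    mkdir -p "$root/tmp" "$root/var/lib/mysql"
    mkfifo "$root/var/lib/mysql/mysql.sock"                   # stand-in for the real socket
    ln -s "$root/var/lib/mysql/mysql.sock" "$root/tmp/mysql.sock"
    : > "$root/tmp/backshell"
    : > "$root/tmp/.bs.pl"
    mkdir -p "$root/tmp/.yas/.amech" "$root/tmp/.iroha_unix"
    printf '%s\n' "$root"
}

# Relative paths left under a directory, byte-sorted and space separated.
remaining() {
    (cd "$1" && find . -mindepth 1 | sed 's|^\./||' | LC_ALL=C sort | tr '\n' ' ' | sed 's/ $//')
}

# Exactly what the history shows: a glob, and globs skip names with a leading dot.
naive_wipe() {
    (cd "$1" && rm -rf -- *)
}

# Keep UNIX sockets and FIFOs; test(1) follows symlinks for -S and -p,
# so a /tmp/mysql.sock link that resolves to the socket is kept as well.
should_keep() {
    [ -S "$1" ] || [ -p "$1" ]
}

# Enumerate first, delete second, deepest entries first. Directories go through
# rmdir rather than rm -rf, so a kept socket also protects the directory above it.
careful_clean() {
    entries=$(find "$1" -mindepth 1 -depth)
    printf '%s\n' "$entries" | while IFS= read -r path; do
        [ -n "$path" ] || continue
        if should_keep "$path"; then continue; fi
        if [ -d "$path" ] && [ ! -L "$path" ]; then
            rmdir -- "$path" 2>/dev/null || :
        else
            rm -f -- "$path"
        fi
    done
}

# The repair from post #4, generalised: point /tmp/mysql.sock back at the socket.
restore_socket_link() {
    ln -sf "$1/var/lib/mysql/mysql.sock" "$1/tmp/mysql.sock"
}

if [ "${1:-}" = demo ]; then
    r=$(make_fake_root); naive_wipe "$r/tmp";    echo "after rm -rf *:      $(remaining "$r/tmp")"
    r=$(make_fake_root); careful_clean "$r/tmp"; echo "after careful_clean: $(remaining "$r/tmp")"
fi
```

Run it with `demo` as the first argument. After the naive wipe the four dot-entries are still there and the socket link is gone, which is the combination the thread saw: the backdoor survives and MySQL clients cannot connect. The careful variant leaves only mysql.sock. On a real host the same idea applies with `/tmp` as the argument, but anything you delete from /tmp is evidence; copy it somewhere first.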

  25. #25
    926 ls
    927 cat .bs.pl
    928 ls
    929 ./.bs.pl
    930 rm -rf .bs.pl
    931 ls

    "I don't know what this file in /tmp does, so I'll run it to find out."

  26. #26
    You were indeed hacked. I suggest you hire a qualified admin to take care of this and have them evaluate the damage.

    linux-tech.net
    wemanageservers.com
    serveradmins.biz

    just some examples
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  27. #27
    Originally posted by dan_erat
    "I don't know what this file in /tmp does, so I'll run it to find out."
    I suggest you go back to the data center with the history logs and ask them to explain themselves to you. In any case, the tech smacks of amateurism, and I wouldn't let any of them near any of your servers ever... which in that case, why are you hosting there?
    Like us on Facebook to qualify for discounts!
    http://www.sprintserve.net
    Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting |
    Services: | Managed Multiple Cores 64bit Servers | Server Management |

  28. #28
    Originally posted by thelinuxguy
    You were indeed hacked, i suggest you hire a qualified admin to take care of this, and have them evaluate the damage.

    linux-tech.net
    wemanageservers.com
    serveradmins.biz

    just some examples
    Why are you saying that I'm hacked? Those commands were done by the data center's ADMINS/TECHS, not by me or another party.

    Server was working fine and then in 2 minutes when he was in it SQL went down... And he recommended an OS reload.

    What I want to say is that they messed up and wanted me to reload, but thanks to a few guys here I didn't fall for that...

    BTW, I'm with acunett since yesterday and they didn't see anything close to a hacked server.

  29. #29
    He said it because... ask yourself this:

    How did those perl files get there... and what do they do? Those are suspicious files (that should be analysed and not deleted). Since it is deleted, important data is already lost. But it's a fair bet that your system may be compromised and backdoors ran.

    SQL went down simply because he deleted the symlink to the sock file. But he certainly didn't help by running those files.

  30. #30
    Originally posted by Darkanoid
    Why are you saying that I'm hacked? Those commands were done by the data center's ADMINS/TECHS, not by me or another party.

    Server was working fine and then in 2 minutes when he was in it SQL went down... And he recommended an OS reload.

    What I want to say is that they messed up and wanted me to reload, but thanks to a few guys here I didn't fall for that...

    BTW, I'm with acunett since yesterday and they didn't see anything close to a hacked server.
    Bro, i deal with hacked servers daily. ".bs.pl" is a very commonly used backdoor script written in perl. Usually uploaded through a bad php script. Accunet should have seen that.
    Last edited by Steven; 04-29-2004 at 09:54 PM.

  31. #31
    Yes, and the .bs.pl file was removed before we started work on the machine. Security scans ran found nothing wrong with the system.

  32. #32
    Darkanoid, I believe the server is all fine now, correct?

  33. #33
    All you did was run security scans? Did you bother to trace down the cause and prevent it? Did you tell the client? He has no knowledge.

  34. #34
    Originally posted by thelinuxguy
    all you did was run security scans? Did you bother to trace down the cause and prevent it. Did you tell the client, he has no knowledge.
    It looked like a few malicious scripts were uploaded to /tmp, and the DC had already deleted the scripts, so we just cleaned out and hardened the rest of the server and also mounted /tmp as NOEXEC.

    If the client has any other issues or questions, he can contact us directly.
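
Mounting /tmp noexec, as described above, is easy to claim and easy to check. The script below is an added example, not from the thread or from Acunett, that reads a mount table in /proc/mounts format and reports which of noexec, nosuid and nodev a mount point lacks; the two tables it carries are constructed samples, not from the poster's server, and the fstab line in the comment is illustrative. One caveat worth stating: noexec makes the kernel refuse `./.bs.pl` (history line 929), but `perl /tmp/.bs.pl` still runs because the interpreter lives on another filesystem, so this raises the bar without replacing the work thelinuxguy asked about in #33, namely finding how the files got there.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether /tmp (or any mount point) is
# mounted with noexec, nosuid and nodev, reading a mount table in /proc/mounts
# format from stdin. The two tables below are constructed samples, not from the
# poster's server; on a live host run "missing_opts /tmp < /proc/mounts".
set -eu

WEAK_MOUNTS='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda3 /tmp ext3 rw 0 0
/dev/sda3 /var/tmp ext3 rw 0 0'

# Roughly what a loopback-mounted, hardened /tmp looks like. An illustrative
# /etc/fstab line that produces such a mount (path is an assumption):
#   /usr/tmpDSK  /tmp  ext3  loop,noexec,nosuid,nodev,rw  0 0
HARDENED_MOUNTS='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/loop0 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/loop0 /var/tmp ext3 rw,nosuid,nodev,noexec 0 0'

# missing_opts MOUNTPOINT < mount-table
# Prints the hardening options the mount point lacks, one per line, or
# "not-mounted"; prints nothing when noexec, nosuid and nodev are all present.
missing_opts() {
    awk -v mp="$1" '
        $2 == mp {
            found = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) have[opts[i]] = 1
            split("noexec nosuid nodev", want, " ")
            for (i = 1; i <= 3; i++) if (!(want[i] in have)) print want[i]
        }
        END { if (!found) print "not-mounted" }'
}

# is_hardened MOUNTPOINT TABLE_TEXT -> exit status 0 when nothing is missing
is_hardened() {
    [ -z "$(printf '%s\n' "$2" | missing_opts "$1")" ]
}

if [ "${1:-}" = demo ]; then
    for name in WEAK_MOUNTS HARDENED_MOUNTS; do
        eval "table=\$$name"
        printf '%s /tmp missing: %s\n' "$name" \
            "$(printf '%s\n' "$table" | missing_opts /tmp | tr '\n' ' ')"
    done
fi
```

Check /var/tmp as well as /tmp; a noexec /tmp with a plain /var/tmp next to it just moves the upload one directory over.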

  35. #35
    God, I'd be scared of using you guys!

    Just out of interest, I don't see you killall -9 .bs.pl (or kill a PID). Did you leave it running?

  36. #36
    Acunett did great work there are no problems anymore and everything runs perfect.

  37. #37
    Originally posted by Slidey
    God, I'd be scared of using you guys!

    Just out of interest, I don't see you killall -9 .bs.pl (or kill a PID). Did you leave it running?
    That was the DC working on the server not acunett

  38. #38
    Just a followup Darkanoid, how's your server running now?
