01-07-2010, 10:57 AM #1 Newbie (Join Date: Jan 2010, Posts: 19)
Dedicated Server - Weird Issue - Please guide
Hello,
I have a dedicated server from a DATA CENTER (FULLY MANAGED); I do not wish to use the name.
We have taken all security measures and made sure we have a hardware as well as a software firewall.
We closed SSH for all users except root (su login), and we run PHP as CGI.
We regularly scan for rootkits, and logs too.
All of a sudden we faced a weird issue wherein the home directory on the disk has been deleted.
The system administrators did not find any traces or logs of the deletion or anything of the sort.
We use cPanel/WHM and even noticed that the password DID NOT CHANGE.
We regularly clean up the TMP directory.
We are very sure that we have not deleted it, and we got a confirmation from the system administrators of the D.C. that they have not done so either.
Would someone who is aware of these issues please let us know how to prevent this from happening.
If the same continues, we will be losing our valuable name in this field. I have searched a lot about this issue on the Google search engine and found not even a single link about anyone facing this issue.
Please let us know.
Thanks.
Prads.
-
01-07-2010, 03:17 PM #3 Web Hosting Evangelist (Join Date: Nov 2009, Posts: 452)
This is definitely weird. If I'm reading this right, your /home directory containing all your cPanel accounts is deleted?
Antony Mascarenhas How can I help? antony_m@zysek.com
-
01-07-2010, 03:21 PM #4 Aspiring Evangelist (Join Date: Mar 2006, Posts: 434)
Paging Sherlock Holmes
I would start with the possibility that either the root password was compromised or someone who had root was responsible for the issue.
So change the root password immediately and find out everyone who has access to root.
Also, we recommend you require admins to log in as a user and su to root only as required, as an additional security precaution. Allowing direct root login is not good policy. Logins should be done at the lowest permission level that allows a user to complete the tasks required. Always logging in as root inherently exposes you to higher risks.
Consult your server admins for additional security hardening and further information, as necessary.
Last edited by Autolycus; 01-07-2010 at 03:24 PM.
AUTOLYCUS
-
01-07-2010, 03:37 PM #5 Web Hosting Master (Join Date: Jan 2002, Posts: 1,400)
Check if the server is hacked, and also who logged in with SSH during that time. If there are no hacker logins, it must be you or your server admin who accidentally deleted it.
-
01-07-2010, 03:56 PM #6 Newbie (Join Date: Jan 2010, Location: United Kingdom, Posts: 15)
Chances are your system was compromised; home directories don't go walkabout. If you haven't secured PHP, an attacker could easily upload a shell, then a kernel exploit, and get root access to your system.
If you need any help securing the system once you have got it back up, I will be more than happy to give you a hand.
-
01-08-2010, 09:25 AM #9 Web Hosting Master (Join Date: Jul 2009, Posts: 1,568)
Well, only root can delete /home, so see who was logged into your server at the time /home was deleted. You can check the logged-in people by executing the command
last
| LinuxHostingSupport.net | MSN : madaboutlinux[at]hotmail.com | Skype : madaboutlinux
-
01-08-2010, 09:29 AM #10 Newbie (Join Date: Jan 2010, Posts: 19)
Found our IPs and cPanel.net IPs.
-
01-08-2010, 09:35 AM #11 Web Hosting Master (Join Date: Jul 2009, Posts: 1,568)
Right, so it's either your team OR cPanel team (though I don't think they would have deleted it). Match the date and time when those IPs logged into your server and the time /home was deleted.
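One way to do the matching the two posts above describe (which sessions were open at the moment /home went), as an added example that is not from the thread: a Python parser for `last -F` output that lists the sessions active at a given time. The sample `last -F` output and the deletion timestamp are constructed for the example; on the real server you would feed it the actual `last -F` output and the time taken from a backup or monitoring log.

```python
import re
from datetime import datetime

# Full timestamp as printed by `last -F`, e.g. "Thu Jan  7 09:12:03 2010".
_DATE = r"\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}"
_FMT = "%a %b %d %H:%M:%S %Y"

# One session line of `last -F`. The host column is optional (console logins
# have none); "reboot ... system boot" lines and the "wtmp begins" footer do
# not match and are skipped.
_LAST_RE = re.compile(
    rf"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?:(?P<host>\S+)\s+)?(?P<start>{_DATE})\s+"
    rf"(?:-\s+(?P<end>{_DATE})|(?:-\s+)?(?P<open>still logged in|gone - no logout|down|crash))"
)

# Constructed sample `last -F` output for this example (not from the thread).
SAMPLE_LAST = """\
root     pts/0        203.0.113.10     Thu Jan  7 09:12:03 2010 - Thu Jan  7 09:40:11 2010  (00:28)
root     pts/1        198.51.100.5     Thu Jan  7 10:30:00 2010   still logged in
reboot   system boot  2.6.18-164.el5   Wed Jan  6 22:01:15 2010 - Thu Jan  7 11:00:00 2010  (12:58)
root     tty1                          Wed Jan  6 23:05:40 2010 - Wed Jan  6 23:30:02 2010  (00:24)

wtmp begins Fri Jan  1 00:00:00 2010
"""


def sessions_active_at(last_output, when):
    """Return [(user, tty, host), ...] for every session open at `when`,
    an ISO timestamp such as "2010-01-07 10:45:00" in server local time."""
    moment = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
    active = []
    for line in last_output.splitlines():
        m = _LAST_RE.match(line)
        if not m:
            continue
        start = datetime.strptime(m.group("start"), _FMT)
        if m.group("end"):
            end = datetime.strptime(m.group("end"), _FMT)
        else:
            # still logged in / gone - no logout / down / crash: the logout
            # time is unknown, so keep the session rather than drop it.
            end = datetime.max
        if start <= moment <= end:
            active.append((m.group("user"), m.group("tty"), m.group("host") or "console"))
    return active


if __name__ == "__main__":
    # The deletion time would normally come from a backup or monitoring alert.
    for user, tty, host in sessions_active_at(SAMPLE_LAST, "2010-01-07 10:45:00"):
        print(f"{user} on {tty} from {host} was logged in at that time")
```

A root-level intruder can edit /var/log/wtmp, so an empty result rules nothing out; it only narrows down the legitimate sessions that the posts above ask you to match against the deletion time.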
-
01-08-2010, 09:37 AM #12 Newbie (Join Date: Jan 2010, Posts: 19)
Let me make one more thing very clear. This has not happened just once or twice.
1) Once, after we gave an issue to cPanel, it happened. (We are sure they have not done this.)
2) Once it happened, we moved to another server and left a few accounts on this server, did not deploy high security, and did not log in to root for many days, including via SSH. THE SAME HAPPENED AGAIN.
-
01-08-2010, 09:49 AM #13 Web Hosting Master (Join Date: Jan 2002, Posts: 1,400)
If it is happening again and again, it must be a hacker who is able to access your server. It may be that your local computer is compromised and the hacker is getting the new password from your computer. Check your computer for malware, keyloggers, etc.
Get an experienced server admin to secure your server. Installing csf, changing the SSH port, disabling SSH login with password (key login), and only allowing your IP to connect to SSH may help.
-
01-08-2010, 09:51 AM #14 Newbie (Join Date: Jan 2010, Posts: 19)
Install csf - Done at the start.
Change SSH port - SSH is closed, hardware firewall enabled, SSH login with password disabled (key login), only allow your IP to connect to SSH, may help.
We allow only one IP to log in.
If this is a local system problem, what software do you suggest we use? I mean an antivirus?
-
01-08-2010, 09:53 AM #15 Junior Guru (Join Date: Mar 2004, Location: UK, Posts: 215)
This is definitely an odd issue. The first thing you should do is put /home on a separate partition and have it mount at boot time. Once that is done, it will not be possible to delete the home directory.
My guess is that some software configuration issue is causing this to happen. Just as a guess, you don't have cPanel set to back up to /home/backup, do you? Or have the backup directory for cPanel anywhere under /home? I have seen that issue cause strange problems when the backups run.
If not, once you have a separate partition for home, keep an eye on the logs for error messages and you'll probably be able to track down the offending program.
Martin
-
01-08-2010, 09:55 AM #16 Newbie (Join Date: Jan 2010, Posts: 19)
Hi Martin,
If it is a VPS, how do we proceed then?
Please advise.
-
01-08-2010, 09:59 AM #17 Newbie (Join Date: Jan 2010, Posts: 19)
Hi Martin,
Thanks for the reply, but what if it is a VPS? We have made sure the BACKUP is not at /home/backup; it is on the disk as /backup.
If the issue is happening with a VPS, how do we proceed?
-
01-08-2010, 10:08 AM #18 Junior Guru (Join Date: Mar 2004, Location: UK, Posts: 215)
In that case, you would need help from your provider. If this is happening on a VPS, I would be very suspicious of the provider, as they have full access to your machine whatever you do security-wise.
Martin
-
01-08-2010, 10:09 AM #19 Newbie (Join Date: Jan 2010, Posts: 19)
No problem, they can be trusted no doubt.
Please let us know what to tell them to do.
-
01-08-2010, 02:23 PM #20 Web Hosting Master (Join Date: Nov 2004, Location: Switzerland, Posts: 1,307)
Do you have a dedicated server or a VPS? It's not clear to me from reading your posts.