  1. #1

    Dedicated Server - Weird Issue - Please guide

    Hello,

    I have a dedicated server from a DATA CENTER (FULLY MANAGED), Do not wish to use the name.

    We have taken all security measures and made sure we have hardware as well as software firewall.

    We closed SSH for all users except root (su login); we run PHP as CGI.

    We regularly scan for rootkits, and the logs too.

    All of a sudden we faced a weird issue wherein the home directory on the disk was deleted.

    The system administrators did not find any traces or logs of deletion or anything as such.

    We use Cpanel/WHM and even noticed that the password DID NOT CHANGE.

    We regularly clean up the TMP directory.

    We are very much sure that we have not deleted it and we got a confirmation from the system administrators of D.C. that they have not done either.

    Could someone who is aware of these issues please let us know how to prevent this from happening.

    If this continues, we will be losing our valuable name in this field. I have searched a lot about this issue on the Google search engine and found not even a single link to anyone facing this issue.

    Please let us know.

    Thanks.
    Prads.

  2. #2

    Dedicated Server - Severe Problem - Urgent help


  3. #3
    This is definitely weird. If I'm reading this right, your /home directory containing all your cPanel accounts is deleted?
    Antony Mascarenhas How can I help? antony_m@zysek.com
    Zysek Technologies Pvt. Ltd. - Indian Datacenter ¦ Hyderabad & Mumbai
    Web Hosting · Virtual Servers · Dedicated Servers · Colocation · Managed Services

  4. #4
    Join Date
    Mar 2006
    Posts
    434

    Paging Sherlock Holmes

    Quote Originally Posted by TeamPradeep View Post
    Hello,

    <SNIP>

    We closed SSH for all users except root (su login) , we run php as cgi.

    <SNIP>

    Thanks.
    Prads.
    I would start with the possibility that either the root password was compromised or someone who had root was responsible for the issue.

    So change the root password immediately and find out everyone who has access to root.

    Also, we recommend you require admins to login as a user and su to root, only as required, as an additional security precaution. Allowing direct root login is not good policy. Logins should be done at the lowest perm level, which allows a user to complete the tasks required. Always logging in as root inherently exposes you to higher risks.

    Consult your server admins for additional security hardening and further information, as necessary.
    Last edited by Autolycus; 01-07-2010 at 03:24 PM.
    AUTOLYCUS

  5. #5
    Check if the server is hacked, and also who logged in with SSH during that time. If there were no hacker logins, it must be you or your server admin who accidentally deleted it.

  6. #6
    Join Date
    Jan 2010
    Location
    United Kingdom
    Posts
    15
    Chances are your system was compromised; home directories don't go walkabout. If you haven't secured PHP, an attacker could easily upload a shell, then a kernel exploit, and get root access to your system.

    If you need any help securing the system once you have got it back up, I will be more than happy to give you a hand.

  7. #7

    Thanks for the reply

    Quote Originally Posted by antony_m View Post
    This is definitely weird. If I'm reading this right, your /home directory containing all your cPanel accounts is deleted?
    Yes, we have found each and every domain's data deleted.

  8. #8

    No,

    Hello,

    I guess it's not the problem, because we changed the root passwords so many times and reinstalled the OS once too, but the same is happening!!

    I am sure no one is deleting from our end.

    Please advise.


    Quote Originally Posted by Autolycus View Post
    I would start with the possibility either the root password was compromised or someone who had root was responsible for the issue.

    So change the root password immediately and find out everyone who has access to root

    Also, we recommend you require admins to login as a user and su to root, only as required, as an additional security precaution. Allowing direct root login is not good policy. Logins should be done at the lowest perm level, which allows a user to complete the tasks required. Always logging in as root inherently exposes you to higher risks.

    Consult your server admins for additional security hardening and further information, as necessary.

  9. #9
    Well, only root can delete /home, so see who was logged into your server at the time /home was deleted. You can check the logged-in people by executing the command

    last
    It will show you the IPs logged in to your server via SSH as root or as other users, and the date and time when they logged in.
    | LinuxHostingSupport.net
    | Server Setup | Security | Optimization | Troubleshooting | Server Migration
    | Monthly and Task basis services.
    | MSN : madaboutlinux[at]hotmail.com | Skype : madaboutlinux
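    The check above (and the matching step in the next reply) can be scripted rather than eyeballed. This is an added example, not code from any poster: it parses session lines in `last -F` format and lists the logins that happened within a chosen window before the deletion time. The three session lines are constructed sample data; on a real host you would feed in `last -F -i` output instead. Keep in mind that `last` reads /var/log/wtmp, which anyone with root can edit, so corroborate what it shows against the SSH daemon's own log and the firewall's connection log.

```shell
#!/bin/sh
# Added example (not from the thread): correlate SSH sessions with the time a
# directory went missing, automating the manual `last` check. The session
# lines are constructed sample data in `last -F` format; on a real host use:
#   last -F -i | grep -v '^reboot'
# Times are treated as UTC so the comparison does not depend on the host zone.

SAMPLE_LAST='root     pts/0    203.0.113.10     Wed Jan  6 09:12:01 2010 - Wed Jan  6 09:40:11 2010  (00:28)
root     pts/1    198.51.100.7     Wed Jan  6 22:03:55 2010 - Wed Jan  6 22:05:30 2010  (00:01)
admin    pts/0    203.0.113.10     Thu Jan  7 08:00:17 2010 - Thu Jan  7 08:30:02 2010  (00:29)'

# parse_last TEXT: print "user ip login_epoch" for each session line.
parse_last() {
  text=$1
  printf '%s\n' "$text" | while IFS= read -r line; do
    [ -n "$line" ] || continue
    set -- $line                       # split the line into $1..$n on whitespace
    # $4..$8 are the login timestamp: weekday, month, day, time, year
    printf '%s %s %s\n' "$1" "$3" "$(date -u -d "$4 $5 $6 $7 $8" +%s)"
  done
}

# sessions_before DELETION_TIME WINDOW_SECONDS [TEXT]: print "user ip" for
# every session whose login happened at most WINDOW seconds before the
# deletion time. A session still open at that moment is the one to look at.
sessions_before() {
  deleted=$(date -u -d "$1" +%s)
  window=$2
  parse_last "${3:-$SAMPLE_LAST}" |
    awk -v d="$deleted" -v w="$window" '$3 <= d && $3 >= d - w { print $1, $2 }'
}

# Example run: who logged in within the ten minutes before the deletion?
sessions_before '2010-01-06 22:04:30' 600
```

The deletion time itself comes from wherever you can pin it down: the mtime of the parent directory, the first failed cron job or web request that hit a missing path, or the monitoring alert.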

  10. #10
    Found our IPs and cpanel.net IPs.

  11. #11
    Right, so it's either your team or the cPanel team (though I don't think they would have deleted it). Match the date and time when those IPs logged into your server with the time /home was deleted.
    | LinuxHostingSupport.net
    | Server Setup | Security | Optimization | Troubleshooting | Server Migration
    | Monthly and Task basis services.
    | MSN : madaboutlinux[at]hotmail.com | Skype : madaboutlinux

  12. #12
    Let me make one more thing very clear. This has not happened just once or twice.

    1) Once, when we raised an issue with cPanel, it happened. (We are sure they have not done this.)

    2) Once it happened, we moved to another server and left a few accounts on this server, did not deploy high security, and did not log in to root for many days, including via SSH. THE SAME HAPPENED AGAIN.

  13. #13
    If it is happening again and again, it must be a hacker who is able to access your server. It may be that your local computer is compromised, with the hacker getting the new password from your computer. Check your computer for malware, keyloggers etc.

    Get some experienced server admin to secure your server. Installing csf, changing the SSH port, disabling SSH login with password (key login), and only allowing your IP to connect to SSH may help.
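    The SSH points in this reply and in #4 (no direct root login, key-only authentication, only a known user from a known address) are easy to state and easy to let drift. This added example, not from any poster, audits an sshd_config text against those three points. The two configs are constructed samples; on a live host run `sshd -T`, which prints the effective settings in the same "keyword value" form, and pipe that in instead of reading the file.

```shell
#!/bin/sh
# Added example (not from the thread): audit sshd settings against the advice
# in posts #4 and #13. Sample configs are constructed; feed `sshd -T` output
# on a real host.

WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
# AllowUsers not set: any account may be tried from anywhere'

HARDENED_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers admin@203.0.113.10'

# sshd_setting CONFIG KEY: print the effective value of KEY. sshd honours the
# first uncommented occurrence of a keyword, so that is what is returned.
sshd_setting() {
  printf '%s\n' "$1" | awk -v k="$2" '
    /^[[:space:]]*#/ { next }
    tolower($1) == tolower(k) && !done { print $2; done = 1 }'
}

# audit_sshd CONFIG: print one finding per line; prints nothing when clean.
audit_sshd() {
  cfg=$1
  v=$(sshd_setting "$cfg" PermitRootLogin)
  [ "$v" = "no" ] || echo "PermitRootLogin is '${v:-unset}': direct root login possible"
  v=$(sshd_setting "$cfg" PasswordAuthentication)
  [ "$v" = "no" ] || echo "PasswordAuthentication is '${v:-unset}': passwords accepted, keys not enforced"
  v=$(sshd_setting "$cfg" AllowUsers)
  [ -n "$v" ] || echo "AllowUsers unset: no restriction on which users or source hosts may log in"
}

# finding_count CONFIG: number of findings, handy as a cron health check.
finding_count() {
  audit_sshd "$1" | wc -l | tr -d ' '
}

echo "weak config:";     audit_sshd "$WEAK_CONFIG"
echo "hardened config:"; audit_sshd "$HARDENED_CONFIG"
```

`AllowUsers user@host` is the sshd-side counterpart of the single-IP firewall rule mentioned in the reply; having both means a firewall misconfiguration alone does not reopen the door. The audit treats any PermitRootLogin value other than "no" as a finding, which is the strict reading of post #4.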

  14. #14
    Install csf - Done at start

    change ssh port - SSH is closed, hardware firewall enabled, disabled SSH login with password (key login), only allow your IP to connect to SSH, may help.

    We allow only one IP to login.

    If this is a local system problem, what software do you suggest we use? I mean an antivirus?

  15. #15
    Join Date
    Mar 2004
    Location
    UK
    Posts
    215
    This is definitely an odd issue. The first thing you should do is put /home on a separate partition and have it mount at boot time. Once that is done, it will not be possible to delete the home directory.

    My guess is that some software configuration issue is causing this to happen. Just as a guess, you don't have cPanel set to back up to /home/backup, do you? Or have the backup directory for cPanel anywhere under /home? I have seen that cause strange problems when the backups run.

    If not, once you have a separate partition for /home, keep an eye on the logs for error messages and you'll probably be able to track down the offending program.
    Martin
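    A way to verify the separate-partition advice above, added here as an example and not code from any poster. One caveat worth knowing: a mounted /home cannot itself be removed (rmdir fails with "device or resource busy"), but everything inside it still can, so the partition protects the mount point, not the data; logging is what tells you who removed the contents. The fstab texts are constructed samples; on a real host read /etc/fstab or simply run `findmnt /home`.

```shell
#!/bin/sh
# Added example (not from the thread): check whether /home has its own
# filesystem entry, and build the entry to add when it does not.
# The fstab texts are constructed samples.

FSTAB_BEFORE='/dev/sda1  /      ext3  defaults  1 1
/dev/sda2  swap   swap  defaults  0 0'

FSTAB_AFTER='/dev/sda1  /      ext3  defaults        1 1
/dev/sda3  /home  ext3  defaults,nosuid  1 2
/dev/sda2  swap   swap  defaults        0 0'

# fstab_device FSTAB PATH: print the device listed for mount point PATH
# (comment lines are skipped).
fstab_device() {
  printf '%s\n' "$1" | awk -v p="$2" '$1 !~ /^#/ && $2 == p { print $1 }'
}

# home_is_separate FSTAB: "yes" if /home has its own entry, else "no".
home_is_separate() {
  if [ -n "$(fstab_device "$1" /home)" ]; then echo yes; else echo no; fi
}

# home_entry DEVICE: the fstab line to add. nosuid and nodev are included
# because nothing under /home should need setuid binaries or device nodes.
home_entry() {
  printf '%s  /home  ext3  defaults,nosuid,nodev  1 2\n' "$1"
}

echo "before: /home separate? $(home_is_separate "$FSTAB_BEFORE")"
echo "after:  /home separate? $(home_is_separate "$FSTAB_AFTER")"
echo "entry to add: $(home_entry /dev/sda3)"
```

To act on the "keep an eye on the logs" part of the advice, an audit watch on the mount point records who deletes what inside it: `auditctl -w /home -p wa -k home_watch`, later queried with `ausearch -k home_watch`. Those are standard auditd commands, not something the thread mentions.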

  16. #16
    Hi Martin,

    If it is a VPS, how should we proceed?

    Please advise.

  17. #17
    Hi martin,

    Thanks for the reply, but what if it is a VPS? We have made sure the backup is not in /home/backup; it is on the disk as /backup.

    If the issue is happening with a VPS, how should we proceed?

  18. #18
    Join Date
    Mar 2004
    Location
    UK
    Posts
    215
    In that case, you would need help from your provider. If this is happening on a VPS, I would be very suspicious of the provider, as they have full access to your machine whatever you do security-wise.
    Martin

  19. #19
    No problem, they can be trusted, no doubt.

    Please let us know what to tell them to do.

  20. #20
    Join Date
    Nov 2004
    Location
    Switzerland
    Posts
    1,307
    Do you have a dedicated server or a VPS? It's not clear to me from reading your posts.
    Enterprise Consultant
    CCNP Enterprise - CCNP Security
    .:. Travels From West to East .:.
