  1. #11
    Just Joined! | Join Date: Mar 2011 | Posts: 11

    Originally Posted by Irithori:
    Well, nobody but you can tell.
    Can you please grep your history file for rm, like asked above?

    Also, this apache is not reachable.
    So wherever you got your mainpage from, it is most probably not from 86.120.148.140


    Which brings me back to error logs.
    Did you look in /var/log ?

    If they are not there, you need to find out the location in apache and mysql confs.
    So apache is not running, mysql is not running.
    I can't seem to find the apache logs in /var/log, or are they called something else?
    All I've got in /var/log are security logs:
    LDF, SECURE, and MESSAGES, exim mail logs, boot log and a few other files.
    There is no apache folder or log in /var/log.
    What is it called, error.log, apache.log?



    I'm thinking that it's not from TMP and maybe they trashed my server with an exploit, but one single restart and some deleted TMP content and nothing is working anymore.

    I'm desperate, I can't even find the logs. When I run etc/init.d/httpd start
    I get: could not open error log file, usr/local/apache/logs/error_log.

    But maybe it's relocated somewhere else, moved.
    Can you please grep your history file for rm, like asked above?
    I ran the command in the terminal but it's not showing anything
    So how do I use this command : history|grep rm ?
    All it does is return the command.

    It returns this: 33 history|grep rm

  2. #12
    Trusted Penguin Irithori | Join Date: May 2009 | Location: Munich | Posts: 3,387
    Ok, so apache expects its error logs there:
    I get could not open error log file, usr/local/apache/logs/error_log.
    What is in there?
    Code:
    ls -la /usr/local/apache/
    ls -la /usr/local/apache/logs/
    You must always face the curtain with a bow.

  3. #13
    Just Joined! | Join Date: Mar 2011 | Posts: 11
    Originally Posted by Irithori:
    Ok, so apache expects its error logs there:


    What is in there?
    Code:
    ls -la /usr/local/apache/
    ls -la /usr/local/apache/logs/
    There is the apache directory in local/apache but no logs folder in apache directory/folder.
    Maybe they deleted the logs folder ? or the logs were in the tmp folder(impossible in my view) Can I give you access over putty ? I just don't know what to do.


    Also as I said.
    I ran the command 'history|grep rm' in the terminal but it's not showing anything
    So how do I use this command ?
    All it does is return the command.

    It returns this: 33 history|grep rm

  4. #14
    Trusted Penguin Irithori | Join Date: May 2009 | Location: Munich | Posts: 3,387
    That seems a bit too desperate.

    You mentioned an intrusion several times now.
    This may or may not be the case.
    But I don't think it looks too good if you additionally give root to a random guy from a forum.

    Is there a sysadmin colleague and/or contractor you can call?

    The most important is your database.
    Usually in /var/lib/mysql
    Save it.

    Is this server backed up?
    You must always face the curtain with a bow.

  5. #15
    Just Joined! | Join Date: Mar 2011 | Posts: 11
    Originally Posted by Irithori:
    That seems a bit too desperate.

    You mentioned an intrusion several times now.
    This may or may not be the case.
    But I don't think it looks too good if you additionally give root to a random guy from a forum.


    Is this server backed up?
    Yes, they made a backdoor in the TMP folder, several files not just one, and they ran it as a binary. I had 777 on the tmp folder. I found the backdoor files, but I wanted to make sure I got everything, so I deleted everything with the timestamp 2011. I thought it's just TMP, restarted the server, then found out nothing is working anymore. The exploit seems to have only modified some html pages, adding code to the bottom of the pages.


    Is there a sysadmin colleague and/or contractor you can call?
    There is no one who can help me for several weeks.

    The most important is your database.
    Usually in /var/lib/mysql
    Save it.
    I took notice and looked there early, are all the databases there from the shared virtual hosts/sites ?

    Maybe it's just a glitch and I can't find it. Now I find out that there is no logs for apache or I can't find them.

    Is apache cracked ? and no I don't have a backup for the server


    Maybe you can give me some advice tomorrow on what I can possibly do? I do have to go now, it is very late and I am very tired and upset that I did not solve anything.

    Thank you for all the help so far.
    Last edited by cretudaniel78; 03-19-2011 at 01:06 AM.

  6. #16
    Trusted Penguin Irithori | Join Date: May 2009 | Location: Munich | Posts: 3,387
    Yes they made a backdoor in the TMP folder, several files not just one and they ran it as binary
    If you are *sure* about that, then that's it.

    It wouldn't make sense to somehow fix the machine, because you cannot be sure what was replaced/changed/corrupted.

    - Shut it down.
    - Boot it with a livecd.
    - Look for your data.
    - Install a new machine.
    - Copy the data from the compromised machine.
    - Inspect the data. This might be tricky..
    - Configure the new machine.

    Sorry

    What makes you so sure?
    You identified these processes how?
    You must always face the curtain with a bow.

  7. #17
    Trusted Penguin Irithori | Join Date: May 2009 | Location: Munich | Posts: 3,387
    Just a bad hunch..

    - Your logfiles are missing
    - You said: "so I deleted everything with the timestamp 2011."
    - there is no rm in history

    Was that a recursive search and delete for files from 2011?
    Because.. if you would have started such a search&delete in the wrong directory, it could explain the missing logs.
    You must always face the curtain with a bow.
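Two checks that follow from the exchange above, written as an added example (this is not code from the thread or from either poster). The first reads the history files on disk directly, because `history | grep rm` only sees the current shell's session, so earlier logins and other accounts are invisible to it. The second lists what a timestamp-based search would match before anything is removed, so a search started in the wrong directory shows up as a surprising file list rather than as missing logs. The home directories, the year and the sample files in the test are constructed inputs; nothing here is specific to the poster's server.

```shell
#!/bin/sh
# Added example, not part of the original thread.

# Print every history line mentioning rm from the history files under the
# given home directories (for example /root /home/*). The interactive
# `history` builtin only shows the current session; these files hold what
# was written to disk by earlier sessions. Missing files are skipped.
grep_rm_in_history_files() {
    for home in "$@"; do
        for hist in "$home/.bash_history" "$home/.sh_history"; do
            [ -f "$hist" ] || continue
            grep -n 'rm ' "$hist" | sed "s|^|$hist:|"
        done
    done
}

# Dry run: list regular files under directory $1 whose modification time
# falls inside calendar year $2 (e.g. 2011). Nothing is deleted; the caller
# reviews the list first. Uses POSIX touch -t and find -newer with two
# reference files, so no GNU-only options are needed.
list_files_modified_in_year() {
    dir=$1; year=$2
    next=$((year + 1))
    start=$(mktemp); end=$(mktemp)
    touch -t "${year}01010000" "$start"
    touch -t "${next}01010000" "$end"
    find "$dir" -type f -newer "$start" ! -newer "$end"
    rm -f "$start" "$end"
}

# Number of files the dry run would match; a quick sanity check before any
# cleanup (a count in the thousands from /tmp is a sign the path is wrong).
count_files_modified_in_year() {
    list_files_modified_in_year "$1" "$2" | wc -l | tr -d ' '
}

# Usage (set RUN_DEMO=1 to run against the real system; needs read access
# to the history files you name):
if [ "${RUN_DEMO:-0}" = 1 ]; then
    grep_rm_in_history_files /root /home/*
    echo "files under /tmp modified in 2011: $(count_files_modified_in_year /tmp 2011)"
fi
```

The search is deliberately split into list and count so the result can be inspected before a delete is ever typed; if the list contains anything outside the directory you meant, the command was pointed at the wrong place.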

  8. #18
    Just Joined! | Join Date: Mar 2011 | Posts: 11
    Originally Posted by Irithori:
    If you are *sure* about that, then that's it.

    It wouldn't make sense to somehow fix the machine, because you cannot be sure what was replaced/changed/corrupted.

    - Shut it down.
    - Boot it with a livecd.
    - Look for your data.
    - Install a new machine.
    - Copy the data from the compromised machine.
    - Inspect the data. This might be tricky..
    - Configure the new machine.

    Sorry

    What makes you so sure?
    You identified these processes how?
    What should I save ?
    They only modified the html pages I think, I did the rest, deleted the content from the tmp. I would prefer to think it's not the exploit but me deleting the files in the tmp folder.


    - You said: "so I deleted everything with the timestamp 2011."
    Only in the tmp folder, I have not deleted anything outside of it.

    At this point if I give you access to take a look what would it hurt ?


    Also what data can I save, and what can I copy over ? can't I just reinstall apache without reinstalling linux ?
    Last edited by cretudaniel78; 03-19-2011 at 10:06 AM.

  9. #19
    Trusted Penguin Irithori | Join Date: May 2009 | Location: Munich | Posts: 3,387
    Reinstalling apache would probably undo manual changes to the setup.

    If you decided to work on this box rather than build a new one,
    then I would:
    1) start mysql on the commandline
    2) see what it complains about (either standard out or its error log. The error log should be defined in /etc/my.cnf or /etc/mysql/my.cnf)
    3) fix the first error
    4) mysql starts? ok. If not: Goto 1)

    Same procedure with apache.
    As an example: you have this error
    "could not open error log file, /usr/local/apache/logs/error_log"
    So:
    make sure the path exists, and create an empty error_log.
    I would also make sure the apache user (defined in apache.conf or httpd.conf) owns the files and directories under /usr/local/apache.
    You must always face the curtain with a bow.
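The repair steps in the post above (read the User directive from the Apache config, make sure the log path exists, create an empty error_log with the right owner, and find where MySQL writes its error log) as an added shell example; this is not code from the thread or from either poster. The config files in the test are constructed; the paths are passed in, so nothing is tied to the poster's /usr/local/apache layout. Ownership is only changed when the script runs as root, otherwise it prints the chown it would have needed.

```shell
#!/bin/sh
# Added example, not part of the original thread.

# Print the value of the User directive from an Apache config file
# (httpd.conf or apache.conf). Leading whitespace is ignored and the last
# matching directive wins, which is how Apache itself resolves it.
# "UserDir" does not match because whitespace must follow "User".
apache_user_from_conf() {
    awk '/^[[:space:]]*User[[:space:]]+/ { u = $2 } END { if (u != "") print u }' "$1"
}

# Print the error log path from a MySQL option file (log-error or log_error
# in any section). Prints nothing if the option is not set; MySQL then
# writes errors to stderr, or to host_name.err in the data directory when
# started through mysqld_safe.
mysql_error_log_from_cnf() {
    sed -n 's/^[[:space:]]*log[-_]error[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Make sure the error log $1 exists (creating its directory if needed) and,
# when running as root, is owned by user $2. Prints the log path.
ensure_error_log() {
    log=$1; owner=$2
    mkdir -p "$(dirname "$log")" || return 1
    [ -f "$log" ] || : > "$log"
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$log" || { echo "chown $owner $log failed" >&2; return 1; }
    else
        echo "not root; run as root: chown $owner $log" >&2
    fi
    echo "$log"
}

# Usage against a real system (set RUN_DEMO=1; the paths are the ones the
# post above mentions and are assumptions for this example):
if [ "${RUN_DEMO:-0}" = 1 ]; then
    u=$(apache_user_from_conf /usr/local/apache/conf/httpd.conf)
    ensure_error_log /usr/local/apache/logs/error_log "$u"
    for cnf in /etc/my.cnf /etc/mysql/my.cnf; do
        [ -f "$cnf" ] && echo "$cnf: log-error=$(mysql_error_log_from_cnf "$cnf")"
    done
fi
```

Creating the file empty rather than copying anything into place keeps the repair minimal: once httpd can open the log, its own startup messages (such as the `NameVirtualHost ... has no VirtualHosts` warning) land there and point at the next thing to fix.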

  10. #20
    Just Joined! | Join Date: Mar 2011 | Posts: 11
    Originally Posted by Irithori:
    Reinstalling apache would probably undo manual changes to the setup.

    If you decided to work on this box rather than build a new one,
    then I would:
    1) start mysql on the commandline
    2) see what it complains about (either standard out or its error log. The error log should be defined in /etc/my.cnf or /etc/mysql/my.cnf)
    3) fix the first error
    4) mysql starts? ok. If not: Goto 1)

    Same procedure with apache.
    As an example: you have this error
    "could not open error log file, /usr/local/apache/logs/error_log"
    So:
    make sure the path exists, and create an empty error_log.
    I would also make sure the apache user (defined in apache.conf or httpd.conf) owns the files and directories under /usr/local/apache.
    I managed to get apache and mysql to run, put the log file like you told me and I got something in the log file. Sites are running now, I really don't understand what is going on anymore.

    So I restarted the machine once again and I started it with:
    etc/init.d/httpd start

    This time it worked.

    Apache log file reads after the start:
    [Sat Mar 19 14:56:16 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suexec)
    [Sat Mar 19 14:56:17 2011] [notice] Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5 configured -- resuming normal operations


    But there are still errors, it tells me that there are no virtual hosts, but the virtual hosts are running now, it's what I get in the terminal.
    Here it is:
    [Sat Mar 19 15:17:10 2011] [warn] NameVirtualHost 86.120.148.140:80 has no VirtualHosts



    Also for mysql I ran 'etc/init.d/mysql start'

    Result was that it started ok.
    Starting MySQL [ OK ]

    I did check a dynamic connection from the data base on a site on the server and
    it's pulling out information out of the database to the site.

    Strange enough I could not find the logs for mysql.
    There is no mysql folder in etc, so where is mysql located? If it's running it's there, but where? I could not find the folder for it, I wanted to see the logs.
