HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 2 > Installation/Configuration

#1
11th October 2007, 18:22
albertux (Member, Chile)
machine hacked ...

Hi friends, I have a problem when logging in to the machine remotely with ssh, e.g.:

:~# ssh username@www.domain.cl

The following error appears:

:~# ssh_exchange_identification: Connection closed by remote host

I went to the machine to see what had happened physically, and I was surprised
that I could not log in from the machine itself either, which makes me think that they
cracked the /etc/shadow and /etc/passwd files.

The problem is how to get into the machine, because I don't have the root user or any other one ...

Please, I need help because this machine is a production server, with far too many email accounts and resellers, etc ....

Ahhh... the email accounts don't work, and the reseller accounts don't either...

Thanks

I don't know how to resolve the problem .... the machine is GNU/Linux Debian 4.0 with all updates and ISPConfig 2.2.14 as its only resource...

#2
11th October 2007, 19:56
mlz (Senior Member)

Boot into single user mode, which automatically puts you in as root, then set your password with the passwd command.
#3
11th October 2007, 20:48
ebal (Member)

You can always use a live CD
and then mount / chroot into your Linux partition.

But keep a live CD close by (always helpful).
__________________
http://ebalaskas.gr/wiki
#4
11th October 2007, 21:01
albertux (Member, Chile)

OK, but the problem is that only two users exist, root and ispconfig, that can modify these files, so can I control the ispconfig user so that it does not have this permission???
#5
12th October 2007, 11:00
till (Super Moderator, Lüneburg, Germany)

The ISPConfig user (admispconfig) cannot modify /etc/passwd and I don't think that your server has been hacked through ISPConfig. You should use a rescue CD to start the server, mount the hard disk and have a look at /etc/passwd and /etc/shadow and check if they are corrupted; also check the syslog and auth.log for what caused your SSH connection to fail. There are many other possible reasons, e.g. a full hard disk partition, that have the same symptoms that you described.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#6
12th October 2007, 15:44
albertux (Member, Chile)

I already fixed the problem; in any case, what they did was modify the shadow, passwd, gshadow and group files, for that reason I think it can have been through the ISPConfig server, because no other user has the possibility of modifying these files.

The other errors that appeared were caused by the same problem. I solved it by entering single mode and replacing the modified files with old backup copies, but now, in the session name when starting a session via ssh for example, a message appears such as:

I have no name!@machinename:~$

I have not solved this problem yet ...

Well my friends, I will continue analyzing this and the other problems and writing them up ... thank you for all the answers ...

greetings
albertux
#7
16th October 2007, 16:51
albertux (Member, Chile)

The "I have no name!" problem was a simple question of permissions on the files.

Greetings to all
#8
5th January 2008, 21:56
Melchior (Junior Member, Germany, Darmstadt)
crashed
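An added example, not code from the thread or from ISPConfig, covering two points raised above: the checks till suggests in #5 (boot a rescue CD, mount the disk, see whether passwd and shadow are intact) and the permissions behind the "I have no name!" prompt in #6 and #7. Both functions take the directory of the mounted /etc (for example /mnt/etc from a live CD) rather than the running system's, which is what you have when you cannot log in. Assumed: Linux with GNU coreutils (`stat -c`) and Debian's root:shadow convention for shadow/gshadow; the two sample trees at the bottom are constructed for the demo, not taken from any poster's machine.

```shell
#!/bin/sh
# Added example (not from the thread or ISPConfig): offline checks for the
# account files of a rescued Debian root filesystem. From a live CD with the
# damaged disk mounted:  audit_account_files /mnt/etc; check_account_file_modes /mnt/etc
# Assumes Linux with GNU coreutils (stat -c). Sample data below is constructed.

# Structural checks on passwd/shadow: field counts, root present as the only
# UID-0 account, and a shadow entry for every passwd user (a cropped shadow
# file, as reported in the thread, fails this). Prints each finding; returns
# 1 if anything is wrong. Works on a mounted copy of /etc, unlike pwck(8).
audit_account_files() {
    dir=$1; rc=0
    for f in passwd shadow group gshadow; do
        [ -f "$dir/$f" ] || { echo "MISSING: $dir/$f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    # passwd has 7 colon-separated fields per line, shadow has 9
    awk -F: 'NF != 7 { print "BAD passwd line " NR ": " $0; bad = 1 } END { exit bad }' \
        "$dir/passwd" || rc=1
    awk -F: 'NF != 9 { print "BAD shadow line " NR ": " $0; bad = 1 } END { exit bad }' \
        "$dir/shadow" || rc=1

    # root must exist with UID 0 and be the only UID-0 account
    awk -F: '$3 == 0 { if ($1 == "root") seen = 1; else { print "EXTRA UID 0 account: " $1; bad = 1 } }
             END { if (!seen) { print "MISSING: root"; bad = 1 } exit bad }' \
        "$dir/passwd" || rc=1

    # every passwd user needs a shadow line, or logins fail even with the right password
    awk -F: 'FILENAME == ARGV[1] { have[$1] = 1; next }
             !($1 in have) { print "NO SHADOW ENTRY: " $1; bad = 1 }
             END { exit bad }' "$dir/shadow" "$dir/passwd" || rc=1
    return $rc
}

# Mode checks: passwd and group must stay world-readable, otherwise every
# unprivileged process fails getpwuid() and the shell greets you with
# "I have no name!"; shadow and gshadow must not be world-readable.
check_account_file_modes() {
    dir=$1; rc=0
    for f in passwd group; do
        mode=$(stat -c '%a' "$dir/$f")
        case $mode in
            644|444) ;;
            *) echo "BAD MODE $dir/$f: $mode (want 644 root:root)"; rc=1 ;;
        esac
    done
    for f in shadow gshadow; do
        mode=$(stat -c '%a' "$dir/$f")
        case $mode in
            640|600|400) ;;
            *) echo "BAD MODE $dir/$f: $mode (want 640 root:shadow on Debian)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed demo data: a healthy /etc and a damaged copy showing the two
# symptoms from the thread (system accounts gone from shadow, passwd unreadable).
make_sample_etc() {
    d=$(mktemp -d); mkdir "$d/good" "$d/bad"
    for s in good bad; do
        printf 'root:x:0:0:root:/root:/bin/bash\nweb1_user:x:10001:10001::/var/www/web1:/bin/false\n' > "$d/$s/passwd"
        printf 'root:x:0:\nweb1:x:10001:\n' > "$d/$s/group"
        printf 'root:*::\nweb1:*::\n' > "$d/$s/gshadow"
        chmod 644 "$d/$s/passwd" "$d/$s/group"; chmod 640 "$d/$s/gshadow"
    done
    printf 'root:$1$saltsalt$fakehash:13800:0:99999:7:::\nweb1_user:!:13800:0:99999:7:::\n' > "$d/good/shadow"
    printf 'web1_user:!:13800:0:99999:7:::\n' > "$d/bad/shadow"   # cropped: root is gone
    chmod 640 "$d/good/shadow" "$d/bad/shadow"
    chmod 600 "$d/bad/passwd"                                      # triggers "I have no name!"
    echo "$d"
}

SAMPLE=$(make_sample_etc)
echo "== good tree =="
audit_account_files "$SAMPLE/good" && check_account_file_modes "$SAMPLE/good" && echo "OK"
echo "== damaged tree =="
audit_account_files "$SAMPLE/bad" || echo "(account file problems found)"
check_account_file_modes "$SAMPLE/bad" || echo "(permission problems found)"
rm -rf "$SAMPLE"
```

Run it against the mounted disk before copying backups over the files, so the findings (which accounts disappeared, whether an extra UID-0 user was added) are recorded while the damaged copies still exist; a restore from backup then fixes ownership and modes with chown root:root / chmod 644 for passwd and group, and root:shadow / 640 for the shadow files.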

Exactly the same problem.

I just updated some email data. After that, I couldn't log in to
my IMAP accounts. Login by ssh also failed for every user with:

:~# ssh_exchange_identification: Connection closed by remote host

Rebooting the machine failed. The remote hands-on by the data center also...

Tomorrow (Sunday) I have to get up early ..
driving to the datacenter in Frankfurt/Main

Version: 2.2.14
always worked fine up to now


Could it be that if you perform many changes in a short time, the
"systemmanager" (the smart guy who changes the passwd and
shadow file) gets a little bit "confused" while doing his job?

Otherwise I cannot explain to myself what went wrong.

But the most curious thing is that all these problems happened at the same time.

Hoping my forum members are going to excuse the offline time


// STATUS UPDATE: Sunday 1pm
Machine is on the net again.
Had to restore passwd, shadow and group.
Thanks for the tutorial "how to knoppix with lvm and raid" - it was a real help to me!

If I can help trace the failure to its roots, I will mail all needed logs to the ISPConfig mods.
Best, give me some commands like: tail -5000 /var/log/auth.log > auth.log.txt
so that I can collect all you want.

I'm on Debian etch,
/root/ispconfig and /home/adminispconfig are the dirs

What else attracts my attention:
- the file local-host-names lost the settings below "#### MAKE MANUAL ENTRIES BELOW THIS LINE! ####"
- the shadow file was cropped. It only contained some webxx_* accounts. The system accounts weren't there anymore.

greetings,
melchior

#9
6th January 2008, 13:43
till (Super Moderator, Lüneburg, Germany)

Please have a look at the file /home/admispconfig/ispconfig/ispconfig.log for errors and any unusual entries around the time when the problem started. You can also mail me the logfile at dev [at] ispconfig [dot] org if you like.
#10
6th January 2008, 13:57
Melchior (Junior Member, Germany, Darmstadt)
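An added example, not from the thread or from ISPConfig, to go with the log requests in #8 (Melchior asking for commands like `tail -5000 /var/log/auth.log`) and #9 (checking logs around the time the problem started): a small shell/awk pair that cuts a Debian-style auth.log down to an incident window and tallies sshd outcomes per source address, which is the part worth saving from the mounted disk before anything is restored over it. Assumed: syslog timestamps of the form "Mon DD HH:MM:SS" (no year, so one calendar year at a time) and plain POSIX awk; the auth.log lines at the bottom are constructed sample data, not anyone's real log.

```shell
#!/bin/sh
# Added example (not from the thread or ISPConfig): carve an incident window
# out of a Debian-style auth.log and summarise sshd outcomes per source IP.
# Assumes syslog timestamps "Mon DD HH:MM:SS" (no year, so one year at a
# time) and plain awk. The sample log is constructed.

# Print the lines of FILE whose timestamp falls in [FROM, TO], both given as
# "Mon DD HH:MM:SS". Timestamps become MMDDHHMMSS keys for comparison.
log_window() {
    awk -v from="$2" -v to="$3" '
    function key(mon, day, hms,   m) {
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", mon) + 2) / 3
        gsub(":", "", hms)
        return sprintf("%02d%02d%s", m, day, hms)
    }
    function keystr(s,   p) { split(s, p, " "); return key(p[1], p[2], p[3]) }
    BEGIN { lo = keystr(from); hi = keystr(to) }
    { k = key($1, $2, $3); if (k >= lo && k <= hi) print }' "$1"
}

# Tally sshd results per source address from the lines on stdin:
# accepted logins, failed passwords and attempts against non-existent users.
# A successful login from an address that was also guessing passwords is the
# line to look at first.
ssh_summary() {
    awk '/sshd\[/ {
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        if (/Accepted/)             acc[ip]++
        else if (/Failed password/) fail[ip]++
        else if (/Invalid user/)    inval[ip]++
    }
    END {
        for (ip in acc)   print "accepted",     ip, acc[ip]
        for (ip in fail)  print "failed",       ip, fail[ip]
        for (ip in inval) print "invalid_user", ip, inval[ip]
    }'
}

# Constructed sample auth.log (addresses from the documentation ranges).
write_sample_authlog() {
    cat > "$1" <<'EOF'
Jan  5 19:58:01 srv sshd[2201]: Accepted publickey for admin from 192.0.2.10 port 51022 ssh2
Jan  5 20:14:33 srv sshd[2310]: Failed password for root from 198.51.100.7 port 40111 ssh2
Jan  5 20:14:35 srv sshd[2310]: Failed password for root from 198.51.100.7 port 40111 ssh2
Jan  5 20:15:02 srv sshd[2312]: Invalid user admin from 198.51.100.7
Jan  5 21:03:10 srv CRON[2400]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan  5 21:40:45 srv sshd[2518]: Accepted password for root from 198.51.100.7 port 40120 ssh2
Jan  6 09:00:01 srv sshd[3001]: Did not receive identification string from 203.0.113.5
EOF
}

SAMPLE=$(mktemp)
write_sample_authlog "$SAMPLE"
echo "== auth.log lines in the window =="
log_window "$SAMPLE" 'Jan  5 20:00:00' 'Jan  5 22:00:00'
echo "== sshd outcomes per source in the window =="
log_window "$SAMPLE" 'Jan  5 20:00:00' 'Jan  5 22:00:00' | ssh_summary | sort
rm -f "$SAMPLE"
```

On a real box the call is `log_window /mnt/var/log/auth.log 'Jan  5 20:00:00' 'Jan  5 22:00:00' > auth-window.txt` from the rescue system, with the window set around the time the ssh failures began; the same function works on syslog and on the rotated auth.log.1 once it is uncompressed.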

Thanks, I just sent you a cropped logfile.

It would be nice to get the problem tracked down. I have
to do some mail account settings, and don't want to
drive to the datacenter again.

regards,
melchior