2 q's: post-install & doubt about web ID

[vicboy]

Hi everyone.

Last thursday I updated some of my servers' ISPconfig from 2.2.25 to 2.2.26. It seems that everything worked fine. But one of them needed to be restarted yesterday; and when we've done that, the server stopped booting. The problem was that the file /sbin/hwclock was changed (not damaged; before it was a compiled file; and after the install we found a .sh script). We needed to replace the file again. The last modified timestamp of the "bad" file was 2th Oct at the time when I updated ISPConfig. I've looked for information in docs, but I couldn't find anything about modifying this file on FC7. Could somebody tell me if there's any reason for ISPConfig to change that? Or may I look for some kind of "attack" or other kind of problems?

The second question: I've installed ISPConfig in one of my servers in order to manage some websites; but when I created two or three of them; I wanted to use it as a backup-server; replicating via rsync the files from another server. Well, I just wanted to know if, without reinstalling, I can change the ID of the three websites I've already created in order to mantain the IDs from the server I want to backup/replicate. I mean: by now I have web1, web2 and web3. And I would like to "rename them" (and his databases) to web40, web41 and web42 (for example). Is there any way I can do it safely?

Thank you very much!

[till]

I'am pretty sure that ISPConfig did not change that as ISPConfig does not interact with the hwclock. You should check your server with e.g. rkhunter for rootkits.

To your seecond question. Renaming of the ID's will mess up the database. Better to uninstall ISPConfig by running /root/ispconfig/uninstall and then reinstall it again.

[vicboy]

Thank you very much, till. I just wanted to make sure before getting worried. By now I think I must worry about that! I'll try to look for rootkits in the server.

About the second question, that's what I thought, but I got he first question so I used the same post to try

[vicboy]

These are the results of the scan with rkhunter (as found in http://www.howtoforge.com/faq/1_38_en.html):

---------------------------- Scan results ----------------------------

MD5
MD5 compared: 0
Incorrect MD5 checksums: 0

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 0

Scanning took 40 seconds


It only told me that there's possible to login as root via SSH (ssh2; and it is necessary because the server is physically far from me; and we have denyhosts installed and look into the ssh logs regularly).

It also told me that I should watch out a file:

Scanning for hidden files... [ Warning! ]
---------------
/dev/.udev /etc/.pwd.lock
---------------
Please inspect: /dev/.udev (directory)

I0'll go on looking for what could be the problem...

Thank you again (just wanted to doc everything here for if someone needed...)

[till]

Quote:

It also told me that I should watch out a file:

Scanning for hidden files... [ Warning! ]
---------------
/dev/.udev /etc/.pwd.lock
---------------
Please inspect: /dev/.udev (directory)

If I remember correctly I have seen this warning on several systems, so I guess its a false positive.