HowtoForge Forums > Linux Forums > Installation/Configuration

#1
Old 15th September 2008, 19:58
BorderAmigos
Senior Member
Join Date: Apr 2008
Location: San Diego & Tijuana
Posts: 302

Suggestions for securing server?

On 9/11 many of the scripts in /etc/init.d/ got rewritten to zero bytes. This wasn't noticed until a reboot on the next day when so many things suddenly weren't working (no network, no external disk drive or USB connections, etc.). Luckily, copying the scripts from a Debian Live CD got the network and connections running. Then copying the rest from a backup brought the system back. So all was saved with a few hours work.

My big question is how the scripts were modified/deleted?

No work was done on the system on 9/11 so I can only think I was hacked into or some malicious script was able to run as root. Looking at the logs I can only find the usual suspects trying to insert known-hackable page names into the websites. All show as denied though.

There is a hardware firewall running in my router with port forwarding of only the ports used. I changed my passwords to something even longer and more obscure. What other suggestions do you all have for preventing this from happening again?
__________________
System6Hosting.com, ISPConfig 3, Debian.
#2
Old 16th September 2008, 18:18
chipsafts
Senior Member
Join Date: Nov 2007
Posts: 184

do you have logwatch installed ?
#3
Old 16th September 2008, 18:26
BorderAmigos
Senior Member
Join Date: Apr 2008
Location: San Diego & Tijuana
Posts: 302

No, I'll check it out. I'm really curious how someone got in if that is what happened.

Also, logs often show that there are http accesses to the var/www/localhost directory. I don't know how that is done either. By domain name should go to the /var/www/web(1,2...) and by IP should go to /var/www/sharedip.
#4
Old 16th September 2008, 18:28
falko
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701

Quote: Originally Posted by BorderAmigos
What other suggestions do you all have for preventing this from happening again?
I'd install fail2ban to block brute-force attacks.
__________________
Falko

#5
Old 16th September 2008, 20:01
ralic
Member
Join Date: Jun 2008
Posts: 69

Quote: Originally Posted by BorderAmigos
My big question is how the scripts were modified/deleted?
Setting scripts to 0 size seems to me to be unusual hacker type activity. Perhaps a rogue backup/restore script?

Also give your disks a thorough checking out. And look in /lost+found for any recovered data. Might not be a hack attempt, but could be a sign of impending disk failure.

Good luck!
#6
Old 16th September 2008, 20:20
BorderAmigos
Senior Member
Join Date: Apr 2008
Location: San Diego & Tijuana
Posts: 302

Thanks for the response. Lost+Found is empty. fsck says the disk is ok. Only certain files in one directory were affected.
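A defender's check for the symptom in this thread, added here as an example rather than code from any poster or from ISPConfig: it walks an init-script directory, reports scripts truncated to zero bytes, and compares the rest against the checksums dpkg recorded for conffiles. The function name, the "<path> <md5>" list layout and the sample files are assumptions of this example; the Conffiles section of /var/lib/dpkg/status is where Debian keeps those checksums.

```shell
#!/bin/sh
# Added example, not code from the thread or from ISPConfig. Reports init scripts
# that have been truncated to zero bytes (the symptom from the post above) and
# scripts whose contents no longer match the checksum dpkg recorded at install time.
#
# check_initd DIR LIST
#   DIR  - directory of init scripts, normally /etc/init.d
#   LIST - text file with one "<absolute path> <md5>" line per known script
#          (the layout of the Conffiles entries in /var/lib/dpkg/status)
# Prints "EMPTY <path>" or "MODIFIED <path>" per finding; returns 1 if any, else 0.
check_initd() {
    dir=${1%/}
    sums=$2
    status=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ ! -s "$f" ]; then          # zero-byte file: the damage seen in the thread
            echo "EMPTY $f"
            status=1
            continue
        fi
        expected=$(awk -v p="$f" '$1 == p { print $2 }' "$sums")
        [ -n "$expected" ] || continue  # not recorded by any package: nothing to compare
        actual=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $f"
            status=1
        fi
    done
    return "$status"
}

# Stand-alone use on a Debian host: ./check_initd.sh /etc/init.d
# Builds LIST from the Conffiles sections of dpkg's status database. Caveat: that
# database sits on the same disk, so anyone with root can rewrite it; this catches
# accidents and careless changes, not a careful rootkit. Prefer an offline copy of
# the status file (from a backup) as the reference when one exists.
if [ $# -gt 0 ]; then
    reference=$(mktemp)
    awk '/^Conffiles:/ { inc = 1; next } /^[^ ]/ { inc = 0 } inc && NF >= 2 { print $1, $2 }' \
        /var/lib/dpkg/status > "$reference"
    check_initd "$1" "$reference" && rc=0 || rc=$?
    rm -f "$reference"
    exit "$rc"
fi
```

Run it from a cron job and mail the output, or feed it to logwatch, so a truncated script is noticed before the next reboot rather than after it.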