
17th December 2010, 17:40
|
|
Member
|
|
Join Date: Nov 2005
Location: Belgium
Posts: 31
Thanks: 5
Thanked 0 Times in 0 Posts
|
|
Server and mail down, but why?
Hi,
I have a Perfect Setup Debian 5 ISPConfig 2 server that was running for a little over a year, but over the last couple of days I have seen some strange behaviour like spontaneous blackouts etc. Nothing seems to be wrong then, but I cannot access the server via SSH or whatever, so I end up restarting.
This morning, from checking the email at 9 or so, I found out that the mail server was not responding, and on further looking the sites were also out ... (again), so I thought that, like before, with a quick reset the thing should be up and running again... Yeah right.
I have already spent all day figuring out what is wrong, reading various error messages that I found in mail.warn etc., but now I found in the Apache error log a reference that I can lead back to the system hangups...
But the question is what is causing it, so my question is whether any of you guys can make anything from these log files. Am I under attack of some kind or what...
Let me know please, cuz I am not receiving my mail either...
Thanks ia
Etienne
|

17th December 2010, 19:48
|
|
Super Moderator
|
|
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,894
Thanks: 693
Thanked 4,189 Times in 3,206 Posts
|
|
The lines in the log are attacks. Please check your server with rkhunter. Also make sure that you have all Linux updates installed.
|

17th December 2010, 22:33
|
|
Member
|
|
Join Date: Nov 2005
Location: Belgium
Posts: 31
Thanks: 5
Thanked 0 Times in 0 Posts
|
|
Wonderful, I was already afraid of that, but the next question is what to do. I scanned with CHKROOT and RKHUNTER without any compromises on the site and have most updates in place, I just don't know if I have the latest update for ISPConfig.
But what is the best way to get back in the saddle? At the moment I cannot connect to the site, neither remote nor local, and I would like to get it up again... without blue pill.
Any suggestions besides reinstalling a Perfect Setup again?
Thanks in advance,
Etienne
|

18th December 2010, 14:05
|
|
Super Moderator
|
|
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,665
Thanks: 1,896
Thanked 2,592 Times in 2,443 Posts
|
|
Any errors in your mail log?
What's the output of ? Did you check your system load with ?
|

21st December 2010, 10:35
|
|
Member
|
|
Join Date: Nov 2005
Location: Belgium
Posts: 31
Thanks: 5
Thanked 0 Times in 0 Posts
|
|
The output of Netstat -tap is:
Code:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:51813 *:* LISTEN 1666/rpc.statd
tcp 0 0 *:mysql *:* LISTEN 1968/mysqld
tcp 0 0 *:sunrpc *:* LISTEN 1655/portmap
tcp 0 0 *:81 *:* LISTEN 2294/ispconfig_http
tcp 0 0 server.web-world:domain *:* LISTEN 2631/named
tcp 0 0 localhost:domain *:* LISTEN 2631/named
tcp 0 0 *:ssh *:* LISTEN 1890/sshd
tcp 0 0 *:smtp *:* LISTEN 24569/master
tcp 0 0 localhost:953 *:* LISTEN 2631/named
tcp 0 0 server.web-worlds.c:ssh 192.168.123.9:1410 ESTABLISHED 17996/0
tcp 0 0 localhost:36556 localhost:www TIME_WAIT -
tcp6 0 0 [::]:imaps [::]:* LISTEN 2059/couriertcpd
tcp6 0 0 [::]:pop3s [::]:* LISTEN 2077/couriertcpd
tcp6 0 0 [::]:pop3 [::]:* LISTEN 2065/couriertcpd
tcp6 0 0 [::]:imap2 [::]:* LISTEN 2047/couriertcpd
tcp6 0 0 [::]:www [::]:* LISTEN 3628/apache2
tcp6 0 0 [::]:ftp [::]:* LISTEN 24404/proftpd: (acc
tcp6 0 0 [::]:ssh [::]:* LISTEN 1890/sshd
tcp6 0 0 [::]:smtp [::]:* LISTEN 24569/master
tcp6 0 0 localhost:953 [::]:* LISTEN 2631/named
tcp6 0 0 [::]:https [::]:* LISTEN 3628/apache2
And what am I supposed to look at with top?
Thanks,
Etienne
|
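Added example (not part of the thread and not ISPConfig code): a small shell filter that reduces netstat -tap output like the listing above to the TCP listeners bound to every interface, then singles out the daemons worth reviewing. The sample lines are copied from the post; the function names and the review list are assumptions of this example.

```shell
#!/bin/sh
# Subset of the netstat -tap lines quoted in the post above.
sample_netstat() {
cat <<'EOF'
tcp 0 0 *:51813 *:* LISTEN 1666/rpc.statd
tcp 0 0 *:mysql *:* LISTEN 1968/mysqld
tcp 0 0 *:sunrpc *:* LISTEN 1655/portmap
tcp 0 0 *:81 *:* LISTEN 2294/ispconfig_http
tcp 0 0 localhost:domain *:* LISTEN 2631/named
tcp 0 0 *:ssh *:* LISTEN 1890/sshd
tcp 0 0 server.web-worlds.c:ssh 192.168.123.9:1410 ESTABLISHED 17996/0
tcp6 0 0 [::]:www [::]:* LISTEN 3628/apache2
tcp6 0 0 [::]:ftp [::]:* LISTEN 24404/proftpd: (acc
tcp6 0 0 [::]:ssh [::]:* LISTEN 1890/sshd
EOF
}

# Print "port program" once for every TCP listener bound to a wildcard
# address (*, 0.0.0.0, [::] or ::), i.e. reachable on every interface.
# Works on both named (netstat -tap) and numeric (netstat -tapn) output.
exposed_listeners() {
    awk '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, part, ":")          # port is the text after the last colon
        port = part[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        if (host != "*" && host != "0.0.0.0" && host != "[::]" && host != "::") next
        prog = $7
        sub(/^[0-9]+\//, "", prog)        # drop the "PID/" prefix
        sub(/:$/, "", prog)               # "proftpd:" -> "proftpd"
        if (!((port, prog) in seen)) { seen[port, prog] = 1; print port, prog }
    }'
}

# From those, keep the daemons that rarely need to face the Internet.
# The program list is an assumption for a web/mail host; adjust per site.
review_listeners() {
    exposed_listeners | grep -E ' (mysqld|portmap|rpc\.statd)$'
}

sample_netstat | exposed_listeners
echo "--- bound to all interfaces, review whether this is needed ---"
sample_netstat | review_listeners
```

On a live host, pipe the real output in instead of the sample: netstat -tap | exposed_listeners.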

21st December 2010, 17:05
|
|
Member
|
|
Join Date: Nov 2005
Location: Belgium
Posts: 31
Thanks: 5
Thanked 0 Times in 0 Posts
|
|
Funny, if I read through the last couple of postings here, it almost looks like the ISPConfig was compromised, I cannot find any other type of way... no bash files, no logs of people entering the site. Maybe I am wrong, but it looks like there is a security bug in ISPConfig 2, so maybe it is time to move on to ISPConfig 3.0 and hope this is safer.
|

22nd December 2010, 14:57
|
|
Super Moderator
|
|
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,665
Thanks: 1,896
Thanked 2,592 Times in 2,443 Posts
|
|
Quote:
Originally Posted by Etienne
Funny, if I read through the last couple of postings here, it almost looks like the ISPConfig was compromised, I cannot find any other type of way... no bash files, no logs of people entering the site. Maybe I am wrong, but it looks like there is a security bug in ISPConfig 2, so maybe it is time to move on to ISPConfig 3.0 and hope this is safer.
|
There's no known security bug in ISPConfig 2.
Your mail, POP3, and IMAP daemons seem to be running. Are there any errors in the mail log?
|
All times are GMT +2. The time now is 13:23.