Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have a server that has been hacked. I don't trust that the backups aren't compromised. mysql won't start and I'm in the middle of migrating off of a server with one failed drive in a RAID 1 setup. If I try creating a TAR of the web site databases the server load skyrockets to 500+. I don't program in BASH.
I am looking for an example that will create a for/next loop of directories of files whose names are not known and add them one at a time to a TAR. I know had to append to a TAR just not how to for/next or for i in x whatever. I'd like to add a sleep variable so that the server load stays low. What a headache this is.
If tar is indeed the cause of the server load, you will see it when running top or ps.
If an existing tar process is causing the load, then you can use renice to adjust its priority. Or for new processes, you can launch it with nice to cap it from the beginning.
Thank you but TAR isn't the reason for the load.As I wrote drive 0 in the RAID has failed and I'm petrified to power down and replace it then rebuild. I am trying to get files off for customers before going that route.
I have attempted to build a TAR and the server load skyrockets because of the RAID issue. That's why I'd like a script idea so that I may add 1 file at a time to a TAR with a sleep variable so that the server doesn't get overloaded.
Ok if nice and renice don't work for you on the process causing the load, there are several ways. Here's one that appends to a tar archive using the r option:
Code:
while read f;
do
tar rf /another/path/foo.tar "$f";
echo "$f";
sleep 1;
done < <( find /some/path/to/a/directory/ -type f -print );
bzip2 /another/path/foo.tar
Note that you can't compress using this method until all the files are collected into the archive.
Edit: if you want symlinks or other weird things, you'll need to modify the expression for find
Last edited by Turbocapitalist; 05-24-2017 at 09:00 PM.
If I try creating a TAR of the web site databases the server load skyrockets to 500+. I don't program in BASH.
1. What is the database you're wanting to tar/backup?
2. Why do you not trust your backups of the database? How do you think the DB might be corrupted?
You have read through man tar, yes? I'm not familiar with tar, except for extracting, but if you show what you'd do manually to add files to a tarball, I'm sure someone here would help with the bash scripting required.
[I hate it when crises force rapid learning. Hang in there. Good Luck!)
Since the server was hacked we don't know when and can't trust the backups. We may have backed up the hack. Mysql is broken. It is being used to send spam.
Ok if nice and renice don't work for you on the process causing the load, there are several ways. Here's one that appends to a tar archive using the r option:
Code:
while read f;
do
tar rf /another/path/foo.tar "$f";
echo "$f";
sleep 1;
done < <( find /some/path/to/a/directory/ -type f -print );
bzip2 /another/path/foo.tar
Note that you can't compress using this method until all the files are collected into the archive.
Edit: if you want symlinks or other weird things, you'll need to modify the expression for find
Wow. I sure didn't expect you to write it for me but WOW. Thank you. It looks like what I need. I'm not sure that I know how to deal with the symlinks. I found thousands of spam files in /etc/rc.d/init.d that I can delete manually. They appear also in /etc/rc.d and rc0, etc. as symlinks. Trying to use the
Code:
find . -type f -size 315b -delete
but it refused to let me delete them. They are all 315 bytes and 323.
Everything is being moved to a new server but I am manually saving files outside of the OS directories (those in /var/www/html)
Since the server was hacked we don't know when and can't trust the backups. We may have backed up the hack. Mysql is broken. It is being used to send spam.
Aha! mysql!
If you can't trust the backups, how does taking a tar of the mysql files help? Wouldn't that just be another backup of the hack?
Maybe:
1. Kill mysql to prevent the spamming and/or take the server off the 'net
2. Tell us about what's happening...*how* is mysql sending spam (not sure a database can do that without a script/program running against it -- find and kill the script/program?)
2a. Is the spam being sent with your mail server, or with something like php_mail? Kill the thing that's sending the email to gain time and stop the bleeding.
Yeah, the server is toast. It'll have to be reformatted. Hopefully you have an idea how they cracked it so that the new system can be configured to prevent a recurrence.
Quote:
Originally Posted by krazybob
Trying to use the
Code:
find . -type f -size 315b -delete
but it refused to let me delete them. They are all 315 bytes and 323.
You'll want c instead of b for bytes instead of blocks. See the manual page for find.
...but still need to stop them first, or kill the processes they're running, first, IMO
I'd look inside the target of the symlink to be sure what it does and how it behaves and what it launches. I wouldn't trust it enough to run it so I'd say to use kill or pkill to zap what those scripts launched.
[we all be working this at the same time...cross posting...patience]
post the contents of one of those bogus init files?
Might you be able to
Code:
/etc/init.d/lzzxdbjnsk stop
?? THEN remove it.
Don't think removing the init.d file will have any effect on the process it's running...
OK. I can't reply to everyone or I will make it look messy. The files cover a-z and reside in /etc/rc.d/init.d AND in /etc/init.d. They are in /etc/rc.d/rc0..., rc1... etc as symlinks.
The server is toast. Mysql itself - the executable - has been compromised. It won't start and mysql.sock isn't created. I trust that the database files *might* be clean but not mysql itself. I am going to try and reinstall mysql from the rpm's but it seems better to save the user web site content, their mysql databases that are quote small, and I can even save their mail. Once the new server is online I can extract the tars after adding the domains back and they will run fine. Its an old trick that works.
But when it comes to symlinks I'll admit that I am an amateur. And yes, I am fighting a fire.
This is a Virtuozzo server with THREE containers compromised. Each has a small installation of Plesk on-board.
How to I remove the symlink from sendmail to stop using the "alternative MTA"? They are sending and trying to stay under the radar by not maxing out my 100Mbps connection. Some do and I lose control for a bit. We have an external fire wall appliance with good bandwidth but it cannot keep up. We're on a 10Mpbs circuit burstable to 100Mbps and I don't think they put us on a 1Gbps port. So... when we max out bandwidth we're crippled. I installed a telephone rebooter device on the firewall and that usually gets me back in. We have KVM/IP's and APC Power Switches -- that cannot be reached. I didn't set the Cisco switches up to manually turn off a port. I could have but as a rookie I didn't think it important. Plus I didn't have the password. I could have Googled it but didn't. I installed 25 servers, wired in a public IP switch and a private 192.168.x.x for back haul. It cannot be reached either.
I am a non-profit employee. I don't get paid much for this work. We used to have an actual Admin but he took a real job. As a programmer I volunteered and began learning Linux as fast as I could. But with no one to show me the ropes it is kind people such as yourself that help.
Here is the code inside each file of 315 bytes to 323 bytes. I don't see the obvious difference in file size.
Code:
-bash-3.2 clss03 # cat adsosqsdxj
#!/bin/sh
# chkconfig: 12345 90 90
# description: adsosqsdxj
### BEGIN INIT INFO
# Provides: adsosqsdxj
# Required-Start:
# Required-Stop:
# Default-Start: 1 2 3 4 5
# Default-Stop:
# Short-Description: adsosqsdxj
### END INIT INFO
case $1 in
start)
/usr/bin/adsosqsdxj
;;
stop)
;;
*)
/usr/bin/adsosqsdxj
;;
esac
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
