Old 03-23-2004, 06:27 PM   #1
emperorjordan
ssh and webmin strangely died, but apache works


i have my server on a T1 line at a school, and it has been running since feb 27th, hosting a phpnuke website and a 16 slot battlefield:vietnam server. i have been administrating it via ssh and occasionally webmin. it has been running fine.

today, a friend called me and said he couldn't connect to the BFV server, so i tried to connect via ssh to see what was up. but ssh timed out while trying to connect (using putty, and windows xp). i tried the same thing with my laptop (mandrake 9.2) and same thing. so then i tried to connect to webmin, but IE and mozilla timed out while trying to connect. the strange thing is that the website (apache 1.3) is still working and i can still connect via ftp (proftp). i went to the school and restarted the machine, but still the same story. any thoughts?

Last edited by emperorjordan; 03-23-2004 at 10:07 PM.
 
Old 03-24-2004, 10:11 AM   #2
emperorjordan
and also, there is no firewall.

somebody HELP!!
 
Old 03-24-2004, 12:38 PM   #3
Hangdog42
You are really going to have to sit in front of that computer and dig out some details. You say that ssh isn't answering. Well, is sshd even running? Are there any log entries that would help? Since this is connected to a school T1 and doesn't have a firewall, have you considered the possibility that you've been hacked? Can you tell us who has logged in and when?

If you want help, you are going to have to provide more detail than you have.
 
Old 03-24-2004, 01:03 PM   #4
emperorjordan
thanks for responding,

yes of course sshd was running, just suddenly ssh, webmin, and the BFV servers stopped, but apache and proftp were still running, but now this morning nothing is running.

and where are these logs you are talking about? where can i find them and which ones would be helpful?

right now getting hacked sounds like what's happening, cuz none of this makes sense. and if i did get hacked, what can i do to prevent this? put a software firewall on the machine?

thanks.
 
Old 03-24-2004, 01:38 PM   #5
Hangdog42
The logs are usually found in /var/log and the more important ones tend to be syslog and messages.


Quote:
right now getting hacked sounds like what's happening, cuz none of this makes sense. and if i did get hacked, what can i do to prevent this? put a software firewall on the machine?
If that is indeed what has happened, the only thing to do at this point is unplug the machine from the network and start reading in the security forum on how to determine if you have been hacked or not. Do not put the machine back on the network until you have determined if you have been hacked or not. Just having daemons shut down isn't necessarily evidence of being hacked. It could be that you have a memory leak in one of the programs and processes are being shut down as the machine runs out of memory. That sort of information would be in the logs. However, the log files may not be trustworthy if you have been hacked since they are frequently altered to cover up the intrusion. I'd look to see who has logged in recently and if there are any users that you didn't create. Am I right in assuming that you weren't running an IDS like Snort or a file integrity checker like Aide or Tripwire?


Again, head over to the security forum and start reading. Putting a completely unsecured machine on a public network is not a good idea and could really land YOU in hot water.
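
The checks named in the post above (out-of-memory kills in the logs, who has logged in, accounts the admin did not create), sketched as an added example that is not part of the original thread. The log format, file names, account list and sample data are constructed assumptions; on a suspect machine, run such checks against copies of the files, since the post notes the originals may have been altered.

```shell
#!/bin/sh
# Processes the kernel OOM killer shut down (the "out of memory" explanation).
oom_killed() {
    grep -i 'out of memory: kill' "$1" | sed -n 's/.*(\([^)]*\)).*/\1/p' | sort -u
}

# Successful SSH logins as unique "user source-ip" pairs.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i < NF; i++) {
            if ($i == "for")  user = $(i + 1)
            if ($i == "from") ip   = $(i + 1)
        }
        print user, ip
    }' "$1" | sort -u
}

# Non-root UID 0 accounts, and accounts with a login shell that are not on the
# admin's own list ($2, space-separated; the list is an assumption of this example).
suspect_accounts() {
    awk -F: -v known="$2" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        $3 == 0 && $1 != "root"                 { print $1 ": uid 0"; next }
        $7 !~ /(nologin|false)$/ && !($1 in ok) { print $1 ": unlisted login account" }
    ' "$1"
}

# Constructed sample data (not taken from the thread), written into directory $1.
write_samples() {
    cat > "$1/messages" <<'EOF'
Mar 22 03:14:07 srv sshd[2291]: Accepted password for jordan from 192.0.2.10 port 40112 ssh2
Mar 23 01:52:40 srv sshd[3017]: Failed password for root from 203.0.113.77 port 51234 ssh2
Mar 23 01:53:02 srv sshd[3021]: Accepted password for games from 203.0.113.77 port 51240 ssh2
Mar 23 14:02:11 srv kernel: Out of Memory: Killed process 812 (sshd).
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
jordan:x:501:501::/home/jordan:/bin/bash
games:x:12:100:games:/usr/games:/bin/bash
toor:x:0:0::/root:/bin/sh
EOF
}

d=$(mktemp -d) && write_samples "$d"
oom_killed "$d/messages"
accepted_logins "$d/messages"
suspect_accounts "$d/passwd" "root jordan"
rm -rf "$d"
```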
 
Old 03-24-2004, 06:17 PM   #6
emperorjordan
server was hacked, and taken over to host some gambling or UT serv, and the school shut it down........

thanks guys, now i just gotta read up on security.
 
  

