Linux - Security This forum is for all security related questions.
01-08-2007, 09:11 AM | #1 | Member | Registered: Aug 2004 | Distribution: Fedora core 4 | Posts: 55
Not sure if I have a hacker or hardware problem
My web server keeps going down. I reboot it and then it may work for 5 mins, then it's down again.
I thought it may be a hacker, so I closed all ports except to my IP address, but it keeps going down: first Apache, then soon after I can't get access to root.
I have read in other forums to disable root login via SSH; will this stop myself from logging in?
Can anyone make any suggestions on how to track down the error?
Any help would be greatly appreciated.
01-08-2007, 10:22 AM | #2 | Member | Registered: Sep 2006 | Location: Silesia | Distribution: Debian GNU/Linux 4.0, ArchLinux, OpenBSD | Posts: 190
It can be a hardware problem. But you should disable login as root by ssh. Log in as a normal user, then do su - to become root.
If it is going down normally (it shuts down all the daemons, and the system), then it is rather some hacker problem. I suggest changing your root password more often and making it quite long.
Last edited by avallach; 01-08-2007 at 10:23 AM.
01-08-2007, 10:30 AM | #3 | Moderator | Registered: May 2001 | Posts: 29,415
First of all, fill in your user info like distro and such so we know what you're talking about.
Quote:
I have read in other forums to disable root login via SSH; will this stop myself from logging in?
Next, add an unprivileged account with which you can log in through ssh (use a passphrase, not a password) and with which you can su/sudo to root.
Quote:
My web server keeps going down. I reboot it and then it may work for 5 mins, then it's down again.
And crackers usually don't crave attention. So (w/o "evidence") I'd say it should classify as a hardware / process checker / watchdog problem and not as a breach of security. Anyway.
When did this behaviour start occurring?
What changes were made leading up to the first occurrence?
What does syslog say?
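The advice in posts #2 and #3 (no root login over ssh, an unprivileged account with a passphrase-protected key, su/sudo for root) is easy to misverify because sshd keeps the first value of a repeated keyword, not the last. The following added example (mine, not from the thread) checks a sshd_config with those rules; the config contents and the "webadmin" account are constructed for the example.

```shell
#!/bin/sh
# Constructed sshd_config for this example (not from any real host);
# the account name "webadmin" is made up.
SSHD_CONF_SAMPLE='# Authentication settings
#PermitRootLogin yes
Protocol 2
PasswordAuthentication no
PermitRootLogin no
AllowUsers webadmin
PermitRootLogin yes   # later duplicate: sshd keeps the FIRST value, so this is ignored
'

# sshd_effective_value FILE KEYWORD
#   Print the value sshd would use for KEYWORD ("keyword argument" lines only).
#   Keywords are case-insensitive, "#" starts a comment, the first occurrence
#   of a repeated keyword wins, and everything after a Match line is conditional,
#   so the scan stops there. Prints nothing when the keyword is unset (sshd then
#   uses its compiled-in default, which differs between versions).
sshd_effective_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        { sub(/#.*/, "") }
        tolower($1) == "match"        { exit }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# sshd_login_checks FILE
#   Apply the two recommendations from the thread: no root login over ssh and
#   no password authentication (keys with a passphrase instead). Returns 0 only
#   when both are explicitly "no".
sshd_login_checks() {
    rc=0
    for kw in PermitRootLogin PasswordAuthentication; do
        v=$(sshd_effective_value "$1" "$kw")
        case "$v" in
            no) echo "ok:   $kw no" ;;
            "") echo "WARN: $kw not set; compiled-in default applies"; rc=1 ;;
            *)  echo "WARN: $kw is '$v'"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Run against the constructed sample when executed directly.
conf=$(mktemp) && printf '%s' "$SSHD_CONF_SAMPLE" > "$conf"
sshd_login_checks "$conf"
rm -f "$conf"
```

Point it at the real /etc/ssh/sshd_config after editing, and remember sshd only re-reads the file on restart or reload.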
01-08-2007, 11:55 AM | #4 | Member | Registered: Aug 2004 | Distribution: Fedora core 4 | Posts: 55 | Original Poster
Thanks for the advice. It completely stopped working now; can't connect via ssh or via a serial console. There are still a few things I need to extract from the server, so I have to mount the drive in rescue mode.
I entered the following command:
mount /dev/hda1 /mnt
and it says it is not a valid block device.
Could this be an indication that the hard drive has gone?
I will update my info now.
I'm using Fedora Core 4.
01-08-2007, 02:21 PM | #5 | Moderator | Registered: May 2001 | Posts: 29,415
Quote:
mount /dev/hda1 /mnt
and it says it is not a valid block device.
Could this be an indication that the hard drive has gone?
If /dev/hda1 is meant to be a partition on the HD then I'd run a fsck on the partitions.
01-08-2007, 04:36 PM | #6 | Member | Registered: Aug 2004 | Distribution: Fedora core 4 | Posts: 55 | Original Poster
Thanks
I did, and that didn't work. I think there was a hardware fault, as when I put in a request to re-image it basically didn't work and is unreachable.
Could you point me in the right direction for more info on su - to become root?
01-10-2007, 08:46 AM | #7 | Member | Registered: Aug 2004 | Distribution: Fedora core 4 | Posts: 55 | Original Poster
This issue just seems to get more confusing as time goes by. I ordered a new server, fearing that the old one was developing a hardware fault.
I copied/migrated half of the domains, although I had not changed the DNS yet, and the new server was displaying the characteristics of the old one.
Is it possible I have a malicious program in one of my web directories and have copied it over?
Or does anybody have any suggestions as to what it may be?
Thanks
01-10-2007, 10:17 AM | #8 | Moderator | Registered: May 2001 | Posts: 29,415
You haven't even started to answer the questions in post #2 and #3.
01-10-2007, 11:12 AM | #9 | Member | Registered: Aug 2004 | Distribution: Fedora core 4 | Posts: 55 | Original Poster
Sorry!
The behaviour started two days ago, and I have not made significant changes to the machine, just updated info on a couple of websites.
I have checked the access_log and cannot see anything suspicious, although I'm not 100% sure of what to look for. Are there any other logs I should check?
The original server that had the problem seems OK now, but the new server (which the domain has been transferred to) is repeating the problems: the server hangs up at different times. (I migrated the server using the Plesk migration tool.)
I have performed a rootkit search and nothing was detected.
Any advice would be greatly appreciated.
Last edited by Roosta21; 01-10-2007 at 11:13 AM.
01-10-2007, 03:25 PM | #10 | Moderator | Registered: May 2001 | Posts: 29,415
First thing I'd do is stop all daemons that are publicly accessible (related to serving content and such) and keep those you need for accessing the box (SSH). Then look at *all* the logs. This:
Code:
# files under /var that some process holds open for writing (pattern quoted so the shell cannot glob it)
/usr/sbin/lsof -w -n +D /var | grep '[0-9]w' | awk '{print $NF}' | while read -r f; do [ -f "${f}" ] && echo "${f}"; done | sort -u
should show which ones are open for writing; any missing ones you get from reading /etc/syslog.conf.
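The "any missing you get from reading /etc/syslog.conf" step above can be scripted. The following added example (mine, not from the thread) extracts the file destinations from a sysklogd-style syslog.conf and lists those absent from a list of files currently open for writing, such as the lsof pipeline's output; the config and the open-file list are constructed for the example.

```shell
#!/bin/sh
# Constructed sysklogd-style syslog.conf (the layout Fedora Core 4 used);
# hosts and paths are made up for this example.
SYSLOG_CONF_SAMPLE='# Log all kernel messages to the console.
#kern.*                                   /dev/console
*.info;mail.none;authpriv.none;cron.none  /var/log/messages
authpriv.*                                /var/log/secure
mail.*                                    -/var/log/maillog
cron.*                                    /var/log/cron
*.emerg                                   *
uucp,news.crit                            /var/log/spooler
local7.*                                  /var/log/boot.log
*.*                                       @loghost
local5.*                                  |/var/run/syslog-fifo
'

# syslog_log_files CONF
#   Print every regular file a syslog.conf sends messages to, one per line:
#   comments and blank lines are dropped, the action is the last field, a
#   leading "-" (sync off) is stripped, and non-file actions are skipped
#   (console "*", remote "@host", named pipes "|...", user lists, /dev nodes).
syslog_log_files() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
    awk '{ a = $NF; sub(/^-/, "", a); if (a ~ /^\// && a !~ /^\/dev\//) print a }' |
    sort -u
}

# syslog_files_not_open OPEN_LIST CONF
#   OPEN_LIST holds the paths some process currently has open for writing
#   (what the lsof pipeline in the post produces). Prints the configured log
#   files missing from it: a log nothing writes to is the gap to look at first.
syslog_files_not_open() {
    syslog_log_files "$2" |
    awk -v open="$1" 'BEGIN { while ((getline l < open) > 0) seen[l] = 1 }
                      !($0 in seen)'
}

# Demonstration on the constructed sample with a constructed "open" list.
conf=$(mktemp) && printf '%s' "$SYSLOG_CONF_SAMPLE" > "$conf"
open=$(mktemp) && printf '/var/log/messages\n/var/log/secure\n/var/log/maillog\n' > "$open"
echo "configured log files:";    syslog_log_files "$conf"
echo "configured but not open:"; syslog_files_not_open "$open" "$conf"
rm -f "$conf" "$open"
```

On a live box, save the lsof pipeline's output to a file and pass it as OPEN_LIST together with the real /etc/syslog.conf.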