LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 01-08-2007, 09:11 AM   #1
Roosta21
Member
 
Registered: Aug 2004
Distribution: Fedora core 4
Posts: 55

Rep: Reputation: 15
Not sure if I have hacker or hardware problem


My web server keeps going down I reboot it and then it may work for 5 mins then it down again.

I thought it may be a hacker I closed all port except to my Ip address, but it keeps going down, first the apache soon after I can't get access to root.

I have read in other forums disable root login via SSH, will this stop myself form logging in..

Can anyone make any sugestions on how to track down the error?

A help would be greatly appreciated
 
Old 01-08-2007, 10:22 AM   #2
avallach
Member
 
Registered: Sep 2006
Location: Silesia
Distribution: Debian GNU/Linux 4.0, ArchLinux, OpenBSD
Posts: 190
Blog Entries: 2

Rep: Reputation: 31
It can be a hardware problem. But you should disable login as root by ssh. Login as normal user then do su - to become root.

If it is going down normally (it shuts down all the deamons, and the system), then it is rather some hacker problem. I suggest to change more often your root password and make it quite long.

Last edited by avallach; 01-08-2007 at 10:23 AM.
 
Old 01-08-2007, 10:30 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
First of all fill in your user info like distro and such so we know what you're talking about.


I have read in other forums disable root login via SSH, will this stop myself form logging in..
Next add an unprivileged account with which you can log in through ssh (use a passphrase not a password) and with which you can su/sudo to root.


My web server keeps going down I reboot it and then it may work for 5 mins then it down again.
And crackers usually don't crave attention. So (w/o "evidence") I'd say it should classify as a hardware / process checker / watchdog problem and not as a breach of security. Anyway.
When did this behaviour start ocurring?
What changes where made leading up to the first ocurrance?
What does syslog say?
 
Old 01-08-2007, 11:55 AM   #4
Roosta21
Member
 
Registered: Aug 2004
Distribution: Fedora core 4
Posts: 55

Original Poster
Rep: Reputation: 15
Thanks for the advice, it completly stopped working now.. cant't connect via ssh or via a serial consol, still a few thing I need to extract for the the server.. I have to mount drive in rescue mode..

I inputed the following command

mount /dev/hda1 /mnt

and is not a valid block device

could this be an indication that the Hard drive has gone?


i will update my info now

im using fedora core 4
 
Old 01-08-2007, 02:21 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
mount /dev/hda1 /mnt
and is not a valid block device
could this be an indication that the Hard drive has gone?

If /dev/hda1 is meant to be a partition on the HD then I'd run a fsck on the partitions.
 
Old 01-08-2007, 04:36 PM   #6
Roosta21
Member
 
Registered: Aug 2004
Distribution: Fedora core 4
Posts: 55

Original Poster
Rep: Reputation: 15
Thanks

I did and that didn't work.. I think there was a hadware fault as when I put in a request to re-image basically it didn;t work and is unreachable

Could you point me in the right direction for more info su - to become root..
 
Old 01-10-2007, 08:46 AM   #7
Roosta21
Member
 
Registered: Aug 2004
Distribution: Fedora core 4
Posts: 55

Original Poster
Rep: Reputation: 15
This issue just seems to get more confusing as time goes by.. I ordered a new server fearing that the old one was develpoing a hardware fault..

I copied/migrate half of the domians although I had not changed the dns yet.. and the new server was displaying caracteristic of the old one.

Is it possible I have a malicous program in one of my web directories an have copied it over..

Or anybody with any suggetions of what it may be?

Thanks
 
Old 01-10-2007, 10:17 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
You haven't even started to answer the questions in post #2 and #3.
 
Old 01-10-2007, 11:12 AM   #9
Roosta21
Member
 
Registered: Aug 2004
Distribution: Fedora core 4
Posts: 55

Original Poster
Rep: Reputation: 15
Sorry!

The behaviour started two days ago & have not made significant changes to the machine just updated info on a couple of websites..

I have checked the access_log and cannot see anything suspicious although i'm not 100% sure of what to look for...are there any other logs I should check

The orginal server that had the problem seems ok now but the new server (which domain has been tranfered to) is repeating the problems server hangs up at different times.. (I migrated the serve using plesk migration tool.

I have perform a root kit search and nothing was detected..

any advice would be greatly appreciated

Last edited by Roosta21; 01-10-2007 at 11:13 AM.
 
Old 01-10-2007, 03:25 PM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
First thing I'd do is stop all daemons that are publicly accessable (related to serving content and such) and keep those you need for accessing the box (SSH). Then look at *all* the logs. This:
Code:
/usr/sbin/lsof -w -n +D /var|grep [0-9]w | awk '{print $NF}' | while read f; do [ -f "${f}" ] && echo "${f}"; done | sort | uniq
should show which ones are opened for writing, any missing you get from reading /etc/syslog.conf.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Could it be a hacker? Madone_SL_5.5 Linux - Server 19 12-15-2006 10:31 AM
internet hardware causing problem with sound hardware anindyanuri Linux - Networking 0 02-07-2006 08:50 AM
bots maybe a possible hacker?? nepcw Linux - Security 3 10-04-2004 05:41 AM
hacker attack? firestomper41 Mandriva 8 05-09-2004 04:35 PM
Hacker Forums Volcom Slackware 1 05-26-2003 05:18 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 08:23 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration