Koozali.org: home of the SME Server

Legacy Forums => General Discussion (Legacy) => Topic started by: ADG on December 18, 2004, 06:49:05 AM

Title: Bad to worse
Post by: ADG on December 18, 2004, 06:49:05 AM

Well .. can things get any worse?  I ran rkhunter and it found nothing so I can't tell how they got into the machine.  It was definitely someone because they changed stuff and deleted stuff .. but without logs and anything else there is nothing I can do to find out what happened.

So I "upgraded" e-smith and now it doesn't work at all :(  ... all my data is on the hard drive, and there has been about 1000 changes to the database since the last good backup (lost the last backup withe everything else).

It is now just scrolling Error 0x01  if anyone knows that that means ???

Title: Sure, they could get worse.
Post by: MSmith on December 19, 2004, 03:43:29 AM

Your hard drive could physically fail.  Until then, why not use Knoppix to pull your data files from the server, reformat & reinstall?

Title: Bad to worse
Post by: ADG on December 19, 2004, 04:57:12 AM

I don't think it's physically failed, but you certainly can't boot from it.

Title: Bad to worse
Post by: Damian on December 21, 2004, 12:03:03 AM

Didn't catch the earlier parts of this post so just jumping in here ...

The 0x01 errors could be your boot area not set correctly. If you can get hold of a RedHat 7.X CD iso from the web and burn the CD (or if you already have one), then boot it on your SME server and start in system recovery mode, you should be able to chroot to the SME disk and reinstall the lilo boot area from there.

Also if your data is important to you (I would imagine that it is) then get hold of two identical drives and do the SME install using disk mirroring. We never build an SME box without it.

If you need more help then post.

Damian

Title: Re: Bad to worse
Post by: CharlieBrady on December 22, 2004, 04:47:52 AM

Quote from: "ADG"

Well .. can things get any worse?  I ran rkhunter and it found nothing so I can't tell how they got into the machine.  It was definitely someone because they changed stuff and deleted stuff .. but without logs and anything else there is nothing I can do to find out what happened.

By far the most likely cause is due to an insecure PHP application. Did you have any php appliations installed?

Title: Bad to worse
Post by: ADG on December 23, 2004, 10:55:35 AM

Thanks .. all good advice ..

Think I only have phpBB2 and the sitestats program installed...

Title: Bad to worse
Post by: CharlieBrady on January 03, 2005, 05:59:33 AM

Quote from: "ADG"

Think I only have phpBB2 ...

Chances are that's what the problem was.

Title: Bad to worse
Post by: raem on January 04, 2005, 01:50:31 AM

ADG

> ..... I only have phpBB2 and ....

phpBB had a major security vulnerability which in conjunction with a php vulnerability allowed hackers to get root control.
See
http://www.phpbb.com/phpBB/viewtopic.php?t=241300&postdays=0&postorder=asc&start=0

and
http://www.phpbbstyles.com/viewtopic.php?t=1903

and
http://forums.contribs.org/index.php?topic=25275.0

You would be best to rebuild your server from scratch and then copy the databases over (if you really must) and the user data etc.