Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: ergozd on April 24, 2006, 09:00:07 PM
-
Hi everyone!
Strangest thing happened and I really hope I can salvage some data.
I've had my Compaq 3000 (SmartArray 3200 with RAID5) running for over 3 years now and everything was running just fine. Lately I've had plans of upgrading everything to a ML530.
Anyway, last week it stopped responding; on the console, svc was complaining about not being able to write logs to a file.
I tried to stop it with Ctrl-C and Ctrl-Z and tried to log in for 15-20 mins, but messages kept coming. I tried Ctrl-Alt-Del to boot the server; that didn't work either.
I then hard-booted the server and got a kernel panic.
Kernel panic no init found Try passing init=
I tried a few things to see if I have any files left
1- RedHat 7.3 Rescue mode - It says there are no Linux partitions so it quits. When I check
# fdisk /dev/ida/c0d0
I see 3 Linux partitions (boot, swap and root-partition)
Found some info about cpqarray on the page
http://www.isg.rhul.ac.uk/~nessim/technical/rh7.3_on_proliant_1500.html
2- I tried with Knoppix 3.3 and 4.02; I can mount the boot-partition but there are almost no files in the partition.
3- I started server with SmartStart 5.0 and it looks like both array-card and battery are OK.
Does anyone have any suggestions? Appreciate any help.
-
I found these in my firewall logs; it looks like the server was hacked. Does anyone have a clue?
192.168.XXX.YYY - - [20/Apr/2006:17:57:53 +0200] "GET http://81.58.26.26/libsh/ping.txt HTTP/1.1" 200 358
192.168.XXX.YYY - - [20/Apr/2006:17:57:56 +0200] "GET http://81.58.26.26/libsh/ping HTTP/1.1" 200 15808
192.168.XXX.YYY - - [20/Apr/2006:17:57:56 +0200] "GET http://81.58.26.26/libsh/ping HTTP/1.1" 304 16087
192.168.XXX.YYY - - [20/Apr/2006:17:57:57 +0200] "GET http://81.58.26.26/libsh/ping.txt HTTP/1.1" 304 633
192.168.XXX.YYY - - [20/Apr/2006:18:15:59 +0200] "GET http://linuxb0x.netfirms.com/loginx.tar.gz HTTP/1.1" 200 195822
[20/Apr/2006 18:15:59] VIRUS charset="en" file="http://linuxb0x.netfirms.com/loginx.tar.gz" hostip="192.168.XXX.YYY" hostname="ergin.dyndns.org" protocol="HTTP" time="Thu Apr 20 18:15:59 2006" username="-" virus="McAfee verdict: Linux/Exploit-LDT"
[20/Apr/2006 18:15:59] Virus: McAfee verdict: Linux/Exploit-LDT, client - 192.168.XXX.YYY, http://linuxb0x.netfirms.com/loginx.tar.gz
[20/Apr/2006 18:15:59] Virus: Suspicious file http://linuxb0x.netfirms.com/loginx.tar.gz stored into quarantine as c:\program\kerio\winroute firewall\quarantine\http_060420_181559-53621.tmp
192.168.XXX.YYY - - [20/Apr/2006:18:16:01 +0200] "GET http://linuxb0x.netfirms.com/loginx.tar.gz HTTP/1.1" 206 986
-
[quote]192.168.XXX.YYY - - [20/Apr/2006:17:57:53 +0200] "GET http://81.58.26.26/libsh/ping.txt HTTP/1.1" 200 358[/quote]
Or a user on the local LAN is infected with a backdoor Trojan?
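
An added example (not part of the thread and not any poster's code): a small triage script for a proxy log in the two line formats shown in the firewall log above. It groups downloads from bare IP addresses, archive downloads and antivirus verdicts by internal client, so it is clear which LAN address made the requests. The sample lines, addresses and host names are constructed, and the function name triage is hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the two line formats seen in the firewall log above.
# Clients, hosts and file names are placeholders, not values from the thread.
SAMPLE = """\
192.168.0.10 - - [20/Apr/2006:17:57:53 +0200] "GET http://203.0.113.7/tools/ping.txt HTTP/1.1" 200 358
192.168.0.10 - - [20/Apr/2006:17:57:56 +0200] "GET http://203.0.113.7/tools/ping HTTP/1.1" 200 15808
192.168.0.22 - - [20/Apr/2006:18:01:10 +0200] "GET http://www.example.net/index.html HTTP/1.1" 200 5120
192.168.0.10 - - [20/Apr/2006:18:15:59 +0200] "GET http://files.example.net/kit.tar.gz HTTP/1.1" 200 195822
[20/Apr/2006 18:15:59] Virus: McAfee verdict: Linux/Exploit-LDT, client - 192.168.0.10, http://files.example.net/kit.tar.gz
192.168.0.10 - - [20/Apr/2006:18:16:01 +0200] "GET http://files.example.net/kit.tar.gz HTTP/1.1" 206 986
"""

ACCESS = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*" (\d{3}) \d+$')
VERDICT = re.compile(r'^\[([^\]]+)\] Virus: (.+?), client - (\S+), (\S+)$')
BARE_IP = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')
ARCHIVES = (".tar.gz", ".tgz", ".tar", ".zip", ".gz", ".bz2")

def triage(log_text):
    """Group suspicious proxy events by internal client address."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        hit = VERDICT.match(line)
        if hit:  # antivirus verdict line: strongest signal, always recorded
            when, verdict, client, url = hit.groups()
            findings[client].append((when, "AV: " + verdict, url))
            continue
        hit = ACCESS.match(line)
        if not hit:
            continue  # unknown format (e.g. the quarantine notice): skip
        client, when, url, status = hit.groups()
        parts = urlsplit(url)
        if BARE_IP.match(parts.hostname or ""):
            reason = "download from a bare IP address"
        elif parts.path.lower().endswith(ARCHIVES):
            reason = "archive download"
        else:
            continue  # ordinary browsing, not reported
        findings[client].append((when, f"{reason} (HTTP {status})", url))
    return dict(findings)

if __name__ == "__main__":
    for client, events in triage(SAMPLE).items():
        print(client)
        for when, reason, url in events:
            print(f"  {when}  {reason}  {url}")
```

If every flagged event maps to the server's address and none to a workstation, the requests came from the server itself rather than from a LAN user's machine.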