Solved

Linux Security: Mysterious Server Corruption- How to track it down with log files

Posted on 2013-06-14
745 Views
Last Modified: 2013-06-20
Dear Experts,
I have had the following mysterious problem that has completely corrupted my godaddy server twice in the last two weeks.

Godaddy's tech support gave us this explanation:

"We reviewed the account as to why we couldn't connect via ssh after a reboot and we discovered that all of your files and directories in your server have been modified to 777 permissions. This basically broke your server entirely and this will require a re-provision of your server".

Do you have any advice about how to stop this happening in the future by doing some of the following:

a) Examining the existing log files
b) Raising the detail level of the log files
c) Using a server Telnet client other than PuTTY.exe
d) Some other strategy

We rent our own dedicated server from godaddy "Dedicated Hosting Economy Linux CentOS - i3" .  We also pay a monthly fee for cPanel on top of that.
Best Wishes,
Phil
Question by:PTRUSCOTT
3 Comments
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39249990
Before moving forward and looking at other options, first check /var/log/secure; it should tell you the last logon and other important information.
 
LVL 6

Expert Comment

by:Jelcin
ID: 39254040
Hello,

I think that your server could have a security issue.....

If you cannot connect to the corrupted server anymore I would ask godaddy for a complete snapshot of the entire harddisk... Then run it as a VM to examine the server for security holes...

What services is your server running? I would first check there for security holes...

Also maybe one of your office computers could be infected so someone could steal the credentials of that server...

All that is possible but hard to verify if you don't have the possibility to check what happened on that corrupted server....

Once you have access to that corrupted server you can verify:

1. Firewall
2. CMD history
3. Log Files
4. root kit hunter
5. You could also send the snapshot to a security company for analysis if it's very important for you
 
LVL 19

Accepted Solution

by:
jools earned 500 total points
ID: 39254732
If your server has been compromised and whoever did it knows what they are doing you may not see anything in the logs, but you need to be checking the log files in /var/log daily; check out entries in the httpd logs as well, as this may give you a clue in the first case.

The server needs to be kept up to date and locked down (DON'T USE TELNET!!). There may be vulnerabilities in the software you run on the server, so keep up to date with patches and updates on any web apps; if possible disable or review any third party addons as well.

It may even be that someone just did a typo on the server and did a recursive 777 from the wrong directory, in any case you need to make sure permissions are correct and perhaps consider using SELinux for some added (though not complete) protection.
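As an added example (not code from this thread, GoDaddy or cPanel), a small POSIX shell script that does the two checks the answers recommend: it counts world-writable files and directories under a tree so a mass "chmod -R 777" shows up in a daily check, and it summarises ssh logons, failed attempts and su/sudo sessions from a /var/log/secure-style file so you can see who was on the box and when. The path defaults and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: two checks for the symptom described above.
# (1) count world-writable files/dirs under a tree to spot a mass "chmod -R 777",
# (2) pull ssh logons, failed attempts and su/sudo sessions out of a
#     /var/log/secure-style file to see who was on the box and when.
# Paths are parameters; the sample log lines below are constructed, not real.

# List (first 20) and count world-writable files and directories under $1
# (default /etc), staying on one filesystem; returns non-zero if any exist.
find_world_writable() {
    dir="${1:-/etc}"
    list=$(find "$dir" -xdev \( -type f -o -type d \) -perm -0002 2>/dev/null || true)
    count=$(printf '%s\n' "$list" | grep -c . || true)
    printf '%s\n' "$list" | grep . | head -n 20
    echo "world-writable entries under $dir: $count"
    [ "$count" -eq 0 ]
}

# Summarise a secure-style log given as file argument(s) or on stdin.
summarize_secure_log() {
    awk '
      # "sshd[1234]: Accepted password for root from 203.0.113.5 port 4321 ssh2"
      /sshd\[[0-9]+\]: Accepted / {
          match($0, /from [0-9.]+/); src = substr($0, RSTART + 5, RLENGTH - 5)
          print $1, $2, $3, "ssh-" $7, $9, "from", src; next
      }
      # failed attempts are only counted per source address
      /sshd\[[0-9]+\]: Failed password/ {
          match($0, /from [0-9.]+/); failed[substr($0, RSTART + 5, RLENGTH - 5)]++; next
      }
      # pam su/sudo: "session opened for user root by phil(uid=500)"
      /session opened for user/ {
          sub(/\(uid=[0-9]+\)/, "", $13)
          print $1, $2, $3, "su-to", $11, "by", $13; next
      }
      END { for (ip in failed) print "failed-ssh", failed[ip], "attempts from", ip }
    ' "$@"
}

# Constructed sample lines in /var/log/secure format, piped through the parser.
demo_summary() {
    printf '%s\n' \
      'Jun 13 03:10:01 host sshd[1230]: Failed password for invalid user admin from 198.51.100.7 port 5000 ssh2' \
      'Jun 13 03:10:04 host sshd[1231]: Failed password for root from 198.51.100.7 port 5002 ssh2' \
      'Jun 13 03:12:44 host sshd[1234]: Accepted password for root from 203.0.113.5 port 4321 ssh2' \
      'Jun 13 03:13:10 host su: pam_unix(su-l:session): session opened for user root by phil(uid=500)' \
    | summarize_secure_log
}

# On a real box: find_world_writable /etc ; summarize_secure_log /var/log/secure
```

Run the permission check from cron against /etc, /usr and /var and alert on a non-zero count; a clean CentOS install has only a handful of world-writable entries (sticky directories such as /tmp are excluded here because they are not under those trees).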
