We've had someone starting nobody PERL procs on a box and we can't quite track it down or read the file to see what it is. What he does is to create a folder in /tmp, execute the script from there and delete the folder as soon as it's running (yes, /tmp is mounted noexec, makes no difference). We've managed to discover and block the IP that was doing this, but that's no fix. He hasn't been back since banning the IP...so far.
What we would like to do is see if anyone knows of (or can help create) a script that can watch the /tmp folder and copy newly created directories and their contents to another dir (also notifying via email would be helpful) in order to see what the heck it's doing, and hopefully be able to figure out how it's getting in. Nothing in any logs this time, and the PERL process seems to be able to hide itself from PS. That bit worries me quite a lot, but none of the binaries appear to have been changed, and it doesn't appear we've been rooted in any way.
Thoughts on this, ideas and suggestions welcome.
Failing that, is it possible without breaking the box to prevent the creation of new directories in /tmp? This I seriously doubt, but if all they need to do is create a folder and work from there, noexec is a joke.
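A watcher along the lines requested above, as an added example that is not part of the original post: it polls a directory, copies each newly created subdirectory to a root-only evidence folder, and mails the list of copies. The evidence path, the mail recipient, the local SMTP listener and the 0.2-second interval are assumptions; a directory that lives for less than one polling interval can still be missed.

```python
import os
import shutil
import smtplib
import stat
import time
from email.message import EmailMessage

WATCH_DIR = "/tmp"
EVIDENCE_DIR = "/root/tmp-evidence"   # assumed path; keep it readable by root only

def _skip_special(directory, names):
    """copytree ignore hook: skip FIFOs, sockets, devices (opening a FIFO blocks)."""
    def kind(name):
        try:
            return stat.S_IFMT(os.lstat(os.path.join(directory, name)).st_mode)
        except OSError:
            return None               # already deleted, nothing left to copy
    return [n for n in names if kind(n) not in (stat.S_IFREG, stat.S_IFDIR, stat.S_IFLNK)]

def capture_new_dirs(watch_dir, evidence_dir, seen):
    """Copy each subdirectory not named in `seen` (links kept as links); return the copies."""
    copies = []
    for entry in os.scandir(watch_dir):
        if entry.name not in seen and entry.is_dir(follow_symlinks=False):
            seen.add(entry.name)
            dest = os.path.join(evidence_dir, time.strftime("%Y%m%dT%H%M%S_") + entry.name)
            try:
                shutil.copytree(entry.path, dest, symlinks=True, ignore=_skip_special)
            except (shutil.Error, OSError):
                pass                  # source vanished mid-copy; keep the partial copy
            if os.path.isdir(dest):
                copies.append(dest)
    return copies

def notify(copies):
    msg = EmailMessage()
    msg["Subject"] = f"{len(copies)} new directories copied from {WATCH_DIR}"
    msg["From"] = msg["To"] = "root@localhost"   # assumed recipient, local MTA on port 25
    msg.set_content("\n".join(copies))
    with smtplib.SMTP("localhost") as smtp:
        smtp.send_message(msg)

if __name__ == "__main__":
    os.makedirs(EVIDENCE_DIR, mode=0o700, exist_ok=True)
    seen = {e.name for e in os.scandir(WATCH_DIR)}   # baseline: skip what already exists
    while True:
        found = capture_new_dirs(WATCH_DIR, EVIDENCE_DIR, seen)
        if found:
            notify(found)
        time.sleep(0.2)
```

Run it as root so the copies keep files owned by other users; the timestamp prefix on each copy records when the directory was first seen.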
I am designing a site for a client and in all the years I've done design etc, I've come up against a phenomenon with their VPS server they have. It's linux and uploading files I am using WS_FTP Home.
I am uploading files and folders to their public_html/domain.com/ (*I use domain here for their privacy) and in some folders (directories) after doing so, a mystery folder suddenly appears that is named 5" and as you enter that folder, you see the path directory show up "public_html" and if you go into that one, you come up to the domain.com folder again, and if you go deeper into that one you start to see this phenomenon of mirroring folders of the one you go into. Example:
public_html/domain.com/images/5"/public_html/domain.com/images/file ***the file whether it's an image jpg, png, etc is created as the last directory as a folder, not a file. I should also mention that as you go deeper in the 5" mystery directory folder, you no longer see the path in the FTP anything past the 5" one even as you go further in.
Oh, and it doesn't allow you to delete these 5" folders regardless of what permissions. And this folder seems to show up in many areas of this website's directory structure...mostly where images are (don't know if that is just a coincidence).
So hope all this makes sense....anyone seen this before and what the cause could be? Their host doesn't seem to know the reason and says they cannot see it even though others can. They said it's the FTP program as the cause and not their server.
My comeback to that is that I've used this FTP for years and never before seen this happen. It's only with this one client's server.
In a previous thread we made a few manual transfers of our domains.
We also made some automated migrations of a few domains/sites using Web Host Manager's "Copy an account from another server" feature.
All the files and other settings were properly transferred from old server to new server, but only the mysql database is not visible on new server. I am unsure if the same got copied to new server.
I have created a reseller account on my Cpanel dedicated and have 2 IPs to my customer to register them as name server. He has just done so. How can I make sure that he can use these new name servers on his customers' domains.
The name servers and the IPs are these: ns4.exeperu.com 69.65.121.203 ns3.exeperu.com 69.65.118.79
I recently purchased a dedicated server with Godaddy, I also registered a domain with same Godaddy.
Now when I tried to add a new domain in plesk, I got a warning message that "the domain is pointed to 192.198.XX.XX" which is different from my dedicated server IP. The message also says I should edit the DNS.
Now my question is: what do I need to edit from the default DNS Plesk has assigned to my domain? Do I need to use the domain's default IP? I want to be able to host multiple websites on my server...
After some yum updates last night one user and group called xfs were created on my dedicated server. Does anyone know what this group/user is used for?
I'm in the process of configuring my company's new server and I've hit a slight stumbling block. What's happening is that PHP is creating its sessions like normal with the exception of no permissions being set for them. This then means that errors are thrown up when PHP attempts to open the session files. Can anybody tell me why this is happening? I have set the sessions directory to octal 0777 for the time being.
How can I find out who created an account in CPanel? Where in the logs?
I have a new account on my server but I don't know who created it, it's possible one of my resellers lost his password, but how can I find more about it?
I recently got a dedicated server (CentOS with WHM and cPanel) and I am a newbie when it comes to server admin.
I had a hard time with the proper configuration so that Fantastico would work (it took their admin a week to figure out their own installation).
In any case now I can use Fantastico to install scripts and the one I use the most is Joomla. There is a major problem though. So I create a new account in WHM (with root access or not), go to domain.com/cpanel, go to Fantastico and install Joomla. Then if I access files or folders through FTP using CoreFTP I can't change permissions (most of files or folders) and I can't edit files. (that's the case even for the accounts with root access).
I can perform those actions if I log into WHM with my main root account and change what I need using a module called Configserver Explorer that shows all the files on the server (without that module I would be lost - I don't know all those shell commands)
So can anyone help me with some proper configuration tips so that if I create user accounts (other than myself) they would have those permissions to edit or change stuff in their account?
I come from shared hosting and never had these problems. They were allowing add-on domains and I could copy entire sites to other domain names with one click. Now WHM says it's not a good idea to allow add-on domains. No idea why. Any advice on that?
This is twice I have found email addresses on the web that I have never created. Both domain names are the new extensions and I purchased them the first day they became public. One is .biz, the other is .US.
One of the domains I never even created a web page until yesterday. And today I find a German site using my domain as an email address. One note on this, this domain name is extremely unique and related to certain German ideas or thoughts.
I am thinking someone at the server created them and used them for their personal use. Is this possible?
Not only that, but I have sent email to these addresses and there was no bounce back. No bounce back meaning these are valid email addresses?
We are getting the below message in Apache's error.log when accessing from a mobile application, and we also updated Apache from 2.4.9 to 2.4.10. A trailing dot is created after the URL.
I am able to hit [URL] ..... and I am not able to hit [URL] ....
Since a week ago or so, in one of our Plesk 12.0.18 / Centos 6.6 servers, when we create subdomains the process seems to stop half-way without being finished.
To reproduce the error:
- Select a subscription (e.g. example.com) and go to "Domains and subdomains".
- Select "add new subdomain" and enter a value (e.g. new.example.com). The directory will live in parallel to httpdocs.
- Click Accept.
Expected result:
The subdomain should be created: Filesystem directory with default contents, DNS entry, Apache VirtualHost, etc.
Actual result:
After several minutes Plesk responds with Internal Error (in a red area in the panel).
Things done right:
- The file space in parallel with httpdocs is created fine with the default site.
- DNS entries are created under /var/named/chroot infrastructure.
- The subdomain menu appears fine in the Plesk panel.
Things wrong/missing:
- The filesystem directory is not mapped by Apache. Even after changing its contents the default server template appears in the browser (all precautions taken: Apache restart, browser in private session and different browsers).
- /var/log/httpd/access_log records the access with 200 OK codes, although I don't find them in either of the subscription logs under /var/www/vhost/system/*/logs/access_log:
nnn.nnn.nnn.nnn - - [27/May/2015:18:38:35 +0200] "GET <deleted_content_in_the_subdomain_directory> HTTP/1.1" 200 14036 "http://<new_subdomain>" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0
I don't find the Apache VirtualHost .conf files for subdomains, where can I look for them up...
I've currently installed Webmin on my VPS and I've followed this tutorial. Is there a way for me to set up my DNS name servers for my domain? How can I do that with Webmin? .......
All the email accounts on our server work fine! (cPanel/WHM)
As soon as we create a new account on any domain name, and we try to send a test mail from any email address (hotmail, yahoo, our internet provider etc.. ) we get a bounce back email with the following:
Hacking mechanism: 1. this is not hacking indeed. This is usage of phpizabi engine imperfection
Usually the path till the admin area looks like this: ?L=admin.general.configure
If changing the path to ?L=admin//general//configure Then anyone can obtain full access to the admin area and can do everything he wants.
Similarly changing the path till any keyword file on the web site you can freely get the access to the database.
HOW TO CORRECT THIS ERROR:
mechanism: 1. Below I'll show an example of how to correct the imperfection of the phpizabi engine. This is only an example and I recommend all programmers code their own mechanism for this error correction. The unique character of this mechanism will be one more obstacle against hacking.
So, in the very beginning of the script index.php we should put the following code:
It cleans everything from the query except dots, letters and digits.
2. All the folders in the main directory of the web site which are located under the path /pages/ should not be accessible for opening! The easiest and fastest way is to set password access for all the folders in /pages/ through "Password Protect Directories" - this is in the client's admin area on the hosting. You should set a password on all except chat and gallery.
3. File upload:
By default any file can be uploaded for scripts phpizabi for dating web sites. They could be uploaded like a picture for gallery or attached file for other web site elements. Specially created *.php file which will be loaded at the server, can give full access to hacker and finally to walk away it from you!
I do not enclose the correction code of this error as you should restrict file uploading on the server by the class objects jpg/jpeg, gif and png.
Code:
General
=============================
Domain name: bernhardlinz.de
Owner's contact name: Bernhard Linz (admin)
Domain status: OK
[Code] ....
I can see the domain under "Mails" and also create new mail accounts. There are no Errors for this under
Code: /usr/local/psa/admin/logs/panel.log
When I tried to add the domain, I first got a
Code: [11-Jul-2014 21:41:35 Europe/Berlin] PleskUtilException: mailmng-outgoing failed: ERROR:outgoing:database disk image is malformed
Which I removed with the
Code: /usr/local/psa/admin/sbin/mchk
command I found in the Plesk forum. After that I could add the domain.
I tried to add another fantasy domain - it also works but is also not displayed in Panel "Websites & Domains".
I take a look at the Plesk-Database "psa" with the Build-In "phpMyAdmin"
I take a look at the table "domains" and it looks like the other entries.
The server was restored a few days before from a backup. After the restore I had the problem that the "mysql" service did not start. I fixed the problem with the description from [URL] ... (Start mysql in recovery mode, export all data, delete the content of the whole /var/lib/mysql folder, init a new database and import the exported data). After that all looks fine.
Well I finally got around to getting my IIS up and running which will save some time with uploading various files to check that they are working correctly but now I have run into a new problem. What used to happen with my IIS is it would list out all of the folders which I had in the wwwroot and I would simply navigate through and select which site needed to be tested.
At the moment, I have cleared out the wwwroot folder entirely since all of the stuff in there was to do with a "Windows XP Professional" page which appeared upon installation.
However, now that I don't need it anymore, I decided to clear it out and test IIS out by making a new folder called "sites" into wwwroot. Now though, it simply comes up with a "Directory Listing Denied. This Virtual Directory does not allow contents to be listed." error message, even though I have changed the permissions on the wwwroot folder to allow writing etc.
Could this be because it's IIS 5.1 and I need to install IIS 6.0 instead or is something else wrong? I know for a fact that my operating system (Windows Media Center Edition 2005) will do this list as I have had it before, back before I installed Vista and then decided to come back to MCE.