Linux System Compromised, Hacker In As "root"
Mar 16, 2007
I've been trying to fight off a hacker's attack for the past 24 hours. Chronologically, this is how the events evolved:
- Yesterday, I tried SSH-ing into my server as usual and I got an error saying that the host's key was not recognized, which made me a bit suspicious
- I tried logging into my VPS' PowerPanel, but my root password did not work, which I found disturbing. I reached out to support and they reset the password
- I ignored Putty's warning and SSH-ed into the server and was greeted by this, which I've never seen before:
Code:
Last login: Wed Mar 14 2007 14:13:35 -0500
No mail.
This made me even more conscious and I started actively searching for indicators of a breach.
- The following processes were running, and I did not recognize them:
Code:
named 15756 0.0 0.4 36088 2256 ? S Mar14 0:00 /usr/sbin/named -u named -t /var/named/chroot
dmorg 26360 0.0 0.1 2264 872 pts/2 T 20:40 0:00 sh -c (cd /usr/share/man && (echo ".ll 14.2i"; echo ".pl 1100i"; /usr/bin/gunzip -c '/usr/share
dmorg 26361 0.0 0.1 2264 512 pts/2 T 20:40 0:00 sh -c (cd /usr/share/man && (echo ".ll 14.2i"; echo ".pl 1100i"; /usr/bin/gunzip -c '/usr/share
- Then I found a user called 'pma' in the /home directory, which I had never created. I could not find any suspicious files in the user's directory
- I finally spotted the point of breach in /var/log/messages:
Code:
Mar 15 15:05:25 xxxxxxxxx passwd(pam_unix)[28121]: password changed for root
Mar 15 15:06:34 xxxxxxxxx su(pam_unix)[30182]: session opened for user news by (uid=0)
Mar 15 15:07:16 xxxxxxxxx su(pam_unix)[30182]: session closed for user news
Mar 15 15:22:04 xxxxxxxxx sshd[20118]: Listener created on port 22.
Mar 15 15:22:04 xxxxxxxxx sshd[20119]: Daemon is running.
Mar 15 15:28:01 xxxxxxxxx su(pam_unix)[32568]: session opened for user pma by (uid=0)
Mar 15 15:28:45 xxxxxxxxx su(pam_unix)[32568]: session closed for user pma
Somehow they had gotten in as root and then opened sessions for news and pma.
- This morning I finally found where the hacker's files are hiding. He had created a new user overnight and a directory in there called "...". The folder contains various files:
Code:
[root@xxxxxxxxx root]# ls -al
total 445
drwxr-x---   8 root root   1024 Mar 16 15:48 .
drwxr-xr-x  20 root root   1024 Mar 16 15:48 ..
drwxr-xr-x   2 1004 1004   1024 Dec 17 08:57 ...
-rw-r--r--   1 root root   1126 Aug 23  1995 .Xresources
-rw-------   1 root root  14641 Mar 16 15:47 .bash_history
-rw-r--r--   1 root root     24 Jun 10  2000 .bash_logout
-rw-r--r--   1 root root    234 Jul  5  2001 .bash_profile
-rw-r--r--   1 root root    176 Aug 23  1995 .bashrc
-rw-r--r--   1 root root    210 Jun 10  2000 .cshrc
-rw-------   1 root root     38 Jul 26  2005 .mysql_history
drwx------   2 root root   1024 Mar 15 18:01 .ssh
drwxr-xr-x   2 root root   1024 Mar 15 15:21 .ssh2
-rw-r--r--   1 root root    196 Jul 11  2000 .tcshrc
Code:
[root@xxxxxxxxx root]# cd "..."
[root@xxxxxxxxx ...]# ls -al
total 420
drwxr-xr-x  2 1004 1004   1024 Dec 17 08:57 .
drwxr-x---  8 root root   1024 Mar 16 15:48 ..
-rwxr-xr-x  1 1004 1004 141817 Sep  3  2001 init
-rw-r--r--  1 1004 1004 113482 Mar 15 15:09 log
-rw-------  1 1004 1004    640 Feb 18 05:34 messages
-rw-r--r--  1 1004 1004    664 Feb 27 01:12 muhrc
-rwxr-xr-x  1 1004 1004 165596 Nov  2  2004 pico
-rw-------  1 1004 1004      5 Mar 15 15:09 pid
[root@xxxxxxxxx ...]#
- Here's what's in the log file:
Code:
[root@xxxxxxxxx ...]# less log
[Thu 08 May 08:03:27] + ---------- NEW SESSION ----------
[Thu 08 May 08:03:27] + muh version 2.05d - starting log...
[Thu 08 May 08:03:27] + listening on port 6667.
[Thu 08 May 08:03:27] + muh's nick is 'StefanG'.
[Thu 08 May 08:03:27] + trying server 'geneva.ch.eu.undernet.org' on port 6667...
[Thu 08 May 08:03:28] + tcp-connection to 'geneva.ch.eu.undernet.org' established!
[Thu 08 May 08:03:29] + connected to 'Geneva.CH.EU.Undernet.org'.
[Thu 08 May 08:03:30] + caught client from 'pcp02588223pcs.shlb1201.mi.comcast.net'.
[Thu 08 May 08:03:45] + authorization successful!
[Thu 08 May 08:03:45] + reintroducing channels...
[Thu 08 May 08:07:54] + ---------- NEW SESSION ----------
[Thu 08 May 08:07:54] + muh version 2.05d - starting log...
[Thu 08 May 08:07:54] + listening on port 6667.
[Thu 08 May 08:07:54] + muh's nick is 'StefanG'.
[Thu 08 May 08:07:54] + trying server 'eu.undernet.org' on port 6667...
[Thu 08 May 08:07:55] + tcp-connection to 'eu.undernet.org' established!
[Thu 08 May 08:08:05] + connected to 'Diemen.NL.EU.Undernet.org'.
[Thu 08 May 08:08:05] + caught client from 'pcp02588223pcs.shlb1201.mi.comcast.net'.
[Thu 08 May 08:08:05] + authorization successful!
[Thu 08 May 08:08:05] + reintroducing channels...
There is a whole lot of these in that log file, and the timestamps look odd. I am not sure what all this is.
- This is where I am at right now. Can you guys help figure this thing out?
How did they get in? What sort of vulnerability are they using? How can I patch things up?
- Here is my server info:
Code:
[root@xxxxxxxxx ...]# uname -a
Linux xxxxxxxxx.org 2.6.9-023stab033.9-enterprise #1 SMP Tue Dec 5 14:40:57 MSK 2006 i686 athlon i386 GNU/Linux
[root@xxxxxxxxx httpd]# vmstat 5 5
procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa
 1  0      0 390688      0      0    0    0     0     0    0  8365  1  0 99  0
 0  0      0 390524      0      0    0    0     0     0    0     0  0  0 100  0
 0  0      0 390524      0      0    0    0     0     0    0     0  0  0 100  0
 0  0      0 390528      0      0    0    0     0     0    0     0  0  0 100  0
 0  0      0 390528      0      0    0    0     0     0    0     0  0  0 100  0
- I have Apache & MySQL & PHP running. I host 3 websites. They run Simple Machines Forum 1.1.2, phpMyAdmin, phpcollab, awstats and that's about it.
	
	View 11 Replies
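The log review done by hand in the post above, as an added example that is not part of the original post: a Python triage pass over the `/var/log/messages` lines quoted there. It flags the root password change, `su` sessions opened by uid 0 and a new sshd listener, then reports how long after the password change each one occurred. The rule names, the 30-minute window, the year argument and the extra crond line are assumptions made for this example.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample: the /var/log/messages lines quoted in the post, plus one
# crond line added here (not from the post) to show benign entries are skipped.
SAMPLE_LOG = """\
Mar 15 15:01:01 xxxxxxxxx crond(pam_unix)[27990]: session opened for user root by (uid=0)
Mar 15 15:05:25 xxxxxxxxx passwd(pam_unix)[28121]: password changed for root
Mar 15 15:06:34 xxxxxxxxx su(pam_unix)[30182]: session opened for user news by (uid=0)
Mar 15 15:07:16 xxxxxxxxx su(pam_unix)[30182]: session closed for user news
Mar 15 15:22:04 xxxxxxxxx sshd[20118]: Listener created on port 22.
Mar 15 15:22:04 xxxxxxxxx sshd[20119]: Daemon is running.
Mar 15 15:28:01 xxxxxxxxx su(pam_unix)[32568]: session opened for user pma by (uid=0)
Mar 15 15:28:45 xxxxxxxxx su(pam_unix)[32568]: session closed for user pma
"""

Event = namedtuple("Event", "when pid rule detail")

# "Mon DD HH:MM:SS host prog(module)[pid]: message"; the module part is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+[\d:]{8})\s+\S+\s+"
    r"(?P<prog>[\w.-]+)(?:\(\w+\))?\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)

# Rule names are hypothetical labels chosen for this example.
RULES = [
    ("root-password-changed", "passwd", re.compile(r"password changed for root")),
    ("su-from-root", "su",
     re.compile(r"session opened for user (?P<user>\S+) by \(uid=0\)")),
    ("sshd-listener-started", "sshd",
     re.compile(r"Listener created on port (?P<port>\d+)\.")),
]


def parse_events(text, year, expected_su_targets=frozenset()):
    """Return flagged events in log order. Syslog lines carry no year, so the
    caller supplies it; su targets listed as expected are not flagged."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a syslog line in the expected shape
        stamp = " ".join(m["ts"].split())  # collapse "Mar  5" padding
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        for name, prog, pattern in RULES:
            hit = pattern.fullmatch(m["msg"]) if m["prog"] == prog else None
            if hit is None:
                continue
            detail = hit.groupdict()
            if detail.get("user") in expected_su_targets:
                continue
            events.append(Event(when, int(m["pid"]), name, detail))
    return events


def after_password_change(events, window=timedelta(minutes=30)):
    """Return (offset, event) pairs for flagged events that follow the first
    root password change within `window`; empty if none was logged."""
    anchors = [e for e in events if e.rule == "root-password-changed"]
    if not anchors:
        return []
    start = anchors[0].when
    return [(e.when - start, e) for e in events
            if e is not anchors[0] and timedelta(0) <= e.when - start <= window]


if __name__ == "__main__":
    for offset, ev in after_password_change(parse_events(SAMPLE_LOG, 2007)):
        print(f"+{offset}  pid={ev.pid}  {ev.rule}  {ev.detail}")
```

On a live host, feed the function the contents of `/var/log/messages` (and its rotated copies) read from a trusted rescue environment, since logs on a compromised system may have been edited.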
  
    
        May 18, 2009
        I'm still trying to figure this one out. I got an email last night about 10:30pm that a weird IP had logged in with root. I thought it was a guy that helps with tech things but I ran the IP... it came back from Korea and I knew I was in trouble. I immediately logged into WHM and changed the root password then sent the server down for a reboot. He was only in there for about 3 minutes before I nailed him. I've banned the IP from the server and have been watching it for nearly 12 hours now and they haven't come back yet.
Now comes the task of trying to figure out how he got the password. This is mind boggling to me. He knew the password, like someone gave it to him... there were no incorrect guesses or brute force. The password was a series of random letters, both upper and lower case. Is it possible he got it through getting to /etc/passwd via a PHP script? I have open basedir restrictions in place, can they get around that? I noticed at the time he logged in there were several IPs trying to exploit PHP scripts on my server, you know, setting the parameters to txt files but I assumed with shell functions disabled (except exec) and with open basedir this wouldn't be possible. Is there a hole in cpanel / PHP / kernel recently I may have missed? 
	View 14 Replies
        Jun 6, 2007
        Linux Fedora 5
I just got a letter from my dedicated host stating we had just been compromised. These servers just were set up last week! And there is nothing on them yet. The only thing I have done is modified the /etc/hosts file via SSH.
My servers are not even public yet. Can SSH'ing in from an unsecured wireless network make me vulnerable?
What do you guys think? Best way not to let this happen again?
Oh this is great :-| He's still logged in!
[root@server~]# who
root     pts/0        2007-06-06 07:12 (xxx)
test     pts/2        2007-06-06 03:08 (81.89.10.92)
	View 14 Replies
        Nov 1, 2014
        My VPS hosted by Strato was hacked and seems to be part of a botnet now. Until now I thought that the automatic backups of the provider would be enough and I did no separate backups using pleskbackup. Unfortunately the hacker attack was earlier than my oldest backup.
Now I want to move the complete server content including the configuration of approx. 10 domains to a new one. Therefore I want to make a backup of the Plesk 9.5 server using pleskbackup to import it on the new server running Plesk 12. I can access the old server in recovery mode only, which means that a recovery system runs with the content of the old server mounted under /repair. Is there a possibility to tell pleskbackup that the content to back up is mounted under /repair? Otherwise it seems that I have to move the content manually... (I tried starting the old server in normal mode, but it immediately starts doing evil things, so this doesn't seem a good option...)
	View 4 Replies
        Jan 3, 2007
        I am planning to start Linux hosting but don't have much knowledge about the Linux operating system... Can I do this without having sufficient knowledge of Linux background?
Also please suggest me some good links from where I can get basic Linux commands and some kind of Flash tutorials from which I can get to know how to work in Apache, DNS, etc.
 
how to download tar file using Terminal,
	View 6 Replies
        May 7, 2009
        Does rapidswitch and poundhost offer Rescue Linux System on their portal?
I want to load a linux distro on server RAM and do my own FreeBSD installation.
	View 7 Replies
        Jan 5, 2008
        Where would someone go to learn Linux System Administration?
Are the Redhat courses worthwhile?
	View 3 Replies
        Nov 15, 2007
        Without having all of the operating systems at my disposal for testing, I would like to figure out a way to determine the operating system of a remotely accessed Linux machine.
It seems pretty strange though, since cPanel reports both machines I am using as being CENTOS Enterprise 4.5 i686, yet one's uname -a reports:
Code:
Linux hostsentry.crucialwebhost.com 2.6.9-023stab044.4-enterprise #1 SMP Thu May 24 17:41:23 MSD 2007 i686 i686 i386 GNU/Linux
Code:
Linux main.7kb.org 2.6.9-55.0.6.ELsmp #1 SMP Tue Sep 4 21:36:00 EDT 2007 i686 i686 i386 GNU/Linux
I'm assuming there is a way to determine the OS from this information. Anyone know how?
	View 8 Replies
        Mar 8, 2008
        I can resolve this situation I have.
I sent a server I have with a provider to have a RAM upgrade yesterday at 15:33 UTC, and ever since then I have had no access to my server.
SSH has been changed back to port 22, from a random high port.
root password has changed
RSA key has changed too.
I can see 3 possible reasons for this:
1) It's a different server plugged into the rack/router or a stolen IP
2) My provider "kindly" formatted and reinstalled my OS.
3) I have a compromised server; I very much doubt this as the server was offline.
I informed my provider about 18 hours ago that I had a "possible compromised server" and since then I have been given the run around as to what is happening.
For the last couple of hours or so I have been trying to get them on live chat, which shows as online, but no-one answers. That's another pet hate of mine.
I also have a couple of tickets open asking for an update as they are not answering my original ticket with updates.
Am I just being impatient wanting a resolution to this in less than 18 hours or am I correct to complain?
	View 8 Replies
        Oct 6, 2007
        I am trying to determine if I am hacked; here are the details:
 
I just got a message from softlayer support: ABUSE - 66.228.xxx,xxx - HACKING/MALICIOUS ACTIVITY - IMMEDIATE ACTION REQUIRED. with some log like this:
Quote:
Connection attempt to TCP IP.IP.IP.34:80 
>from 66.228.xxx.xxx:41212 flags:0x02 Sep 28 14:05:55 PDT kernel: 
 
Also, I did a rkhunter scan and found:
Quote:
cat /var/log/rkhunter.log | grep Warning
[18:26:29] /usr/bin/GET [ Warning ]
[18:26:29] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
[18:26:29] /usr/bin/groups [ Warning ]
[18:26:29] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
[18:26:30] /usr/bin/ldd [ Warning ]
[18:26:30] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
[18:26:35] /usr/bin/whatis [ Warning ]
[18:26:35] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
[18:26:36] /sbin/ifdown [ Warning ]
[18:26:36] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[18:26:36] /sbin/ifup [ Warning ]
[18:26:36] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
  
[18:27:43] Checking '/etc/xinetd.d/ftp_psa' for enabled services [ Warning ]
[18:27:44] Checking '/etc/xinetd.d/poppassd_psa' for enabled services [ Warning ]
[18:27:44] Checking '/etc/xinetd.d/smtp_psa' for enabled services [ Warning ]
[18:27:44] Checking '/etc/xinetd.d/smtps_psa' for enabled services [ Warning ]
[18:27:44] Checking for enabled xinetd services [ Warning ]
[18:27:44] Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
[18:27:44] Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa
[18:27:44] Warning: Found enabled xinetd service: /etc/xinetd.d/smtp_psa
[18:27:44] Warning: Found enabled xinetd service: /etc/xinetd.d/smtps_psa
 
[18:27:59] Checking for hidden files and directories [ Warning ]
[18:27:59] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
 
[18:27:34] Checking running processes for deleted files [ Warning ]
[18:27:34] Warning: The following processes are using deleted files:
[18:27:34] Process: /usr/libexec/mysqld PID: 4773 File: /tmp/ib2RpbEj
[18:27:34] Process: /usr/sbin/httpd PID: 8449 File: /tmp/.apc.PGGxew
[18:27:34] Process: /usr/sbin/httpd PID: 8452 File: /tmp/.apc.PGGxew
[18:27:34] Process: /usr/sbin/httpd PID: 12102 File: /tmp/.apc.PGGxew
[18:27:34] Process: /usr/sbin/httpd PID: 12950 File: /tmp/.apc.PGGxew
[18:27:34] Process: /usr/sbin/httpd PID: 13044 File: /tmp/.apc.PGGxew
[18:27:34] Process: /usr/sbin/httpd PID: 13046 File: /tmp/.apc.PGGxew
So does that mean my server was compromised?
	View 6 Replies
        Sep 5, 2007
        Basic question: does it matter where I set the document root for apache on a Linux system? I've googled this but haven't found a good answer.
This is for a VPS server running the Ubuntu (Debian) server os that I'm configuring.  I'd prefer to simply create a new directory off the root and set that as the document root in the apache config file.  Would this present any kind of security issue?  
If that's no good, what's the best choice -- stick to the default?
	View 3 Replies
        May 31, 2015
        For some days there has been a folder without a name in the root of my server. I think it is fail2ban that creates this folder? Only I have access to the server.
	View 11 Replies
        Aug 6, 2008
        I would like to know which Linux family operating system is more stable and has better support for a dedicated server .....?
	View 8 Replies
        May 28, 2008
        How to install ASSP on linux system without cpanel.
	View 2 Replies
        Oct 29, 2009
        I have a few shared hosting servers I run. One of them keeps getting listed on CBL. It is very frustrating. Does anyone have any tools, tips, or tricks on finding the compromised?
So far I have confirmed that a script is using PHP to send mail out bypassing the MTA. It is faking the HELO and impersonating a well known ISP.
I used a combination of tshark and netstat. tshark can show me the HELO and EHLO. When I see the wrong entry I cross check that with netstat to see what. So Netstat only shows that it was PHP not the script path.
Here are the commands I'm running:
Code:
nohup netstat -c -p -n -e | grep -i ":25" > /var/log/monitor/netstat-smtp.log &
nohup tshark -f "port 25 and src host XX.XX.XX.XX" > /var/log/monitor/tshark-smtp.log &
Then I grep for what I'm looking for:
grep -i "HELO" /var/log/monitor/tshark-smtp.log
Is there a way to get Netstat to show the script path or complete command that is establishing the connection? Currently these scripts are eating up memory to a point that other processes are getting killed off.
I also tried to force all mail through the MTA, but when I enable SMTP_BLOCK in my firewall config I get an error:
*WARNING* Cannot use SMTP_BLOCK on this VPS as the Monolithic kernel does not support the iptables module ipt_owner - SMTP_BLOCK disabled.
If there is a better way I'm game. Maybe some IDS that can tell me more of what is going on with the server?
	View 14 Replies
        Dec 15, 2008
        I have read a lot of helpful feedback regarding choosing a reliable web host. Most of the concerns are centered around costs. However, I am more particular about the relative security of my website in addition to other perks such as space, speed and bandwidth. I rate my concerns on a 1-10 scale:
Security 9/10
Bandwidth 7.5/10
Disk space 6/10
E-mails, backups, etc: 8/10
Cost: 7/10
	View 10 Replies
        Sep 17, 2007
        OK... posting this here to hopefully get someone's attention at gnax.net.
I've written their abuse@gnax.net and engineer@gnax.net multiple times and even called into their support line and spoke with Stephen (or Steven). No one there seems to care.
They have a group of Vietnamese hackers on their network that are launching attacks from several of their servers. They also have a Google phishing site on one of the servers.
Spoke with Stephen at Gnax support and his answer was that it wasn't his job and I needed to send an e-mail to abuse. After telling him that I'd done that multiple times he basically said oh well, that he didn't know what to do.
Seems like the admins of gnax.net are either very irresponsible, stupid or just ignorant.
Here are the URLs.
[url]
[url]
Just replace the 1's with t's and you can see for yourself. The fwooshnet.com attempts to download a trojan to your system so if you don't know what you're doing don't visit either URL.
Hopefully admins from Gnax watch this forum.
	View 6 Replies
    View Related
  
    
	
    	
    	
        Aug 22, 2007
        I receive reports from my DC that my server is launching some hacking / malicious activity. This is the log that they provide:
Quote:
>
> Aug 20 12:34:35 ensim sshd[30628]: Did not receive identification
> string from MY.SERVER.IP
>
> Aug 20 12:44:23 ensim sshd[444]: Failed password for admin from
> MY.SERVER.IP port 57896 ssh2
>
> Aug 20 12:44:23 ensim sshd[444]: Received disconnect from
> MY.SERVER.IP: 11: Bye Bye
>
> Aug 20 12:44:26 ensim sshd[445]: Failed password for root from
> MY.SERVER.IP port 58029 ssh2
>
> Aug 20 12:44:26 ensim sshd[445]: Received disconnect from
> MY.SERVER.IP: 11: Bye Bye
>
> Aug 20 12:44:28 ensim sshd[446]: Failed password for root from
> MY.SERVER.IP port 58141 ssh2
>
> Aug 20 12:44:28 ensim sshd[446]: Received disconnect from
> MY.SERVER.IP: 11: Bye Bye
>
> Aug 20 12:44:31 ensim sshd[449]: Failed password for root from
> MY.SERVER.IP port 58276 ssh2
>
> Aug 20 12:44:31 ensim sshd[449]: Received disconnect from
> MY.SERVER.IP: 11: Bye Bye
>
> Aug 20 12:44:33 ensim sshd[450]: Failed password for root from
> MY.SERVER.IP port 58421 ssh2
>
> Aug 20 12:44:33 ensim sshd[450]: Received disconnect from
> MY.SERVER.IP: 11: Bye Bye
>
> Aug 20 12:44:36 ensim sshd[453]: Failed password for root from
> MY.SERVER.IP port 58565 ssh2
>
> Aug 20 12:44:36 ensim sshd[453]: Received disconnect from
> MY.SERVER.IP: 11: Bye Bye
>
> Aug 20 12:44:38 ensim sshd[455]: Failed password for root from
> MY.SERVER.IP port 58672 ssh2
>
> Aug 20 12:44:38 ensim sshd[455]: Received disconnect from
> MY.SERVER.IP: 11: Bye Bye
>
> Aug 20 12:44:41 ensim sshd[456]: Failed password for root from
> MY.SERVER.IP port 58787 ssh2
>
> Aug 20 12:44:41 ensim sshd[456]: Received disconnect from
> MY.SERVER.IP: 11: Bye Bye
>
> Aug 20 12:44:43 ensim sshd[457]: Failed password for root from
> MY.SERVER.IP port 58961 ssh2
>
> Aug 20 12:44:43 ensim sshd[457]: Received disconnect from
> MY.SERVER.IP: 11: Bye Bye
>
> Aug 20 12:44:46 ensim sshd[458]: Failed password for root from
> MY.SERVER.IP port 59132 ssh2
>
> Aug 20 12:44:46 ensim sshd[458]: Received disconnect from
> MY.SERVER.IP: 11: Bye Bye
>
> Aug 20 12:44:48 ensim sshd[459]: Failed password for root from
> MY.SERVER.IP port 59348 ssh2
>
> Aug 20 12:44:48 ensim sshd[459]: Received disconnect from
> MY.SERVER.IP: 11: Bye Bye
>
> Aug 20 12:44:51 ensim sshd[465]: Failed password for root from
> MY.SERVER.IP port 59495 ssh2
>
> Aug 20 12:44:51 ensim sshd[465]: Received disconnect from
> MY.SERVER.IP: 11: Bye Bye
>
> Aug 20 12:44:53 ensim sshd[466]: Failed password for admin from
> MY.SERVER.IP port 59622 ssh2
>
> Aug 20 12:44:53 ensim sshd[466]: Received disconnect from
> MY.SERVER.IP: 11: Bye Bye
>
> Aug 20 12:44:56 ensim sshd[467]: Failed password for admin from
> MY.SERVER.IP port 59803 ssh2
>
> Aug 20 12:44:56 ensim sshd[467]: Received disconnect from
> MY.SERVER.IP: 11: 
	View 2 Replies
        Feb 10, 2008
        Get ready for another round of patching and reboots. See: 
[url]
Linux vmsplice Local Root Exploit
By qaaz
Linux 2.6.17 - 2.6.24.1
Debian also has a report but I'm trying to avoid linking to the source of the exploit. It works on 2.6.24, but only once. Then the box kernel panics (did for me). 2.6.24.1 is out as of couple days ago, but I'm not sure if it's still vulnerable. Seems like it is.
luki@tester:/tmp$ gcc t.c -o t
luki@tester:/tmp$ ./t
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e6f000 .. 0xb7ea1000
[+] root
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
root@tester:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@tester:/tmp#
	View 15 Replies
        Feb 9, 2015
        Is it possible to change the root password on Plesk?
I have a man who worked for me on my server and installed a double PHP version on my server, and maybe it's best to change the root password!
So that no one has access to my root anymore.
	View 5 Replies
        Aug 30, 2014
        I am trying to change the color of directories. I can do that for root by editing .bashrc under /root. How can I do that for other users created under Parallels? Their home directories are /var/www/vhosts/domain.com. Using the root account, I created .bashrc under those directories and chowned it to the user. But the colors are not changing. I also added the color in the /etc/bashrc system-wide file and it does not work either.
	View 2 Replies
        May 14, 2015
        I tried to set up a cronjob to run a PHP script. Something simple like this:
php /var/www/vhosts/onlinehome-server.info/mydomain.co.uk/script.php
didn't work. So I used the terminal as root and I noticed that PHP is not running the script, not even as root.
Not even commands like php -v work. I don't get any error back.
Plesk version 12.0
	View 5 Replies
        Sep 20, 2014
        My root partition has been growing slowly but steadily over the last weeks, which makes me uncomfortable being now at 60%.
We are running V 12.0.18
Looking into possible causes, I found all these packages in /root/parallels/:
4 drwxr-xr-x  2 root root   4096 Sep 20 04:03 APACHE_2.2.27
4 drwxr-xr-x  2 root root   4096 Sep 20 04:03 BILLING_12.0.18
4 drwxr-xr-x  2 root root   4096 Sep 20 04:03 MYSQL_5.5.37
4 drwxr-xr-x  2 root root   4096 Sep 20 04:03 NGINX_1.6.0
[Code] ....
	View 1 Replies
        May 18, 2014
        I have installed phpMyAdmin because I don't like the limitations of DB management in Plesk, but I can't find the root password to access it. I read that Plesk renames the "root" user to "admin", but I can't find the password. Where is it?
	View 4 Replies
        Sep 5, 2014
        I think it is possible, but just to be sure...
Default document root is:
var/www/vhosts/www.mysite.com/httpdocs/
Can I change it to: 
var/www/vhosts/www.mysite.com/web/
A simple "yes" or "no" will do...
	View 3 Replies
        Sep 19, 2012
        I do not know how this happened though. When I use find command on shell, I got the following error.
find: File system loop detected; `/var/named/chroot/var/named' is part of the same file system loop as `/var/named'.
It is minimal CentOS6.3 install with plesk 11.
	View 15 Replies
        Sep 20, 2014
        I enabled rkhunter in Plesk 12 to check the system weekly. I get a warning now, which I never got in older versions of Plesk:
The current hash function (/usr/bin/sha1sum) or package manager (DPKG) is incompatible with the hash function (Unset) or package manager (Unset) used to store the values. Debian 7.6 x64
	View 6 Replies
        Jun 28, 2015
        In CENTOS 6.6 / PLESK 12, when I use the find command I get this notice: find: File system loop detected; "/var/named/chroot/var/named" is part of the same file system loop as "/var/named".
	View 2 Replies