I have recently bought a VPS hosting package. At the moment I am going through the tutorials on the net that I researched before getting a VPS package, to give me some understanding of what I need to do to secure the server and also how to install the software that I require.
For most of today, I have been trying to sort out a problem that I am currently having, which is that I am trying to sort out a part of the tutorial from a website that requires the use of apt commands.
But for every command I am getting the message back apt..... Command not found. I am currently using the Ubuntu operating system. And through some research, I have got the feeling that I might have the bare installation done on my server to just make it work.
Would I be right, and with the bare installation apt commands wouldn't be installed?
If I am, how would I go about installing the apt commands and anything else that I might require?
root@server [~]# /etc/init.d/ipaliases start
/etc/init.d/ipaliases: line 37: cat: command not found
Not sure why that's happening, but 4 of 5 IPs are down and I cannot restart the network. CentOS 4 / cPanel
The file is there in /etc/init.d/
-rwxr-xr-x 1 root root 2.6K Sep 26 21:54 ipaliases*
Line 37 is
case "$1" in
I just bought a new DS 3 days ago: Intel Core2Duo 2.33 GHz, 2GB DDR2 RAM, 250 GB.
Today MySQL automatically stopped and did not auto-restart :|
I checked the cron jobs: there is no cron job there. I have only one site on this server.
I checked the MySQL error log:
081115 10:47:52 [Note] /usr/sbin/mysqld: Normal shutdown
081115 10:47:52 InnoDB: Starting shutdown...
081115 10:47:54 InnoDB: Shutdown completed; log sequence number 0 72782
081115 10:47:54 [Note] /usr/sbin/mysqld: Shutdown complete
081115 10:47:54 mysqld ended
081115 10:47:55 mysqld started
/usr/sbin/mysqld: File '/var/log/mysql-slow-queries.log' not found (Errcode: 13)
081115 10:47:55 [ERROR] Could not use /var/log/mysql-slow-queries.log for logging (error 13). Turning logging off for the whole duration of the MySQL server process. To turn it on again: fix the cause, shutdown the MySQL server and restart it.
081115 10:47:55 InnoDB: Started; log sequence number 0 72782
081115 10:47:56 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.0.51a-community-log' socket: '/var/lib/mysql/mysql.sock' port: 3306 MySQL Community Edition (GPL)
I've got a strange situation here. We have some software which we run on multiple servers. As of today the software is using 100 percent (sometimes more) of the CPUs.
Here is the result from top. It's usually far worse, using 100 percent of both CPUs almost all of the time. I just restarted, but the server load is climbing to 20+. Any idea how I can figure out what is going on? The same software on two other identically configured servers runs fine. This server has had no problems for over 6 months, but suddenly this started today. The server is a dual Opteron with 4GB of RAM. The databases are InnoDB, thus the high memory usage for MySQL (InnoDB buffer pool size).
My server was having a high load so I stopped httpd and mysqld. I tried to restart both services but only httpd is starting and mysqld failed. It keeps timing out.
service mysqld start
Timeout error occurred trying to start MySQL Daemon.
Starting MySQL: [FAILED]
It was working and I was only trying to restart it.
The load on my server now is 0 because the website is down.
1.) I have a user that kinda knows a lot about Linux. More than me. He has a lot of stuff on the system which I have no idea what it is. Is there any way I can install an SSH log, so I can monitor what he does in shell?
2.) My server seems REALLY sluggish. I ran a top in shell, and mysqld was taking up from 70% to 110% of the CPU. Is there any way to fix this or find out why? I've restarted the server, and it's fluctuating between 50% and 90% now.
3.) I think this MIGHT be related to the mysqld issue, but I've received about 12 emails saying
Quote:
"[statscheck] Stats/Server Overload on my server".
"IMPORTANT: Do not ignore this email.
This is cPanel stats runner on server1.cewxp.com!
While processing the log files for user cewxp, the cpu has been maxed out for more than a 6 hour period. The current load/uptime line on the server at the time of this email is 15:49:16 up 5 days, 10:52, 2 users, load average: 27.59, 31.36, 31.83"
and also another email
Quote:
IMPORTANT: Do not ignore this email.
This is cPanel stats runner on server1.cewxp.com!
While processing the log files for user vegapunk, the cpu has been maxed out for more than a 6 hour period. The current load/uptime line on the server at the time of this email is 12:34:26 up 5 days, 7:37, 2 users, load average: 19.90, 17.59, 17.97
Is there a command I can type into the SSH console to stop a current transfer that I started with the wget command?
The file I'm wgetting always stuffs up at 51% but then the server just retries and starts again. It's done it 3 times so far and I just want to completely cancel the process if possible....
We were tasked with helping a website owner find all the malscripts on his site and remove them. He, like many, learned that his site was delivering malicious code with an email from Google.
This website owner had tried removing the code himself and yet his site was still blacklisted by Google. This was killing his sales as anyone visiting with Firefox as their browser, or Chrome, were greeted with a big warning:
This site may harm your computer.
After about a week of trying to rectify the problem himself, he contacted us.
He provided us FTP access to his site so we could tackle it.
After downloading his site (which literally took 3 hours) we started scanning. We grep'd for the word "base64_decode" and found over 228 php files all with the following malscript (spaces added to protect the innocent):
For the first time after running a server for about a year I decided to buy a new server, and in it I found out that there is some sort of infection. What should I do next? The logs are attached in an attachment.
I can't visit my website! <snipped> Every time I go it says server not found. So I told some friends to go and they are able to see and visit <snipped> How is that possible?? They could and I can't? Yesterday same thing, but then a couple of hours later it worked and I could visit hmlegends.com, but I didn't do anything, and now today same thing: server not found! I cleaned my history, everything, and still server not found!
So what I did is use a proxy <snipped> and then it worked!
But when I don't use a proxy, SERVER NOT FOUND! It's like my IP can't reach hmlegends.com
I don't know how to solve this?!?? It just says server not found!
But it looks like everyone else can access it!
Anyways, I'm using Firefox 2, but then I thought maybe it was my browser so I switched to 3, so currently I'm on Firefox 3, and no, it's not; it's something with my IP, because when I use a proxy I can go to my site
but the point is I don't wanna use a proxy, I wanna use my IP to go to hmlegends.com
<Directory "/usr/local/apache/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
And the error logs say..
[Sun Jan 20 18:09:56 2008] [error] [client xx.xx.xx.xx] File does not exist: /home/goewowc/public_html/404.shtml
[Sun Jan 20 18:09:56 2008] [error] [client xx.xx.xx.xx] script not found or unable to stat: /usr/local/apache/cgi-bin/first.txt
The cgi-bin directory is chmodded correctly, the files are also chmodded and belong to the correct group.
After going back and forth with the folks that are supposed to be managing my server they finally checked and found an irc bot. Here is their message:
I have found an IRC bot running on your server. The binaries are located at /var/lib/texmf/.dat/. You can see the tar file which the hacker uploaded at /var/lib/texmf/. I have changed the permissions to 000 so that you can verify the files.
The user of the files is nobody. Hence it is clear that the files were uploaded via URL injection using some vulnerable script under some domain. Unfortunately there are no helpful logs to find the exact domains and the vulnerable script. It is certain that the files were first uploaded to /tmp and then moved from there. You can see some similar hack files at /tmp/.dat, /tmp/var and /tmp/.dev12. Also the permission of /var/lib/texmf/ was 777.
You should update all your web software to the latest version so that it will include the latest security patches. Also I will recommend you to enable mod_security on your server to prevent further hacks.
Our Security Technician found yesterday a 200 user botnet on a hidden IRC server and was able to quickly email the compromised systems information (just hostname) to our abuse email. So today I spent the last 2 hours sending emails off to web hosting companies, educational institutions and corporate companies telling them that their systems have been compromised; we regularly email out systems we have found compromised. The thing that stuns me is that most of the systems we found compromised on IRC are dedicated lines between 10MBPS to 1GBPS... I found a few hosting companies and will list them so they can be found by them: