Incorrect Document Root , how to fix it?

M

melsy

New member
Joined
Dec 28, 2008
Messages
3
Dear Support Staff,

Unfortunately we have faced with a strange issue, please help us. The server experienced a very hard DDOS attack last night, we had no choice except with removing the client's host account. We removed the hosting account of target site. We also changed the DNS values in domain control panel (we had the control on Domain Settings as well). After the server came up, we found that the mysql was crashed. We repaired the crashed tables manually.

The problem is that we have already removed the hosting account of target site but it is still showing in DirectAdmin Site List. There is no VirtualHost running in ListeSpeed control Panel related to this domain. This hosting account (or what seems to be) cannot be removed through DirectAdmin Site Manager, also when I have surfed via File Manager (for the target site) it shows several files and directory are related to system, instead of correct document root data. Also there is no folder about removed website in /home/ directory where all sites root documents are in.

There is not configuration regarding VirtualHost about the target website in httpd.conf as well.

Please help us, how can we fix this problem? :confused:

Regards,
 
This hosting account (or what seems to be) cannot be removed through DirectAdmin Site Manager
Click to expand...

Why not? Do you get some kind of error? Please post the error.
 
I did not try anymore!

Thanks for reply,

I actually have to mention that I feared removing it once more because it contains sensitive files and folders such "dev", "boot", "etc", "home", ... now.
But when I try to suspend the account it says : "unable to lock user USERID:"

How do you think about this issue?

Regards,
 
Perphas it was more than a DDOS attack? perhaps your server is compromised?

Why should your site contain dev, boot, etc, home files?

I think you might want to either completely rebuild, or have some forensic specialist log into your server and look into the issue.

Jeff
 
No, I could not any glue of a Compromised Server!

However I have check all processes are running on the server by using command of "top", but no strange process was running. The only process that is using CPU more than others is "mysqld". It is about 50% but not all the time, however the litespeed server shows the CPU usage about 0.4%. Do you know how can I check it more?

Also the username and password for the Target Website is inactive and does not work. It contains those folder when I login as Admin into that account.

Please guide me how can I check that my server is compromised or not?

Thanks
 
If your server has been compromised then you cannot trust any of the commands that were on the server at the time. You need to get the commands from a cd or another server and run those instead.
 
You must log in or register to reply here.
Back
Top