Hi, I have a Perfect Setup Debian 5 ISPConfig 2 that was running a little over a year, but over the last couple of days I see some strange behaviour like spontaneous blackouts etc. Nothing seems to be wrong then, but I cannot access the server via SSH or whatever, so I end up restarting. This morning, from checking the email at 9 or so, I found out that the mail server was not responding and on further looking also the sites were out ... (again), so I thought that, like before, with a quick reset the thing should be up and running again... Yeah right. I have already spent all day figuring out what is wrong, reading various error messages that I found in mail.warn etc., but now I found in the Apache error log a reference that I can lead back to the system hangups... But the question is what is causing it, so my question is if any of you guys can make anything from these log files: am I under attack of some kind or what... Let me know please, cuz I am not receiving my mail either... Thanks in advance, Etienne
The lines in the log are attacks. Please check your server with rkhunter. Also make sure that you have all Linux updates installed.
Wonderful, I was already afraid of that, but the next question is what to do. I scanned with chkrootkit and rkhunter without any compromises on the site and have most updates in place; I just don't know if I have the latest update for ISPConfig. But what is the best way to get back in the saddle? At the moment I cannot connect to the site, neither remote nor local, and I would like to get it up again... without the blue pill. Any suggestions besides reinstalling a Perfect Setup again? Thanks in advance, Etienne
Any errors in your mail log? What's the output of netstat -tap? Did you check your system load with top?
The output of netstat -tap is:

Code:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:51813                 *:*                     LISTEN      1666/rpc.statd
tcp        0      0 *:mysql                 *:*                     LISTEN      1968/mysqld
tcp        0      0 *:sunrpc                *:*                     LISTEN      1655/portmap
tcp        0      0 *:81                    *:*                     LISTEN      2294/ispconfig_http
tcp        0      0 server.web-world:domain *:*                     LISTEN      2631/named
tcp        0      0 localhost:domain        *:*                     LISTEN      2631/named
tcp        0      0 *:ssh                   *:*                     LISTEN      1890/sshd
tcp        0      0 *:smtp                  *:*                     LISTEN      24569/master
tcp        0      0 localhost:953           *:*                     LISTEN      2631/named
tcp        0      0 server.web-worlds.c:ssh 192.168.123.9:1410      ESTABLISHED 17996/0
tcp        0      0 localhost:36556         localhost:www           TIME_WAIT   -
tcp6       0      0 [::]:imaps              [::]:*                  LISTEN      2059/couriertcpd
tcp6       0      0 [::]:pop3s              [::]:*                  LISTEN      2077/couriertcpd
tcp6       0      0 [::]:pop3               [::]:*                  LISTEN      2065/couriertcpd
tcp6       0      0 [::]:imap2              [::]:*                  LISTEN      2047/couriertcpd
tcp6       0      0 [::]:www                [::]:*                  LISTEN      3628/apache2
tcp6       0      0 [::]:ftp                [::]:*                  LISTEN      24404/proftpd: (acc
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      1890/sshd
tcp6       0      0 [::]:smtp               [::]:*                  LISTEN      24569/master
tcp6       0      0 localhost:953           [::]:*                  LISTEN      2631/named
tcp6       0      0 [::]:https              [::]:*                  LISTEN      3628/apache2

And what am I supposed to look at with top? Thanks, Etienne
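A way to make the netstat -tap check above less of a guessing game, as an added example that is not part of this thread: compare the LISTEN sockets against a baseline of the daemons a Perfect Setup box is expected to run (sshd, mysqld, named, the Postfix master, apache2, couriertcpd, proftpd, ispconfig_http). The baseline list and the sample output are assumptions constructed for the example, in the same format as the poster's listing; anything the script prints is simply a listener to account for, not proof of a compromise (rpc.statd and portmap, for instance, are normal when NFS support is installed).

```shell
#!/bin/sh
# Added example: audit LISTEN sockets in `netstat -tap` output against an
# expected baseline of programs. Not part of the original thread.

# Assumed baseline of programs that should be listening on this kind of host.
EXPECTED="sshd mysqld named master apache2 couriertcpd proftpd ispconfig_http"

# Constructed sample in the format of `netstat -tap` (not a real capture).
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:51813                 *:*                     LISTEN      1666/rpc.statd
tcp        0      0 *:mysql                 *:*                     LISTEN      1968/mysqld
tcp        0      0 *:sunrpc                *:*                     LISTEN      1655/portmap
tcp        0      0 *:81                    *:*                     LISTEN      2294/ispconfig_http
tcp        0      0 *:ssh                   *:*                     LISTEN      1890/sshd
tcp        0      0 *:smtp                  *:*                     LISTEN      24569/master
tcp        0      0 server:ssh              192.168.123.9:1410      ESTABLISHED 17996/0
tcp6       0      0 [::]:imaps              [::]:*                  LISTEN      2059/couriertcpd
tcp6       0      0 [::]:www                [::]:*                  LISTEN      3628/apache2
tcp6       0      0 [::]:ftp                [::]:*                  LISTEN      24404/proftpd: (acc
tcp6       0      0 [::]:https              [::]:*                  LISTEN      3628/apache2'

# Print "program local-address" for every LISTEN socket in netstat -tap
# output read from stdin. The PID/Program column is "pid/name", and proftpd
# prints a trailing colon that we strip.
listeners() {
    awk '$6 == "LISTEN" { split($7, p, "/"); sub(/:$/, "", p[2]); print p[2], $4 }'
}

# Print listeners whose program is not in EXPECTED. Exit status is 1 when
# at least one unexpected listener was found, 0 otherwise.
unexpected_listeners() {
    listeners | awk -v expected="$EXPECTED" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        !($1 in ok) { print; found = 1 }
        END { exit found ? 1 : 0 }'
}

# Usage on a live host: netstat -tap | unexpected_listeners
# Here the constructed sample is used so the script runs offline.
printf '%s\n' "$SAMPLE" | unexpected_listeners || echo "review the listeners above"
```

Listeners it reports should be matched to a package (dpkg -S on the binary) and to the process in top; a program name or port that nothing installed accounts for is the point where rkhunter and chkrootkit output deserve a second, closer look.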
Funny, if I read through the last couple of postings here, it almost looks like ISPConfig was compromised; I cannot find any other type of way... no bash files, no logs of people entering the site. Maybe I am wrong, but it looks like there is a security bug in ISPConfig 2, so maybe it is time to move on to ISPConfig 3.0 and hope this is safer.
There's no known security bug in ISPConfig 2. Your mail, POP3, and IMAP daemons seem to be running. Are there any errors in the mail log?