On 9/11 many of the scripts in /etc/init.d/ got rewritten to zero bytes. This wasn't noticed until a reboot on the next day when so many things suddenly weren't working (no network, no external disk drive or USB connections, etc.). Luckily, copying the scripts from a Debian Live CD got the network and connections running. Then copying the rest from a backup brought the system back. So all was saved with a few hours' work. My big question is how the scripts were modified/deleted. No work was done on the system on 9/11, so I can only think I was hacked into or some malicious script was able to run as root. Looking at the logs I can only find the usual suspects trying to insert known-hackable page names into the websites. All show as denied though. There is a hardware firewall running in my router with port forwarding of only the ports used. I changed my passwords to something even longer and more obscure. What other suggestions do you all have for preventing this from happening again?
No, I'll check it out. I'm really curious how someone got in if that is what happened. Also, logs often show that there are HTTP accesses to the /var/www/localhost directory. I don't know how that is done either. Access by domain name should go to /var/www/web(1,2...) and by IP should go to /var/www/sharedip.
Setting scripts to 0 size seems to me to be unusual hacker-type activity. Perhaps a rogue backup/restore script? Also give your disks a thorough checking out. And look in /lost+found for any recovered data. Might not be a hack attempt, but could be a sign of impending disk failure. Good luck!
Thanks for the response. Lost+Found is empty. fsck says the disk is ok. Only certain files in one directory were affected.