Re: [cobalt-users] Strange RaQ3 Crash...PHP???
- Subject: Re: [cobalt-users] Strange RaQ3 Crash...PHP???
- From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
- Date: Mon Mar 11 07:02:04 2002
- Organization: nobaloney.net
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Bradley Caricofe wrote:
> One of my RaQ 3's is dedicated to a single somewhat busy ecommerce site.
> I've had this site on the RaQ for almost 3 months with no problems. The box
> is secured as tightly as I can make it with all Cobalt patches applied,
> ports trimmed and services like ftp running only when they need to be. Over
> the weekend, I installed the latest mySQL pkg from pkgmaster and then PHP
> 4.1.2 from source. Both seemed to be working as flawlessly as they can and
> I had vBulletin board running quite smoothly.
> My isp apparently ran into some problems
> bringing the server back up but two hours later it is up and running,
> however all traces of my php installation are GONE.
This sounds like they did a restore from a backup made before you
upgraded your RaQ. Can you look at your bbs posts to see if there are
any made after you upgraded your RaQ; the absence wouldn't prove
anything, but the presence would prove my theory wrong <wry grin>.
> I haven't been able to determine the exact cause of the crash yet, I just
> know I was messing with a php based application when it happened. Has
> anyone had any similar issues with php or with a RaQ3? I remember thinking
> to myself that I needed to order an additional IP for the bulletin board, as
> it was the only login on the site that was not ssl secured and all my other
> ip's were being used. Is it possible that someone sniffed my bulletin board
> password and exploited something within php which resulted in it
> uninstalling or corrupting itself?
Anything's possible. Even breakins/hacks that aren't found by
chkrootkit.
> The server is probably in need of rebuilding, many, many files located
> throughout the system have strings of
> UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU all throughout them. I'm told by
> the isp that these are artifacts of a disk restore they had to do?
Much more likely artifact of a broken hard disk? I think the hard disk
is in need of replacement; certainly complete restore from format up
<frown>.
> My
> system was never backed up by these folks that I know of, so I'm not sure
> what the disk restore process they are referring to entails.
I presume you'll ask them. That's the only way to find out.
> I don't want
> to rebuild this system until I know what happened. Logs on the server don't
> show much at all, they just stop recording when it crashed and start again
> when it came up 2 hours later. I did run the latest version of chkrootkit,
> it says all good. Can anyone tell me where else to look for info on what
> caused this?
At your ISP for information on what they rebuilt it from, for starters.
My guess is they'll tell you they simply did an fsck and the system came
back up.
Sounds like you will be down for long enough to do a complete restore
<frown>.
You can use cmu to migrate the sites, then tar up the cmu's directory
structure and save it somewhere, then move it back and restore... but if
so you risk losing a lot of data from those funny looking files.
Jeff
--
Jeff Lasman <jblists@xxxxxxxxxxxxx>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA 92517
voice: (909) 778-9980 * fax: (702) 548-9484
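
An added example, not part of the original post: a Python sketch that inventories files containing long runs of the "U" (0x55) byte described in the thread, so the damaged files are known before anything is migrated or restored. The 32-byte threshold, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

MIN_RUN = 32  # assumption: shorter runs of "U" also occur in healthy files

def longest_u_run(path, chunk_size=65536):
    """Return (offset, length) of the longest run of 0x55 ("U") bytes in path."""
    best = (-1, 0)
    run_len = pos = 0
    with open(path, "rb") as fh:
        while buf := fh.read(chunk_size):
            if run_len or 0x55 in buf:              # skip clean chunks quickly
                for i, b in enumerate(buf):
                    if b != 0x55:
                        run_len = 0
                    elif (run_len := run_len + 1) > best[1]:
                        # run_len carries across chunks; start = end - length + 1
                        best = (pos + i - run_len + 1, run_len)
            pos += len(buf)
    return best

def scan_tree(root, min_run=MIN_RUN):
    """Return sorted (path, offset, length) hits; unreadable files get (-1, -1)."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue                            # skip symlinks, devices, sockets
            try:
                hit = (path, *longest_u_run(path))
            except OSError:
                hit = (path, -1, -1)                # read error: suspect on a bad disk
            if hit[2] < 0 or hit[2] >= min_run:
                hits.append(hit)
    return sorted(hits)

def demo():
    """Scan constructed sample files (not data from the original post)."""
    with tempfile.TemporaryDirectory() as d:
        samples = {"clean.conf": b"User nobody\nUUID=1234\n",
                   "damaged.db": b"header" + b"U" * 40 + b"tail"}
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return [(os.path.basename(p), off, n) for p, off, n in scan_tree(d)]

if __name__ == "__main__":
    print(demo())
```

Point `scan_tree()` at the directory tree that is about to be migrated; entries reported with `-1, -1` are files that could not be read at all.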