RE: [cobalt-users] Strange RaQ3 Crash...PHP???
- Subject: RE: [cobalt-users] Strange RaQ3 Crash...PHP???
- From: Bradley Caricofe <caricofe@xxxxxxxxxxx>
- Date: Mon Mar 11 14:06:07 2002
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> -----Original Message-----
> Can you list the names of some of these files? Are they config files in
> /etc, webpages, etc.? Were they files that existed beforehand? It would
> probably be helpful if you posted a list with file names, paths, ownership
> and permissions and possibly links to a few on the web so we can take a
> look. What you found is *very* suspicious.
The files containing new strings of garbage are scattered all over the
computer. The httpd conf had them in it as did html pages in /home/sites
and interchange configuration files at /usr/local/interchange. I haven't
checked the whole server but I'm assuming that files all over it have these
characters in them.
> Ask if they restored from the OS restore CD. If they did and your sites and
> users are still there, they must have backed them up first or already had
> them backed up somewhere. If they're not backing the server's files up
> regularly I hope you are. Be proactive. Don't create and test a backup and
> recovery system after you need it. Have one in place before you need it.
Luckily I backed up 3 times last week, so rebuilding the server should be a
much easier hassle.
> Any possibility that the server's connection to the internet went down for 2
> hours? That someone pulled the connection out of the back of the server
> accidentally? Was cron still running? See /var/log/cron. If you're just
> referring to the Apache logs, that may just mean that Apache was down. If
> the ISP reloaded the OS from the OS restore CD none of the logs should be
> there. I suggest you find out exactly what this restore they did entailed.
All the logs on the server, cron, message, lastlog, httpd access and error,
and a few others, all stop recording at 9:30:00 am, and do not start again
until the server came back online around noon. Strangely, the server didn't
go down until approximately 9:41am.
> I'd start by getting better explanations from your ISP. You may want
> someone with troubleshooting and security experience to take a peek in the
> box too. I do this kind of thing all the time. If I were in your shoes and
> thought there may have been a security vulnerability I'd strongly consider
> re-installing the OS. But at this point you really don't have enough good
> information to know what happened.
Oh, we're definitely going to reload the entire OS, but I'd really like to
know what happened before we do, so we can hopefully prevent it in the
future. The ISP was helpful in that they got the machine back up and
running, but as is their nature they have answered none of my requests
since.
thanks Steve,
Brad
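
Added example, not part of the original message: a small Python check for the symptom discussed in this thread, where several independent logs all go quiet at the same moment. It finds the largest silent window in each log and reports the window they share. The log lines, host name and addresses are constructed samples, and the code assumes every log is stamped in the server's local time.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not taken from the poster's server): a syslog-style
# cron log and an Apache common-format access log that both stop at 09:30:00.
SAMPLE_LOGS = {
    "cron": [
        "Mar 11 09:20:00 www CROND[811]: (root) CMD (run-parts /etc/cron.hourly)",
        "Mar 11 09:30:00 www CROND[902]: (root) CMD (/usr/lib/sa/sa1 1 1)",
        "Mar 11 12:02:11 www CROND[455]: (root) CMD (/usr/lib/sa/sa1 1 1)",
    ],
    "httpd-access": [
        '192.0.2.10 - - [11/Mar/2002:09:29:41 -0500] "GET / HTTP/1.0" 200 5120',
        '192.0.2.11 - - [11/Mar/2002:09:30:00 -0500] "GET /a.html HTTP/1.0" 200 811',
        '192.0.2.12 - - [11/Mar/2002:12:01:37 -0500] "GET / HTTP/1.0" 200 5120',
    ],
}

SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})")
CLF_RE = re.compile(r"\[(\d{2}/[A-Z][a-z]{2}/\d{4}:\d{2}:\d{2}:\d{2}) ")

def parse_ts(line, year):
    """Return the line's timestamp, or None if it has no recognised stamp."""
    m = SYSLOG_RE.match(line)
    if m:  # syslog stamps carry no year, so the caller supplies it
        return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    m = CLF_RE.search(line)
    if m:  # the UTC offset is ignored: local time is assumed throughout
        return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
    return None

def largest_gap(lines, year):
    """Return (last_entry_before, first_entry_after) for the longest silence."""
    stamps = sorted(t for t in (parse_ts(l, year) for l in lines) if t)
    gaps = [(b - a, a, b) for a, b in zip(stamps, stamps[1:])]
    if not gaps:
        return None
    _, start, end = max(gaps)
    return start, end

def common_silence(logs, year, min_gap=timedelta(minutes=30)):
    """Window in which every log is silent, or None if they do not overlap."""
    windows = []
    for lines in logs.values():
        gap = largest_gap(lines, year)
        if gap is None or gap[1] - gap[0] < min_gap:
            return None  # at least one log kept writing, so nothing is shared
        windows.append(gap)
    start = max(w[0] for w in windows)
    end = min(w[1] for w in windows)
    return (start, end) if start < end else None

if __name__ == "__main__":
    print(common_silence(SAMPLE_LOGS, 2002))
```

A shared window that opens before the time the machine is known to have gone down, as in the 9:30 versus 9:41 observation above, is worth recording before the OS is reloaded and the logs are lost.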