The Community Forums


911 !! One account reverted to default on its own!

Discussion in 'General Discussion' started by ryno267, Apr 20, 2004.

  1. ryno267

    ryno267 Well-Known Member

    Joined:
    Mar 3, 2004
    Messages:
    212
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chandler, AZ
    cPanel Access Level:
    Root Administrator
    We first started to notice that we had email problems, where every email on our site was not working in Outlook, yet outgoing was working fine.
    Then we noticed that our SITE WAS DOWN!

    I logged into ftp and there was NO MORE public_html folder and the link from /www to /public_html was no longer valid.
    ALL of the email addresses on the domain were gone, yet the databases remained intact. The cpanel contact info thing up top was deleted and asking to be updated as if it were a new account.
    There was nobody in the cpanel or whm today either. Only myself and my head programmer have those passwords. We work closely and were not in there at all messing with anything.
    All other accounts on our server were working and untouched - all emails and everything fine.

    How the Hell could this happen? Luckily I was just able to create a new /public_html folder and reupload everything since the databases were still intact and untouched.

    PLEASE can somebody help with any ideas of why this could happen and what we can do to STOP this from EVER happening again?


    edit / I did just change all my passwords too btw...

    rYno
     
    #1 ryno267, Apr 20, 2004
    Last edited: Apr 20, 2004
  2. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    Somebody probably accidentally deleted public_html. Either they don't know it or they're too embarrassed to admit it. I've had clients do this before.
     
  3. ryno267

    The thing is - myself and my lead programmer are the ONLY ones to touch it. This was our site - not a client's.

    Is there any chance of a hack maybe?

    Without knowing the cause - I'm nervous to the fact that it could happen again? :confused:
     
  4. casey

    Sure, there's always a chance you were hacked. Easy password? Have you run chkrootkit and checked tmp for suspicious files? If public_html was simply missing, though, my gut feeling is that somebody accidentally deleted it.
     
  5. ryno267

    ok...

    questions

    root: /tmp

    That temp dir? If ya.. all that's in there is my mmcache/ temp stuff and a handful of sess_00-longnumbers- unexpired sessions I'm assuming.

    And in the directory of the account that this happened to - /home/username/ the /tmp dir has the same stuff in it.


    I'm also not too familiar with the 'chkrootkit' either. I tried ./chkrootkit in the /scripts dir but I must be dumb. :rolleyes:

    < EDIT:::>
    I researched chkrootkit and installed the latest tarball into my /usr/local/ dir and ran it... Nothing was infected and no suspect files found... This makes me a little more happy but none-the-less confused... sheesh...
    </ EDIT>

    thnx for all the help btw!

    rYno
     
    #5 ryno267, Apr 21, 2004
    Last edited: Apr 21, 2004
  6. casey

    I can't claim to be an expert. I'm just a newbie myself, but if your loads and memory usage are normal and chkrootkit doesn't show anything then I still say that public_html was deleted accidentally either by ftp or a faulty script.
     
  7. ryno267

    Well - I'm keeping my eyes peeled...

    thanks again for the help man. :D

    rYno
     