httpd restart fails with no access to cPanel/WHM

saqur

Member
Oct 10, 2008
22
0
51
Hi there

I don't have access to cPanel/WHM and any website on the server. When I try to restart httpd service this error appears:

[[email protected] ~]# service httpd restart
Syntax error on line 11 of /usr/local/apache/conf/modsec2.conf:
ModSecurity: Failed to open the audit log file: /usr/local/apache/logs/modsec_audit.log
Anybody can help me solve it?

Thanks
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
The error message indicates that the /usr/local/apache/logs/modsec_audit.log cannot be opened. Does the file exist?

Code:
ls -lah /usr/local/apache/logs/modsec_audit.log
If it doesn't exist, try creating it:

Code:
touch /usr/local/apache/logs/modsec_audit.log
 

saqur

Member
Oct 10, 2008
22
0
51
I tried to use the first command but it says:

[[email protected] ~]# ls -lah /usr/local/apache/logs/modsec_audit.log
ls: invalid option -- h
Try `ls --help' for more information.
I checked this with sftp but the "logs" dir does not exist!
Should I create it?
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
Try instead to use ls -l:

Code:
ls -l /usr/local/apache/logs/modsec_audit.log
Also, please use SSH to log into the machine rather than using sFTP.
 

saqur

Member
Oct 10, 2008
22
0
51
Code:
[[email protected] ~]# ls -l /usr/local/apache/logs/modsec_audit.log
ls: /usr/local/apache/logs/modsec_audit.log: No such file or directory
[[email protected] ~]# touch /usr/local/apache/logs/modsec_audit.log
touch: cannot touch `/usr/local/apache/logs/modsec_audit.log': No such file or directory
What should I do now?
 

saqur

Member
Oct 10, 2008
22
0
51
Code:
[[email protected] ~]# ls -l /usr/local/apache/logs
ls: /usr/local/apache/logs: No such file or directory
It seems that my logs folder is lost!
 
Last edited:

saqur

Member
Oct 10, 2008
22
0
51
Yes it is, with some folders in it.
I think only the logs folder is lost & I don't know why?!
 

saqur

Member
Oct 10, 2008
22
0
51
Code:
[[email protected] ~]# ls -l /usr/local/apache
total 88
drwxr-xr-x   2 root     root         4096 Sep 21 04:55 bin
drwxr-xr-x   2 root     root         4096 Apr  1 00:48 build
drwxr-xr-x   2 root     root         4096 Mar 31 22:45 cgi-bin
drwxr-xr-x   9 root     root         4096 Sep 21 18:30 conf
drwxr-xr-x   9 root     root         4096 Dec 23  2008 conf_pre_ea3
drwx--x--x  42 root     wheel       28672 Sep 21 23:31 domlogs
drwxr-xr-x   3 root     root         4096 Mar 31 22:45 error
drwxr-xr-x   6 root     root         4096 Apr  1 00:48 htdocs
drwxr-xr-x   3 root     root         4096 Mar 31 22:45 icons
drwxr-xr-x   2 root     root         4096 Apr  1 00:48 include
drwxr-xr-x   2 root     root         4096 Apr  1 00:48 lib
drwxr-xr-x   4 root     root         4096 Mar 31 22:45 man
drwxr-xr-x  14 root     root        12288 Sep 21 04:55 manual
drwxr-xr-x   2 root     root         4096 Apr  1 01:04 modules
This is the list of /usr/local/apache
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
You are going to have to create the folder:

Code:
cd /usr/local/apache
mkdir logs
After that, create any files it notes don't exist when you try to start Apache

Code:
touch /pathtofilename
Where pathtofilename is the path and name of the file.
 

saqur

Member
Oct 10, 2008
22
0
51
I did it. but now I see all of my websites are hacked. I think the attack was on the server and some cpanel files are deleted, because I still can not access to WHM.
What can I do to repair cpanel/WHM?
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
The first thing you should do is check for any backups you have, then format a new machine with cPanel on it to transfer those backups for restoring them. A hacked machine at the level you are talking about (/usr/local/apache) means a root level compromise in all likelihood. They could end up leaving a backdoor on that machine to allow them access again. The best idea is to get a fresh machine up and running from backups, then check the old machine to determine how they managed to compromise it.