httpd restart fails with no access to cPanel/WHM

saqur

Member
Oct 10, 2008
22
0
51
Hi there

I don't have access to cPanel/WHM or any website on the server. When I try to restart the httpd service, this error appears:

[[email protected] ~]# service httpd restart
Syntax error on line 11 of /usr/local/apache/conf/modsec2.conf:
ModSecurity: Failed to open the audit log file: /usr/local/apache/logs/modsec_audit.log
Can anybody help me solve it?

Thanks
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
43
348
somewhere over the rainbow
cPanel Access Level
Root Administrator
The error message indicates that the /usr/local/apache/logs/modsec_audit.log cannot be opened. Does the file exist?

Code:
ls -lah /usr/local/apache/logs/modsec_audit.log
If it doesn't exist, try creating it:

Code:
touch /usr/local/apache/logs/modsec_audit.log
 

saqur

I tried to use the first command but it says:

[[email protected] ~]# ls -lah /usr/local/apache/logs/modsec_audit.log
ls: invalid option -- h
Try `ls --help' for more information.
I checked this with sftp but the "logs" dir does not exist!
Should I create it?
 

cPanelTristan

Try instead to use ls -l:

Code:
ls -l /usr/local/apache/logs/modsec_audit.log
Also, please use SSH to log into the machine rather than using sFTP.
 

saqur

Code:
[[email protected] ~]# ls -l /usr/local/apache/logs/modsec_audit.log
ls: /usr/local/apache/logs/modsec_audit.log: No such file or directory
[[email protected] ~]# touch /usr/local/apache/logs/modsec_audit.log
touch: cannot touch `/usr/local/apache/logs/modsec_audit.log': No such file or directory
What should I do now?
 

saqur

Code:
[[email protected] ~]# ls -l /usr/local/apache/logs
ls: /usr/local/apache/logs: No such file or directory
It seems that my logs folder is lost!
 

saqur

Yes it is, with some folders in it.
I think only the logs folder is lost & I don't know why?!
 

saqur

Code:
[[email protected] ~]# ls -l /usr/local/apache
total 88
drwxr-xr-x   2 root     root         4096 Sep 21 04:55 bin
drwxr-xr-x   2 root     root         4096 Apr  1 00:48 build
drwxr-xr-x   2 root     root         4096 Mar 31 22:45 cgi-bin
drwxr-xr-x   9 root     root         4096 Sep 21 18:30 conf
drwxr-xr-x   9 root     root         4096 Dec 23  2008 conf_pre_ea3
drwx--x--x  42 root     wheel       28672 Sep 21 23:31 domlogs
drwxr-xr-x   3 root     root         4096 Mar 31 22:45 error
drwxr-xr-x   6 root     root         4096 Apr  1 00:48 htdocs
drwxr-xr-x   3 root     root         4096 Mar 31 22:45 icons
drwxr-xr-x   2 root     root         4096 Apr  1 00:48 include
drwxr-xr-x   2 root     root         4096 Apr  1 00:48 lib
drwxr-xr-x   4 root     root         4096 Mar 31 22:45 man
drwxr-xr-x  14 root     root        12288 Sep 21 04:55 manual
drwxr-xr-x   2 root     root         4096 Apr  1 01:04 modules
This is the list of /usr/local/apache
 

cPanelTristan

You are going to have to create the folder:

Code:
cd /usr/local/apache
mkdir logs
After that, create any files it notes don't exist when you try to start Apache:

Code:
touch /pathtofilename
Where pathtofilename is the path and name of the file.
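
The missing paths can also be found in one pass instead of one Apache start attempt per file. This is an added example, not part of the original thread or of cPanel's tooling; the function name `modsec_missing_paths`, its output format and the default ServerRoot are assumptions, and the sample config in the demo is constructed.

```shell
#!/bin/sh
# Added example: report ModSecurity 2.x log and storage paths named in a config
# file whose file or parent directory does not exist.
# Usage: modsec_missing_paths CONF [SERVER_ROOT]
# Limitation: paths containing spaces are not handled.
modsec_missing_paths() {
    conf=$1
    root=${2:-/usr/local/apache}   # assumed ServerRoot for relative paths
    # Directive names are case-insensitive; commented lines never match
    # because their first field starts with '#'.
    awk '
        { d = tolower($1) }
        d ~ /^(secauditlog|secauditlog2|secdebuglog|secguardianlog)$/ { print "file", $2 }
        d ~ /^(secauditlogstoragedir|secdatadir|sectmpdir|secuploaddir)$/ { print "dir", $2 }
    ' "$conf" | tr -d '"' | while read -r kind path; do
        case $path in
            "|"*) continue ;;            # piped logger, not a file on disk
            /*)   ;;                     # absolute path, use as written
            *)    path=$root/$path ;;    # relative to ServerRoot
        esac
        if [ "$kind" = dir ]; then
            [ -d "$path" ] || echo "missing-dir $path"
        elif [ ! -d "$(dirname "$path")" ]; then
            echo "missing-dir $(dirname "$path")"
        elif [ ! -e "$path" ]; then
            echo "missing-file $path"
        fi
    done | sort -u
}

# Constructed sample: a throwaway ServerRoot that has conf/ but no logs/,
# mirroring the directory listing posted in the thread.
modsec_demo() {
    tmp=$(mktemp -d) && mkdir "$tmp/conf" || return 1
    cat > "$tmp/conf/modsec2.conf" <<EOF
SecRuleEngine On
SecAuditLog $tmp/logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDataDir conf
EOF
    modsec_missing_paths "$tmp/conf/modsec2.conf" "$tmp"
    rm -rf "$tmp"
}
modsec_demo
```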
 

saqur

I did it, but now I see all of my websites are hacked. I think the attack was on the server and some cPanel files are deleted, because I still cannot access WHM.
What can I do to repair cPanel/WHM?
 

cPanelTristan

The first thing you should do is check for any backups you have, then format a new machine with cPanel on it to transfer those backups for restoring them. A hacked machine at the level you are talking about (/usr/local/apache) means a root level compromise in all likelihood. They could end up leaving a backdoor on that machine to allow them access again. The best idea is to get a fresh machine up and running from backups, then check the old machine to determine how they managed to compromise it.