Koozali.org formerly Contribs.org

Cannot access console and server manager

Re: Cannot access console and server manager
« Reply #15 on: January 10, 2014, 02:40:50 PM »
I have already discussed with management about a donation, they agreed, so it is going to take place soon!

I feel that the more experienced I become, the more I can participate. At the moment I am still learning the basics, but it is always my pleasure to help people with the experience I get.
« Last Edit: January 10, 2014, 03:19:49 PM by antystein »

stephdl
Re: Cannot access console and server manager
« Reply #16 on: January 10, 2014, 06:46:21 PM »
So go on and never stop learning :)

This page is for you then
http://wiki.contribs.org/SME_Server:Volunteering

Do not be shy to ask what you can do, where you can find something...

A big part of the work in bugzilla is in the skills you gained on your server: read, test, think, find, report...no more

@+

See http://wiki.contribs.org/Koozali_Foundation
irc : Freenode #sme_server #sme-fr

!!! Please write your knowledge to the Wiki !!!

janet
Re: Cannot access console and server manager
« Reply #17 on: January 11, 2014, 01:36:25 AM »
antystein

Quote
Fixed!

You mean you fixed two problems you found.
There could still be more "hidden" or as yet undetected problems.

Quote
It seems that somehow all (or many) permissions on the server were changed to 777, resulting in several services not working.

I would be very concerned about that & how it happened.

Quote
Based on the fact that the server, during the period when this happened (which is actually 3 days), was not in use (meaning that no users were connected etc., i.e. it was just running "idle"), I don't have any clues as to what could have caused it. Looking now at most of the access logs for that period I can't see any strange activity, that is, evidence of hackers.

Hackers will usually delete the logs (or log entries) that their activities create.
This "not in use" period is ideally what the hackers want, a time period where their activities will go unnoticed.
There may still be other problems with that server.
If you have been hacked by "schoolies" then it may be best to install a new OS & restore from a known good backup (from before the "hacking").

I do not think you can just fix those permission issues & leave it at that; you need to determine what actually happened & how those permissions came to be changed, then you will know what the best course of action is.
Perhaps all passwords should be changed, perhaps any configuration changes you have made need to be assessed for security & vulnerability etc etc etc.
I would also do thorough tests on the hard disks to rule out disk problems.
While you say there is no external access, there is access allowed from the LAN, so anyone on the LAN could attack your server.

Any backdoor or exploit could have been installed some time ago, waiting for the appropriate time to be used.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.
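One concrete check for the situation janet describes, added here as an example and not part of any post in this thread: a small Python script (assumed to be run on the affected server with read access to the tree being scanned) that lists world-writable files and directories and estimates whether the change looks like a blanket chmod -R 777 or a targeted one. The demo_scan helper builds a constructed sample tree instead of touching a real system.

```python
import os
import stat
import tempfile

def is_world_writable(mode):
    """True when the 'other' write bit is set (0777, 0666, ...)."""
    return bool(mode & stat.S_IWOTH)

def find_world_writable(root):
    """Walk root and return {path: mode} for every world-writable file or
    directory. Symlinks are skipped (lstat) and sticky-bit directories such as
    /tmp are ignored because they are world-writable by design."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip it
            if stat.S_ISLNK(st.st_mode):
                continue
            if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX:
                continue
            if is_world_writable(st.st_mode):
                findings[path] = "%04o" % stat.S_IMODE(st.st_mode)
    return findings

def blanket_chmod_suspected(root, threshold=0.9):
    """A targeted change touches a few files; a 'chmod -R 777' touches nearly
    everything. Return (flagged, total, suspected) so the operator can tell
    the two apart before deciding between a cleanup and a rebuild."""
    total = sum(len(d) + len(f) for _, d, f in os.walk(root))
    flagged = len(find_world_writable(root))
    return flagged, total, total > 0 and flagged / total >= threshold

def demo_scan():
    """Build a constructed sample tree (not a real server) and scan it."""
    root = tempfile.mkdtemp(prefix="permscan-")
    for name, mode in (("open.txt", 0o777), ("ok.txt", 0o644)):
        p = os.path.join(root, name); open(p, "w").close(); os.chmod(p, mode)
    for name, mode in (("sub", 0o777), ("scratch", 0o1777)):
        p = os.path.join(root, name); os.mkdir(p); os.chmod(p, mode)
    hits = find_world_writable(root)
    return root, {os.path.relpath(p, root): m for p, m in hits.items()}

if __name__ == "__main__":
    root, hits = demo_scan()
    for rel, mode in sorted(hits.items()):
        print(mode, rel)
```

On a real system, point find_world_writable at directories like /etc or /usr and compare the output against package-manager verification output to separate the files the OS expects to be world-writable from the ones that are not.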

Re: Cannot access console and server manager
« Reply #18 on: January 16, 2014, 07:56:58 AM »
Hello,
Thank you for your response.

Of course it is almost certain that there are other "problems" with the server, in case something or someone did a "chmod -R 777" on everything! For now, if something is not causing a problem, it is not a problem. I have also noticed that in many cases the system restores rights on most files.

About the "hackers", I doubt it. This is a backend server (LAN file server in essence), containing nothing of interest for a "hacker". The way the server is set up makes it hard to get unauthorized access to it from outside (in essence it's out of sight), and from the LAN, on the days of the supposed attack most of the switches (and wireless access points) were turned off due to vacations. There is a frontend server that could be hacked, with much more benefit for the "hacker". So considering the effort needed compared to the benefit (for example using the server to send spam) or the pleasure (self-verification), it is not worth it. Now, having a real hacker wasting his time making the extra effort to clean up all log files makes the hacking incident more unlikely. In other words, there must be a more defined goal for someone to go through the trouble.

If by "schoolies" you mean our students, it would be a great pleasure and surprise to discover that we have someone who has the knowledge and intelligence (compared to their age) required to do something like that! It is a medium-sized school unit, I know each student personally, and most of them are children!

To be clear, I totally agree with you about determining the cause and reinstalling everything, because I have seen hackers in action in different cases. I know exactly the chaos that is usually left behind, and I would feel much more confident if everything was freshly reinstalled in those cases, but not in this one.

The reason for the above is that, when I installed the server, I had no experience at all with LINUX/UNIX systems. I did several trial and error attempts in order to achieve the goals. This means that there are tweaked files where it was not needed. I actually used chmod -R 777 at the time (that is, two years ago)! On the other hand, I did document extensively all the "clean" changes and steps needed in order to bring the server to an operational state meeting my needs. So a clean re-installation (not a restore from a backup that contains all my "redneckish" experiments) was on schedule from the beginning (after getting some more experience with the system), and now that the server is not a "black box" to me (at least compared to the state it was in), maybe it is time to do it anyway. The thing is that because the school has vacations, and the server can actually be shut down for days, I prefer to do it at that time. Now if the server decides that it has to be done earlier, it is not a big deal. I can always, in an emergency, restore from backup or, in a couple of days, do a fresh install. It will depend on the timing.

Finally I want to mention that the server is still running perfectly until now (a week) and that I actually learned useful procedures that, without this incident, I would never have had the chance (and the time, because there is always time for an emergency!) to learn. In the next (inevitable) failure, I am going to learn more!