Hello,
Thank you for your response.
Of course it is almost certain that there are other “problems” with the server, in case something or someone did a “chmod -R 777” on everything! For now, if something is not causing a problem, it is not a problem. I have also noticed that in many cases the system restores the rights on most files.
About the “hackers”, I doubt it. This is a backend server (a LAN file server in essence), containing nothing of interest for a “hacker”. The way the server is set up makes it hard to get unauthorized access to it from outside (in essence it’s out of sight), and on the LAN, during the days of the supposed attack, most of the switches (and wireless access points) were turned off due to the vacations. There is a frontend server that could be hacked, with much more benefit for the “hacker”. So, considering the effort needed compared to the benefit (for example, using the server to send spam) or the pleasure (self-verification), it is not worth it. Now, having a real hacker waste his time making the extra effort to clean up all the log files makes the hacking incident even more unlikely. In other words, there must be a more defined goal for someone to go through the trouble.
If by “schoolies” you mean our students, it would be a great pleasure and surprise to discover that we have someone with the knowledge and intelligence (compared to their age) required to do something like that! It is a medium-sized school unit, I know each student personally, and most of them are children!
To be clear, I totally agree with you about determining the cause and reinstalling everything, because I have seen hackers in action in different cases. I know exactly the chaos that is usually left behind, and I would feel much more confident if everything were freshly reinstalled in those cases, but not in this one.
The reason for the above is that, when I installed the server, I had no experience at all with LINUX/UNIX systems. I did several trial-and-error attempts in order to achieve my goals. This means that there are tweaked files where it was not needed. I actually used chmod -R 777 at the time (that is, two years ago)! On the other hand, I did document extensively all the “clean” changes and steps needed in order to bring the server to an operational state meeting my needs. So a clean re-installation (not a restore from a backup that contains all my “redneckish” experiments) was on the schedule from the beginning (after getting some more experience with the system), and now that the server is not a “black box” to me (at least not to the extent it was), maybe it is time to do it anyway. The thing is that, because the school has vacations and the server can actually be shut down for days, I prefer to do it at that time. Now, if the server decides that it has to be done earlier, it is not a big deal. In an emergency I can always restore from backup or, in a couple of days, do a fresh install. It will depend on the timing.
Finally, I want to mention that the server is still running perfectly up to now (a week) and that I actually learned useful procedures that, without this incident, I would never have had the chance (or the time, because there is always time for an emergency!) to learn. In the next (inevitable) failure, I am going to learn more!