Disk space

incka
12-17-2004, 06:21 AM
I just got this from my server:

Drive Warning: /hda2 (/usr) is 88% full

3 days ago it was 78%.

I haven't uploaded anything in that time. What the heck is the /hda2 drive anyway?

Chris
12-17-2004, 06:38 AM
Possibly the location of a log file or the mail spool.

moonshield
12-17-2004, 07:32 AM
I don't know... Logs and mail are usually kept under /var. /usr contains mostly just installed programs shared over that computer...

Which distro are you using?

MarkB
12-17-2004, 08:06 AM
Are you using a caching system which stores files, and doesn't clean itself out?

AndyH
12-17-2004, 08:24 AM
SSH into the server

cd /usr/local/apache/domlogs

rm *

"y" to every file.

Go into WHM -> Server Settings, then make the log files be deleted every time they are run.

incka
12-17-2004, 08:59 AM
OK, now I need to find some technical wiz kid to do that for me for a fiver...

MarkB
12-17-2004, 09:25 AM
Or, do it yourself (he posted instructions, even!).

incka
12-17-2004, 10:37 AM
Yeah, but it sounds boring and I've turned into a technophobe recently...

moonshield
12-17-2004, 11:30 AM
a technophobe? Already?

chromate
12-17-2004, 11:53 AM
I'll do it for £5 :) pm me if you really want.

MarkB
12-17-2004, 11:57 AM
Incka, if you're running your own server without a maintenance contract on it, then you really should learn. What if the kid who'll do it for a fiver doesn't KNOW what he's doing? (Or will happily compromise your system?)

Although I'm sure chromate isn't that kid :D

incka
12-17-2004, 12:32 PM
Nah, I've got a guy from Estonia who likes Kraftwerk and has long gray hair but is only 18 to do it... And I'm not lying...

moonshield
12-18-2004, 08:15 AM
lol, doing it yourself would save money. A penny saved is a dollar made in my books.

Yes I cook my books.. :)

AndyH
12-19-2004, 05:58 AM
It really doesn't get any easier than the directions I posted...

incka
12-19-2004, 06:53 AM
Yeah, but SSH scares me, I'm sure I could easily ruin my server using it...

chromate
12-19-2004, 09:57 AM
Have you never used DOS? It's not that different.

incka
12-22-2004, 05:28 AM
I've used dos prompt.....

Chromate, can you still fix the problem for a fiver?

chromate
12-22-2004, 05:31 AM
No, I'll do it for free. Wouldn't feel right charging for it. It's too easy :) PM me with the server details.

incka
12-22-2004, 08:46 AM
In fact, that Estonian guy is back now and has done it. He also updated my php at the same time, for free...

MarkB
12-22-2004, 09:20 AM
Did you ask him to?

incka
12-22-2004, 09:36 AM
Estonian guy, yeah, he was on my server upgrading all my forums for some reason, so I got him to do that at the same time.

MarkB
12-22-2004, 09:58 AM
Wow, seems like a hell of a guy... :-|

The New Guy
12-22-2004, 10:07 AM
Installing one hell of a backdoor ;)

MarkB
12-22-2004, 10:17 AM
I didn't want to say that :p

incka
12-22-2004, 03:20 PM
I wouldn't trust him unless I knew a guy who owns a forum with over 2 million posts who uses him to do all the technical stuff for it...

moonshield
12-22-2004, 04:38 PM
Speaking of upgrades... everybody has remembered to upgrade php right?

incka
12-23-2004, 02:59 AM
My server provider have emailed me about unusual ssh to my server... Think it's just the drive changing and the upgrading of php?

AndyH
12-23-2004, 04:04 AM
My server provider have emailed me about unusual ssh to my server... Think it's just the drive changing and the upgrading of php?

Paste the email they sent?

Upgrading PHP via SSH prompt is not classed as "unusual SSH" so no, no I don't think it would be.

What does "drive changing" mean?

MarkB
12-23-2004, 04:56 AM
Very interesting... Perhaps they're concerned about an Estonian IP being logged for SSH access (he didn't log into SSH with root, did he? But su-ed once he was in there with a standard login?)

incka
12-23-2004, 05:39 AM
Here is support ticket:

(awood-12/22/04-20:58):
We have received reports of unauthorized SSH access attempts coming from your server at 67.19.162.98. Please investigate and address this issue immediately. I have attached report.txt to this ticket for your review, which details the unauthorized traffic.

If you need assistance in this matter, please let us know. We are happy to help.

Please update us as soon as this has been resolved, thanks!
--------------------------------------
(c20321inck-12/23/04-03:49):I'm not very technical so I don't understand from report.txt what the problem is. Could you give me a simple description of the problem. I did recently get someone to do something in shell to stop one of my drives, hda2 or something, becoming full. Perhaps that is what happened, or perhaps it was when he updated PHP.
--------------------------------------
(c20321inck-12/23/04-06:32):I contacted the guy on msn messenger and this was what he said:

PHP-5.0.3 voila says:
nope
ok
it doesn't seem to be me
those login attempts are too close for me
and i already had the right addresses and codes yesterday
--------------------------------------
(c20321inck-12/23/04-06:32):Does this mean there is a security problem on my server?

incka
12-23-2004, 05:41 AM
Here is the first half of the report they sent me:






The remote system 98.67-19-162.reverse.theplanet.com was found to have exceeded acceptable login failures on host178.holyou.net. As such the attacking host has been banned from further accessing this system; for the integrity of your host you should investigate this event as soon as possible.



The following are event logs for exceeded login failures from 98.67-19-162.reverse.theplanet.com on service sshd (all time stamps are GMT +0800):

----

- Executed actions:

/etc/apf/apf -d 98.67-19-162.reverse.theplanet.com



- Log events from /var/log/messages:

Dec 22 20:53:59 host178 sshd(pam_unix)[11006]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:53:59 host178 sshd(pam_unix)[11008]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:00 host178 sshd(pam_unix)[11010]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:01 host178 sshd(pam_unix)[11012]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:01 host178 sshd(pam_unix)[11014]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:02 host178 sshd(pam_unix)[11016]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:02 host178 sshd(pam_unix)[11018]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:03 host178 sshd(pam_unix)[11020]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:04 host178 sshd(pam_unix)[11022]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:04 host178 sshd(pam_unix)[11024]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:04 host178 sshd(pam_unix)[11026]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:04 host178 sshd(pam_unix)[11028]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:05 host178 sshd(pam_unix)[11030]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:06 host178 sshd(pam_unix)[11032]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:06 host178 sshd(pam_unix)[11034]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:07 host178 sshd(pam_unix)[11036]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:07 host178 sshd(pam_unix)[11038]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:08 host178 sshd(pam_unix)[11040]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:08 host178 sshd(pam_unix)[11042]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:09 host178 sshd(pam_unix)[11044]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:09 host178 sshd(pam_unix)[11046]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:09 host178 sshd(pam_unix)[11048]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:10 host178 sshd(pam_unix)[11051]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:11 host178 sshd(pam_unix)[11054]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:11 host178 sshd(pam_unix)[11056]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:12 host178 sshd(pam_unix)[11059]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:12 host178 sshd(pam_unix)[11061]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:12 host178 sshd(pam_unix)[11067]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:13 host178 sshd(pam_unix)[11070]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:13 host178 sshd(pam_unix)[11076]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:14 host178 sshd(pam_unix)[11078]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:14 host178 sshd(pam_unix)[11080]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:15 host178 sshd(pam_unix)[11090]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:16 host178 sshd(pam_unix)[11092]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:16 host178 sshd(pam_unix)[11094]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:17 host178 sshd(pam_unix)[11096]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:17 host178 sshd(pam_unix)[11098]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:17 host178 sshd(pam_unix)[11103]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:18 host178 sshd(pam_unix)[11105]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:18 host178 sshd(pam_unix)[11107]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:19 host178 sshd(pam_unix)[11109]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:19 host178 sshd(pam_unix)[11111]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:20 host178 sshd(pam_unix)[11114]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:21 host178 sshd(pam_unix)[11116]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:21 host178 sshd(pam_unix)[11118]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:21 host178 sshd(pam_unix)[11120]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:22 host178 sshd(pam_unix)[11122]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:22 host178 sshd(pam_unix)[11125]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:23 host178 sshd(pam_unix)[11128]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:23 host178 sshd(pam_unix)[11130]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:24 host178 sshd(pam_unix)[11132]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:24 host178 sshd(pam_unix)[11134]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:25 host178 sshd(pam_unix)[11136]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:26 host178 sshd(pam_unix)[11138]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:26 host178 sshd(pam_unix)[11140]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

Dec 22 20:54:26 host178 sshd(pam_unix)[11143]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=98.67-19-162.reverse.theplanet.com

MarkB
12-23-2004, 05:56 AM
What did report.txt say?

incka
12-23-2004, 05:58 AM
That's what I posted above.

incka
12-23-2004, 05:58 AM
That's a hacker script trying to guess the password isn't it...

r2d2
12-23-2004, 06:37 AM
With several attempts per second, that would seem to be a likely candidate...
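
The rate check behind that reading of the report, as an added example that is not part of the original thread: it parses `sshd(pam_unix)` failure lines in the format shown in report.txt and flags any `rhost` whose failures exceed a limit inside a sliding window. The sample lines are constructed, and the 5-failures-per-60-seconds threshold and the function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the report's log format. The rhost names, PIDs and the
# "Accepted password" line are made up for this example, not taken from the thread.
FMT = ("Dec 22 20:54:{:02d} host178 sshd(pam_unix)[{}]: authentication failure; "
       "logname= uid=0 euid=0 tty=NODEVssh ruser= rhost={}")
SAMPLE = "\n".join(
    [FMT.format(i // 2, 11000 + 2 * i, "scanner.example.net") for i in range(8)]
    + [FMT.format(30, 12001, "admin.example.org"),
       "Dec 22 20:54:31 host178 sshd[12003]: Accepted password for admin from 192.0.2.10",
       FMT.format(59, 12005, "admin.example.org")])

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\(pam_unix\)\[\d+\]: "
    r"authentication failure;.*\brhost=(?P<rhost>\S+)")

def parse(text, year=2004):
    """Yield (timestamp, rhost) for every sshd pam_unix failure line in text."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            # syslog timestamps omit the year, so the caller supplies it
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["rhost"]

def flag_bruteforce(events, max_failures=5, window=timedelta(seconds=60)):
    """Return {rhost: peak failures inside any one window} for hosts over the limit."""
    recent = defaultdict(deque)   # rhost -> failure times still inside the window
    peak = defaultdict(int)
    for ts, rhost in sorted(events):
        q = recent[rhost]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        peak[rhost] = max(peak[rhost], len(q))
    return {host: n for host, n in peak.items() if n > max_failures}

if __name__ == "__main__":
    for host, n in flag_bruteforce(parse(SAMPLE)).items():
        print(f"{host}: {n} failures within 60s, candidate for a firewall block")
```

The two spaced-out failures from the second constructed host stay under the limit, which is the distinction between a mistyped password and a script.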

MarkB
12-23-2004, 07:11 AM
Sorry, didn't see the thread had gone to another page.

Definitely summat fishy there. My guess is someone's using another server to try and use brutal force methods to get into other servers. (I get at least 1 brutal force attack on my server a day; my firewall just boots the connection and blocks the IP)

incka
12-23-2004, 08:26 AM
Stupid hackers, why can't they learn to make websites for profit instead of ruining them for fun, or if they hack websites, make hacking gangs that only hack other hacking gangs' websites..

MarkB
12-23-2004, 08:44 AM
Put some security systems in place on your server and you needn't worry (as much).

moonshield
12-23-2004, 10:27 AM
That's unfortunate, same with your htmlforums.

moonshield
12-23-2004, 10:28 AM
My ssh boots people off after 2 missed passwords... Interesting that yours didn't

incka
12-23-2004, 10:30 AM
'_Seri4l_Kill3r_ ownz ur server, aedin um abraco' is what it says.

moonshield
12-23-2004, 10:32 AM
typical hacker, more properly cracker name. I really do hate crackers.

Blue Cat Buxton
12-23-2004, 10:35 AM
Was this the phpbb vulnerability?

moonshield
12-23-2004, 10:38 AM
It was the vulnerability within PHP itself, something to do with the Searlize() function... Upgrading to PHP 4.3.10+ should do the trick, or at least I hope!

incka
12-23-2004, 10:54 AM
My php is version 5.0.3 I think.

r2d2
12-23-2004, 11:01 AM
'_Seri4l_Kill3r_ ownz ur server, aedin um abraco' is what it says.

Is what what says?

MarkB
12-23-2004, 12:13 PM
It's unfortunate that we must take seriously people who choose to call themselves _Seri4l_Kill3r_ :)

incka
12-23-2004, 01:57 PM
http://www.htmlforums.info

Seen as though I don't use that site I made a parody of the hacker :P

Top post is his, second is mine...

moonshield
12-23-2004, 02:42 PM
somewhat dangerous thing to do Sean...