Server error, please try again later

Divinum Fiat

Hi all,

For some unexplainable reason I got logged out of my forum and when I try logging back in I get the message "server error, please try again later."

The page is frozen at that error page and no matter what tabs I click, I can't move away from the error page.

Does anyone have an idea of what this could be related to (my other domains, that share the same server, are up and running fine)?
 
??? if the server has been compromised and not just by a script kiddie you will never find any login data for this, so you can't be sure that the server is not compromised.

mysql has some security issues which will not be fixed before the next patch day... which is ???

ssh access should only be possible through key-file auth, and only for those who need it.

with some small code you can be informed about ssh logins. I'm not a centos guru but on debian-based systems you will for ex. add:
Code:
echo 'ALERT - Root Shell Access on:' $(date) $(who) | mail -s "Alert: Root Access from $(who | cut -d"(" -f2 | cut -d")" -f1)" your@mail.tld
inside your ".profile" file. this will be sent directly and long before an attacker can darken his work.

as everything is totally open/unclear and you don't know what was/is going on at the server I personally would never ever set such a server online without a serious analysis.

and an info such as "we can't restart your server" would anyway be the "death shot" for that hoster.

all of you who try to help Blueprint4Love should think about that responsibility. server admin is not an easy task, which I know from more than 20 years with my own servers.
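Added example, not part of the original post: a variant of the login alert above that takes the client address from sshd's `SSH_CONNECTION` variable, so the subject names only the session being opened rather than every address `who` lists, and that fires only for interactive shells. The function names and `ALERT_TO` are hypothetical; `your@mail.tld` is the post's placeholder address.

```shell
#!/bin/sh
# Added example for ~/.profile or ~/.bash_profile (bash reads .bash_profile
# instead of .profile when both exist). Names below are hypothetical.

ALERT_TO="your@mail.tld"   # placeholder address, as in the post

# $1 = value of SSH_CONNECTION: "client_ip client_port server_ip server_port".
# sshd sets it per session, so it identifies this login only.
alert_source() {
    if [ -n "${1:-}" ]; then
        printf '%s\n' "${1%% *}"      # keep the first field: client address
    else
        printf 'local console\n'      # no sshd involved (console, su, ...)
    fi
}

# $1 = user name, $2 = SSH_CONNECTION value. Always a single line, even when
# several sessions are open (multi-line `who` output would break a subject).
alert_subject() {
    printf 'Alert: shell access as %s from %s\n' "$1" "$(alert_source "${2:-}")"
}

# Body keeps the original's date and `who` listing for context.
alert_body() {
    printf 'ALERT - shell access on: %s\n' "$(date)"
    printf 'User: %s\nSSH_CONNECTION: %s\n\nSessions:\n' "$1" "${2:-none}"
    who
}

send_login_alert() {
    user=$(id -un)
    alert_body "$user" "${SSH_CONNECTION:-}" |
        mail -s "$(alert_subject "$user" "${SSH_CONNECTION:-}")" "$ALERT_TO"
}

# Only interactive shells trigger the mail, so scripted or non-interactive
# shells that source this file stay quiet and are not slowed down.
case $- in
    *i*) command -v mail >/dev/null 2>&1 && send_login_alert ;;
esac
```

Because the file lives in the account's home directory, anyone who obtains a shell as that user can edit it afterwards; the alert is useful for the first login, not as a tamper-proof record.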
 
Hi Cool, thank you for your post. I'm not quite sure my understanding of tech is polished enough to understand what you are saying. Maybe someone else knows?

Jake is looking into things now. It's not just doing the backup restore, it's also fixing the hole they dug so they can't get back in. It seems to have been pretty easy for them to do.
 
??? if the server has been compromised and not just by a script kiddie you will never find any login data for this, so you can't be sure that the server is not compromised.

mysql has some security issues which will not be fixed before the next patch day... which is ???

ssh access should only be possible through key-file auth, and only for those who need it.

with some small code you can be informed about ssh logins. I'm not a centos guru but on debian-based systems you will for ex. add:
Code:
echo 'ALERT - Root Shell Access on:' $(date) $(who) | mail -s "Alert: Root Access from $(who | cut -d"(" -f2 | cut -d")" -f1)" your@mail.tld
inside your ".profile" file. this will be sent directly and long before an attacker can darken his work.

as everything is totally open/unclear and you don't know what was/is going on at the server I personally would never ever set such a server online without a serious analysis.

and an info such as "we can't restart your server" would anyway be the "death shot" for that hoster.

all of you who try to help Blueprint4Love should think about that responsibility. server admin is not an easy task, which I know from more than 20 years with my own servers.
I've added that to .bash_profile, and it's now working

[Image: root_access.webp]

I've set up a forwarder to send a copy of the e-mail to Blueprint4Love

I've also been doing server admin for the last 9 years, and I don't claim to be a security expert. I can set them up, and secure them myself, but beyond what I've already checked, it should be left to a proper security expert specifically offering those services.

This VPS has been left basically as it came out of the box from Hostgator. I personally think it was only recently updated by Hostgator when they updated php and mysql.

ssh access should only be possible through key-file auth, and only for those who need it.
Exactly. My servers don't allow direct root access, they only allow key-file auth, and SSH is moved to a non-standard port.
 
MattW, can you look through the access logs and search for the offending IP addresses (Blueprint4Love should be able to give you a list of the IP addresses)?
From the server access logs, you should be able to determine where the entry point was. This will give you huge clues of how / what they have done.

If it is a brute force of the admin account from the forum login, then it is what I saw and mentioned a long time ago... It will be fixed, but apparently not outside of a 1.2 release



I take it that's your host that said that, or a forum user's post?
Access logs going back to 30th November

root@blu [/home/corefree/access-logs]# less corefreedom.com | grep admin.php | awk '{print $1}' | sort -n | uniq -c | sort -nr
2750 XXX.XXX.XXX.XXX
587 216.19.26.155
177 124.121.170.5
84 XXX.XXX.XXX.XXX
9 XXX.XXX.XXX.XXX
7 XXX.XXX.XXX.XXX
1 46.119.119.195

I've replaced mine, Jake's, Chris's and Blueprint4Love's IP addresses with XXX.XXX.XXX.XXX
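Added example, not part of the original post: the same per-IP count of `admin.php` requests, extended to split out POSTs, show first and last timestamps, and leave out the admins' own addresses. It assumes Apache combined log format; the function names and sample log lines are constructed (documentation IP ranges, made-up dates).

```shell
#!/bin/sh
# Added example: per-IP triage of admin.php requests in an access log.

# Constructed sample lines; addresses come from documentation ranges.
sample_log() {
cat <<'EOF'
203.0.113.50 - - [09/Dec/2012:22:01:10 -0600] "GET /admin.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.50 - - [09/Dec/2012:22:01:12 -0600] "POST /admin.php HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
203.0.113.50 - - [09/Dec/2012:22:01:13 -0600] "POST /admin.php HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2012:03:14:07 -0600] "POST /admin.php?tools/ HTTP/1.1" 303 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Dec/2012:09:00:00 -0600] "GET /admin.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2012:03:15:00 -0600] "GET /index.php HTTP/1.1" 200 900 "http://example.test/admin.php" "Mozilla/5.0"
EOF
}

# admin_hits LOG [KNOWN_IP ...]     (LOG may be "-" for stdin)
# Prints: total POSTs ip first_seen last_seen, busiest address first.
# Only the request path ($7) is matched, so a Referer that mentions
# admin.php is not counted the way a bare `grep admin.php` counts it.
admin_hits() {
    log="$1"; shift
    awk -v known="$*" '
        BEGIN {
            n = split(known, k, " ")
            for (i = 1; i <= n; i++) skip[k[i]] = 1   # addresses to leave out
        }
        $7 ~ /\/admin\.php/ && !($1 in skip) {
            ip = $1
            ts = substr($4, 2)                 # drop the leading "["
            total[ip]++
            if ($6 == "\"POST") post[ip]++     # form submissions, logins included
            if (!(ip in first)) first[ip] = ts
            last[ip] = ts
        }
        END {
            for (ip in total)
                printf "%d %d %s %s %s\n", total[ip], post[ip], ip, first[ip], last[ip]
        }
    ' "$log" | sort -k1,1nr -k3,3
}

# Demo on the constructed sample, excluding one known admin address.
sample_log | admin_hits - 192.0.2.10
```

A high POST count in a short first-to-last window points at password guessing; a single successful-looking request from an unfamiliar address is the one to line up against the time of the compromise.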
 
Wow, there were THAT many 'offending' IP addresses?? Assuming these were all proxies and can't be traced anywhere? Sure would love to send that person a Christmas card...:sneaky:

Matt, you're amazing! I'm really speechless at the support and help from everyone here. I wish I was a techie and could repay you and others in gratitude. If there is anything I can do for any of you, please just ASK.

Thank you, thank you, thank you!
 
Well, I'm in Arizona at the moment, so it could be that I logged on from a cafe or the library, not sure. Great Britain, isn't that where Matt is? And the Ukraine? No clue about that one. The one that HostGator found that logged in the night the forum was hacked was an anonymous proxy from Europe somewhere too.
 
Well, I'm in Arizona at the moment, so it could be that I logged on from a cafe or the library, not sure. Great Britain, isn't that where Matt is? And the Ukraine? No clue about that one. The one that HostGator found that logged in the night the forum was hacked was an anonymous proxy from Europe somewhere too.
Correct, I'm from the UK, but my IP is static and I've removed that from the list above.
 
I've read through this thread to try and understand what exactly went wrong with the forum, but I'm a bit lost. Was the admin account brute forced and if so, would that brute force add-on plus changing to a VERY long password help? It would be good to come out of this with some things we can do to pre-empt it happening to someone else.
 
I've read through this thread to try and understand what exactly went wrong with the forum, but I'm a bit lost. Was the admin account brute forced and if so, would that brute force add-on plus changing to a VERY long password help? It would be good to come out of this with some things we can do to pre-empt it happening to someone else.
I still don't know exactly what happened, and I've been on the server nearly all day :cautious:
 