Hello,
When I want to login to Virtualmin I get this error:
Error - Missing Content-Type Header
Reinstall Virtual min was no sollution.
Martin
Status:
Active
Hello,
When I want to login to Virtualmin I get this error:
Error - Missing Content-Type Header
Reinstall Virtual min was no sollution.
Martin
Comments
Submitted by andreychek on Sun, 09/19/2010 - 13:16 Comment #1
Hi Martin -- is there any chance we could take a look? I'm not sure what might cause that, but I'd like to take a peek and do some troubleshooting.
Also, when did that start occurring? Was anything on your server changed recently?
Andrey Can I send you al login ?
Martin
Andrey,
It started today. And there are also some index.html files changed.
Hacked by C4uR message on some the index.html files. Other have a error 500.
Martin
Submitted by andreychek on Sun, 09/19/2010 - 14:08 Comment #4
I can certainly take a look at why Virtualmin is giving you missing header errors. It sounds like you may have recently had a breakin, though I'm not sure if that's related or not.
If you could email me your root login details and the hostname I can use to connect to your server, that'd be super. You can send that to eric@virtualmin.com. Thanks!
Submitted by andreychek on Sun, 09/19/2010 - 15:28 Comment #5
With Postfix being down on your server, I suspect you're not receiving my emails... they appear to be going to your backup server. I'll repeat the info I've sent in here --
Hmm... it looks like you had a fairly serious system compromise.
The problem with the logs is that the logs dir has been completely
deleted (for Apache and everything else).
Take a look in /var/log -- nothing is in there anymore except for the
recent changes you made via yum.
I'm going to re-create your Apache logs dir, and restart Apache.
However, the problem appears to be a lot more serious than that... if
they were able to delete all your logs, that means your root user was
compromised... at that point, you can no longer trust your server, they
could have setup any sort of rootkit.
So, you can review your server and attempt to clean it up, but my
suggestion would actually be to start with a fresh server, and migrate
your Virtual Servers over to it. That's the only way to be sure that
root on your server isn't currently compromised.
I noticed an IRC daemon running on port 23232 by the user "sassendonk".
I killed that program, as it was masquerading as a Postfix process.
That may suggest that the attackers initially broke in through that
account.
It looks like your Postfix config file, /etc/postfix/main.cf, was
overwritten when the server was compromised.
That's what is preventing Postfix from starting.
At this point, I really can't recommend trying to continue with your
current server, it really looks like a lot was damaged by the attacker...
If you wish to try however, you'd need to restore your main.cf from a
backup.
I'm not sure what's causing the issue with Webmin/Virtuamin, it's
possible one of the dependencies was broken in some way. I'll work with
Jamie to figure that out if you're hoping to continue using this server.
Submitted by andreychek on Sun, 09/19/2010 - 15:35 Comment #6
Jamie discovered that the attackers overwrote your Virtualmin theme files. He fixed that by running:
yum reinstall wbt-virtual-server-theme
Hello,
I'm busyy with installing a new clean server. Right now I 'll ask the sassendonk account top update their scripts etc....
How can I restore the backup's to get the server still running for a few days..... Now I get an error in Virtualmin.
I replaced main.cf with a new default version.
I think they found a 777 folder in that website and they've run a script that replaces all index.* files and some critical config files.......
I've found a strage user on the server: ntp (id 38) with shell sbin/nologin. Is this a system user ?
Martin
Submitted by andreychek on Sun, 09/19/2010 - 16:11 Comment #8
Now I get an error in Virtualmin.
At what point are you receiving an error in Virtualmin? What is the error you're getting?
In poking around a bit, I wasn't able to provoke an error in Virtualmin, and I don't see any recent errors in your Webmin logs.
I've found a strage user on the server: ntp (id 38) with shell sbin/nologin. Is this a system user ?
The "ntp" user is actually normal, that was likely setup for the NTP daemon, which handles keeping your system's time in sync.
How can I restore a complet main.cf ?
Submitted by andreychek on Sun, 09/19/2010 - 16:18 Comment #10
How can I restore a complet main.cf ?
That's only possible if you've setup a backup job to backup files in /etc. The Postfix main.cf file (along with most of the other files in /etc) unfortunately aren't part of any given Virtual Server's backup.
Is there a way to recreate it (manualy) ???
I assume that this file is the reason that postfix isn't running. Clam AV isn't also running...
Whem I try to edit the postfix config in webmin I get the message: postfix: fatal: bad string length 0 < 1: setgid_group =
There is an option to manual edit the config file. this brings me to the alias table.
Martin
Submitted by andreychek on Sun, 09/19/2010 - 16:47 Comment #13
The entire main.cf file was replaced with a .html script, so you need to start with a new and correct main.cf file.
I checked with Joe and Jamie to see if they happen to have an example of what a main.cf file should look like after a fresh Virtualmin install on CentOS, as I don't have one.
If they have one, I may be able to tweak that to get it working on your server. If not, you may need to perform a CentOS and Virtualmin install onto another system, then pull the resulting main.cf file from it.
You can view the current main.cf file by logging in on the command line, and editing /etc/postfix/main.cf, or via Virtualmin by going into Webmin -> Servers -> Postfix -> Edit Config Files.
Postfix is running, but isn’t recieving any external mail. I tried to send an internal email from a webmail account to an other account on the server, that is working.
The email that I send from my gmail account is’nt recieved on the server
Can you look at the main.cf I’ve placed a default one from the virtualmin forum.
I also looked at the Sassendonk Account. I found a few scripts that didn;t suposed to be there. I deleted them….. Also the passwords of that account are changed.
Submitted by andreychek on Sun, 09/19/2010 - 18:01 Comment #15
When sending an email to your account, I was seeing "Relay access denied" errors.
I made some adjustments to your main.cf file, and it seems to be working better now... I was able to send a test without it bouncing.
Give that a try and see if it's working for you.
The mail is flowing again.
I recieve a lot of email that was on our backup servers. Also the test mail i just send is arived.
Right now the server is verry bussy with restoring the index.html files.
The only problem now is that the main database from Clam AV was also replaced by a index.html. Freshclam solved this problem (After I recreated the logfile).
Martin