Lost/overwritten data in EHCP managed files (caused by file corruption?)

Asked by Rebecca O'Connell on 2011-12-25

It appears that everything in all of our websites has spontaneously rolled back to 10/31/11. The database tables are all intact, but everything in the file spaces is as it was back in October.

Also, one of the custom skins in our Mediawiki site was overwritten with email connection data.
We had an incident where the server was exposed to high heat, but it appeared to be okay. Could that have triggered this? If not, what can we do to figure out what did happen?

ehcpdeveloper (ehcpdeveloper) said : #1

* hacking into your site, and changing content all over your server,
* problematic vps, some vps's are problematic and cause memory corruption, resulting in unpredictable results.
* even if not vps, memory corruption, resulting in unpredictable results.
* problematic software/scripts in your server, if any
* backdoors, rootkits, that may cause data corruption.

Exactly what just happened to me! It happened on the weekend.. I thought the hardware RAID had made a mistake when mirroring. But now it happened again! After I tirelessly recoded everything. What is this ??? PLS someone answer. It just rolled back files ! To an earlier stage! This ruins me! Is there some backup/rollback feature installed when installing ehcp????

Even this email thing which was written to some config file was the same situation here at the first unintended rollback. PLS someone help!

ehcpdeveloper (ehcpdeveloper) said : #4

the email above has no relevance to this situation. that is an "email sending" log, which failed.
no rollback feature exists in ehcp, at filesystem level.

ehcp has a backup restore feature, if your admin password is weak, or if somebody has access to your ehcp interface with admin rights, it can restore your existing backup. check also the version of ehcp. in old versions, there may be some security leaks.

ehcpdeveloper (ehcpdeveloper) said : #5

are your system files overwritten? or files under /var/www ?
ehcp restore does restore only files in /var/www/, not system files

Thank you for your quick reply. The disaster from today is fortunately resolved. What remains is an event on the weekend, where multiple system files were overridden by unrelated mails or unreadable byte code. Furthermore all customer websites were rolled back to a state of about 1 or 2 weeks earlier. My provider guaranteed me that all hardware, such as raid1 and hard disks, are without error and functioning. That leaves software.

Yes, files under /var/www/ and also the databases were overwritten. Is it logical to assume a hacker attack, where an attacker messed up the system so bad that it is more than apparent that something happened and even rolled back customer websites to an earlier state? When I saw this thread the situation looked something like mine, and so I answered. My version before the crash/attack was 30.7 so not the latest but one of the latest releases. My password was about 8 random characters and I at that point had not used the ehcp backup-, thus nor the restore feature. If ehcp, which I love very much and which opened many opportunities for me, does not have some kind of automatic backup/restore feature then it must be something else. Strange thing is except for the hardware raid, which is apparently working fine, I did not have any software/device which could be a logical explanation as to why files from several days or even weeks back should suddenly appear back on the system, overwriting the current ones. Thank you anyway, as said, ehcp is something very special to me, respect to you!

Rebecca O'Connell (rebecca321) said : #7

We found out that the problem was that our system rebooted, and when it did it rebooted from an out of date backup on another server. Our original files were still intact. We changed settings to tell it never to boot from the external drive, and that solved our problem. Unfortunately, I wasn't the person who ultimately solved the problem, so it is difficult for me to give you more information than that.

ehcpdeveloper (ehcpdeveloper) said : #8

nice to see it is solved.
just info: if you haven't taken any backup, then a restore would not be issued also. so, a restore is nothing without a backup.

ehcpdeveloper (ehcpdeveloper) said : #9

version 0.30.7 has no known security issue as of now.

