Opened 7 days ago

Closed 4 days ago

#13632 closed Bug/Something is broken (fixed)

SSH login details

Reported by: Owned by:
Priority: Urgent Component: Tech
Keywords: Cc:
Sensitive: no



We are currently fixing the site and updating the security patch. Is it possible to get the current SSH login details to complete the task.

Many thanks


Change History (12)

comment:1 Changed 7 days ago by

  • Priority changed from High to Urgent

comment:2 Changed 7 days ago by

  • Owner set to
  • Status changed from new to assigned

Hi, I've just re-enabled ssh access for the workersliberty user. You can see the list of users with ssh access here.

ssh access is password based however you can edit the user to add an ssh key. There appear to be a few keys added to the ~/.ssh/authorized_keys file already so you may want to check that these are all valid and under your control.

Let me know if you need any additional help.

comment:3 Changed 7 days ago by

Thanks. Hopefully this should be enough to get it resolved.

comment:4 Changed 6 days ago by

I'm seeing some files that look suspicious and at least two drupal install within the same web directory which is a security risk. Also seeing a mix of different file ownership. It looks like a cleanup of the web directory might be necessary before trying to enable the site again.

comment:5 Changed 6 days ago by

Thanks Jaime

Yes our team is going through it all and trying to stop this from ever reocurring. Can we get ROOT access as well so that they can create the virtual host domain file?

Thanks Stephen

comment:6 Changed 6 days ago by

Can we also have the FTP Host, Username and password - We have details for sftp but these are not the same.

comment:7 Changed 6 days ago by

Hi Stephen, sorry we don't allow root access for members on our shared servers however you can edit a web configuration that will be automatically inserted into your virtual host domain file through the control panel in the web configuration tab.

Also there is no ftp acess, but you should be able to access your files through an sftp connection. Make sure all files inside the web directory are owned by the workersliberty user as this is the user assigned to own and execute your files in the web configuration tab.

comment:8 Changed 5 days ago by

  • Cc added

Somehow the workersliberty has been injecting spam into the mail queue again even though the web configuration is disabled.

Checking the process tree if it looks like old processes were still open.

workers+ 20426  0.0  1.0 491148 82236 ?        S    Apr15   0:01  \_ php-fpm: pool
workers+ 20784  0.0  0.0      0     0 ?        Z    Apr15   0:00  |   \_ [sh] <defunct>
workers+ 20489  0.0  0.9 488496 81700 ?        S    Apr15   0:04  \_ php-fpm: pool
workers+ 21567  0.0  0.0      0     0 ?        Z    Apr15   0:00  |   \_ [sh] <defunct>
workers+ 24400  0.0  0.9 488100 79996 ?        S    Apr15   0:01  \_ php-fpm: pool
workers+ 24974  0.0  0.0      0     0 ?        Z    Apr15   0:00      \_ [sh] <defunct>
workers+ 20788  0.0  0.0  25132  6200 ?        S    Apr15   0:33 /usr/sbin/sshd
workers+ 21571  0.0  0.0  25132  6108 ?        S    Apr15   2:27 /usr/sbin/sshd
workers+ 24980  0.0  0.0  25128  6088 ?        S    Apr15   0:34 /usr/local/apache/bin/httpd -DSSL
workers+ 21090  0.0  0.0  25132  6224 ?        S    Apr15   1:39 /usr/sbin/sshd
workers+ 21099  0.0  0.0  25132  6144 ?        S    Apr15   1:38 /usr/sbin/sshd
workers+ 21311  0.0  0.0  25132  6216 ?        S    Apr15   0:58 /usr/sbin/sshd
workers+ 21318  0.0  0.0  25132  5752 ?        S    Apr15   2:22 /usr/sbin/sshd

I've restarted php5-fpm and they have disappeared. I think we should change the workersliberty password and check on the .ssh/authorized_keys file.

comment:9 Changed 5 days ago by

From our developers:

Today we managed to get the old site live and cleaned it up, but it has gone offline again with an error.

Can you ask MayFirst to check this issue and put the site back as we have found no issues from our side. Can you also find out from them as to why this has happened?

The virus

Can you ask

comment:10 Changed 5 days ago by

Referencing ticket ##13627 This has happened because your site was not updated with an important drupal security update that was announced widely on drupal lists. ​

I can see that the version your developers have restored has still not been updated it is at version 8.3.5 and must be at least version 8.5.1 to include the security update.. It will likely be immediately hacked again. I am disabling the web configuration again until this can be done.

It is very important that you apply the security updates to your site. Let us know if you want us to attempt to do this for you.

comment:11 Changed 5 days ago by

From the developers:

They took the site down without giving us time to install our upgraded version.

If you can tell mayfirst that we will be installing the upgraded version tomorrow morning and to allow us access to do this.

comment:12 Changed 4 days ago by

  • Resolution set to fixed
  • Status changed from assigned to closed

Looks like you figured out how to enable the site and have ugpraded - thank you! I'm going to close this ticket but feel free to let us know if there are any other problems.

Please login to add comments to this ticket.

Note: See TracTickets for help on using tickets.