OVH Community, your new community space.

OVH / kimsufi are one of the worst providers i've ever delt with


pdu
31-01-2010, 18:53
I have my ups and downs with ovh support, but only ever due to response times rather than anything else. I've 21 servers and must say not 1 has even been suspended for any reason, some are even fairly high traffic, I too run various intrusion detecting scripts, run services such as ssh on a nonstandard port and auto firewall anything touching port 22, some running ovh builds, some running proper linux distros i installed manually, some doing hosting/mail normally, some inside VPS containers, so a pretty varied setup and i'm yet to see this kind of issue. Oh, and 3 of my machines are kimsufi as well. I know it can be deeply frustrating when things go wrong, and even worse when support seems to be lacking, but are you absolutely, positively, beyond all doubt, certain that your server is secure? I use nmap to test my boxes between each other inside ovh from time to time, and i use it to scan a couple of machines i have in london + my home, and that level of activity has also never caused a suspension (i run as an average one every 3-4 days i'd say). And!! just to add another scenario into the mix, I run a nagios server monitoring a whole bunch of machines as well, pinging, checking http/ftp/ssh/smtp/pop3/imap every 5 minutes, that's been going for 9 months without an issue. It really does sound like something fishy is going on
reedox
31-01-2010, 18:06
I'm so glad you replied!

Sorry to dig up this thread however I must call bull**** on this one.

Quote Originally Posted by Marks
This would be a quick sum up of the conversation dealt directly with Reedox throgh email, I won't enter into details.

Reedox has been provided with logs of the outgoing traffic coming out from his server using one of his failover IP to scan other IPs, which by itself is enough to cancel your server as it's a fraudulent use of our machines, by terms and conditions (I won't post the logs here as it's information related to his server so we won't publish that without the customer's consent).
No such logs where provided. I probably used nmap a few times to scan my home server and servers for clients. Are techies not allowed to perform network diagnostics using your servers?

There where two things running on the server.
A) A java based game server
B) A web site

Quote Originally Posted by Marks
Further more, there are those files found in his server plus commands executed voluntarily by the root user.
As I explained to your staff, several times, these so called suspicious files where merely bash scripts run at intervals in cron used to help block the DDoS attack using IPTables (the linux firewall). Just because your tech staff don't have the technical ability to read a bash script doesn't mean that its right for you to remove a server without refund or notice.


Quote Originally Posted by Marks
The latter point is just suspicious behaviour, but the former one is just enough by itself to cancel the server. In this case, we've marked it as hacked and ask the customer to reinstall it, which, as everybody knows, is our policy in these cases.
That part made me cringe. The server wasn't hacked, nobody at OVH even took the time to investigate the so called "suspicious" files. I was even told by a member of staff on the phone that it would be quicker to reinstall my server than try and fight to get my data back, even if I was in the right. OVH wanted an excuse to cancel my server as somebody had launched a DDoS attack against it. I still have the packet graph from the attack:
http://i42.tinypic.com/2z7qy48.png

Green being outbound packets (flat) and blue being inbound, where was the attack coming from my server here then OVH?

Quote Originally Posted by Marks
Your complain about the delay on dealing with the issue is another matter. Of course we always want to sort things out the quickest but your problem started with your server been attacked, after it switched to problems with the connection to your server (through your ISP) and finally to the attacked detected from your server. So it's been a very long issue, and you've not always been keen to provide us with information needed, which made everything slower and more difficult.
Two very separate issues, the first being a routing issue between my ISP and your network which was a ticket I raised months before my server was cancelled (the issue we are discussing currently). Now you mention it though, this gives testament to the quality of OVH's network doesn't it?

Quote Originally Posted by Marks
Finally, I'm afraid that, yours is a Kimsufi server. The hardware and network are as good as for professional servers, but one of the differences is the SLA on support. Professional servers pay for a better SLA and therefore, the response times are much better. We don't neglect Kimsufi, but there must be a difference between them.
I was paying around £80 a month for the server with OVH. Kimsufi or not I could have rented a higher spec server in the US with less bandwidth. The price wasn't cheap. Sticking a different brand on something and making the ticket response times 4 days, isn't an excuse for poor customer service.

Quote Originally Posted by Marks
Overall, as I commented on the correspondence, we're ready to hear your case, and if you give us a detailed explanation for all those commands and logs, we may consider an alternative to reinstallation.

I hope this shed some light on these last posts.

Cheers!
There is my case. I don't care about OVH any more. I don't care about getting my money back. I spent more money in my time trying to get a refund from you. The only reason I took the time to respond to this post is because I don't want people who read this thread to think OVH where in the right.

Every technical person I've met who is looking to rent a budget dedicated server I've steered away from you guys and I will continue to.

Just to add, here is a support conversation I had with OVH. What great people they have working there eh?
also posted on webhostingtalk:

on 20/04 I sent the following e-mail:

"The server has not been hacked so I will waste my time setting up the server again unless you want to pay me to do it. Get someone from your technical team to re-check the server again or send me some solid proof.

(pasted link to post here)"

-------------------

I got this response:

"Dear customer,

You're free to post everything you want in other websites.

Now, if you want us to help you in anything, you'll let us know. I could have tried to find out more why your server has been hacked, but you didn't request that, neither gave any explanation from your side about what has happened nor gave me the chance to do it.

As I said, you're welcome to get back to us."

---------------------------

What? Didn't I ask for proof?

My response:

"That's mature for a company representative.

Please can you give me the reason why your tech guys think my server is hacked?

Also I presume once we find out the server is not hacked I will be provided with suitable recompense for my inconvenience?"

Their response:

"Dear customer,

we're still looking into it. I'll get back to you soon.

PS: Thanks for the mature compliment. I wonder if your behaviour could be labeled likewise."

Great a ****y customer support rep who has more interest in making childish comments that helping a customer.

I didn't hear anything after that for 5 days!!

So today I e-mailed them asking for an update and got this:

"Dear customer,

sorry for the delay, I must apologize, but it's been quite difficult to collect the information.

your server has been closed because of the following file found in your server:

-rwxr-xr-x 1 root root 48 May 14 23:58 syn

#!/bin/bash
while true; do
synd
sleep 20

It looks like somebody has broken into your server and left this, or at least that's what we have to believe.

Therefore, the security of the server has been compromised, and reinstallation is needed. Till you have done that, you won't be able to use it. I suggest you to go ahead and do it as soon as possible."

Now synd is a bash script I PUT THERE that checks for certain syn connections and blocks them in IPTABLES. The server has NOT been hacked. I'm speechless, honestly I've never come across a company that cares less about a customer than OVH.

I've asked for a full refund as my server has now been down nearly 2 weeks for no reason at all.
Halide
01-06-2009, 03:44
Sounds to me like you're just b***hing and moaning, OVH seems to be doing exactly what they should, follow their own terms and regulations.

If this alone makes you leave ovh then i almost say good riddance. I've had nothing but great experiences with OVH services and customer support.

All the best! ;P
Ashley
01-06-2009, 03:14
Quote Originally Posted by Seedbox Paradis
????
It was in response to this:

Quote Originally Posted by reedox
The only thing running on the server is a java game that has around 90 people online at peak, somebody most likely got banned and decided DDOS me.
He was probably running a 'RuneScape Private Server' - i've seen many skiddies in my time and was unfortunate enough to play this game and see the kind of attitude between this certain crowd of kids who knock around on IRC servers threatening to DDoS each other and hack each others RuneScape accounts. RuneScape is a popular MMORPG based in England and is owned by a company called JaGeX.
marks
29-05-2009, 18:12
This would be a quick sum up of the conversation dealt directly with Reedox throgh email, I won't enter into details.

Reedox has been provided with logs of the outgoing traffic coming out from his server using one of his failover IP to scan other IPs, which by itself is enough to cancel your server as it's a fraudulent use of our machines, by terms and conditions (I won't post the logs here as it's information related to his server so we won't publish that without the customer's consent).

Further more, there are those files found in his server plus commands executed voluntarily by the root user.

The latter point is just suspicious behaviour, but the former one is just enough by itself to cancel the server. In this case, we've marked it as hacked and ask the customer to reinstall it, which, as everybody knows, is our policy in these cases.

Your complain about the delay on dealing with the issue is another matter. Of course we always want to sort things out the quickest but your problem started with your server been attacked, after it switched to problems with the connection to your server (through your ISP) and finally to the attacked detected from your server. So it's been a very long issue, and you've not always been keen to provide us with information needed, which made everything slower and more difficult.

Finally, I'm afraid that, yours is a Kimsufi server. The hardware and network are as good as for professional servers, but one of the differences is the SLA on support. Professional servers pay for a better SLA and therefore, the response times are much better. We don't neglect Kimsufi, but there must be a difference between them.

Overall, as I commented on the correspondence, we're ready to hear your case, and if you give us a detailed explanation for all those commands and logs, we may consider an alternative to reinstallation.

I hope this shed some light on these last posts.

Cheers!
Seedbox Paradis
28-05-2009, 19:30
Quote Originally Posted by Ashley
Biatch, I've got 99 problems and RuneScape aint one
????
Ashley
28-05-2009, 19:02
Biatch, I've got 99 problems and RuneScape aint one
randomguy
28-05-2009, 17:38
I bet someone just overlooked the file and took "synd" for "syn flood" or something and decided to disconnect your server. It wouldn't really surprise me.

In the future, maybe name your script "peaceloveflowers.sh". Did you have the OVH rpm or whatever monitoring program running? I bet that's involved if you did.
Seedbox Paradis
28-05-2009, 17:05
Quote Originally Posted by reedox
My first monthly fee was £70 that isn't even cheap.

OVH told me that they disabled the server because they found a script called synd. I put the script there and it blocks syn floods in the firewall and doesn't initiate any type of DDOS attack it blocks them!

I'm just making sure any potential customers are aware of how useless OVH really are.

A few of my posts have made quite a high ranking on google for "OVH" so i'm just happy that people will be warned.


@Ashley. you have no idea what you are talking about.

The script in question is:

PHP Code:
#!/bin/sh
load_conf()
{
    CONF="/usr/local/synd/synd.conf"
    if [ -"$CONF] && [ ! "$CONF==    "" ]; then
        source $CONF
    else
        head
        echo "\$CONF not found."
        exit 1
    fi
}

head()
{
    echo "Syn-Deflate version 0.1 alpha"
    echo "Based on Dos-Deflate - felosi "
    echo
}

showhelp()
{
    head
    echo 'Usage: synd.sh [OPTIONS] [N]'
    echo 'N : number of SYN_RECV connections (default 10)'
    echo 'OPTIONS:'
    echo '-h | --help: Show    this help screen'
    echo '-c | --cron: Create cron job to run this script regularly (default 1 mins)'
    echo '-k | --kill: Block the offending ip making more than N SYN_RECV connections'
}

unbanip()
{
    UNBAN_SCRIPT=`mktemp /tmp/unban.XXXXXXXX`
    TMP_FILE=`mktemp /tmp/unban.XXXXXXXX`
    UNBAN_IP_LIST=`mktemp /tmp/unban.XXXXXXXX`
    echo '#!/bin/sh' $UNBAN_SCRIPT
    echo "sleep $BAN_PERIOD>> $UNBAN_SCRIPT
    if [ $APF_BAN -eq 1 ]; then
        while read line; do
            echo "$APF -d $line>> $UNBAN_SCRIPT
            echo $line >> $UNBAN_IP_LIST
        done $BANNED_IP_LIST
    else
        while read line; do
            echo "$IPT -D INPUT -s $line -j DROP" >> $UNBAN_SCRIPT
            echo $line >> $UNBAN_IP_LIST
        done $BANNED_IP_LIST
    fi
    echo "grep -v --file=$UNBAN_IP_LIST $IGNORE_IP_LIST > $TMP_FILE>> $UNBAN_SCRIPT
    echo "mv $TMP_FILE $IGNORE_IP_LIST>> $UNBAN_SCRIPT
    echo "rm -f $UNBAN_SCRIPT>> $UNBAN_SCRIPT
    echo "rm -f $UNBAN_IP_LIST>> $UNBAN_SCRIPT
    echo "rm -f $TMP_FILE>> $UNBAN_SCRIPT
    $UNBAN_SCRIPT &
}

add_to_cron()
{
    rm -f $CRON
    sleep 1
    service crond restart
    sleep 1
    echo "SHELL=/bin/sh" $CRON
    if [ $FREQ -le 2 ]; then
        echo "0-59/$FREQ * * * * root /usr/local/synd/synd.sh >/dev/null 2>&1" >> $CRON
    else
        let "START_MINUTE = $RANDOM % ($FREQ - 1)"
        let "START_MINUTE = $START_MINUTE + 1"
        let "END_MINUTE = 60 - $FREQ + $START_MINUTE"
        echo "$START_MINUTE-$END_MINUTE/$FREQ * * * * root /usr/local/synd/synd.sh >/dev/null 2>&1" >> $CRON
    fi
    service crond restart
}


load_conf
while [ $]; do
    case $1 in
        '-h' '--help' '?' )
            showhelp
            exit
            ;;
        '--cron' '-c' )
            add_to_cron
            exit
            ;;
        '--kill' '-k' )
            KILL=1
            ;;
         *[0-9]* )
            NO_OF_CONNECTIONS=$1
            ;;
        * )
            showhelp
            exit
            ;;
    esac
    shift
done

TMP_PREFIX='/tmp/synd'
TMP_FILE="mktemp $TMP_PREFIX.XXXXXXXX"
BANNED_IP_MAIL=`$TMP_FILE`
BANNED_IP_LIST=`$TMP_FILE`
echo "Banned the following ip addresses on `date`" $BANNED_IP_MAIL
echo >>    $BANNED_IP_MAIL
BAD_IP_LIST=`$TMP_FILE`
netstat -ntu grep SYN_RECV awk '{print $5}' cut -d: -f1 sort uniq -sort -nr $BAD_IP_LIST
cat $BAD_IP_LIST
if [ $KILL -eq 1 ]; then
    IP_BAN_NOW=0
    while read line; do
        CURR_LINE_CONN=$(echo $line cut -d" " -f1)
        CURR_LINE_IP=$(echo $line cut -d" " -f2)
        if [ $CURR_LINE_CONN -lt $NO_OF_CONNECTIONS ]; then
            break
        fi
        IGNORE_BAN=`grep -c $CURR_LINE_IP $IGNORE_IP_LIST`
        if [ $IGNORE_BAN -ge 1 ]; then
            continue
        fi
        IP_BAN_NOW=1
        echo "$CURR_LINE_IP with $CURR_LINE_CONN SYN_RECV connections" >> $BANNED_IP_MAIL
        echo $CURR_LINE_IP >> $BANNED_IP_LIST
        echo $CURR_LINE_IP >> $IGNORE_IP_LIST
        if [ $APF_BAN -eq 1 ]; then
            $APF -d $CURR_LINE_IP
        else
            $IPT -I INPUT -s $CURR_LINE_IP -j DROP
        fi
    done $BAD_IP_LIST
    if [ $IP_BAN_NOW -eq 1 ]; then
        dt=`date`
                hn=`hostname`
#        if [ $EMAIL_TO != "" ]; then
#            cat $BANNED_IP_MAIL | mail -s "IP addresses banned on $dt $hn" $EMAIL_TO
#        fi
        unbanip
    fi
fi
rm -f $TMP_PREFIX.* 
The only thing running on the server is a java game that has around 90 people online at peak, somebody most likely got banned and decided DDOS me.

All I can say from my experience is stay away from OVH and Kimsufi.
£70 in itself might not be little, but for the server you get for that price, its very cheap, I can assure you. In your last sentence you say someone probably decided to DDoS you, and yet you keep saying that its a script called Synd. So maybe, the server was attacked, you're too full of yourself to admit that, and because you have to have things the way you want them, you're turning people away from OVH. Most of OVH's client network have never had a problem like this, and how much you want to bet a lot of those people used a script alike yours? Someone please close this thread as its useless, just flame wars...
reedox
28-05-2009, 16:07
Quote Originally Posted by Seedbox Paradis
You're a paying customer that pays a ridicoulously low fee for your server rentals, and if OVH had reason to believe your server was being attacked, you should be happy they did something to protect your data. You didn't really prove that it wasn't attacked either, you just told us about some script of your that may have been what OVH took as an attack. You can find another DC to host with if you're unhappy with OVH, but posting and moaning on this board isn't going to help you at all.

My first monthly fee was £70 that isn't even cheap.

OVH told me that they disabled the server because they found a script called synd. I put the script there and it blocks syn floods in the firewall and doesn't initiate any type of DDOS attack it blocks them!

I'm just making sure any potential customers are aware of how useless OVH really are.

A few of my posts have made quite a high ranking on google for "OVH" so i'm just happy that people will be warned.


@Ashley. you have no idea what you are talking about.

The script in question is:

PHP Code:
#!/bin/sh
load_conf()
{
    CONF="/usr/local/synd/synd.conf"
    if [ -"$CONF] && [ ! "$CONF==    "" ]; then
        source $CONF
    else
        head
        echo "\$CONF not found."
        exit 1
    fi
}

head()
{
    echo "Syn-Deflate version 0.1 alpha"
    echo "Based on Dos-Deflate - felosi "
    echo
}

showhelp()
{
    head
    echo 'Usage: synd.sh [OPTIONS] [N]'
    echo 'N : number of SYN_RECV connections (default 10)'
    echo 'OPTIONS:'
    echo '-h | --help: Show    this help screen'
    echo '-c | --cron: Create cron job to run this script regularly (default 1 mins)'
    echo '-k | --kill: Block the offending ip making more than N SYN_RECV connections'
}

unbanip()
{
    UNBAN_SCRIPT=`mktemp /tmp/unban.XXXXXXXX`
    TMP_FILE=`mktemp /tmp/unban.XXXXXXXX`
    UNBAN_IP_LIST=`mktemp /tmp/unban.XXXXXXXX`
    echo '#!/bin/sh' $UNBAN_SCRIPT
    echo "sleep $BAN_PERIOD>> $UNBAN_SCRIPT
    if [ $APF_BAN -eq 1 ]; then
        while read line; do
            echo "$APF -d $line>> $UNBAN_SCRIPT
            echo $line >> $UNBAN_IP_LIST
        done $BANNED_IP_LIST
    else
        while read line; do
            echo "$IPT -D INPUT -s $line -j DROP" >> $UNBAN_SCRIPT
            echo $line >> $UNBAN_IP_LIST
        done $BANNED_IP_LIST
    fi
    echo "grep -v --file=$UNBAN_IP_LIST $IGNORE_IP_LIST > $TMP_FILE>> $UNBAN_SCRIPT
    echo "mv $TMP_FILE $IGNORE_IP_LIST>> $UNBAN_SCRIPT
    echo "rm -f $UNBAN_SCRIPT>> $UNBAN_SCRIPT
    echo "rm -f $UNBAN_IP_LIST>> $UNBAN_SCRIPT
    echo "rm -f $TMP_FILE>> $UNBAN_SCRIPT
    $UNBAN_SCRIPT &
}

add_to_cron()
{
    rm -f $CRON
    sleep 1
    service crond restart
    sleep 1
    echo "SHELL=/bin/sh" $CRON
    if [ $FREQ -le 2 ]; then
        echo "0-59/$FREQ * * * * root /usr/local/synd/synd.sh >/dev/null 2>&1" >> $CRON
    else
        let "START_MINUTE = $RANDOM % ($FREQ - 1)"
        let "START_MINUTE = $START_MINUTE + 1"
        let "END_MINUTE = 60 - $FREQ + $START_MINUTE"
        echo "$START_MINUTE-$END_MINUTE/$FREQ * * * * root /usr/local/synd/synd.sh >/dev/null 2>&1" >> $CRON
    fi
    service crond restart
}


load_conf
while [ $]; do
    case $1 in
        '-h' '--help' '?' )
            showhelp
            exit
            ;;
        '--cron' '-c' )
            add_to_cron
            exit
            ;;
        '--kill' '-k' )
            KILL=1
            ;;
         *[0-9]* )
            NO_OF_CONNECTIONS=$1
            ;;
        * )
            showhelp
            exit
            ;;
    esac
    shift
done

TMP_PREFIX='/tmp/synd'
TMP_FILE="mktemp $TMP_PREFIX.XXXXXXXX"
BANNED_IP_MAIL=`$TMP_FILE`
BANNED_IP_LIST=`$TMP_FILE`
echo "Banned the following ip addresses on `date`" $BANNED_IP_MAIL
echo >>    $BANNED_IP_MAIL
BAD_IP_LIST=`$TMP_FILE`
netstat -ntu grep SYN_RECV awk '{print $5}' cut -d: -f1 sort uniq -sort -nr $BAD_IP_LIST
cat $BAD_IP_LIST
if [ $KILL -eq 1 ]; then
    IP_BAN_NOW=0
    while read line; do
        CURR_LINE_CONN=$(echo $line cut -d" " -f1)
        CURR_LINE_IP=$(echo $line cut -d" " -f2)
        if [ $CURR_LINE_CONN -lt $NO_OF_CONNECTIONS ]; then
            break
        fi
        IGNORE_BAN=`grep -c $CURR_LINE_IP $IGNORE_IP_LIST`
        if [ $IGNORE_BAN -ge 1 ]; then
            continue
        fi
        IP_BAN_NOW=1
        echo "$CURR_LINE_IP with $CURR_LINE_CONN SYN_RECV connections" >> $BANNED_IP_MAIL
        echo $CURR_LINE_IP >> $BANNED_IP_LIST
        echo $CURR_LINE_IP >> $IGNORE_IP_LIST
        if [ $APF_BAN -eq 1 ]; then
            $APF -d $CURR_LINE_IP
        else
            $IPT -I INPUT -s $CURR_LINE_IP -j DROP
        fi
    done $BAD_IP_LIST
    if [ $IP_BAN_NOW -eq 1 ]; then
        dt=`date`
                hn=`hostname`
#        if [ $EMAIL_TO != "" ]; then
#            cat $BANNED_IP_MAIL | mail -s "IP addresses banned on $dt $hn" $EMAIL_TO
#        fi
        unbanip
    fi
fi
rm -f $TMP_PREFIX.* 
The only thing running on the server is a java game that has around 90 people online at peak, somebody most likely got banned and decided DDOS me.

All I can say from my experience is stay away from OVH and Kimsufi.
Ashley
28-05-2009, 10:00
Stop running udp.pl or this synd script and they wont disconnect your server.

It's amazing how you can attract DDoS attention on a kimsufi.

I have been with OVH nearly a year and do approx 2TB of HTTP bandwith a month and never recieved any DDoS attacks.

So obviously you are a child who has upset someone over the internet and has had your server breached, or you are trying to be a hardcore e-thug threatening to DDoS people.

Seedbox Paradis
28-05-2009, 07:28
Quote Originally Posted by reedox
@Paradis:

When support act like they couldn't care less, unfortunately I'm not going to take that.

I'm a paying customer and unfortunately that means they have to deal with me and I expect at least some level of competency.

@Myatu:

Support are saying my server has been hacked and as a result of that it's been off-line almost two weeks. They even took a week to respond at one point. It hasn't been hacked i've already proved that. OVH incorrectly took the server I paid for offline. OVH are in the wrong and you can't defend that.
You're a paying customer that pays a ridicoulously low fee for your server rentals, and if OVH had reason to believe your server was being attacked, you should be happy they did something to protect your data. You didn't really prove that it wasn't attacked either, you just told us about some script of your that may have been what OVH took as an attack. You can find another DC to host with if you're unhappy with OVH, but posting and moaning on this board isn't going to help you at all.
reedox
27-05-2009, 17:10
@Paradis:

When support act like they couldn't care less, unfortunately I'm not going to take that.

I'm a paying customer and unfortunately that means they have to deal with me and I expect at least some level of competency.

@Myatu:

Support are saying my server has been hacked and as a result of that it's been off-line almost two weeks. They even took a week to respond at one point. It hasn't been hacked i've already proved that. OVH incorrectly took the server I paid for offline. OVH are in the wrong and you can't defend that.
Myatu
27-05-2009, 15:44
Quote Originally Posted by reedox
I'm not going to bother re-writing my post for here but you can see it at: ...
I don't think you should have bothered at all, it's a moot point. Clearly you're not paying any attention to what support is saying, nor to the service agreement for Kimsufi servers (which is another forum, by the way).
freshwire
27-05-2009, 14:25
The support can be problematic...But for the crazy low prices I just avoid support as much as possible and live for myself
Seedbox Paradis
27-05-2009, 14:20
Well, I'll agree with the people on WHT, if you want someone to do something for you, learn to be polite and pleasant, and fully explain the situation.
reedox
27-05-2009, 10:08
I'm not going to bother re-writing my post for here but you can see it at:

http://www.webhostingtalk.com/showthread.php?t=862708

Pay particular attention to page 2.