OVH Community, your new community space.

Deactivation of your server xxx.ovh.net due to SCAN


Andy
23-07-2009, 19:22
Quote Originally Posted by monkey56657
What would be nice is for OVH to allow you to specify one IP that is allowed communication with the server for investigation. I can enter my own IP and make sure I get the latest data before running a reinstall.
That would be a very nice feature IMO...

freshwire
23-07-2009, 19:18
What would be nice is for OVH to allow you to specify one IP that is allowed communication with the server for investigation. I can enter my own IP and make sure I get the latest data before running a reinstall.

Euan
23-07-2009, 15:10
Thank you Marc and the rest of the OVH team, I only wish you guys had more power to action things without having to wait on the French team to do things like this!

Euan
23-07-2009, 13:21
I retract my angry comments made here and thank the staff at OVH.

I understand that policies are put in place to protect not only myself but other customers at OVH. However, I think that these need to be looked at, and I will send an email shortly detailing why etc., which I hope will be passed on to management to review.

OVH has returned access to me after explaining my reasoning behind the problem.

DedicatedPros
23-07-2009, 13:09
If you're going to provide access to the user's files, you should give him access to all the files and ways to retrieve them (ftp, ssh, ovh ftp backup)... Your policy isn't too foolproof.

marks
23-07-2009, 13:02
If we have this policy in place, it is precisely because we care about our customers: the rest of the users of our network, who could be victims of attacks from your server and/or of the overload of the network that those attacks could cause, which would affect the other users.

On top of that, it's the second time this month that your server's been hacked. In similar cases I've seen in the past, the second time that we detect a scan like the one detected for your server, we cancel the contract with the customer and retrieve the server.

In any case, I've sent your explanation to the datacenter in France, and I'll try to get an answer today, and their decision will be final. At the end, it's not up to us (customer support) to take this decision.

Euan
23-07-2009, 12:43
After a phone call with Mark it seems like they would rather lose a customer than help them out. I am asking for simple SSH access to recover the data in full but they are refusing. I am told that I should have backed up my data; I explained that I have, but I need to verify the integrity of the data before simply reinstalling.

But with OVH's great design I cannot access it from any other way apart from through ssh on the server that only has FTP access - great.

Just goes to show how little they care about their customers.

Euan
23-07-2009, 12:09
Mark I have submitted an explanation via email, it is headed ATTENTION OF MARK Fwd: Deactivation of your server xxxx.ovh.net due to SCAN

I appreciate anything you can do to assist us.

Euan
23-07-2009, 11:57
Quote Originally Posted by pete_w
I agree with the server being quickly put in recovery mode, it's a great idea. However, ssh access needs to be made available as well as ftp access (at least in a limited capacity), otherwise it's impossible to access the FTP backup server to back up data. I always have regular backups available which I can recover from, but these are always going to be a day old or so at least.
Exactly, that is another issue: I cannot verify the remote FTP backups to see how recent they are etc. without first reinstalling, which is simply not an option.

Quote Originally Posted by Marks
I'll be checking if there is any special thing we can do about your case, but what about following the option I've given you before? Could you explain to us the nature of the attack, what you think caused it, what the security hole was and how you will fix it?

If your explanations are satisfactory and we see that it was a mistake and you're in control of your server, we'll give you access back.
Thank you Marks, hopefully you can get back to me as soon as possible; our system admins are looking into this now to hopefully get an answer.

marks
23-07-2009, 11:48
I'll be checking if there is any special thing we can do about your case, but what about following the option I've given you before? Could you explain to us the nature of the attack, what you think caused it, what the security hole was and how you will fix it?

If your explanations are satisfactory and we see that it was a mistake and you're in control of your server, we'll give you access back.

pete_w
23-07-2009, 11:45
I agree with the server being quickly put in recovery mode, it's a great idea. However, ssh access needs to be made available as well as ftp access (at least in a limited capacity), otherwise it's impossible to access the FTP backup server to back up data. I always have regular backups available which I can recover from, but these are always going to be a day old or so at least.

Euan
23-07-2009, 10:55
Mysql backups can't easily be done with only FTP.

Web data: can be downloaded with ftp, but you won't be able to preserve the permissions, which will cause trouble later on.

SQL data: needs to be dumped to a script with phpMyAdmin, the mysql console or Navicat. It can be downloaded with ftp but is not easily restored.

Configs: somewhere I've seen a complete list of files that cPanel controls in your system. These files can be downloaded with ftp.

Email: if your clients store email on your server, it can be downloaded with ftp.

User account data, ?
Here is what someone else said when I was googling this problem.

Effectively I can download the data but not be able to actually recover any databases and the file permissions would be wrecked.

If I cannot get any other level of access - even SSH for an hour - it's safe to say that myself and my customers are screwed.

Waiting for a response from OVH staff to see where we can go with this. I really hope we can get some sort of proper access.
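The practical problems listed in this post (permissions lost over a plain FTP copy, database contents that only survive as a scripted dump, and the earlier question of checking how recent a remote FTP backup actually is) can be handled by staging a backup as an archive plus a manifest rather than as loose files. The following is an added example written for this thread, not code from OVH or from any poster; the directory layout, file names and the `db.sql` stand-in for a mysqldump output are constructed assumptions.

```python
# Added example (not from the thread): stage a cPanel-style site backup so that an
# FTP-only rescue mode does not lose file permissions, and verify the staged copy for
# integrity and freshness before trusting it. All names and paths are assumptions.
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def create_archive(src_dir: Path, archive_path: Path) -> Path:
    """Tar the tree; tar headers keep mode/uid/gid, which a plain FTP copy drops."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(str(src_dir), arcname=src_dir.name)
    return archive_path


def archive_modes(archive_path: Path) -> dict:
    """Return {member name: permission bits} as recorded inside the archive."""
    with tarfile.open(archive_path, "r:gz") as tar:
        return {m.name: m.mode & 0o777 for m in tar.getmembers()}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(archive_path: Path, manifest_path: Path, created: float) -> dict:
    """Record hash, size and creation time so the restore side can judge the copy."""
    manifest = {
        "archive": archive_path.name,
        "sha256": sha256_file(archive_path),
        "size": archive_path.stat().st_size,
        "created": created,  # epoch seconds; answers "how recent is this backup?"
    }
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(archive_path: Path, manifest_path: Path, max_age_s: float, now: float) -> dict:
    """Check a staged archive against its manifest: presence, size, hash and age."""
    if not manifest_path.exists():
        return {"ok": False, "age_s": None, "problems": ["manifest missing"]}
    manifest = json.loads(manifest_path.read_text())
    problems = []
    if not archive_path.exists():
        problems.append("archive missing")
    else:
        if archive_path.stat().st_size != manifest["size"]:
            problems.append("size mismatch (truncated transfer?)")
        if sha256_file(archive_path) != manifest["sha256"]:
            problems.append("sha256 mismatch (corrupt or altered)")
    age = now - manifest["created"]
    if age > max_age_s:
        problems.append(f"backup is {age / 3600:.1f} h old, older than allowed")
    return {"ok": not problems, "age_s": age, "problems": problems}


def demo() -> dict:
    """Constructed sample site tree with restrictive permissions, staged and verified."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        stage = root / "stage"
        conf = stage / "public_html" / "conf"
        conf.mkdir(parents=True)
        (stage / "public_html" / "index.php").write_text("<?php echo 'hello';\n")
        cfg = conf / "wp-config.php"
        cfg.write_text("<?php // constructed config; secrets would live here\n")
        cfg.chmod(0o600)          # must survive the transfer
        conf.chmod(0o750)
        # Stand-in for `mysqldump` output; a real run would write this from the live DB.
        (stage / "db.sql").write_text("-- constructed dump\nCREATE TABLE t (id INT);\n")

        created = time.time()
        archive = create_archive(stage, root / "site-backup.tar.gz")
        manifest = root / "site-backup.manifest.json"
        write_manifest(archive, manifest, created)
        modes = archive_modes(archive)

        fresh = verify_backup(archive, manifest, 86400, now=created + 3600)
        stale = verify_backup(archive, manifest, 86400, now=created + 3 * 86400)
        # Simulate an interrupted FTP download: drop the last bytes of the archive.
        archive.write_bytes(archive.read_bytes()[:-10])
        corrupt = verify_backup(archive, manifest, 86400, now=created + 3600)

        return {
            "config_mode": modes["stage/public_html/conf/wp-config.php"],
            "conf_dir_mode": modes["stage/public_html/conf"],
            "fresh_ok": fresh["ok"],
            "stale_ok": stale["ok"],
            "corrupt_ok": corrupt["ok"],
            "corrupt_problems": len(corrupt["problems"]),
        }


if __name__ == "__main__":
    print(demo())
```

Restoring with `tar -xpzf site-backup.tar.gz` reapplies the recorded modes, which is the part a file-by-file FTP download cannot do; the manifest travels next to the archive, so even an FTP-only session is enough to decide whether the remote copy is complete and recent before committing to a reinstall.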

marks
23-07-2009, 10:49
I'm afraid that's OVH policy.

We are very serious and strict when it comes to scans and other hacking activities coming out of a server hosted by us. We cannot allow that, not just because of the illegal nature of it on that server, but also because of the damage it could cause to other servers of other customers in our network.

If you resell the servers, you are still responsible for ensuring that our terms and conditions are enforced and that security is maintained.

Nevertheless, in your case, as you've got several IPs and it's possible that the attack came from one of them, we are ready to look at your case. The idea is that if you are running a virtualization environment, and just one of your VMs got hacked but not the whole server has been compromised, we can give you the server back. To apply for this review of your case, you have to write to us with an explanation of what has happened and what you'll do to fix it. That must include a proper explanation of what was overlooked and what you'll do so that it doesn't happen again.

Hope this helps.

freshwire
23-07-2009, 01:48
All my monkey men second this opinion

Euan
22-07-2009, 23:47
The policy that you impose is simply stupid, disabling access to the entire machine and expecting FTP to be used to recover the data and then requiring a reinstall as the only option.

I understand the policy of a reinstall, but why can traffic not be blocked until we recover the data? We cannot do anything with FTP access; downloading it to a home machine is the only option, and that would take days to download and re-upload. This is a cPanel machine: I can easily transfer all files off the machine, reinstall and set up again within 6 hours, but with FTP it would take me days to do.

I am not a spammer or malicious user, I spend over 600 a month on OVH services to be treated like an abuser. You all know that there is no way to avoid a malicious script or something to that effect.

Expecting a client to fully recover from an incident like this with only FTP access is simply stupid, please do not think I am complaining about the actual access blocking on my server - I totally understand that but there is no way to recover from this within a timely manner that my customers will expect.

I hope the OVH team looks forward to a very impatient phone call in the morning!

regards,
ae5754-ovh