Attack? I need details
derchris
18-08-2009, 16:23
I would say update any script you are running on your machine.
There might be known issues that were fixed in a later version.
The server was compromised... I didn't want to risk any other hidden access hotspots, so I reimaged.
If your server is blocked due to an attack, go into the manager, turn OVH intervention off in the services panel. Then do a hard reboot.
You should be able to log in.
I noticed I can still copy to my USB drive... if I dump everything on my USB drive, it won't be touched by the recovery, right? OVH doesn't have some weird script to erase USB-attached devices too?
Edit: never mind... it didn't actually copy over.
Got the details... hacked... I'll have to figure out how they did that so I can block it.
Edit 2: now that I have the details, I agree that reimaging is the solution (though it could have saved me time if they had just said that in the beginning, heh).
Have a look at
http://ossw.ibcl.at/FTPSync/ - genius little script! That way you don't have to mess around with all the FTP commands, per directory, etc., etc.
If you use a Debian-based distro, get the libwww-perl and libnet-perl packages to get it to work (apt-get install libwww-perl libnet-perl).
To be honest, I don't trust the OVH server right now, and want to move it all to a different server... but I don't have a GUI on the other server, so I'm stuck with either command-line FTP (which I've never used, lol) or FXP (which appears to be disabled).
Edit: oooooooooh come on... the FTP in rescue mode runs at like 2-5 kB/s???? This is stupid... why don't they just tell me I have to fly to France to back it up locally next?
Are you able to boot in vKVM mode at this point, btw? Perhaps you can use the FTP backup space then...
I think just stating "attack" is too broad... I want to know what they consider is the attack, what port the access attempt was on... It could be an application I'm running that is meant to allow access to the server!
Edit: I can't transfer via FXP to another server either? I'm going to need weeks to re-upload the data!!
I have had this issue with OVH before, the policy is pretty crap because reinstalling the operating system will do nothing when you are simply going to reupload the same files which may well be infected.
It was through my OVH Manager as well... I've submitted a ticket asking for more details... they responded with
_________________
Bonjour,
Cordialement, Olivier T.
___________________
and nothing in between...
I'd have to say that's a bit of a strange request based on the little information you were given. Are you sure it's an official e-mail from OVH? It should also be in your Manager, if it is.
I mean, like you said, it's a bit like someone saying "you need to change a tyre" out of the blue. Why? And which one? My car? Or my wife's?
As for the syslog, it'd be in /var/log. /home wouldn't be mounted unless it's a plain-old-directory.
I'm just asking for them to tell me what triggered their notion that the server was attacked. They must have received SOMETHING for them to think that my server was attacked... unmanaged or not, they should be able to say "we received this alert..." or "this server IP was scanning..."... something.
I've never connected via rescue mode... is there no /home mount? And are the syslogs all inaccessible? I don't see either.
DedicatedPros
16-08-2009, 00:13
Originally Posted by MIODude
That's what I need them to tell me... else I could just put the same application back on the server. How do they know what is an unwanted user or a wanted user? I have many applications running on the server, nothing new recently.
OVH - I need more details... else I could be re-imaging again 2 days after re-setting up the server. I need to know what triggers you have to consider it an 'attack'.
Again, the servers are unmanaged, they won't go through your data and check every bit of it for malicious code.
That's what I need them to tell me... else I could just put the same application back on the server. How do they know what is an unwanted user or a wanted user? I have many applications running on the server, nothing new recently.
OVH - I need more details... else I could be re-imaging again 2 days after re-setting up the server. I need to know what triggers you have to consider it an 'attack'.
DedicatedPros
15-08-2009, 23:55
That's their policy I guess, I've never had the pleasure of dealing with it.
The read-only access is so you can download the files, check for bad code, and upload on the new installation.
I guess they consider any files that allow unwanted users to gain access to the server as malicious.
But how could I fix it with only FTP 'read only' access? And how do I know what they consider to be the malicious code?
DedicatedPros
15-08-2009, 23:44
Originally Posted by MIODude
I received a note telling me I have to reimage my server because it was 'attack'. No further details provided, except an FTP address to copy over my data then wipe it clean.
I don't think it is too much to ask about the nature of the attack? The server has been running fine for over a year, and suddenly I have to reimage? It doesn't make sense. Part of the note says 'someone may have gained access'... but how do you know who I've even given access to? If it's someone attacking my server, how is a reimage going to help? That would just be a waste of time for me to re-install everything while the person continues to attack my server.
My server is ks354825. Can someone shed some light on this for me? I'm out of town right now so can't do anything until tomorrow anyways.
They ask you to reformat as there is some kind of malicious code on your server, and it was put there after the installation, so a clean install would fix the issue.
As these servers are unmanaged they tell you to install, but if you know how to fix the issue then do it. They really don't give you instructions, as that would fall under the category of management.
I received a note telling me I have to reimage my server because it was 'attack'. No further details provided, except an FTP address to copy over my data then wipe it clean.
I don't think it is too much to ask about the nature of the attack? The server has been running fine for over a year, and suddenly I have to reimage? It doesn't make sense. Part of the note says 'someone may have gained access'... but how do you know who I've even given access to? If it's someone attacking my server, how is a reimage going to help? That would just be a waste of time for me to re-install everything while the person continues to attack my server.
My server is ks354825. Can someone shed some light on this for me? I'm out of town right now so can't do anything until tomorrow anyways.