Yet another OVH fail (Not Actually)


fozl
20-08-2010, 15:05
Quote Originally Posted by LawsHosting
Face it Thelen, you were hacked, let's leave it there
Well said.

LawsHosting
20-08-2010, 14:42
Face it Thelen, you were hacked, let's leave it there

jonlewi5
20-08-2010, 13:24
The plot thickens....

I need to get out more as I'm actually enjoying this......

Myatu
20-08-2010, 11:33
Quote Originally Posted by Thelen
So basically what you are saying is my server was hacked, they used it to DDoS, OVH saw the logs IMMEDIATELY power cycled (as in no time for the hacker to remove the php file(s)), booted into rescue mode, where there was still no evidence of said php file because the hacker managed to hack the rescue mode as well? Riiiiight....
As I had mentioned: Your lighttpd logs showed that your web server responded with a "200 OK" when serving the file "udp.php". Which means that the file was THERE. Or do you suppose that the developers of Lighttpd randomly insert "200 OK" instead of "401 File not found" log messages to throw admins around the world off? Get real.

I also mentioned that lighttpd does not need to use the /var/www directory to serve files. Let's say the PHP upload or server PUT facility was used - pure guess here - the location would be /tmp/. If it's a tmpfs mount, or on some distros like Ubuntu, it gets cleaned (as in: REMOVED) upon a reboot. That is speculation, but given that this is one of the most common places for unauthorised files, it's likely.

As for the log, you still seem to fail to grasp that the log is impossible unless they somehow manage to break .htaccess.
Thelen, what you seem to fail to grasp is that LIGHTTPD DOES NOT SUPPORT .htaccess FILES (see their FAQ why).

So using .htaccess to "lock down" your lighttpd-based webserver was completely futile. Not to mention, it's akin to locking the front door, but leaving the windows open.

Your webserver was insecure (partially because of your assumption that .htaccess was locking it down), someone (or you yourself - you did throw a threat around before) managed to place a "udp.php" file on your server and used it to DoS the living daylights out of another server used to host only websites. Nothing you have said has indicated otherwise; and by your own words, nonetheless.

Seriously!
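
As an added example (not code from the thread, from OVH or from lighttpd), here is the check a practitioner would want after reading the post above: an audit that lists every directory under a lighttpd docroot that is "protected" only by an Apache-style .htaccess file, which lighttpd never reads. The docroot, the .htaccess paths and both lighttpd.conf texts are constructed for the example, and the config parser is deliberately simple (a regex over `auth.require` prefix keys and over `$HTTP["url"] =~ "^..."` blocks containing `url.access-deny`), not a full lighttpd.conf parser. It also covers the second way this fails: the directive is present but the module it needs was never loaded in `server.modules`.

```python
"""Added example (not from the thread): audit a lighttpd host for directories
guarded only by .htaccess, which lighttpd ignores. Real restrictions live in
lighttpd.conf (mod_auth auth.require prefixes, or url.access-deny inside a
$HTTP["url"] block) and only work when that module is loaded.
Config text, docroot and .htaccess paths are constructed; the parser is a
simplified regex over the two directive forms named above.
"""
import os
import posixpath
import re

# Constructed lighttpd.conf: /private/ guarded by mod_auth, /secret/ by
# mod_access; nothing in the config mentions /torrent/.
CONF_OK = '''
server.modules += ( "mod_auth", "mod_access" )
auth.backend = "htpasswd"
auth.backend.htpasswd.userfile = "/etc/lighttpd/htpasswd"
auth.require = ( "/private/" => ( "method" => "basic",
                                  "realm"  => "seedbox",
                                  "require" => "valid-user" ) )
$HTTP["url"] =~ "^/secret/" { url.access-deny = ( "" ) }
'''

# Same directives, but mod_auth was never loaded: auth.require is inert.
CONF_NO_MOD_AUTH = CONF_OK.replace('"mod_auth", ', "")

DOCROOT = "/var/www"
# Constructed: where an admin used to Apache dropped .htaccess files.
HTACCESS_FILES = [
    "/var/www/private/.htaccess",
    "/var/www/secret/.htaccess",
    "/var/www/torrent/.htaccess",
]

AUTH_KEY_RE = re.compile(r'"(/[^"]*)"\s*=>\s*\(')
URL_BLOCK_RE = re.compile(r'\$HTTP\["url"\]\s*=~\s*"\^([^"$]*)"\s*\{([^}]*)\}')


def protected_prefixes(conf: str) -> set:
    """URL prefixes lighttpd.conf restricts, counting only loaded modules."""
    prefixes = set()
    if '"mod_auth"' in conf:
        prefixes.update(m.group(1) for m in AUTH_KEY_RE.finditer(conf))
    if '"mod_access"' in conf:
        prefixes.update(m.group(1) for m in URL_BLOCK_RE.finditer(conf)
                        if "url.access-deny" in m.group(2))
    return prefixes


def url_prefix(docroot: str, htaccess_path: str) -> str:
    """Map /docroot/a/b/.htaccess to the URL prefix /a/b/ it would guard."""
    rel = posixpath.relpath(posixpath.dirname(htaccess_path), docroot)
    return "/" if rel == "." else "/" + rel + "/"


def audit(conf: str, docroot: str, htaccess_files) -> dict:
    """For every .htaccess, report whether lighttpd.conf covers that prefix
    or whether the directory is, in practice, wide open."""
    protected = protected_prefixes(conf)
    report = {}
    for path in htaccess_files:
        prefix = url_prefix(docroot, path)
        covered = any(prefix.startswith(p) for p in protected)
        report[prefix] = ("restricted in lighttpd.conf" if covered
                          else "ONLY .htaccess: open under lighttpd")
    return report


def find_htaccess(docroot: str):
    """Real-world input for audit(): walk a docroot for .htaccess files."""
    for root, _dirs, files in os.walk(docroot):
        if ".htaccess" in files:
            yield os.path.join(root, ".htaccess")


if __name__ == "__main__":
    for prefix, status in audit(CONF_OK, DOCROOT, HTACCESS_FILES).items():
        print(f"{prefix:12} {status}")
```

On a live box, feed `audit()` the output of `find_htaccess("/var/www")` together with the real `/etc/lighttpd/lighttpd.conf`; anything reported as "ONLY .htaccess" is reachable by anyone who can guess the path.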

Thelen
20-08-2010, 05:42
Yea well, OVH are cheap and nasty, so what do you expect >_>

I've done more maths and OVH is only about 20% cheaper, but putting all these issues into context, they are barely any cheaper now. The next major stuff-up, and they'll be more expensive to stay with that move.

Speedy059
20-08-2010, 05:36
Quote Originally Posted by raxxeh
Yes, it's normal, and they are self-centered - only they are right, the customer is always wrong. You're posting in this thread so you must have read it...
That doesn't make sense, as I have never been told by any of the 4 datacenters I'm in that they will reinstall my server over nothing. This is quite frightening for us as we are trying to run a legitimate business. That is a very excessive option to resolve a small 'suspicious' complaint by their network. Deleting hundreds of GB of data over a small issue is ridiculous. If there is an abuse report, I think we should be the ones determining whether or not to reinstall our server.

This "reinstall your server within 24 hours or be terminated" is very extreme and almost bullying. Why is this? Anyone from OVH can comment on such bullying policies?

Thelen
20-08-2010, 02:47
Heh got a lol ticket response:
What my answer means is:

- your server has been suspended because WE always intervene when our network security is in danger.

In your case, for example, this means: if we let the incoming attack continue as it is, switch performance goes down; if your server cannot resist and the attack is successful, your server starts to become a zombie and can be a danger for others.)

And so we send a generic message to the server admin.
***************SNIP*****************
- is your server hacked? We do not know, because you know your server and I'm sure you have now checked everything.
All we can do is provide this information and explain to you that whenever something is a danger for our network: we will intervene.
So basically, server was put into rescue mode because of incoming details not necessarily outgoing. Given there is no evidence except the log and their details, we'll never know if it was or not, but it doesn't seem to matter because it only has to LOOK like hacked activity!

Thelen
20-08-2010, 02:38
Quote Originally Posted by Myatu
That puts a whole different twist on your story. The fact that lighttpd registered a log entry from YOUR server AND it responded with a "200 OK" means that "udp.php" was in fact in your server.

And if someone was able to PUT something on your server, what makes you think someone can't REMOVE something from your server? Besides, you don't have to have something in /var/www for it to be served by lighttpd.

Not even the most insane torrent app connects to UDP port 2413 outgoing and then 59724 outgoing on the next attempt...

So... Whose cause was it again?
So basically what you are saying is my server was hacked, they used it to DDoS, OVH saw the logs IMMEDIATELY power cycled (as in no time for the hacker to remove the php file(s)), booted into rescue mode, where there was still no evidence of said php file because the hacker managed to hack the rescue mode as well? Riiiiight....

As for the log, you still seem to fail to grasp that the log is impossible unless they somehow manage to break .htaccess.

I've seen torrent apps connect from completely random ports, from 2500 to 62000, that is the point, it is random. But that aside.

I'm starting to think the user of said seedbox slot had a virus on his end, which then used all his open authenticated pages to try bypass other security measures.

Quote Originally Posted by Winit
Thelen = 0wned.
And yet, I haven't done a single thing except reboot, and magically I'm not owned?

You might all think I am in denial, but I've done NOTHING to the box. And neither has anyone else. How is it suddenly, magically un-hacked?

Seriously.

jonlewi5
19-08-2010, 21:59
Oh dear.......

Winit
19-08-2010, 21:15
Thelen = 0wned.

yonatan
19-08-2010, 20:30
Quote Originally Posted by LawsHosting
I was going to mention this before I saw your post...... I wonder, if it was a 404 code, OVH wouldn't have flagged it?
They might flag it even if it was 404, but then there is no logical explanation for the bad UDP traffic ...

LawsHosting
19-08-2010, 19:49
Quote Originally Posted by Myatu
Wait a minute...
The fact that lighttpd registered a log entry from YOUR server AND it responded with a "200 OK" means that "udp.php" was in fact in your server.
I was going to mention this before I saw your post...... I wonder, if it was a 404 code, OVH wouldn't have flagged it?

Myatu
19-08-2010, 16:59
Wait a minute...

Before you edited your post, you said this (I've edited the external IP and your domain out):

xxx:/home# zgrep '207.182.151.24' /var/log/*/*
/var/log/lighttpd/access.log.1.gz:94.1xx.xx.xx xxx.xxomseedbox.com xxx[11/Aug/2010:15:38:51 +0200] "GET /udp.php?act=phptools&host=207.182.151.24+&time=2 HTTP/1.1" 200 874 "http://xxxx.xxomseedbox.com/udp.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 (.NET CLR 3.5.30729)"

Apparently that is the proof my server is hacked. Well, firstly, udp.php doesn't exist in that users www directory. It also doesn't exist in the servers www directory (which is blank btw).

... (blah blah) ...
That puts a whole different twist on your story. The fact that lighttpd registered a log entry from YOUR server AND it responded with a "200 OK" means that "udp.php" was in fact in your server.

And if someone was able to PUT something on your server, what makes you think someone can't REMOVE something from your server? Besides, you don't have to have something in /var/www for it to be served by lighttpd.

More so, the "act=phptools" portion in the log gave away what script was used - and it's in fact a very simple script specifically meant to cause a DoS (just do a Google).

That's very consistent with the logs marks has posted, which show high successive UDP connection requests. A portion of that "udp.php" code consists of ...

PHP Code:
$rand = rand(1, 65000);

$fp = fsockopen('udp://' . $host, $rand, $errno, $errstr, 5);
... and this is also evident in the logs marks posted, as the port range varies over a huge range, i.e.:

Code:
2010-08-11 17:03:50 2010-08-11 17:03:50 94.??.??.14 vi??.??omseedbox.com 43429 207.182.151.24 2413 UDP 1 1500
2010-08-11 17:03:49 2010-08-11 17:03:49 94.??.??.14 vi??.??omseedbox.com 45603 207.182.151.24 59724 UDP 1 1500
Not even the most insane torrent app connects to UDP port 2413 outgoing and then 59724 outgoing on the next attempt...

So... Whose cause was it again?
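
As an added example (not code from the thread, from OVH or from the udp.php script), here are the two checks the analysis above rests on, written as detection logic in Python and run over the log lines quoted in this thread: the router flow lines marks posted and the lighttpd access-log line Thelen posted (IP masking kept as on the page, user agent trimmed). The two flows to 198.51.100.7 and the second and third access-log lines are constructed for contrast; the meaning of the last two flow columns (packets, bytes) and the `udp.php` / `act=phptools` indicators are assumptions taken from the thread.

```python
"""Added example (not from the thread): the two checks Myatu's analysis rests
on, as code. (1) In the router flow log, one source hitting one destination
on many distinct random UDP ports within a second or two, every datagram the
same size, is the udp.php / "phptools" flooder pattern; a BitTorrent peer
talks to one fixed port per peer. (2) In the lighttpd access log, a 2xx
answer to the flooder's request proves the script existed and ran; a 404
would not. The last two flow columns are assumed to be packets and bytes.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Six flow lines as posted by marks (IPs masked as on the page), plus two
# constructed BitTorrent-looking flows to 198.51.100.7 for contrast.
FLOW_LINES = """\
2010-08-11 17:03:50 2010-08-11 17:03:50 94.??.??.14 vi??.??omseedbox.com 49697 207.182.151.24 36133 UDP 1 1500
2010-08-11 17:03:50 2010-08-11 17:03:50 94.??.??.14 vi??.??omseedbox.com 43429 207.182.151.24 2413 UDP 1 1500
2010-08-11 17:03:49 2010-08-11 17:03:49 94.??.??.14 vi??.??omseedbox.com 45603 207.182.151.24 59724 UDP 1 1500
2010-08-11 17:03:50 2010-08-11 17:03:50 94.??.??.14 vi??.??omseedbox.com 34052 207.182.151.24 16341 UDP 1 1500
2010-08-11 17:03:50 2010-08-11 17:03:50 94.??.??.14 vi??.??omseedbox.com 46009 207.182.151.24 41416 UDP 1 1500
2010-08-11 17:03:49 2010-08-11 17:03:49 94.??.??.14 vi??.??omseedbox.com 48272 207.182.151.24 10741 UDP 1 1500
2010-08-11 17:02:10 2010-08-11 17:02:10 94.??.??.14 vi??.??omseedbox.com 51413 198.51.100.7 6881 UDP 4 812
2010-08-11 17:03:30 2010-08-11 17:03:30 94.??.??.14 vi??.??omseedbox.com 51413 198.51.100.7 6881 UDP 3 1388
"""

# First line is the one Thelen posted (UA trimmed); the other two are
# constructed: a harmless request, and a request for the script that 404s.
ACCESS_LINES = """\
94.1xx.xx.xx xxx.xxomseedbox.com xxx[11/Aug/2010:15:38:51 +0200] "GET /udp.php?act=phptools&host=207.182.151.24+&time=2 HTTP/1.1" 200 874 "http://xxxx.xxomseedbox.com/udp.php" "Mozilla/5.0"
94.1xx.xx.xx xxx.xxomseedbox.com xxx[11/Aug/2010:15:40:02 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
94.1xx.xx.xx xxx.xxomseedbox.com xxx[11/Aug/2010:15:41:10 +0200] "GET /udp.php?act=phptools&host=203.0.113.9&time=2 HTTP/1.1" 404 345 "-" "Mozilla/5.0"
"""

ACCESS_RE = re.compile(
    r'^(?P<client>\S+)\s+(?P<vhost>\S+)\s+\S*?\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>\S+)\s+(?P<target>\S+)\s+[^"]*"\s+(?P<status>\d{3})\s+\S+')
FLOODER_SCRIPTS = {"udp.php"}   # file name seen in the thread (assumption)
FLOODER_ACTION = "phptools"     # act= value seen in the thread (assumption)


def parse_flows(text):
    """Group flow records by (src_ip, dst_ip, proto)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        f = line.split()
        if len(f) < 12:
            continue
        t = datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S")
        groups[(f[4], f[7], f[9])].append({"t": t, "dport": int(f[8]), "bytes": int(f[11])})
    return groups


def classify_flows(text, min_ports=5, window_s=5.0):
    """{(src, dst): verdict}. UDP to >= min_ports distinct destination ports
    inside window_s seconds with a single datagram size is the flooder."""
    verdicts = {}
    for (src, dst, proto), recs in parse_flows(text).items():
        dports = {r["dport"] for r in recs}
        sizes = {r["bytes"] for r in recs}
        span = (max(r["t"] for r in recs) - min(r["t"] for r in recs)).total_seconds()
        flood = proto == "UDP" and len(dports) >= min_ports and span <= window_s and len(sizes) == 1
        verdicts[(src, dst)] = "random-port UDP flood" if flood else "peer-like"
    return verdicts


def flooder_requests(text):
    """[(target host from host=, HTTP status)] for requests to the flooder."""
    hits = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        q = parse_qs(parts.query)
        script = parts.path.rsplit("/", 1)[-1]
        if (script in FLOODER_SCRIPTS or FLOODER_ACTION in q.get("act", [])
                or ("host" in q and "time" in q)):
            hits.append((q.get("host", ["?"])[0].strip(), int(m["status"])))
    return hits


def correlate(flow_text, access_text):
    """Join both sources: a served (2xx) flooder request whose host= equals the
    destination of a flood-classified flow group is the strong finding."""
    flooded = {dst for (_, dst), v in classify_flows(flow_text).items() if v != "peer-like"}
    findings = []
    for host, status in flooder_requests(access_text):
        if 200 <= status < 300 and host in flooded:
            findings.append(f"{host}: flooder script served (HTTP {status}) and random-port UDP flood seen")
        elif 200 <= status < 300:
            findings.append(f"{host}: flooder script served (HTTP {status}), no matching flood in flow log")
        else:
            findings.append(f"{host}: request for flooder got HTTP {status}, nothing was served")
    return findings


if __name__ == "__main__":
    for key, verdict in classify_flows(FLOW_LINES).items():
        print(key, verdict)
    print(*correlate(FLOW_LINES, ACCESS_LINES), sep="\n")
```

The thresholds (five distinct ports inside five seconds) are deliberately loose; the point is that a BitTorrent peer keeps hitting the same remote port, so the distinct-port count stays small however much traffic it moves, while the flooder's `rand(1,65000)` makes the count climb with every request.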

Thelen
19-08-2010, 10:48
Quote Originally Posted by yonatan
... maybe someone *SMARTER* than you hacked your rig? ( you know they are out there ), maybe they are hiding/spoofing a process from you?
maybe you are a victim of some bot?

did you disable functions in your php.ini?
do you know how to secure a web server and lock it down to the max so NO one on earth *MIGHT* be able to use your server for bad things?

and finally, can you explain the traffic going to that poor guys hosting box?
does it make sense to talk to his server on high random UDP ports?

was it video streaming? why would a web server want to watch a video in the first place?

god calm down, people are trying to help you.
1. Sure someone smarter could have. But given I run the same setup on roughly 60 other servers with OVH, only hacking one when you can have 60 makes no sense at all. (Oh and not to mention I know for a fact Feral, Xirvik and others run exactly the same setup too, numbers probably in the thousands of servers, none of them are hacked.)

2. You still fail to understand the server in question is locked down with .htaccess. NO-ONE in the public can access it with anything more than the default lighttpd .html file. And given it was up to date, if they could, then millions of boxes would be hacked right now. But there aren't, so you really still think the bot is right, with its circumstantial and timing bullsssssht?

3. I can't explain the traffic nor have I even bothered to look. You and OVH aren't trying to help, you are just asking useless questions or asserting my server has been hacked purely based on some network traffic and a log file. If it was hacked, and I haven't done ANYTHING since they rebooted it, it would STILL be doing suspicious things. But it isn't.

So man, how about you STFU, GTFO, and stop wasting my time.

raxxeh
19-08-2010, 10:15
Quote Originally Posted by Speedy059
Is this normal behavior from OVH to assume they know exactly what is in your server even though they won't touch it with a 10-foot pole...(that's the vibe I get from support). How on earth could an OS re-installation be the only option, especially when their own templates install this kernel?
Yes, it's normal, and they are self-centered - only they are right, the customer is always wrong. You're posting in this thread so you must have read it...

yonatan
19-08-2010, 07:12
marks sent an interesting log
Ok, seeing both sides
one claims legit torrent traffic which might occur on high random udp ports
the other claims an attack

keep in mind ... you can never trust the OVH robots at first look, but they sometimes do give us a good idea of what is going on with our servers...

Lets analyze it for us all, and see who is more likely to be right, the robot or the end user...

2010-08-11 17:03:50 2010-08-11 17:03:50 94.??.??.14 vi??.??omseedbox.com 49697 207.182.151.24 36133 UDP 1 1500
2010-08-11 17:03:50 2010-08-11 17:03:50 94.??.??.14 vi??.??omseedbox.com 43429 207.182.151.24 2413 UDP 1 1500
2010-08-11 17:03:49 2010-08-11 17:03:49 94.??.??.14 vi??.??omseedbox.com 45603 207.182.151.24 59724 UDP 1 1500
2010-08-11 17:03:50 2010-08-11 17:03:50 94.??.??.14 vi??.??omseedbox.com 34052 207.182.151.24 16341 UDP 1 1500
2010-08-11 17:03:50 2010-08-11 17:03:50 94.??.??.14 vi??.??omseedbox.com 46009 207.182.151.24 41416 UDP 1 1500
2010-08-11 17:03:49 2010-08-11 17:03:49 94.??.??.14 vi??.??omseedbox.com 48272 207.182.151.24 10741 UDP 1 1500
2010-08-11 17:03:50 2010-08-11 17:03:50 94.??.??.14 vi??.??omseedbox.com 45847 207.182.151.24 56073 UDP 1 1500
2010-08-11 17:03:49 2010-08-11 17:03:49 94.??.??.14 vi??.??omseedbox.com 53431 207.182.151.24 34723 UDP 1 1500
2010-08-11 17:03:50 2010-08-11 17:03:50 94.??.??.14 vi??.??omseedbox.com 55983 207.182.151.24 45260 UDP 1 1500
2010-08-11 17:03:49 2010-08-11 17:03:49 94.??.??.14 vi??.??omseedbox.com 43504 207.182.151.24 40102 UDP 1 1500
2010-08-11 17:03:50 2010-08-11 17:03:50 94.??.??.14 vi??.??omseedbox.com 57163 207.182.151.24 36126 UDP 1 1500
2010-08-11 17:03:50 2010-08-11 17:03:50 94.??.??.14 vi??.??omseedbox.com 53290 207.182.151.24 18779 UDP 1 1500
2010-08-11 17:03:50 2010-08-11 17:03:50 94.??.??.14 vi??.??omseedbox.com 39498 207.182.151.24 6600 UDP 1 1500
2010-08-11 17:03:49 2010-08-11 17:03:49 94.??.??.14 vi??.??omseedbox.com 49170 207.182.151.24 61304 UDP 1 1500
2010-08-11 17:03:50 2010-08-11 17:03:50 94.??.??.14 vi??.??omseedbox.com 40212 207.182.151.24 44514 UDP 1 1500


207.182.151.24
claimed to be a torrent on the run... could be legit traffic right?
dig in:
Code:
> server 8.8.8.8
Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8

> 207.182.151.24
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Name:    18.97.b6.static.xlhost.com
Address:  207.182.151.24

>
now lets use our mighty cracking skills and scan port 80

http://18.97.b6.static.xlhost.com

Right! That's a large torrent box; it's pretty normal for a torrent peer to talk with that server on high random UDP ports ...

... maybe someone *SMARTER* than you hacked your rig? ( you know they are out there ), maybe they are hiding/spoofing a process from you?
maybe you are a victim of some bot?

did you disable functions in your php.ini?
do you know how to secure a web server and lock it down to the max so NO one on earth *MIGHT* be able to use your server for bad things?

and finally, can you explain the traffic going to that poor guys hosting box?
does it make sense to talk to his server on high random UDP ports?

was it video streaming? why would a web server want to watch a video in the first place?

god calm down, people are trying to help you.


just for the fun I've sent byethost a mail asking if I can host http://deluge-torrent.org/ and peer torrents from the web server, will update if they ever take me seriously.

( after all its unlimited web space right? )

Speedy059
19-08-2010, 06:06
Yesterday we got a report that our server was being used for botnets due to a vulnerability in our kernel and had 24 hours to reinstall our server before it's terminated... I mean wow.

First of all, they don't know what kernel I'm even using (latest patched OpenVZ kernel, same thing they offer in their Proxmox and Virtuozzo templates) and they don't know that it's a VPS and not the actual server. We promptly suspended our client and then had to quickly explain to OVH why we don't need to erase all of our clients' data.

Is this normal behavior from OVH to assume they know exactly what is in your server even though they won't touch it with a 10-foot pole...(that's the vibe I get from support). How on earth could an OS re-installation be the only option, especially when their own templates install this kernel?

Thelen
19-08-2010, 01:22
The problem is, YOUR interface/scanning tools detect INCOMING attacks and DDoS stuff, and blame it on the server, as is my case:

xxx:/home# zgrep '207.182.151.24' /var/log/*/*
/var/log/lighttpd/access.log.1.gz:94.192.46.135 xxx.customseedbox.com xxx[11/Aug/2010:15:38:51 +0200] "GET /udp.php?act=phptools&host=207.182.151.24+&time=2 HTTP/1.1" 200 874 "http://xxxx.customseedbox.com/udp.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 (.NET CLR 3.5.30729)"

Apparently that is the proof my server is hacked. Well, firstly, udp.php doesn't exist in that users www directory. It also doesn't exist in the servers www directory (which is blank btw).

2nd problem I see is, INCOMING attacks will obviously register in the log, but that doesn't make them the initiator, and especially because googling for that particular exploit or tool, doesn't give any results for any server side hack (ie rootkit). So, that leaves client pages, and since it is all behind .htaccess, there is no way anyone in the public has access either which way.

So, I still stand behind my initial statement that this is OVH fault, they register incoming attack as my fault, and that they should say sorry and compensate me for the down time.

I'd also like to add, it is highly likely if it WAS from the server, given 94.192.46.135 is the IP of access, then my customer who is on that account has a virus and was simply trying to exploit via any open windows.

marks
18-08-2010, 11:43
Quote Originally Posted by Thelen
How is it a threat to demand the service you pay money for? That is like buying McDonald's, and only getting half a container of fries, going in to say you'll call the BBB or something. Might look like a threat to McDonald's, but to the person with half a container of fries it is demanding and receiving what you paid for!
I think Angie's been very clear:

We do this standard answer to help.
Now: a dedicated server is still a dedicated server and it is the admin's job to check.


In some cases, the engineers could do YOUR job on your behalf, but that's not included in the standard service (looking for the cause of the attack, checking your logs, searching the history, ...); that would be an extra service.

This would be the diagnosis service, the 20 Euro one that Angie is talking about.

LawsHosting
18-08-2010, 09:22
Quote Originally Posted by curiosity
easy to say that when its not You receiving the treatment and downtime isn't it ?? . One wonders how you would feel if it had been you though ?
Then you actually need to think why you are........... Ok, so they've screwed the bandwidth, but, personally, I have never ever had any problems like are discussed here - maybe because I look after my servers, or even, use them for their intention?

Heck, I wasn't hit with this phpMyAdmin hack, and yes I have it installed.....but manually, and not in its default directory........

Thelen
18-08-2010, 03:40
How is it a threat to demand the service you pay money for? That is like buying McDonald's, and only getting half a container of fries, going in to say you'll call the BBB or something. Might look like a threat to McDonald's, but to the person with half a container of fries it is demanding and receiving what you paid for!

I'm not an American who thinks he deserves the universe for free, I just want my servers to not be taken offline for no reason, or if they are, to receive credit for that mistake.

If the SLA compensation fees aren't ever going to happen, then take them off, otherwise it is false advertising!

I will reply to the ticket for you, Angy.

Angie
17-08-2010, 19:42
Hi,

just by the way :

the answers in the tickets are a 'standard answer' because if your server has been suspended during the night when we found this big attack, it is possible that you have been suspended because we have seen something: a flood or attack (incoming or outgoing).

We do this standard answer to help.
Now: a dedicated server is still a dedicated server and it is the admin's job to check.

If we have proposed to fix it for 20 Euro HT: it is not specified as 'fix phpMyAdmin'.
This means the intervention is to find out what happened on the server.

Now if someone here thinks that the suspension of his server is an error:
you can contact me through the ticket interface: relaunch the ticket and post in the message that the ticket is for me, that I have asked here to restart it, and I will check.

Cheers,
Angy

jonlewi5
17-08-2010, 19:39
Quote Originally Posted by Thelen
And just FYI, some torrent people aren't very nice at all. I know many that have external botnets that would be able to DDoS you to oblivion, and they are very close to doing it as well (one had his nice shiny new 40TB 10Gbit server quota disappear in only 6 days. You can imagine what he paid..)
I hope that ain't a threat man, because no matter what the situation, that ain't cool.

If it was, you aren't doing yourself any favours.

curiosity
17-08-2010, 19:10
Quote Originally Posted by LawsHosting
So glad you're not our customer........ Touches of an attitude going on.
easy to say that when its not You receiving the treatment and downtime isn't it ?? . One wonders how you would feel if it had been you though ?

LawsHosting
17-08-2010, 17:22
So glad you're not our customer........ Touches of an attitude going on.

Thelen
17-08-2010, 15:53
Quote Originally Posted by marks
Firstly, read properly what I've said, before getting back with such comments. We are here to help and explain better the actions taken by OVH when we don't have any other choice.

So, stop complaining and check the facts: your server was scanning other machines and that's something we won't allow. Your server is your responsibility.
Well the facts are, the box isn't hacked, the box was never hacked, and it will never be hacked. Your network tools were in error, they totally mis-read the packets, which, while appearing to be a scan to you, were in fact NOT a scan.

The fact it occurred on the same day is proof enough for me that your tools were simply over-zealous and lumped my server in with all the others that HAD actually been hacked. You said yourself you do not check the server, so how on earth, and since when, does X packets conclusively mean a scan. Seriously..

I don't accept that swearing and getting heated is in any way unwarranted, you have taken my server offline for 48 hours and blamed it/me for something that never happened. You have actually cost me money, not to mention you probably cost yourself money by creating extra work.... In the REAL WORLD, you do **** like this, someone swearing on a forum is the least of your worries.

If this was a real world contract, I'd be suing your ass back to the stone age. You are just lucky the price of this server, and indeed all my servers, is below the cost of a lawsuit. Carry on with this and the bandwidth stuff, though, and you might see a bunch of people get together to foot the bill. And just FYI, some torrent people aren't very nice at all. I know many that have external botnets that would be able to DDoS you to oblivion, and they are very close to doing it as well (one had his nice shiny new 40TB 10Gbit server quota disappear in only 6 days. You can imagine what he paid..)

marks
17-08-2010, 12:24
Quote Originally Posted by stoner
So basically it wouldn't be much problem if someone did want to do illegal torrents.. With the amount of time it takes you to sort out small issues they should get around a few months at least to keep on doing what they're doing while you pull your fingers out, get a lawyer and what not.. That or they will just ditch the server at the end of the month anyway
The legal department spends most of the time dealing with abuse complaints and checking these things. They have nothing to do with the engineers in the datacentre or the developers.

But one thing you say it's true: using your server for illicit file sharing is not allowed at OVH. Therefore, before we find it out, it's better to stop doing that or ditch the server.

marks
17-08-2010, 11:18
ITS NOT A EFFING WINDOWS BOX, OVH ARE JUST RETARDS.
you're not helping yourself with these comments. I would suggest to calm down and check the facts. Also, LawsHosting is not an OVH staff member.

Quote Originally Posted by Thelen
ITS NOT A EFFING WINDOWS BOX, OVH ARE JUST RETARDS.
WHAT THE EFFING MOTHER EFFING HELL IS GOING ON. THE SERVER ISN'T HACKED. IT NEVER WAS HACKED. THE REASON SO MUCH TRAFFIC/PORTS BETWEEN THOSE 2 SERVERS IS DUE TO DELUGE-TORRENT CLIENT. YOU JUST SAW A CRAPLOAD OF OTHER SERVERS GET HACKED VIA THAT VULNERABILITY, ASSUMED BECAUSE MY SERVER WAS DOING MORE THAN 1KB/S OF TRAFFIC THAT, ZOMG IT MUST BE HACKED TOO.

Right, now that I've let off some steam; seriously, so I have to PROVE that it wasn't hacked? How is that possible. Anything can be hacked, and in fact everything can be hacked to leave no evidence. Doesn't mean it is being abused (though with the shutting down of this server apparently you morons think it was), so that is insane.
Firstly, read properly what I've said, before getting back with such comments. We are here to help and explain better the actions taken by OVH when we don't have any other choice.

Let's see if you can understand how our services work: we do not have access to the servers and our support doesn't include doing anything inside your server (neither fix nor check what's going on in it).

We do have control of the routers and therefore we can apply some security on them. Our routers caught those scanning packets; that's enough for us, and all we need. That kind of behaviour is just not allowed in our network, to make sure that, at least, our servers are not used for illicit purposes.

The reason why your server did that? We don't know. We don't check inside your server and do an investigation, that's up to you. The engineers suggested the vulnerability with PHPMyAdmin, but it might be something else. It's entirely up to you to find it out.

I'm afraid that, even though you would like us to do the job for you, our engineers can't afford to be searching for vulnerabilities in all our servers. That's the admin/customer responsibility.

So, stop complaining and check the facts: your server was scanning other machines and that's something we won't allow. Your server is your responsibility.

Thelen
17-08-2010, 03:30
Quote Originally Posted by LawsHosting
So, was this to do with phpMyAdmin or something else......... I see it's a Windows box? If so, it'll be like a needle in a haystack........... People are too quick to judge OVH......
ITS NOT A EFFING WINDOWS BOX, OVH ARE JUST RETARDS.

Quote Originally Posted by marks
I can't tell if the server was broken into through this phpMyAdmin vulnerability:

http://status.ovh.net/?do=details&id=377

but it's true that on that same day, lots of other servers at OVH were hacked using it. phpMyAdmin could have been the exploited bug, but we can't be sure about it. It was reported as a possibility. Not sure if the engineers had more info than me when they pointed to phpMyAdmin, but it's worth checking.

You can check section 5.2 of the contract that relates to liabilities etc in the case of loss of service or data due to attacks. To challenge this decision you need to provide information that we could examine that proves the hack status was not a false positive.

Regards, Folarin.
WHAT THE EFFING MOTHER EFFING HELL IS GOING ON. THE SERVER ISN'T HACKED. IT NEVER WAS HACKED. THE REASON SO MUCH TRAFFIC/PORTS BETWEEN THOSE 2 SERVERS IS DUE TO DELUGE-TORRENT CLIENT. YOU JUST SAW A CRAPLOAD OF OTHER SERVERS GET HACKED VIA THAT VULNERABILITY, ASSUMED BECAUSE MY SERVER WAS DOING MORE THAN 1KB/S OF TRAFFIC THAT, ZOMG IT MUST BE HACKED TOO.

Right, now that I've let off some steam; seriously, so I have to PROVE that it wasn't hacked? How is that possible. Anything can be hacked, and in fact everything can be hacked to leave no evidence. Doesn't mean it is being abused (though with the shutting down of this server apparently you morons think it was), so that is insane.

How many times do I have to say that phpmyadmin wasn't installed, isn't going to be installed, and has played no role in the alleged hacking. I'd like you, Marks, to provide more substantial evidence than just a lot of traffic/port activity...

Hell, I'll even setup a fund, and other people here can contribute 1 euro each towards the 20 euro, so we can just get more proof how retarded you guys are.

stoner
16-08-2010, 20:14
So basically it wouldn't be much problem if someone did want to do illegal torrents.. With the amount of time it takes you to sort out small issues they should get around a few months at least to keep on doing what they're doing while you pull your fingers out, get a lawyer and what not.. That or they will just ditch the server at the end of the month anyway

marks
16-08-2010, 18:00
Our legal team would check these issues, and the big picture will be taken into account when deciding whether:
a) issue will be ignored because it falls into licit usage of torrents
b) customer will be contacted and asked to remove the material
c) server will be put in hack mode, and the server will have to be reinstalled
d) contract will be broken

our legal team will decide which one applies.

zydron
16-08-2010, 17:38
Back to that torrenting is legal and such

when I was on vacation this holiday, I downloaded the files I wanted to use (source code of books I use, and other big files (10MB+)) on my server and torrented them to my laptop, which used crappy wifi (15KB/sec)
so that I could pause and resume. Great way to use torrenting and imho legal.

marks
16-08-2010, 17:13
Quote Originally Posted by jonlewi5
I have a quick question in regards to this marks.

On one of my servers, I run media streaming software; it requires me to log on and I'm the only one that uses it (I spend a lot of time down south so it's easier to do it this way than carry loads of CDs around).

Anyway, if there was an intervention on this server and you saw a folder full of my mp3s, what would happen?
These are CDs that I've ripped and uploaded.
Would you cancel my server? Would I have the opportunity to explain?
that's up to our legal team. It's not only the files, but how they are used. It's easy to see if they've been distributed or not.

Quote Originally Posted by =LawsHosting;
So, was this to do with phpMyAdmin or something else......... I see it's a Windows box? If so, it'll be like a needle in a haystack........... People are too quick to judge OVH......
I can't tell if the server was broken into through this phpMyAdmin vulnerability:

http://status.ovh.net/?do=details&id=377

but it's true that on that same day, lots of other servers at OVH were hacked using it. phpMyAdmin could have been the exploited bug, but we can't be sure about it. It was reported as a possibility. Not sure if the engineers had more info than me when they pointed to phpMyAdmin, but it's worth checking.

LawsHosting
16-08-2010, 16:24
So, was this to do with phpMyAdmin or something else......... I see it's a Windows box? If so, it'll be like a needle in a haystack........... People are too quick to judge OVH......

jonlewi5
16-08-2010, 15:37
Quote Originally Posted by marks

If your server is found with such files, it can be cancelled.
I have a quick question in regards to this marks.

On one of my servers, I run media streaming software; it requires me to log on and I'm the only one that uses it (I spend a lot of time down south so it's easier to do it this way than carry loads of CDs around).

Anyway, if there was an intervention on this server and you saw a folder full of my mp3s, what would happen?
These are CDs that I've ripped and uploaded.
Would you cancel my server? Would I have the opportunity to explain?

Cheers

marks
16-08-2010, 15:11
these are the logs caught regarding your server:

2010-08-11 17:03:50 2010-08-11 17:03:50 94.??.??.14 vi??.??omseedbox.com 49697 207.182.151.24 36133 UDP 1 1500
2010-08-11 17:03:50 2010-08-11 17:03:50 94.??.??.14 vi??.??omseedbox.com 43429 207.182.151.24 2413 UDP 1 1500
2010-08-11 17:03:49 2010-08-11 17:03:49 94.??.??.14 vi??.??omseedbox.com 45603 207.182.151.24 59724 UDP 1 1500
2010-08-11 17:03:50 2010-08-11 17:03:50 94.??.??.14 vi??.??omseedbox.com 34052 207.182.151.24 16341 UDP 1 1500
2010-08-11 17:03:50 2010-08-11 17:03:50 94.??.??.14 vi??.??omseedbox.com 46009 207.182.151.24 41416 UDP 1 1500
2010-08-11 17:03:49 2010-08-11 17:03:49 94.??.??.14 vi??.??omseedbox.com 48272 207.182.151.24 10741 UDP 1 1500
2010-08-11 17:03:50 2010-08-11 17:03:50 94.??.??.14 vi??.??omseedbox.com 45847 207.182.151.24 56073 UDP 1 1500
2010-08-11 17:03:49 2010-08-11 17:03:49 94.??.??.14 vi??.??omseedbox.com 53431 207.182.151.24 34723 UDP 1 1500
2010-08-11 17:03:50 2010-08-11 17:03:50 94.??.??.14 vi??.??omseedbox.com 55983 207.182.151.24 45260 UDP 1 1500
2010-08-11 17:03:49 2010-08-11 17:03:49 94.??.??.14 vi??.??omseedbox.com 43504 207.182.151.24 40102 UDP 1 1500
2010-08-11 17:03:50 2010-08-11 17:03:50 94.??.??.14 vi??.??omseedbox.com 57163 207.182.151.24 36126 UDP 1 1500
2010-08-11 17:03:50 2010-08-11 17:03:50 94.??.??.14 vi??.??omseedbox.com 53290 207.182.151.24 18779 UDP 1 1500
2010-08-11 17:03:50 2010-08-11 17:03:50 94.??.??.14 vi??.??omseedbox.com 39498 207.182.151.24 6600 UDP 1 1500
2010-08-11 17:03:49 2010-08-11 17:03:49 94.??.??.14 vi??.??omseedbox.com 49170 207.182.151.24 61304 UDP 1 1500
2010-08-11 17:03:50 2010-08-11 17:03:50 94.??.??.14 vi??.??omseedbox.com 40212 207.182.151.24 44514 UDP 1 1500

I partially hid the IP and server.

Regarding the other concern, the torrent. You're right, torrent itself is not an illegal program/protocol. Though 99.9% of the time it is used to share illicit material, which does break our terms and conditions.

If your server is found with such files, it can be cancelled.
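The flow records marks posted above are the evidence OVH acts on: the same source host opening a new UDP flow from a fresh ephemeral port to a random destination port on one target, a dozen times in a single second, each carrying a full-size 1500-byte datagram. The following is an added example, not code from the thread or from OVH: it parses lines in that twelve-column layout and flags a source/destination pair that behaves like a scripted UDP flood rather than a single long-lived session. The sample lines are constructed for the example (documentation-range IPs and an invented hostname; port numbers borrowed from the post), and the meaning of the last two columns (a packet count and a byte count) is an assumption, since the post does not label them.

```python
"""Added example: detect a scripted UDP flood in flow-log lines shaped like
the ones posted in the thread. Not OVH's tooling."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, NamedTuple


class Flow(NamedTuple):
    start: datetime
    end: datetime
    src_ip: str
    src_host: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int   # assumption: 11th column is a packet count
    bytes_: int    # assumption: 12th column is a byte count


def parse_flow(line: str) -> Flow:
    """Split one record: start date/time, end date/time, src ip, src host,
    src port, dst ip, dst port, protocol, packets, bytes."""
    f = line.split()
    if len(f) != 12:
        raise ValueError(f"expected 12 fields, got {len(f)}: {line!r}")
    fmt = "%Y-%m-%d %H:%M:%S"
    return Flow(
        start=datetime.strptime(f"{f[0]} {f[1]}", fmt),
        end=datetime.strptime(f"{f[2]} {f[3]}", fmt),
        src_ip=f[4], src_host=f[5], src_port=int(f[6]),
        dst_ip=f[7], dst_port=int(f[8]), proto=f[9],
        packets=int(f[10]), bytes_=int(f[11]),
    )


def find_udp_floods(lines: Iterable[str], min_flows: int = 10,
                    window_seconds: float = 2.0) -> List[Dict]:
    """Group UDP flows by (src_ip, dst_ip) and report pairs that open at
    least `min_flows` flows inside `window_seconds`. A flood driven by a
    script shows up as one new source port per flow and scattered
    destination ports; a real session reuses the same port pair."""
    groups: Dict[tuple, List[Flow]] = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        flow = parse_flow(line)
        if flow.proto == "UDP":
            groups[(flow.src_ip, flow.dst_ip)].append(flow)

    alerts = []
    for (src, dst), flows in groups.items():
        if len(flows) < min_flows:
            continue
        first = min(f.start for f in flows)
        last = max(f.end for f in flows)
        span = (last - first).total_seconds()
        if span > window_seconds:
            continue
        alerts.append({
            "src_ip": src,
            "dst_ip": dst,
            "flows": len(flows),
            "distinct_src_ports": len({f.src_port for f in flows}),
            "distinct_dst_ports": len({f.dst_port for f in flows}),
            "span_seconds": span,
            "bytes": sum(f.bytes_ for f in flows),
        })
    return alerts


# Constructed sample: twelve flood records plus one DNS lookup and one
# TCP flow that must not trigger an alert.
SAMPLE_FLOW_LOG = """\
2010-08-11 17:03:50 2010-08-11 17:03:50 192.0.2.14 seedbox.example 49697 198.51.100.24 36133 UDP 1 1500
2010-08-11 17:03:50 2010-08-11 17:03:50 192.0.2.14 seedbox.example 43429 198.51.100.24 2413 UDP 1 1500
2010-08-11 17:03:49 2010-08-11 17:03:49 192.0.2.14 seedbox.example 45603 198.51.100.24 59724 UDP 1 1500
2010-08-11 17:03:50 2010-08-11 17:03:50 192.0.2.14 seedbox.example 34052 198.51.100.24 16341 UDP 1 1500
2010-08-11 17:03:50 2010-08-11 17:03:50 192.0.2.14 seedbox.example 46009 198.51.100.24 41416 UDP 1 1500
2010-08-11 17:03:49 2010-08-11 17:03:49 192.0.2.14 seedbox.example 48272 198.51.100.24 10741 UDP 1 1500
2010-08-11 17:03:50 2010-08-11 17:03:50 192.0.2.14 seedbox.example 45847 198.51.100.24 56073 UDP 1 1500
2010-08-11 17:03:49 2010-08-11 17:03:49 192.0.2.14 seedbox.example 53431 198.51.100.24 34723 UDP 1 1500
2010-08-11 17:03:50 2010-08-11 17:03:50 192.0.2.14 seedbox.example 55983 198.51.100.24 45260 UDP 1 1500
2010-08-11 17:03:49 2010-08-11 17:03:49 192.0.2.14 seedbox.example 43504 198.51.100.24 40102 UDP 1 1500
2010-08-11 17:03:50 2010-08-11 17:03:50 192.0.2.14 seedbox.example 57163 198.51.100.24 36126 UDP 1 1500
2010-08-11 17:03:50 2010-08-11 17:03:50 192.0.2.14 seedbox.example 53290 198.51.100.24 18779 UDP 1 1500
2010-08-11 17:03:50 2010-08-11 17:03:50 192.0.2.14 seedbox.example 51515 192.0.2.53 53 UDP 2 180
2010-08-11 17:03:50 2010-08-11 17:03:55 192.0.2.14 seedbox.example 6881 198.51.100.24 6881 TCP 40 60000
"""

if __name__ == "__main__":
    for alert in find_udp_floods(SAMPLE_FLOW_LOG.splitlines()):
        print(alert)
```

The thresholds are deliberately loose (ten flows in two seconds) because the point is triage, not a production IDS rule; in practice you would also want the ratio of distinct source ports to flows, which is 1:1 here and is the clearest tell that a script, not a client, opened them.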

RapidSeeds
16-08-2010, 15:00
Quote Originally Posted by Thelen
WTF? You are telling me, to prevent an attack from servers I have no control over? Or if not, I see no way the server can be hacked, it is/was 100% up to date on that day. I think more likely your 'scan' is just a crap load of open ports.



Aside from the crappy english, she is implying that I use my server for illegal activities? Does she even know I have 25 in my account?

And, torrents are now against OVH TOS are they? (In general, I'm not stipulating they are all legal, but some/many are)
You've been hacked, dude. Better reinstall Windows.

Thelen
16-08-2010, 14:07
WTF? You are telling me, to prevent an attack from servers I have no control over? Or if not, I see no way the server can be hacked, it is/was 100% up to date on that day. I think more likely your 'scan' is just a crap load of open ports.

From : Celine S.
For: jd6756-ovh
Date: 2010-08-16 14:44:46

Dear customer,

The incoming attacks are due to the content or
the server's activity,
and to the competition in this sector often
illegal or subject to controversy.
The use of the torrent is not allowed on servers
of ovh.

Kind regards,
Celine S
Aside from the crappy English, she is implying that I use my server for illegal activities? Does she even know I have 25 in my account?

And, torrents are now against OVH TOS are they? (In general, I'm not stipulating they are all legal, but some/many are)

marks
16-08-2010, 12:27
@Thelen: I've checked your server and there was a scan coming out of your server on the 11th. I can send you the logs if you want more than those in the ticket.

Even though, the server has been allowed to be booted from the hard disk. Make sure that the attack doesn't repeat itself.

Thelen
16-08-2010, 07:50
Ah, my mistake, I thought she/they were complaining it was still 'hacked'... Doesn't help she isn't using English.

The main support number doesn't work, use the ticket one.

raidensnake
15-08-2010, 18:46
My server has suffered over 6+ hours downtime due to an OS reinstall fault that's preventing me from restarting it. It's gone way past the intervention time and I'm getting loads of complaints (over 50k so far). I tried calling the incident number and it says it's busy and keeps hanging up on me. What's going on and why is it taking ages to fix it? It's been about 8 hours!

Winit
15-08-2010, 16:30
Quote Originally Posted by Thelen
OMFG YOU USELESS PEOPLE:
I have just verified that you have changed the netboot
on the hard disk.
The server ping and all ports are open.

Kind regards,
Celine S


YES BECAUSE IT IS RUNNING TORRENT PROGRAMS, THERE WILL BE LOTS OF PORTS OPEN FFS.
Celine is stating what you did. The server responds to pings and the standard ports are open. Nothing to do with BitTorrent.

Thelen
15-08-2010, 15:27
OMFG YOU USELESS PEOPLE:
I have just verified that you have changed the netboot
on the hard disk.
The server ping and all ports are open.

Kind regards,
Celine S


YES BECAUSE IT IS RUNNING TORRENT PROGRAMS, THERE WILL BE LOTS OF PORTS OPEN FFS.

Thelen
15-08-2010, 14:51
Oh, no, not for this small downtime, even though the principle would be worth upholding :P

But, just in general. If they don't solve the bandwidth counting problems (and surely you are being affected by this too), then they rapidly become more expensive than LW even given their unreliability as well.

I operate on roughly the same margin you do, if not slightly more, but it isn't 100% profit, so until then, no, chargeback > 1 months profit

_Lemon_
15-08-2010, 14:21
Quote Originally Posted by Thelen
Basically. Still no answer to my request for credit...

Tomorrow when I'm at the bank I'll have to ask them about chargeback for contract defaulting. Might be more trouble that it is worth, and I still want to keep the servers, but if this keeps going on, will have no choice but to move lock stock and barrel.
You're leaving OVH (don't expect them to keep all your servers...) for the sake of a few pounds (the equivalent of a few days downtime)?

Surely: (what you'd get from the chargeback) < (what you'd earn by keeping the server another month)?

Thelen
15-08-2010, 13:54
Basically. Still no answer to my request for credit...

Tomorrow when I'm at the bank I'll have to ask them about chargeback for contract defaulting. Might be more trouble that it is worth, and I still want to keep the servers, but if this keeps going on, will have no choice but to move lock stock and barrel.

raxxeh
15-08-2010, 13:43
hi guis i am ovh u have virus format server thanks! i reply to ticket in 3 week


did i get it right?!

Thelen
15-08-2010, 12:38
Quote Originally Posted by Winit
That doesn't prove anything. It could be a manual install.
LOL, you sir, fail epically.

# attack requirements:
# 1) vulnerable version (obviously!): 2.11.x before 2.11.9.5
# and 3.x before 3.1.3.1 according to PMASA-2009-3
# 2) it *seems* this vuln can only be exploited against environments
# where the administrator has chosen to install phpMyAdmin following
# the *wizard* method, rather than manual method: http://snipurl.com/jhjxx
# 3) administrator must have NOT deleted the '/config/' directory
# within the '/phpMyAdmin/' directory. this is because this directory is
# where '/scripts/setup.php' tries to create 'config.inc.php' which is where
Not to mention the fact I DIDN'T. So unless you think I'm lying and making up this whole thread (which isn't possible given previous post has confirmed the OVH stuff-up), please stop trolling.

HugeServer
15-08-2010, 09:55
I have the same problem. My server has Windows installed, and Celine told me that it is a phpMyAdmin issue, which is wonderful. Celine does not check anything on the server before she replies.

Winit
14-08-2010, 12:25
Quote Originally Posted by Thelen
Oh look at that, you mean phpmyadmin wasn't installed at all? WOW.
That doesn't prove anything. It could be a manual install.

Thelen
14-08-2010, 12:24
Have sent email asking for credit, sent to customersupport@ovh cos not sure what the other one is. Have asked it to be forwarded to appropriate place though. We'll see what they say...

Thelen
14-08-2010, 03:51
victor:/home# apt-get remove phpmyadmin
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package phpmyadmin is not installed, so not removed


Oh look at that, you mean phpmyadmin wasn't installed at all? WOW.

I'm definitely going to ask for credit given, this 48+ hours of outage is just insane, especially when there was nothing wrong.

Thelen
14-08-2010, 03:35
It actually said something like "this option is invalid".

It works just now, so I'm rebooting, but it definitely didn't let me select boot from HD before.

Myatu
13-08-2010, 21:46
Quote Originally Posted by MicroChip123
BTW how do i install the latest version for debian?

As the one on debian package is outdated and vulnerable http://packages.debian.org/lenny/phpmyadmin
Add the "unstable" branch (latest versions, but not fully tested by Debian yet):

Code:
echo deb http://ftp.fr.debian.org/debian sid main >> /etc/apt/sources.list
Then create a preference for stable versions over unstable versions, by creating the file /etc/apt/preferences containing:

Code:
Package: *
Pin: release a=stable
Pin-Priority: 700

Package: *
Pin: release a=unstable
Pin-Priority: 600
Do an update of package lists:

Code:
aptitude update
To grab phpmyadmin from the unstable branch:

Code:
apt-get install phpmyadmin/unstable
If you need/want to get the associated libraries and packages from the unstable branch as well:

Code:
apt-get -t unstable install phpmyadmin

turbanator
13-08-2010, 16:25
fozl, why aren't you replying and helping with the internal BW issues?

fozl
13-08-2010, 15:40
Quote Originally Posted by Thelen
Not sure what you mean, but if I try change netboot to HDD, it says GTFO...
It says that in the Manager? Could you add a screenshot of this to the ticket?

Thelen
13-08-2010, 14:16
Not sure what you mean, but if I try change netboot to HDD, it says GTFO...

Thelen
13-08-2010, 13:57
Yes I am a .uk customer, just noticed that myself LOL.

Ticket 514505

MicroChip123
13-08-2010, 13:38
Cant you switch off monitoring then reboot it?

Thelen
13-08-2010, 13:35
root@rescue:~/oldhdd/var/log/lighttpd# cat access.log |grep setup
root@rescue:~/oldhdd/var/log/lighttpd# cat error.log |grep setup
root@rescue:~/oldhdd/var/log/lighttpd#

and of course proof nothing to do with phpmyadmin is even there.

Thank you VERY MUCH for taking my server offline for 48 hours so far...

MicroChip123
13-08-2010, 13:19
BTW how do i install the latest version for debian?

As the one on debian package is outdated and vulnerable http://packages.debian.org/lenny/phpmyadmin

fozl
13-08-2010, 13:13
Quote Originally Posted by Thelen
So customers email me saying box is down, I'm like wtf I didn't see no outage email from OVH.

So I check, and lo and behold I find a SERVER HACKED one which I missed cos filter didn't catch it cos of having different format.... So anyway, I reply to the ticket saying WTF??, they reply with:
Code:
Dear customer,

Hack details:
http://travaux.ovh.net/?do=details&id=4452

The offending script is not one of your scripts but
phpMyAdmin fault.
You must update this phpMyAdmin.

The used fault:
http://securityreason.com/exploitalert/6399

Check the logs of your machine:
cd /var/log/votredossierdeslogsapache   # "votre dossier des logs apache": your Apache log directory
egrep -ri 'POST' * | grep phpmyadmin | grep setup


We have put the machine in rescue mode.
Thank you to update your phpMyAdmin before
restarting the server in boot.


If you would like us to carry the update we
can offer this for 20 Euro HT.

Kind regards,
Mrayam J
Which is just lovely for many reasons:
1. phpMyAdmin isn't installed
2. Any SQL database of any kind is not installed
3. There is no public facing web page, they are all behind .htaccess
4. I had to ASK for these hack details, they didn't just say from the start
5. I still don't have rescue login details, so I CAN'T do anything, and trying to reboot just says GTFO.
6. 20 Euro fee for them to fix something that doesn't exist and which they caused.

Lovely.
Could you provide a ticket number for us to have a look?

Also I notice you quote a price in Euros, are you an ovh.co.uk customer?

fozl
13-08-2010, 13:12
Quote Originally Posted by raxxeh
Sounds like OVH to me, useless *****s
Please remind yourself of the forum guidelines, raxxeh...

http://forum.ovh.co.uk/showthread.php?t=162

Criticism's fine, but not insulting language.

RapidSpeeds
13-08-2010, 12:27
That doesn't sound like fun - Should be asking for a refund.

I am waiting on Support opening the phone lines back up, I got a major problem too with the ovh system having errors.

raxxeh
13-08-2010, 11:59
Sounds like OVH to me, useless *****s

Thelen
13-08-2010, 11:56
So customers email me saying box is down, I'm like wtf I didn't see no outage email from OVH.

So I check, and lo and behold I find a SERVER HACKED one which I missed cos filter didn't catch it cos of having different format.... So anyway, I reply to the ticket saying WTF??, they reply with:
Code:
Dear customer,

Hack details:
http://travaux.ovh.net/?do=details&id=4452

The offending script is not one of your scripts but
phpMyAdmin fault.
You must update this phpMyAdmin.

The used fault:
http://securityreason.com/exploitalert/6399

Check the logs of your machine:
cd /var/log/votredossierdeslogsapache   # "votre dossier des logs apache": your Apache log directory
egrep -ri 'POST' * | grep phpmyadmin | grep setup


We have put the machine in rescue mode.
Thank you to update your phpMyAdmin before
restarting the server in boot.


If you would like us to carry the update we
can offer this for 20 Euro HT.

Kind regards,
Mrayam J
Which is just lovely for many reasons:
1. phpMyAdmin isn't installed
2. Any SQL database of any kind is not installed
3. There is no public facing web page, they are all behind .htaccess
4. I had to ASK for these hack details, they didn't just say from the start
5. I still don't have rescue login details, so I CAN'T do anything, and trying to reboot just says GTFO.
6. 20 Euro fee for them to fix something that doesn't exist and which they caused.

Lovely.
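The check the OVH ticket asks for (POST requests to phpMyAdmin's scripts/setup.php in the web server logs) is the one Thelen later runs with grep against the lighttpd logs from rescue mode. The following is an added example, not OVH's command and not code from the thread: it does the same search in Python over access-log lines, accepts both Apache "combined" lines and lighttpd's default accesslog layout (the second field is a vhost there rather than identd, but the shape is the same), ignores GET probes, and records the response status, because a 404 means a scanner knocked on a door that did not exist while a 200 means the server actually served setup.php. The sample log lines are constructed for the example with documentation-range addresses.

```python
"""Added example: find POST requests to phpMyAdmin's setup.php in access
logs and separate failed probes from requests the server served.
Not OVH's or the thread's code."""
import re
from typing import Dict, Iterable, List

# Common prefix of Apache combined (%h %l %u %t "%r" %>s %b ...) and
# lighttpd default (%h %V %u %t "%r" %>s %b ...) access-log lines.
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<f2>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# The setup script lives at <phpmyadmin dir>/scripts/setup.php; the
# directory name itself varies (phpMyAdmin, pma, ...), so match the tail.
SETUP_RE = re.compile(r'/scripts/setup\.php$', re.IGNORECASE)


def scan_for_setup_posts(lines: Iterable[str]) -> List[Dict]:
    """Return one record per POST to .../scripts/setup.php, with the
    status code and whether the request was served (2xx)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not an access-log line we understand
        parts = m.group("request").split()
        if len(parts) < 2:
            continue                      # malformed or empty request, e.g. "-"
        method, target = parts[0], parts[1]
        path = target.split("?", 1)[0]    # drop the query string
        if method.upper() != "POST" or not SETUP_RE.search(path):
            continue
        status = int(m.group("status"))
        hits.append({
            "client": m.group("client"),
            "time": m.group("time"),
            "path": path,
            "status": status,
            "served": 200 <= status < 300,
        })
    return hits


def served_hits(hits: List[Dict]) -> List[Dict]:
    """Only the requests the server answered with 2xx: those are the ones
    that prove the script existed and was reachable."""
    return [h for h in hits if h["served"]]


# Constructed sample: one benign GET, a 404 probe, a GET to setup.php
# (not a POST, so not counted), two served POSTs (Apache and lighttpd
# layouts), a 401, and a junk line.
SAMPLE_ACCESS_LOG = """\
198.51.100.5 - - [11/Aug/2010:16:55:10 +0200] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Aug/2010:16:58:02 +0200] "POST /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 345 "-" "Mozilla/4.0"
203.0.113.7 - - [11/Aug/2010:16:58:05 +0200] "GET /pma/scripts/setup.php HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
203.0.113.7 - - [11/Aug/2010:16:58:09 +0200] "POST /pma/scripts/setup.php HTTP/1.1" 200 1421 "-" "Mozilla/4.0"
203.0.113.7 www.example.net - [11/Aug/2010:17:02:00 +0200] "POST /phpmyadmin/scripts/setup.php?x=1 HTTP/1.0" 200 88 "-" "-"
198.51.100.5 - - [11/Aug/2010:17:03:00 +0200] "GET /private/ HTTP/1.1" 401 294 "-" "Mozilla/5.0"
garbage line that is not an access log entry
"""

if __name__ == "__main__":
    found = scan_for_setup_posts(SAMPLE_ACCESS_LOG.splitlines())
    for h in found:
        print(h)
    print(f"{len(served_hits(found))} of {len(found)} setup.php POSTs were served")
```

Run it over every rotated log too (error.log included, as Thelen did), not just the current access.log; a box that was rebooted into rescue mode can have had its logs rotated in between, and an empty result from one file is not the same as an empty result from all of them.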