
Server Contract Terminated


Thelen
04-10-2010, 17:12
Quote Originally Posted by Speedy059
If you guys are serious about the "apt-get update/upgrades" or "yum update" and think that is all it takes...you are pretty delusional.
Though there are clarifications etc. later on, for a normal server that is all it takes, and the only sane way to manage security.

If you are going to offer Joomla and all sorts of 3rd party full-of-exploits software, then obviously apt-get update/upgrade every hour won't keep you on top of all the holes nor with a team of 500 would you be able to keep your shared hosting servers secure against 0day exploits, but it is secure enough otherwise. If the box gets rooted it won't be because dpkg is out of date, it will be because you don't configure apache/php well and someone sticks an old version of joomla or wordpress on their shared spot.

Given how many people aren't even up to date as of a few weeks (plenty of time to write 0day exploits), and also given all those boxes aren't totally rooted, it is probably safe to assume a simple apt-get update WILL keep your server as secure as it can without getting your head exploded

LawsHosting
03-10-2010, 18:10
Quote Originally Posted by gregoryfenton
You can host joomla (and most other CMS) with one installation for multiple sites, each with their own settings, themes etc.
But that is not my idea of shared hosting.... OK, you share the server, but that doesn't mean you have to share limited software the host company supplies - there's a limit........ Besides, any CMS can have plug-ins, which can be exploited too - plus these need updating too.

Note: I do understand many do what you said these days.... Do OVH do this with their "1 click modules"?

gregoryfenton
03-10-2010, 14:19
You can host joomla (and most other CMS) with one installation for multiple sites, each with their own settings, themes etc.

It is very straightforward and you only need to update one to update all the sites at once.

google multiple joomla sites on one server

There are literally millions of responses.

LawsHosting
03-10-2010, 13:33
Quote Originally Posted by Speedy059
It is extremely important to make sure your scripts are updated on the server.
I agree, however, say for e.g., you have ~70 clients using Joomla/etc on the server, IMHO, even though shared hosting is managed hosting, there's so much we can do as a hosting company to protect ourselves - e.g. we are responsible at the server level (firewalls, viruses, mod_security, etc) - whereas the clients are responsible for what they put on their web space (unless you offer web design & maintenance fees ofc, but that's another story).... There's no way for us to monitor those ~70 sites for up to date versions - all we can do is advise them to keep it up to date, which, in this day and age should be second nature to people....

Then there's clients who just sign up to just spam, but, again, that's another story

My 10p's worth.

Speedy059
03-10-2010, 10:35
Quote Originally Posted by Winit
In most cases it is applicable. It entirely depends on what you use the server for.
The minute you put third party scripts on the server, it isn't applicable unless those scripts have a repository. I guess if it's a gameserver then it would be good enough. People need to understand that OVH is cracking down extremely hard. We are still trying to figure out why 1 of our servers with no abuses (ever) was suspended. It is extremely important to make sure your scripts are updated on the server.

Winit
03-10-2010, 10:21
Quote Originally Posted by Speedy059
If you guys are serious about the "apt-get update/upgrades" or "yum update" and think that is all it takes...you are pretty delusional.
In most cases it is applicable. It entirely depends on what you use the server for.

gregoryfenton
02-10-2010, 23:17
Ok that was an oversimplification.

In the past week I did a full wipe and reinstall of my server which included a full kernel download to avoid the 64 bit 0-day exploit.

Even that wasn't particularly hard.

(Un)common sense should be applied at all times. And don't upset 4chan

Speedy059
02-10-2010, 23:04
If you guys are serious about the "apt-get update/upgrades" or "yum update" and think that is all it takes...you are pretty delusional.

gregoryfenton
02-10-2010, 22:55
Hoping for "There Must Be Order."?

Code:
sudo apt-get update && sudo apt-get upgrade
It doesn't get much easier than that, unless..
Code:
# Write a small wrapper script (with a shebang so it runs from any caller)
printf '#!/bin/sh\nsudo apt-get update && sudo apt-get upgrade\n' > update
chmod a+x update
sudo mv update /usr/bin
Then you just need to type
Code:
update
Now there is an easy thing to do.

Craig S
02-10-2010, 22:36
Quote Originally Posted by Winit
Yep. Amazing how easy it is.
Your username serves you well.

Winit
02-10-2010, 22:08
Quote Originally Posted by Thelen
making sure you keep the system up to date on a weekly basis should be good enough too.
Yep. Amazing how easy it is.

Thelen
02-10-2010, 21:40
Quote Originally Posted by LawsHosting

So, every system isn't 100% secure...
I think the general idea is to be 100% secure from the script kiddies. Pure numbers will take care of the rest (10 million servers, only X amount of actual real hackers that can hack them, = some minuscule percentage less than the chance of you being hit by a car), and in the event of major flaws like the recent 64bit kernel thing, making sure you keep the system up to date on a weekly basis should be good enough too.

LawsHosting
02-10-2010, 13:50
Quote Originally Posted by Speedy059
I wish there could be more communication with the OVH legal department. Even if you fix vulnerabilities or abuse issues, if you get another one from something else they just terminate you without warning. I don't see the method in this, as everyone will have vulnerabilities at some point. And some people may have more than others depending what they are doing, mainly those who have many hosting clients.
I agree with (bold bits) this......
Like on another forum, there was someone who had been hacked, but he did all the main required security procedures
Here's his blurb:
- The server was behind a Hardware Based firewall (WatchGuard) with the following ports open to public (80, 110, 143, 25, 21, 53, 443, 2222)
- SSH port 6022 was only open to our IP
- The server was running apache 1.3, with php cgi 4.4.9 and mysql 4.
- There was also a software based firewall (APF) configured with BFD. APF was configured and was only allowing the above mentioned ports only including 6022.
- root & admin user ssh was disabled and we created a local user that was allowed to ssh
- php disable_functions="proc_get_status,proc_nice,proc_open,proc_terminate,proc_close,dl,phpinfo,system,posix_kill,popen,exec,passthru,apache_note,apache_setenv,openlog,closelog,syslog,pcntl_exec,pclose,ini_restore,escapeshellcmd,escapeshellarg,define_syslog_variables"
- mod_evasive, mod_security were installed with apache
- php open_basedir was ON. Can't remember the settings for SAFE mode though
- Secured /tmp/

The hacker was able to delete /var/log folder and he also deformed the home page of most / all of the website(s).
So, every system isn't 100% secure...

Speedy059
02-10-2010, 11:05
I wish there could be more communication with the OVH legal department. Even if you fix vulnerabilities or abuse issues, if you get another one from something else they just terminate you without warning. I don't see the method in this, as everyone will have vulnerabilities at some point. And some people may have more than others depending what they are doing, mainly those who have many hosting clients.

Winit
02-10-2010, 10:06
A clueless sysadmin. Move along.

LawsHosting
02-10-2010, 09:30
So, you don't host any of those domains they've given you? Do you have phpMyAdmin installed, or even WordPress? You have php installed? Do you offer SSH to anyone? If not, have you limited SSH access in iptables so that only you can connect?

Excuse all the questions, but if, as you say, OVH are implying that the server is exploiting others, then the server must be compromised in some way.

Either that, or their scripts are buggy*

* Disclaimer: Only a hunch.

Craig S
02-10-2010, 03:16
Nope, this is the only server I'd have off them, no suspensions in past, no abuse emails, no nothing, this is the first I've ever had. The only websites I host are simple HTML 4 page websites for businesses. The ones I've pasted is what OVH sent me, I think they are implying that my server tried to hack them websites. I've had the server for 1 year ++, no problems until now

Winit
01-10-2010, 21:20
There's definitely more than meets the eye.

Razakel
01-10-2010, 17:00
Quote Originally Posted by Craig S
Straight away, no warning at all, that email was the first I got
Do you have any history with OVH? I mean other suspended servers, or any serious abuse cases.

LawsHosting
01-10-2010, 16:54
Quote Originally Posted by Craig S
Straight away, no warning at all, that email was the first I got
So this thread is a load of tosh OVH?
we draw the traffic from this botnet and can find all servers that are hacked and all this in less than 60 seconds. We will send automated alerts for such cases.
Before blocking, the customer will have some time to react and fix the problem but after a time robots will automatically close but also will reopen the port. All the other the servers will continue to operate.

zydron
01-10-2010, 15:45
When I look at the list of urls in your TS, I ask myself what kind of websites you host on that server...

Craig S
01-10-2010, 14:36
Straight away, no warning at all, that email was the first I got

LawsHosting
01-10-2010, 10:35
If you didn't already, it's time to secure your /tmp/, disable some php functions and chmod wget/etc (to 700) to only be run by root and not apache/www-data....

Edit:
Actually, did they terminate it immediately, or did they warn you so you can fix the issues?
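
The checks recommended in this post (a secured /tmp and disabled PHP functions) can be run against a server's own configuration. The following is an added example, not part of the thread: it audits php.ini text and /proc/mounts text, using the disable_functions value quoted elsewhere in the thread. The baseline sets, the function names and the sample mounts are assumptions of the example.

```python
# Baseline of command-execution functions to deny and the mount flags meant by
# a "secured /tmp": both are assumptions of this example, not from the thread.
EXEC_BASELINE = {"exec", "system", "passthru", "shell_exec", "popen",
                 "proc_open", "pcntl_exec"}
TMP_FLAGS = {"noexec", "nosuid", "nodev"}

# Constructed php.ini fragment; the value is the list quoted in the thread,
# with the forum's line-wrap spaces removed.
SAMPLE_INI = """; hardening
disable_functions = "proc_get_status,proc_nice,proc_open,proc_terminate,proc_close,dl,phpinfo,system,posix_kill,popen,exec,passthru,apache_note,apache_setenv,openlog,closelog,syslog,pcntl_exec,pclose,ini_restore,escapeshellcmd,escapeshellarg,define_syslog_variables"
"""
# Constructed /proc/mounts excerpt.
SAMPLE_MOUNTS = """/dev/sda1 / ext3 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,relatime 0 0
"""


def disabled_functions(ini_text):
    """Return the effective disable_functions set from php.ini text."""
    names = set()
    for line in ini_text.splitlines():
        # Drop ';' comments, then split "key = value".
        key, sep, value = line.split(";", 1)[0].partition("=")
        if sep and key.strip() == "disable_functions":
            # A later directive overrides an earlier one, so keep the last.
            value = value.strip().strip("\"'")
            names = {n.strip().lower() for n in value.split(",") if n.strip()}
    return names


def missing_from_denylist(ini_text, baseline=EXEC_BASELINE):
    """Baseline functions that php.ini still leaves callable."""
    return sorted(set(baseline) - disabled_functions(ini_text))


def tmp_mount_gaps(mounts_text, required=TMP_FLAGS):
    """Required flags missing on /tmp; None if /tmp is not a separate mount."""
    gaps = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/tmp":
            # The last /tmp entry is the mount currently on top.
            gaps = sorted(set(required) - set(fields[3].split(",")))
    return gaps


if __name__ == "__main__":
    print("not disabled:", missing_from_denylist(SAMPLE_INI))
    print("/tmp flags missing:", tmp_mount_gaps(SAMPLE_MOUNTS))
```

On a live host, pass the contents of the loaded php.ini and of /proc/mounts instead of the samples; a `None` result from `tmp_mount_gaps` means /tmp shares its filesystem with another directory and cannot carry its own flags.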

Thelen
01-10-2010, 09:49
Looks like the server was exploiting? At least they seem to have found more evidence this time :S

fozl
01-10-2010, 09:05
Quote Originally Posted by Craig S
Got this email off OVH this morning in FRENCH, saying my server has been suspended. I run some business websites off my server and need it back up ASAP. I replied to their ticket to just get that it's been terminated and you'll have to contact the legal department. For one, I'm in Florida and haven't even accessed my server at all since I've been here. What can I do? I need it back up to gather the website data to either move it to another host or get the webserver back running. I can't call the support number because I'm in Florida. Any ideas?
...
As your language of choice is english, you should not have received the email in french, I'll correct that.

Speedy059
01-10-2010, 00:09
Same thing happened to us. The only access they give you is FTP access to the files. Unfortunately the FTP access will mean all your backups you download (files mainly) will lose their permissions making it nearly impossible to restore somewhere else.

For some reason they are drawing a tough line when it comes to abuse issues, even if you didn't do it intentionally you're still screwed.

Craig S
30-09-2010, 22:30
Got this email off OVH this morning in FRENCH, saying my server has been suspended. I run some business websites off my server and need it back up ASAP. I replied to their ticket to just get that it's been terminated and you'll have to contact the legal department. For one, I'm in Florida and haven't even accessed my server at all since I've been here. What can I do? I need it back up to gather the website data to either move it to another host or get the webserver back running. I can't call the support number because I'm in Florida. Any ideas?


Madam, Sir,

Hereby we inform you that you have violated one or several clauses in contracts between you and OVH, namely:
- The Terms of Service
- Special Conditions Accommodation & Rentals Dedicated Servers

Under the conditions cited above, we were forced to suspend your server ks361534.kimsufi.com for the following reason:
Attacks:

348 w
349 screen-r
350 ls-al
351 cd. Aptitude /
352 ls-al
Pg 353 cd
354 ls-al
355 cat vuln.txt
356 ls-al
357. / Do