
OVH Anti-hack is having a serious bug!!!


marks
17-02-2015, 16:06
Quote Originally Posted by smith00
Clearly it's a false FLAG!!!

UDP is never used on my windows server, it's only TCP and the ports which I use are above 4000... so I have no idea what the hell is going on here... why anti-hack is forcing my server to re-install for something which I never did.

The cause is these packets. This is seen by our security and monitoring systems as an attack. It could be that it's a false positive (you'll have to show it to us), it could be that you run things that are not allowed, or it could be that a virus is running that without you knowing. Do please investigate what's happening and stop it. As someone said, you can do tcpdump/wireshark monitoring.

Quote Originally Posted by smith00
It's super clear it's a bug in the anti-hack system which is affecting many OVH clients, not just me.

I am here to ask for help and fix it, not to go away... we do not allow strange activity, which is not on my server at all, and we are provided with a buggy anti-hack robot.

Ask OVH tech to investigate this and fix this bug once and for all.

If that's the case, you just need to show it to the engineers through the ticket opened on your server. Remember to show the logs. Also, you can send an email to anti-ddos@ovh.net

But do be constructive about these issues. Our engineers have detected that unmistakably as an attack and/or as traffic not allowed in our network, so do try to look into it and find out more about it.

smith00
17-02-2015, 11:52
This is crazy... really... I did re-install my server 4 times, and this time I opened a support ticket + opened a topic here to restore my server without re-installing it, but nothing so far.

If I was the only one then I might be wrong, but there are many other OVH clients facing the same issue and nobody is giving a damn about it.

The best support I ever had in my entire life from a datacenter. lol

Basically OVH is controlled by a bunch of robots with buggy code. Those stupid robots can destroy your whole business within seconds and nobody is here to answer for it. THAT'S JUST GREAT !!!

It seems I have to re-install my server again and wait for the stupid buggy anti-hack robot to play with it again...

alvaroag
17-02-2015, 00:25
As heise said, the best option is to capture traffic so you can compare with the OVH anti-hack system. It's possible there is a criteria error in the anti-hack, but it's almost impossible that the anti-hack is "forging" data.

Also, for technical & security reasons, I'd recommend using SFTP rather than FTP, as the latter is more complicated through firewalls & has no encryption, so it is vulnerable to the most simple MITM attacks.

Also, why use Windows to run an FTP server? You can use Linux for that, without paying any license. Just a suggestion.

heise
16-02-2015, 21:56
If you know how to recreate the bug, capture your TCP traffic and copy it to your server, waiting for anti-hack to kick in. Then, with the captured traffic, you can prove the error in the OVH anti-hack and ask for compensation.

And yes, you are not the only one, see http://forum.ovh.co.uk/showthread.ph...ll=1#post70060

smith00
16-02-2015, 21:35
Quote Originally Posted by marks
Port 0 means that's not TCP, probably UDP or below.

Not sure what you're doing, but it's not allowed on our network. That raises security flags on our monitoring tools, so please do it in another way. I can't tell you what it is exactly that's been flagged, but with those logs, you should be able to find out.

Do try to work within the limits of our network. Think that this may be a false positive, but if it's not allowed, it is for a reason.

Clearly it's a false FLAG!!!

UDP is never used on my windows server, it's only TCP and the ports which I use are above 4000... so I have no idea what the hell is going on here... why anti-hack is forcing my server to re-install for something which I never did.

My server with the same configs and services has been running for 7+ months and now it's not allowed?

There is nothing running on my server except an FTP service, which is normal for any datacenter: transferring data from one server to another.

It's super clear it's a bug in the anti-hack system which is affecting many OVH clients, not just me.

I am here to ask for help and fix it, not to go away... we do not allow strange activity, which is not on my server at all, and we are provided with a buggy anti-hack robot.

Ask OVH tech to investigate this and fix this bug once and for all.

marks
16-02-2015, 17:53
Quote Originally Posted by smith00
OVH Anti-hack is really buggy and I've tried to contact the OVH support department and they are not willing to help at all.

I have over 10+ dedicated servers from OVH.ie and most of them are affected by this useless buggy Anti-hack which is force-rebooting my servers and forcing me to re-install before I can start using my server.

There is no hack or scanning or any abnormal activity, and basically the info Anti-hack is giving out is completely useless and makes no sense.

From IP to IP on port 0? Really? What the hell is port 0? All I know is one of my clients is grabbing some data from my server; if grabbing some data from my server means hacking then I have no idea what is going on here... this Anti-hack bug started like 2 weeks ago and should be fixed ASAP.

Here is the log from Anti-hack which makes no sense:

Really? What on earth is this? I am running a normal windows server on my box and it has been running for months without any error, and now anti-hack is disturbing me every 48 hours and I must re-install my server to use it?

Please stop this anti-hack nonsense and let me use my server.

My server ID is: ns235373

It is currently blocked and forcing me to re-install my server; I really don't want to re-install it again and reconfigure everything.

Please fix it and bring my server back to normal HDD mode.

waiting...

Port 0 means that's not TCP, probably UDP or below.

Not sure what you're doing, but it's not allowed on our network. That raises security flags on our monitoring tools, so please do it in another way. I can't tell you what it is exactly that's been flagged, but with those logs, you should be able to find out.

Do try to work within the limits of our network. Think that this may be a false positive, but if it's not allowed, it is for a reason.

heise
15-02-2015, 21:47
Well, why is your client downloading data with protocol 41? Why data packets of only 1300 bytes? Your server shouldn't be sending out that kind of data. Good luck explaining to OVH why that kind of traffic is legit...

Quote Originally Posted by smith00
My server is completely secure and anti virus is installed and I do not run any unknown application on my windows server, so there is not even a 1% chance of infection.

I seldom see "completely secure" Windows servers...
Antivirus does not protect against new/custom-made viruses.
Especially "known" applications often have vulnerabilities. That's why one secures them with AppLocker, EMET, etc.

PS. Set up an encrypted tunnel (pptp, openvpn, stunnel, etc.) to transfer the data.

smith00
15-02-2015, 20:47
Quote Originally Posted by heise
Hi,

well, if you run Windows, do you have things like AppLocker active? I would recommend taking a few steps towards securing your server.

Protocol 41 -> http://en.wikipedia.org/wiki/List_of...otocol_numbers
So ask yourself, why is your server sending 4Mbps of traffic to a kimsufi server as protocol 41 with packet size 1300 bytes? That doesn't look like legitimate traffic, more like a DDoS attempt.

Before just reinstalling again, why don't you first back up your server to a VM and analyse it? Maybe you are running a version of a program with a vulnerability that is being exploited after each reinstall...

I am very much aware of the "94.23.198.171" IP, which is a client of mine grabbing data from my server. The main question is, when he is downloading some data from my server, is it counted as a hack attempt?

94.23.198.171 is not even an unknown IP address; 94.23.198.171 belongs to one of my clients!!! As soon as he grabs any data from my server, anti-hack force-reboots my server and gives me rescue info to grab my data and re-install my server, which makes no sense at all.

I am very sure this is an anti-hack bug. I have already re-installed my server a few times and I am tired of re-installing it every 48 hours.

For your information: my server is completely secure and anti virus is installed and I do not run any unknown application on my windows server, so there is not even a 1% chance of infection.

I really hope the OVH team looks into this bug, fixes it ASAP and brings my server back to HDD mode without forcing me to re-install my server.

waiting...

heise
15-02-2015, 18:16
Hi,

well, if you run Windows, do you have things like AppLocker active? I would recommend taking a few steps towards securing your server.

Protocol 41 -> http://en.wikipedia.org/wiki/List_of...otocol_numbers
So ask yourself, why is your server sending 4Mbps of traffic to a kimsufi server as protocol 41 with packet size 1300 bytes? That doesn't look like legitimate traffic, more like a DDoS attempt.

Before just reinstalling again, why don't you first back up your server to a VM and analyse it? Maybe you are running a version of a program with a vulnerability that is being exploited after each reinstall...

AlbaHost
15-02-2015, 18:06
Quote Originally Posted by start-your-web
Check my thread: http://forum.ovh.co.uk/showthread.ph...ed-my-services
They are just using their TOS; they have the right to terminate our data without a notification; they don't care about our data or services as they are rebooting our servers.
You will see some responses here from the popular guys; they will defend OVH until death, "blind defence".

Oh, you think for OVH bit*es guys? For sure they must respond, otherwise they cannot be OVH bit*es.

alvaroag
15-02-2015, 17:48
A part of the OVH antihack system consists of many IPs which are not published and are used to catch attacks. I think it's a 1/10 proportion. As those IPs are not published, they should not have traffic, so any traffic for any of them can be considered a hacking attempt, especially if it's constant.

Maybe your server has been infected (which is very easy for Windows), and is having activity to an OVH IP. I'd suggest:

- Run an online antivirus, at least to check everything. I'd recommend NOD32, but there are plenty of good ones out there.
- Check your process tree. Use Sysinternals Process Explorer.
- Run wireshark for a while, with the filter "tcp port not 3389" to discard traffic for your RDP connection.

I don't think they would just give up fake hack attempts.... There must be something wrong with your server... Based on my experience, some months ago I had 3 Linux servers, all of them outside OVH, infected with the SucKIT rootkit. They were blocking the internet connection of the whole place each one was located in. Finally, I had to reinstall the 3 servers......

start-your-web
15-02-2015, 17:26
Check my thread: http://forum.ovh.co.uk/showthread.ph...ed-my-services
They are just using their TOS; they have the right to terminate our data without a notification; they don't care about our data or services as they are rebooting our servers.
You will see some responses here from the popular guys; they will defend OVH until death, "blind defence".

smith00
15-02-2015, 14:56
OVH Anti-hack is really buggy and I've tried to contact the OVH support department and they are not willing to help at all.

I have over 10+ dedicated servers from OVH.ie and most of them are affected by this useless buggy Anti-hack which is force-rebooting my servers and forcing me to re-install before I can start using my server.

There is no hack or scanning or any abnormal activity, and basically the info Anti-hack is giving out is completely useless and makes no sense.

From IP to IP on port 0? Really? What the hell is port 0? All I know is one of my clients is grabbing some data from my server; if grabbing some data from my server means hacking then I have no idea what is going on here... this Anti-hack bug started like 2 weeks ago and should be fixed ASAP.

Here is the log from Anti-hack which makes no sense:

- START OF INFORMATION -

Attack detail : 3Kpps/4Mbps
dateTime srcIp:srcPort dstIp:dstPort protocol flags bytes reason
2015.02.15 12:24:35 CET 178.33.236.xx:0 94.23.198.171:0 41 --- 1300 ATTACK:OTHER
2015.02.15 12:24:35 CET 178.33.236.xx:0 94.23.198.171:0 41 --- 1300 ATTACK:OTHER
2015.02.15 12:24:35 CET 178.33.236.xx:0 94.23.198.171:0 41 --- 1300 ATTACK:OTHER
2015.02.15 12:24:35 CET 178.33.236.xx:0 94.23.198.171:0 41 --- 1300 ATTACK:OTHER
2015.02.15 12:24:35 CET 178.33.236.xx:0 94.23.198.171:0 41 --- 1300 ATTACK:OTHER
2015.02.15 12:24:35 CET 178.33.236.xx:0 94.23.198.171:0 41 --- 1300 ATTACK:OTHER
2015.02.15 12:24:35 CET 178.33.236.xx:0 94.23.198.171:0 41 --- 1300 ATTACK:OTHER
2015.02.15 12:24:35 CET 178.33.236.xx:0 94.23.198.171:0 41 --- 1300 ATTACK:OTHER
2015.02.15 12:24:35 CET 178.33.236.xx:0 94.23.198.171:0 41 --- 1300 ATTACK:OTHER
2015.02.15 12:24:35 CET 178.33.236.xx:0 94.23.198.171:0 41 --- 1300 ATTACK:OTHER
2015.02.15 12:24:35 CET 178.33.236.xx:0 94.23.198.171:0 41 --- 1300 ATTACK:OTHER
2015.02.15 12:24:35 CET 178.33.236.xx:0 94.23.198.171:0 41 --- 1300 ATTACK:OTHER
2015.02.15 12:24:35 CET 178.33.236.xx:0 94.23.198.171:0 41 --- 1300 ATTACK:OTHER
2015.02.15 12:24:35 CET 178.33.236.xx:0 94.23.198.171:0 41 --- 1300 ATTACK:OTHER
2015.02.15 12:24:35 CET 178.33.236.xx:0 94.23.198.171:0 41 --- 1300 ATTACK:OTHER
2015.02.15 12:24:35 CET 178.33.236.xx:0 94.23.198.171:0 41 --- 1300 ATTACK:OTHER
2015.02.15 12:24:35 CET 178.33.236.xx:0 94.23.198.171:0 41 --- 1300 ATTACK:OTHER
2015.02.15 12:24:35 CET 178.33.236.xx:0 94.23.198.171:0 41 --- 1300 ATTACK:OTHER
2015.02.15 12:24:35 CET 178.33.236.xx:0 94.23.198.171:0 41 --- 1300 ATTACK:OTHER

Really? What on earth is this? I am running a normal windows server on my box and it has been running for months without any error, and now anti-hack is disturbing me every 48 hours and I must re-install my server to use it?

Please stop this anti-hack nonsense and let me use my server.

My server ID is: ns235373

It is currently blocked and forcing me to re-install my server; I really don't want to re-install it again and reconfigure everything.

Please fix it and bring my server back to normal HDD mode.

waiting...
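The log smith00 posted above, together with heise's remark about protocol 41 and marks' point that port 0 means the traffic is not TCP, can be checked mechanically before anyone reinstalls anything. The following is an added example, not OVH's anti-hack code and not code from any poster: it parses records in the column layout the log header states (dateTime srcIp:srcPort dstIp:dstPort protocol flags bytes reason), aggregates them per flow, names the IP protocol number, and marks whether the logged ports carry any meaning for that protocol. The sample lines are constructed with RFC 5737 documentation addresses; only the column layout is taken from the thread.

```python
"""Triage helper for anti-hack log excerpts in the column layout shown in the thread.

Added example (not OVH code). Distinguishes transport protocols that really carry
ports (TCP/UDP/SCTP) from others such as protocol 41, where ":0" is only a placeholder.
"""
import re
from collections import defaultdict

# IP protocol numbers from the IANA registry (only the ones relevant here).
PROTO_NAMES = {
    1: "ICMP",
    6: "TCP",
    17: "UDP",
    41: "IPv6 encapsulation (IPv6-over-IPv4 / 6in4 tunnel)",
    47: "GRE",
    50: "ESP",
}
# Only these protocols have port numbers; for anything else the logged port is meaningless.
PORT_BEARING = {6, 17, 132}

# Column layout taken from the log header:
# dateTime srcIp:srcPort dstIp:dstPort protocol flags bytes reason
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2} \S+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<proto>\d+) (?P<flags>\S+) (?P<bytes>\d+) (?P<reason>\S+)$"
)


def parse_line(line):
    """Return a dict for one log record, or None for header, summary or blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "proto", "bytes"):
        rec[key] = int(rec[key])
    return rec


def explain(proto, port_meaningful):
    """Short triage note for a flow, from the defender's side."""
    if port_meaningful:
        return "transport protocol with real ports; match them against your listening services"
    if proto == 41:
        return ("IPv6 packets encapsulated in IPv4, not TCP/UDP; ':0' is a placeholder. "
                "Look for a 6in4 tunnel, an IPv6 relay or tunnelling malware on the host")
    return "this protocol has no port concept; ':0' is a placeholder"


def summarize(lines):
    """Aggregate records per (src, dst, protocol) and annotate what the numbers mean."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "ports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = flows[(rec["src"], rec["dst"], rec["proto"])]
        f["packets"] += 1
        f["bytes"] += rec["bytes"]
        f["ports"].add((rec["sport"], rec["dport"]))
    out = []
    for (src, dst, proto), f in sorted(flows.items()):
        port_meaningful = proto in PORT_BEARING
        out.append({
            "src": src, "dst": dst, "proto": proto,
            "proto_name": PROTO_NAMES.get(proto, f"protocol {proto}"),
            "packets": f["packets"], "bytes": f["bytes"],
            "port_meaningful": port_meaningful,
            "ports": sorted(f["ports"]),
            "note": explain(proto, port_meaningful),
        })
    return out


# Constructed sample in the thread's layout; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Attack detail : 3Kpps/4Mbps
dateTime srcIp:srcPort dstIp:dstPort protocol flags bytes reason
2015.02.15 12:24:35 CET 192.0.2.10:0 198.51.100.7:0 41 --- 1300 ATTACK:OTHER
2015.02.15 12:24:35 CET 192.0.2.10:0 198.51.100.7:0 41 --- 1300 ATTACK:OTHER
2015.02.15 12:24:35 CET 192.0.2.10:0 198.51.100.7:0 41 --- 1300 ATTACK:OTHER
2015.02.15 12:24:36 CET 192.0.2.10:21 198.51.100.7:51234 6 --- 60 ATTACK:OTHER
"""

if __name__ == "__main__":
    for flow in summarize(SAMPLE_LOG.splitlines()):
        print(f"{flow['src']} -> {flow['dst']}  proto {flow['proto']} ({flow['proto_name']}): "
              f"{flow['packets']} pkts, {flow['bytes']} bytes, ports {flow['ports']}")
        print(f"    {flow['note']}")
```

Run on the real excerpt, the nineteen identical lines collapse into one protocol-41 flow with port pair (0, 0), which is exactly the case marks describes: not TCP, so the ports are placeholders. The same distinction helps when capturing on the server to compare with the provider's view: a capture filter such as `ip proto 41` in tcpdump isolates the encapsulated traffic, whereas a TCP-only filter would never show it.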