RackNerd VPS: from being the best, turning into the worst experience... which I don't want it to be.
Everything started out great with their support service and their offer/pricing. I have been using their service for my clients. All the VPSes follow the same configuration: CWP, with all emails rate limited through policyd at a maximum of 50 emails per hour. I have around 6 VPSes from RackNerd for my clients, and I have more on other providers. But lately one of my VPS IPs has been causing trouble at their end. It suddenly goes offline. They claim my VPS is sending more than 60k spam emails and they put it on a null route. Though on my VPS the system log shows no outbound email being sent. None of the systems is being used for sending outbound emails... just a few server-side email logs, which are stored on localhost root. Then where or how are these ghost emails being sent? No idea from my side, as I cannot see anything on the VPS side. I can only trust the words they send in the support ticket. So far not a good experience. I have faced this problem twice. I hope we can overcome these issues in future. My client is also questioning my support because of this.
Sounds like your site was compromised. Do you use WordPress by any chance?
tcpdump -s 0 -w smtp.pcap 'tcp and ((src or dst port 25) or (src or dst port 465) or (src or dst port 587))'
running for a few hours, and then check from the packet capture whether any outbound SMTP connections were made.
My client did install WordPress, I can see, and it's on maintenance lock.
Thank you for your guidance. I just ran it and this is what appeared. Did I add the command properly? I will keep it on as suggested.
[root@srv ~]# tcpdump -s 0 -w smtp.pcap 'tcp dst port 25'
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
Be advised that it's unfortunately very common for WordPress plugins and themes to have tiny bugs that allow attackers to use your server, mostly as a spam station.
Yes. Later, you can download the smtp.pcap file and analyze it with Wireshark.
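The same check from the command line, as an added example that is not part of the thread or of any participant's post: tcpdump can read the capture back as text, and a few lines of awk count which remote mail servers this host opened connections to. The point of looking at the wire rather than the maillog is that a script (for example a PHP webshell) that opens its own socket to a remote MX never passes through Postfix, so neither the maillog nor a policyd rate limit ever sees that mail. The IP addresses and the tcpdump lines below are constructed sample data; the filter expression and the output field layout are tcpdump's real ones.

```shell
#!/bin/sh
# Added example, not from the thread. Reads the text that
#   tcpdump -nn -r smtp.pcap 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
# prints for the capture above, and counts the connections THIS host opened
# to remote port 25/465/587, grouped by destination host:port.
# Incoming connections to our own port 25 are not counted.
#
# usage: summarise_smtp_syns <this host's public IP> < tcpdump-text
summarise_smtp_syns() {
  me="$1"
  awk -v me="$me" '
    # tcpdump -nn line: <time> IP <src>.<sport> > <dst>.<dport>: Flags [S], ...
    $2 == "IP" && index($3, me ".") == 1 && $4 == ">" && $6 == "Flags" && $7 == "[S]," {
      dst = $5; sub(/:$/, "", dst)           # strip the trailing colon
      n = split(dst, part, ".")              # last dotted field is the port
      port = part[n]
      if (port == "25" || port == "465" || port == "587") {
        host = substr(dst, 1, length(dst) - length(port) - 1)
        seen[host ":" port]++
      }
    }
    END { for (k in seen) printf "%d %s\n", seen[k], k }
  ' | sort -rn
}

# Constructed sample (not a real capture): two SYNs to one MX, one SYN to a
# submission port, the SYN-ACK coming back, and an INBOUND connection to
# our own port 25, which must not be counted as outbound.
SAMPLE='12:00:01.000001 IP 203.0.113.10.51234 > 198.51.100.7.25: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 198.51.100.7.25 > 203.0.113.10.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:01.000300 IP 203.0.113.10.51235 > 198.51.100.7.25: Flags [S], seq 3, win 64240, length 0
12:00:02.000000 IP 203.0.113.10.51240 > 192.0.2.33.587: Flags [S], seq 4, win 64240, length 0
12:00:03.000000 IP 192.0.2.99.40000 > 203.0.113.10.25: Flags [S], seq 5, win 64240, length 0'

printf '%s\n' "$SAMPLE" | summarise_smtp_syns 203.0.113.10
# 2 198.51.100.7:25
# 1 192.0.2.33:587
```

On the live box, while the capture is still running, `ss -tnp '( dport = :25 or dport = :465 or dport = :587 )'` shows the PID and user that owns each outbound SMTP socket; on a CWP server that is typically php-fpm or the web server user running the compromised site, which tells you which account to look at first.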
In my experience RackNerd would not null route unless they had to.
As an admin, you need to get to the bottom of why there is 60k of mail.
+1 for this. WordPress has bad security; due to its popularity, a lot of malicious people target it. Also a lot of WP users are at fault for using it without updating plugins and themes regularly (or for using plugins from unknown, untrusted sources).
Also, check that your VPS does not have any "test" account that was created with an easy password or something just to test and ended up never being disabled. Do you have fail2ban activated? Also make sure none of the users have had their user/password combo compromised. A lot of users use the same passwords, and when their data is leaked, all their accounts are leaked.
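A quick sweep for the kind of leftover account the comment above warns about, as an added example (not from the thread): list the accounts that can actually log in, flag any second UID 0 account, and show which shadow entries have no password at all. The passwd and shadow lines below are constructed sample data standing in for `/etc/passwd` and `/etc/shadow`; on a real host feed the functions those files as root.

```shell
#!/bin/sh
# Added example, not from the thread. Usage on a real system (as root):
#   login_capable_accounts < /etc/passwd
#   extra_uid0_accounts    < /etc/passwd
#   shadow_password_state  < /etc/shadow

# Accounts whose shell is not a nologin-style stub, i.e. can log in.
login_capable_accounts() {
  awk -F: '$7 !~ /\/(nologin|false|sync|shutdown|halt)$/ {
             printf "%s uid=%s shell=%s\n", $1, $3, $7 }'
}

# Any UID 0 account that is not root: a classic persistence trick.
extra_uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Shadow field 2: empty means no password at all (anyone can su/ssh in
# if the service allows it); "!" or "*" means locked; anything else is a
# real hash that a password guess could open.
shadow_password_state() {
  awk -F: '
    $2 == ""     { print $1 " NO-PASSWORD"; next }
    $2 ~ /^[!*]/ { print $1 " locked"; next }
                 { print $1 " password-set" }
  '
}

# Constructed sample data (not from a real host): a forgotten "test" user
# with an empty password and a "backup" account that is really UID 0.
PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
test:x:1001:1001::/home/test:/bin/bash
backup:x:0:0::/root:/bin/sh
www:x:1002:1002::/var/www:/usr/sbin/nologin'
SHADOW='root:$6$saltsalt$hashhash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
postfix:!!:19000:0:99999:7:::
test::19000:0:99999:7:::
backup:$6$other$hash2:19000:0:99999:7:::'

printf '%s\n' "$PASSWD" | login_capable_accounts   # root, test, backup
printf '%s\n' "$PASSWD" | extra_uid0_accounts      # backup
printf '%s\n' "$SHADOW" | shadow_password_state    # test NO-PASSWORD, ...
```

Follow up on anything unexpected with `passwd -S -a` (lock state per account), `last -F` and `lastb` (successful and failed logins), and `fail2ban-client status sshd` to confirm the jail is actually running rather than just installed.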
Straight out calling out a provider without doing ANY due diligence on your side; we can all already tell you that you got hacked and you have no idea what you are doing. I hope someday some provider will sue people like you.
With those kind of rates you need to get a handle on this quickly. First, block outbound email on the VPS:
Then you can take your time to investigate. You may need to hire a system administrator to resolve it for you, or you may need to move to a managed service provider. You can only enjoy the savings of an unmanaged service if you can manage it yourself, otherwise you are tempting fate.
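One way to do the "block outbound email" step, as an added example that is not part of the post above: an egress filter that lets only the MTA's own user open outbound SMTP connections and logs the UID of anything else that tries, so the log itself tells you which account is sending. It assumes Postfix running as the `postfix` user (the default, and what CWP uses) and iptables with the owner match; the script prints the rules by default and applies them only with `--apply` as root.

```shell
#!/bin/sh
# Added example, not from the thread: emergency SMTP egress filter.
# Only the MTA user may connect out to 25/465/587; everything else is
# logged with its UID and rejected. Prints the rules; `--apply` runs them.
#   sh smtp-egress.sh            # show rules
#   sudo sh smtp-egress.sh --apply [mta_user]

smtp_egress_rules() {
  mta_user="${1:-postfix}"
  for port in 25 465 587; do
    # Inserted at the head of OUTPUT (-I) in reverse order so the chain
    # reads ACCEPT(mta) -> LOG -> REJECT top-down and no earlier
    # permissive rule shadows it.
    echo "iptables -I OUTPUT -p tcp --dport $port -j REJECT --reject-with tcp-reset"
    echo "iptables -I OUTPUT -p tcp --dport $port -m limit --limit 10/min -j LOG --log-prefix \"SMTP-EGRESS-BLOCK \" --log-uid"
    echo "iptables -I OUTPUT -p tcp --dport $port -m owner --uid-owner $mta_user -j ACCEPT"
  done
}

case "${1:-}" in
  --apply) smtp_egress_rules "${2:-postfix}" | sh -e ;;
  *)       smtp_egress_rules "${2:-postfix}" ;;
esac
```

Blocked attempts show up in the kernel log as `SMTP-EGRESS-BLOCK ... UID=<n>`; `getent passwd <n>` maps that to the account. Note what this does not cover: mail that a script injects through `/usr/sbin/sendmail` (PHP `mail()`) is delivered by Postfix itself and is allowed through. If the maillog shows that pattern, hold the queue with `postsuper -h ALL`, inspect it with `postqueue -p` and `postcat -q <queue-id>`, and stop Postfix until the source is found.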
Hi @goodone -- thank you for being our valued customer, and I’m happy to hear that things have been going smoothly for you short of this particular incident.
Without deep diving into your VM (which would require root credentials) we can only assume, but this can be caused by any number of things, for example a compromised WordPress install or an unauthorized user having access to your server.
By default our KVM VPS services are unmanaged to keep our costs low, but we're always open to lending a hand wherever we can. Shoot me an e-mail at [email protected] with your VPS IP address and temporary root login credentials and we will take a closer look into your setup and see if we can help identify the culprit. There are a few things that are commonly overlooked when it comes to security that can easily be applied, and I'd be happy to make those suggestions to you after looking at your environment.
One important thing I did want to say is that we ultimately care about our customers' satisfaction. Whether you host with RackNerd or anyone else, you'd be running into the same issue that you're experiencing with this particular install, so either way we want to help get to the bottom of this and help you address it.
There's the 1st problem!
2nd issue: NEVER trust CWP developers to actually code something without flaws. Double-check via the command line that the policy is enforced. Much as I like, indeed prefer, CWP, their coding/communication leaves a lot to be desired, putting it very mildly!
So you basically claim that RackNerd is null routing your VPS for no reason, although they can prove it is sending thousands of spam mails; then you admit that your customer has a WordPress site that may have been hacked, but you have no idea how to handle that by yourself. Nice one really, keep up the good work.
Couldn't you solve this with more tickets to RackNerd instead of coming here?
Thank you everyone for all your supportive guidance, especially @stevewatson301 @afn @jar @dahartigan
And thanks to non supportive questions too.
RackNerd's support response experience is truly great. I have no doubts about it. They take their customers seriously. I didn't say they are the worst. What I said is that I have started feeling worse, and I don't want to feel like that, as I did not get answers to most of what I asked. They are ready to help me but do not briefly answer some of my questions. For instance, I asked them to show me proof of the actual mail sending/spam which happened outbound. I got no response on this, but rather "my issue has been fixed". Then they sent me a talosintelligence link which contains no reference to email send-out volume either. I am not questioning their supporting a customer and fixing the issue. What confused me is why, even after my attempt at resolving the issue, it would happen again automatically, which did not make sense to me. But later they clarified for me that it might happen because of IP reputation. So I am giving it 48 hours before I jump back in again on the VPS.
Dear @dustinc, from my past experience with other providers, your team quickly tries to resolve an issue, and you are an excellent person too. This is the reason I am moving all of my clients one by one to your system. I truly appreciate your support. At present I am going to wait 48 hours to see if things stay proper, as adjustments have been done from your support end. I will make sure to contact you if things go sideways again. Maybe I might change the panel itself....
But what confused me earlier: when I applied a Postfix config with rate limiting to not more than 50 emails per hour, and on the CWP side I also included policyd for panel-side users, how could the VPS send spam email which leads to automatic null routing? My maillog itself seemed clean when I checked it. Though I am following some more patterns to check whether I can identify the issue. Regarding the WordPress hack and problem that everyone is mentioning, I did check thoroughly on that and there are no sneaky backdoors and it's not infected. Literally there is no source of plugins/themes downloaded from nulled resources which could cause it, except the WP repo. There are only 3 plugins. And the theme being used is a legitimate version. The last resort for me is to suspect the CWP panel itself, which I am using and have been trusting for a long time.
Last year when Rack911 conducted security audits, I remember they were saying CWP was pathetic in security.
I may be wrong as the devs may have fixed everything now.
What's the point of this thread other than exposing OP's flaw?
Maybe the end is nigh and OP wanted LET not to miss it.
I have been using many panels but CWP has always been my first choice as they always send automatic updates. Thanks for the news, I am reading it. Well, I might change it as well if necessary.
You also need to remember that RackNerd leases servers, so the IP that is being abused won't belong to them or their infrastructure, and they will be getting suspension warnings from their supplier as well; this is why they will have acted quickly.
Yup, seems like OP never learns.
.. and frequently screw things up in the process.
It appears OP should stick with shared hosting rather than rely on a control panel - no need to get frightened of the CLI then.
You always exchange quality for price in the low end market.
We here at LET Support tend to answer the same way we get questions in, please don't forget to post your order number to get your LET experience doubled.
It is two years since Rack911 did the security audit of alternative panels, so it is too old to use as a guideline.
CyberPanel hired a pentester after this audit, so hopefully their security has become a lot better.
https://www.rack911labs.com/research/security-analysis-of-alternative-control-panels/
Yes, recently they did an update fixing many security issues. I haven't tested it yet personally, but they are really working hard on it.