EDIS suspended my new vps saying there is a C&C server type of attack!
jvnadr Member
edited December 2013 in Help

Hello all.

I need your help! Yesterday night, I installed a new VPS from EDIS (bought 5 days ago) to host my news portal there. I moved my portal from the old provider (which worked fine, just a little more load and a bit low I/O that I thought EDIS was better at, so I decided to move) and all seemed fine. Load was normal, speed was average to good. An hour before noon today, I saw that the website was down. When I tried to log in, I found that EDIS had suspended my VPS with a message in my mail saying:

This is a notification that your service has now been suspended. The details of this suspension are below:
Product/Service: OVZ Basic
Domain: -----
Amount: EUR 5.19
Due Date: 28/12/2013
Suspension Reason: Abuse:C&C
Please contact us as soon as possible to get your service reactivated.
Nonpayment will result in deletion of the service and all associated data.

After 2 minutes, I received another mail saying:

Hi,
we just received an abuse report concerning your server, please check your configuration.
Due to this report, unfortunately we had to suspend your server.
Yours sincerely
Ismir Saljic

**EDIT:** The title of their second email was "Diverse Malware (laut Spamhaus) in ihrem AS 57169"

I sent them immediately an email (ticket opening in client area does not function) with this response:

I just moved my site yesterday night. It is a news portal site and nothing else. I didn't abuse anything and you don't give me any details about the reason for the suspended server or what exactly I am abusing. I cannot even open a ticket in the client area! The opening of tickets is disabled! I bought this box 5 days ago and used it just yesterday, installing a panel and a Joomla site on my domain. Please inform me about the abuse I did and unsuspend my server as soon as possible, so I can check myself what is going on there (if it is going on...)

Their response:

Hi,
this is the log we received for your server.
Time: Tue Dec 3 22:44:25 2013 Source-IP: xxx.xxx.xxx.xxx ASN: 57169 C&C Server: Bot-Infection:unknown1895 Destination-IP: Destination-Port: 25 Local-Port:
Obviously your site is infected.
Yours sincerely
Ismir Saljic

I responded that:

Excuse me but what you sent me says nothing! It says Bot-Infection:unknown1895. What is that? What is the abuse? Spamming? The log says nothing. Please give more information and open my server to investigate

And I received this new mail:

C&C server type of attacks are very dangerous and we have to suspend a server with this type of infection.
If we don't do that we can face a lot of problems in our network.
We're sorry but the only way to get the server back is the reinstallation.
Yours sincerely
Ismir Saljic

First of all: Shouldn't they give me more information about the bot they say I host? Logs that identify that there was an abuse of the server, or proof of the botnet?

  1. Shouldn't they let me investigate in any way the cause or the source of the bot / malware or anything? Shouldn't they let me scan my site to find out what happened?

  2. Couldn't they let me even take a backup of the recent update of my site (some news articles I uploaded that my last mid-day auto backup didn't get)? Even give me the opportunity to log in from a single IP (my home IP) just to do investigation and/or backup?

  3. I scanned my website on my old server (the one that worked till yesterday's move to EDIS) with several services (Sucuri etc.) and it seems clean. No sign of infection at all. The only update to the new (EDIS) server is just a bunch of news articles. No software, no modules, nothing.

I am not familiar with "C&C server type of attacks". Is there a special scanning method that reveals it, beyond the usual malware / virus scans? I have to mention that I did secure my new EDIS server (ClamAV, SpamAssassin, CSF+LFD, changed passwords etc.).

I know that for a big company like EDIS with thousands of clients, my complaint here is nothing. But I think they treat me like nothing... A couple of (very) typical answers just to get rid of me without giving me any serious detail or opportunity to fix any problem - if there is one...

Any thoughts from you guys will be welcome!
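The only evidence the provider forwarded is the one-line report quoted above (Time / Source-IP / ASN / C&C Server / Destination-IP / Destination-Port / Local-Port). As an added example, not code from the thread or from CBL, Spamhaus or EDIS, the following Python parses a line in that format into named fields, keeps the empty fields visible as None rather than dropping them, and turns the result into a short defender-side triage list. The sample line with the 192.0.2.10 address and ASN 64496 is constructed (both are reserved for documentation); the second constant is the masked line as it appears in the thread. The triage wording is my own and only restates what the fields themselves show.

```python
import re
from datetime import datetime
from ipaddress import ip_address

# Field names in the order they appear in the report quoted in the thread.
# "C&C Server" contains a space, so the line cannot simply be split on whitespace.
REPORT_FIELDS = (
    "Time", "Source-IP", "ASN", "C&C Server",
    "Destination-IP", "Destination-Port", "Local-Port",
)
_FIELD_RE = re.compile("|".join(re.escape(f) + ":" for f in REPORT_FIELDS))

# Constructed sample: documentation IP range and documentation ASN.
SAMPLE_LINE = ("Time: Tue Dec 3 22:44:25 2013 Source-IP: 192.0.2.10 ASN: 64496 "
               "C&C Server: Bot-Infection:unknown1895 Destination-IP: "
               "Destination-Port: 25 Local-Port:")
# The line exactly as quoted in the thread (address masked by the poster).
THREAD_LINE = ("Time: Tue Dec 3 22:44:25 2013 Source-IP: xxx.xxx.xxx.xxx ASN: 57169 "
               "C&C Server: Bot-Infection:unknown1895 Destination-IP: "
               "Destination-Port: 25 Local-Port:")


def parse_abuse_line(line):
    """Split one report line into a dict keyed by field name.

    Each value runs from the end of its "Name:" marker to the start of the
    next known marker. Fields with no value (Destination-IP and Local-Port in
    the thread's report) map to None instead of being silently lost.
    """
    markers = list(_FIELD_RE.finditer(line))
    report = {}
    for i, match in enumerate(markers):
        name = match.group(0)[:-1]  # drop the trailing colon
        end = markers[i + 1].start() if i + 1 < len(markers) else len(line)
        value = line[match.end():end].strip()
        report[name] = value or None
    return report


def report_time(report):
    """Parse the Time field, which uses asctime-style formatting in the report."""
    return datetime.strptime(report["Time"], "%a %b %d %H:%M:%S %Y")


def infection_label(report):
    """Return the listing code (e.g. 'unknown1895') carried in the C&C Server field."""
    value = report.get("C&C Server") or ""
    prefix = "Bot-Infection:"
    return value[len(prefix):] if value.startswith(prefix) else value


def triage(report):
    """Plain-text observations a server owner can act on, derived only from
    the fields that are actually present in the report."""
    notes = []
    src = report.get("Source-IP")
    try:
        ip_address(src)  # raises ValueError for None or a masked/malformed address
        notes.append(f"source {src} is a concrete address; confirm it is one of yours")
    except ValueError:
        notes.append(f"source {src!r} is masked or malformed; ask for the real address")
    if report.get("Destination-IP") is None:
        notes.append("no destination IP given; ask the provider which peer/sinkhole was contacted")
    port = report.get("Destination-Port")
    if port == "25":
        notes.append("outbound connection to port 25 (SMTP); check for mail-sending "
                     "processes other than your own MTA")
    elif port:
        notes.append(f"outbound connection to port {port}")
    else:
        notes.append("no destination port given")
    return notes


if __name__ == "__main__":
    rep = parse_abuse_line(SAMPLE_LINE)
    print(rep)
    print(report_time(rep).isoformat(), infection_label(rep))
    for note in triage(rep):
        print("-", note)
```

Run stand-alone it prints the parsed fields, the timestamp and the listing code, then the triage notes. The point of keeping empty fields as None is that the gaps in the report (no destination address, no local port) are themselves the questions to put back to the provider when asking for usable evidence.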


Comments

  • "C&C" means Command and Control.

    These situations are very difficult for both customer AND provider. Essentially portions of EDIS' business (Email access) is being threatened due to suspicious activity on their network. Spamhaus is pretty accurate, and rarely quick to point a finger. So if Spamhaus says your IP was doing xyz, it's pretty well documented and recorded.

    It is very very possible that there was something on your website being used to facilitate the distribution of malware (even malware used as C&C), all without your knowledge. It could be as simple as a hosted malicious file. It happens, it happens everyday, to lots of people.

    Trust EDIS on this, re-install.

  • http://en.wikipedia.org/wiki/Botnet

    C&C A.K.A Command & Control Botnet,
    This means you have been infected by someone who can now run everything on your VPS, in the background etc.

    1. depends on their ToS
    2. they could, but there are chances YOU could get infected as well.
  • jimpop said: Trust EDIS on this, re-install.

    The thing is he probably would have ended up restoring a backup tarball that already has those malicious files in it...so that won't solve the problem. Best bet is to either install a malware scanner on your VPS and scan it through or get some external security auditing done on the server. Costs a few hundred USD probably but would be worth it.

  • Unknown1895 is the code CBL AbuseAt gives.

    Did you use ZPanel to host your website?

  • zhuanyi said: The thing is he probably would ended up restoring a backup tarball that already have those malicious files in them...so that won't solve the problem.

    Good point.

    I'm not sure that malware scanners are up to the challenge however.

    @jvnadr, do you have a known-good backup that you can restore from?

  • DennisdeWit said: Did you use ZPanel to host your website?

    Yes, I installed ZPanel (previous panel was Virtualmin). I have ZPanel hosted on a couple of other VPSs that run minor projects, without a single problem for months.

  • jimpop said: do you have a known-good backup that you can restore from?

    My last backup was also my live site that worked till yesterday afternoon (I already reactivated that site, which works smoothly). I even scanned it with some known services such as Sucuri and it seems clean.

  • It's your responsibility to secure your VPS. What did you want them to do? Just let it run while you figure out what's wrong? I don't see why you would post a thread on here.

  • jvnadr Member
    edited December 2013

    terafire said: It's your responsibility to secure your VPS

    I DID secure my VPS. Didn't you ever have problems with any of your projects, ever, even if you secured them? I wanted them to let me take a backup and investigate what happened. I have a previous backup that seems clean and unaffected. And I post here for help from people that have better knowledge than me or had the same issues with their projects before.

    P.S.: I really don't understand people that hit on LET members when they are just asking for help, saying their opinion on something, sharing experiences. You know, LET is not (only) for advertising your "affordable KVM and OpenVZ plans"; a lot of people like it as a forum where they can learn, discuss, post threads to talk and not just sell products for their business...

  • DennisdeWit Member
    edited December 2013

    @jvnadr said:

    That's your problem. Reinstall your VPS with Debian instead of CentOS and use VestaCP. Could you PM me your IP?

    I know this for sure. I have had the same problems. ZPanel is the problem that causes the unknown1895-listing.

    http://lowendtalk.com/discussion/17397/abuseat-com-s-cbl-is-giving-me-headaches#latest

  • DennisdeWit said: DennisdeWit

    There is no IP, the service is still suspended...
    Do you know of any known vulnerability in ZPanel? The authors and their community claim that there is none known in the latest version 10.1.0.
    As for Vesta, I'm not familiar with it. I will continue to use Virtualmin/Webmin, which fits my needs, and will test / use Vesta on a non-live box to form an opinion about your suggestion. :-)

  • TBH and off topic a little...I don't really trust any of the free CPs, not saying the paid ones are safer, but at least they (even WHMCS for this matter) have to address issues ASAP when they arise...and a hosting panel is really some pretty complicated stuff.

    Just go with your own LNMP set up, it is much easier to know exactly what's going on there.

  • @jvnadr said:
    Do you know of any known vulnerability of ZPanel?

    It's basically a ticking time-bomb from what I've seen and heard.

  • zhuanyi said: I don't really trust any of the free CPs

    Well, I think Webmin/Virtualmin is safe enough - at least as safe as the three "big" paid ones. But it is full of manual configuration and sometimes a little thing that you may miss can cause headaches till you find it and fix any issue you may have...

  • painfreepc Member
    edited December 2013

    I saw your post @ http://lowendtalk.com/discussion/comment/394001/#Comment_394001 VestaCP is not on your list.

    If you like ZPanel, you will love VestaCP,

    http://vestacp.com/ and http://stevetan.me/post/ubuntu-13-04-vestacp-setup

  • I saw this about ZPanel several months ago, it kind of put me off even wanting to try it:
    http://imgur.com/a/lzRuo

  • @jvnadr said:
    P.S.: I really don't understand people that hit on LET members when they just asking for help, saying their opinion to something, share experiances.

    I think the issue is people not having proper expectations. Your issue wasn't EDIS, yet you mentioned them many times in your opening statement.

  • k0nsl said: I saw this about ZPanel several months ago, it kind of put me off even wanting to try it: http://imgur.com/a/lzRuo

    Yes, and I opened this question!
    Well, I moved out of ZPanel because of that for my live projects and kept a couple of installations for testing purposes, which never had any problem since then. After all this time, after 10.1.0 came out, I decided to try the new panel on the couple of projects I was already testing it on and it worked like a charm. So, after some more testing on a non-critical site and on a streaming application, and after some answer posts about security from the authors and moderators of ZPanel, I decided to give it a try. But, if it comes up that this is the reason for the C&C, I'll stay away from now on.

    P.S. I have to say that when I first moved out from ZPanel I hadn't really had any issue and I was very happy with it. But, because of the security issues some people claimed there were, I stopped using it in critical environments and continued just for testing / playing and on non-critical sites.

  • jimpop said: Your issue wasn't EDIS, yet you mentioned them many times in your opening statement.

    What is "proper expectation" from your point of view? Even though EDIS is a reliable, stable and well known provider, I am disappointed in how they responded to my questions. I just wanted to investigate what caused the abuse. A permanent suspension without even letting me log in from just one IP to take a backup is what I mentioned and one of the two reasons I made that post. Also, I have to say that they should suspend my VPS immediately to prevent affecting the reliability of the IP, but they could be more cooperative in letting me find out what is going on, giving me logs showing the abuse, etc. As you see, I try to figure out what happened by reductio ad absurdum.

  • @zhuanyi said:

    Just go with your own LNMP set up, it is much easier to know exactly what's going on there.

    +1

    I don't even understand, why people need some CP etc. for hosting a few of their own sites.

  • painfreepc Member
    edited December 2013

    "why use automatic transmission, when you can just shift gears"

    I am a VestaCP user, No gear shifting required, the thing just works..

  • @Inglar said:

    Because it's a hell of a job to configure every DNS record/zone if you have plenty of subdomains.

    Vesta did the job for me. Thanks to @jarland for helping me out.

  • We are only reacting with suspension when verified, even most Spamhaus complaints are first forwarded.

    We get these reports from cert.at (Working with nic.at and the Vienna University) which are usually following the already sent Spamhaus complaint - Zeus detection is simple and very reliable (hardcoded in binary, config download location, url scheme, reaction), same goes for most other modern trojans that are still using non-custom protocols.

    -> suspension, contact, reinstall, keep server.

  • DennisdeWit said: Because it's a hell of a job to configure every DNS record/zone if you have plenty of subdomains.

    I let Cloudflare take care of my DNS delegation...so that I don't have to worry about that, and they provide SOME protection against DDoS/malware as well.

    Or you can choose from dns.HE or rage4...the choices are plenty.

  • jvnadr said: What is "proper expectation" from your vision?

    Customers have an obligation to run a VPS that meets the provider's current TOS and AUP. EDIS' other customers should never be at risk (i.e. can't send email) because of another customer's poorly secured and/or maintained VPS.

    jvnadr said: I just wanted to investigate what was caused the abuse.

    While that is a noble ideal, I can't say that I would want to be your VPS neighbor whilst you perform investigative and/or educational debugging.

    jvnadr said: they could be more cooperative to let me find out what is going on, give me logs that showing the abuse, etc.

    I don't believe that is in any provider's TOS, AUP, SLA, or other agreements. $20/month providers are not in the knowledge/education business.

    Devil's Advocacy: An EDIS employee hopefully makes at least $20 USD per hour, would you be willing to fund their time to investigate your problem?

  • jimpop said: While that is a noble ideal, I can't say that I would want to be your VPS neighbor whilst you perform investigative and/or educational debugging.

    This isn't an "educational" debugging. If a box or script or site of yours had a problem (hacked or anything) and your vps provider told you, "hey, you know, your script/site/server is abusing my server and I will suspend you", wouldn't you want to see what is happening? And all that when your vps provider will not be willing to give you even a detailed log to inform you what happened?

    EDIS is of course not the case in my example that will follow, but what if it wasn't EDIS but a kiddie host that made a poorly secured node, and the fault wasn't yours but someone else hacked/injected the node? Again, I don't believe that this is the case (a hacked node) because I had an EDIS server in the past and I was very happy with them (that's why I will ask for a reinstall and won't cancel the service). But, if they won't investigate what happened (they just sent me a one-line log that describes nothing), is it too much to ask them to allow me to search it? And there are solutions: they can give me limited access, only via my home IP or something.

    That's the negative with big companies. They don't care about you, because they have thousands of clients. They don't care about a negative review, a client that cancels their cheap (in price) service or some support tickets to be resolved in a deeper way.

    A last word: many people here blame ZPanel. I am not sure that ZPanel is really insecure. A lot of people have used it for a long time, some of my friends have, I have used it in some minor projects since version 6. I know there are a lot of fans and even more haters! I am neither. That's why I would like to find out what happened with a freshly installed server and a clean install of ZPanel that was compromised in a couple of hours, containing a website whose backup is working fine right now without having been hacked and without having (at least, known to me) any virus or malware.

  • jvnadr said: If a box or script or site of yours had a problem (hacked or anything) and your vps provider told you, "hey, you know, your script/site/server is abusing my server and I will suspend you", wouldn't you want to see what is happening?

    Yes I would. But, let's not kid ourselves, what happened to you was far from that. Your server was so unsecured and infested that EDIS's business reputation was at potential risk. That's why I feel your desire for investigation is just not warranted by the amount of $$ you pay EDIS. I know that sounds evil and tough, but it's just too true. If you were paying EDIS several hundred dollars or more, each month, I would probably say that they owed you a little more respect.

  • I have one issue with this whole thread. That is, why couldn't they null the IP (or disable the main interface) of the server and provide the customer access to it through the out-of-band console for the server? You can argue the setup was insecure all you want, but I am not understanding why they couldn't provide the customer access to the server in some way? Especially if this is OpenVZ I see no reason why someone couldn't log in, disable the main interface and tell the customer to check the server in the OOB console and clean it before returning it online. Now, if the customer 'cleans' or investigates the server and fails to clean the issue, then sure, suspend them and insist on a re-install. How is someone supposed to fix an issue that they have no information about? I agree the information that was provided to the OP was VERY lacking in helpful information. As a support technician myself, I can say that this was pretty poor work on the technician's behalf.

    Don't get me wrong, I am a happy EDIS customer and have been for more than a year, but reading this it really sounds to me like someone dropped the ball when it came to assisting a (valued?) customer. Also, not providing the customer the ability to back-up the contents of their server is tantamount to holding their data hostage and insisting they must delete their contents to restore the server to me would not be an acceptable answer either. What if I had my bitcoin wallet on it with 200 bitcoin and now my option is only to destroy all my data? I am not saying this was the case, but I am sure you can see what my point is.

    @william if this is a common practice for you guys, you should look into revamping your policies to better assist and inform your clients, as this would not be acceptable to me if I was in the OP's shoes.

    Cheers!

  • jvnadr said: A last word: many people here blame ZPanel. I am not sure that zpanel is really unsecure. A lot of people use it for long, some of my friends has, I use it in some minor projects since version 6.

    zPanel was hacked many times. Exploits were uncovered and they never responded. People use it doesn't mean it's secure. Never been hacked also doesn't mean it's secure.

  • jimpop said: Your server was so unsecured and infested that EDIS's business reputation was at potential risk.

    Well, you can read minds, or do black magic too? :-P Let's be serious. What fact makes you so sure that I didn't secure my server? Nothing at all. You don't know what I did, you don't know my steps, you know nothing m8... My server was not insecure. Or, at least, not "so insecure". I did many things to secure my server, as I do for all servers I have, live or not. While I'm infected with "LET Virus" (buying more boxes than needed), even those I don't care about are secured enough (strong passwords, virus scans, malware scans, firewalls, port configs etc.).

    So, no, you don't have any right to blame me for an insecure VPS. You don't know it. It was fairly secured. Maybe not the strongest securing job in the world, but again, fair enough. And what if I'm paying less than, e.g., Linode? Does that give the right to any company to show me less respect? No...
