EDIS suspended my new vps saying there is a C&C server type of attack! - Page 2


Comments

  • This is the reason I'm scared of CPs and just stick to a simple shell to manage a VPS. Less bloat.

  • TBH, it doesn't sound like you wanted help as much as to lash out at EDIS for suspending your VPS for it getting compromised. Whether you thought it was secured or not, it wasn't, and got your IP blacklisted, as well as a possibility of damaging their reputation if they kept the server running.

  • TheLinuxBug said: As a support technician myself, I can say that this was pretty poor work on the technician's behalf.

    Thank you, this is exactly what I'm saying. There are a lot of ways to give a customer the ability to investigate his own issue on an unmanaged VPS. Or, if not, at least give him some more details to work with.

    concerto49 said: People using it doesn't mean it's secure. Never having been hacked also doesn't mean it's secure.

    I totally agree with you. Just saying that the creators claim that this version is secure. I would like to have facts to prove to them that my server was hacked because of zpanel (if this occurred, of course). But I really don't know if this is zpanel's fault and I don't want to blame anyone or any software if I don't have facts. Don't you agree?

  • Maybe try to check your site files now to see if there is substance.

  • terafire said: TBH, it doesn't sound like you wanted help as much as to lash out at EDIS for suspending your VPS for it getting compromised. Whether you thought it was secured or not, it wasn't, and got your IP blacklisted, as well as a possibility of damaging their reputation if they kept the server running.

    Again, you speak without knowing what happened. The first thing EDIS offered me, before my post here, was to reinstall the service so it would be live again. People at EDIS support were polite, they responded within minutes to any of my emails, but I am not happy with their response. I don't blame them for suspending my service, they had to do it and I totally agree with them. I don't like the fact that I can't have even minimum information about the cause of the suspension. Just knowing of a C&C abuse - nothing else! Please, I don't want to argue with any of you, guys. I just want to talk about it. I have my service running already on my old server, I have several backups on a lot of other servers, I'm trying to secure my servers by doing my best. What is "secure" for you? SolusVM, that was hacked or had vulnerabilities a lot of times? WHMCS? Or other big players that had our data compromised? Did they also have their services totally unsecured? Shit happens, m*...

  • vRozenSch00n Member
    edited December 2013

    jvnadr said: But, I really don't know if this is zpanel's fault and I dont want to blame anyone or any software if I don't have facts.

    Knock, and the door will open

    Seek and you will find

    Ask and you'll be given

    The back door to your root

    Check the php code to make sure you have secured your zPanel properly.

  • jcaleb said: maybe try to check your site files now to see if there is substance

    I did, and so did some friends of mine. They seem good...

  • It is natural that you are disappointed with the suspension

  • jcaleb said: It is natural that you are disappointed with the suspension

    Well, I am really not disappointed with that. It is normal for a VPS to be suspended if it is abusing other clients on the node or is in danger of getting a whole range of the provider's IPs blocked. I am disappointed at not being able to search for what happened. That could be a big help to me in finding out whether it was a zpanel issue, my files' issue or a random issue (e.g., the server hacked before I even installed zpanel or apache).

  • ska Member
    edited December 2013

    @jvnadr said:
    Well, I am really not disappointed with that. It is normal for a VPS to be suspended if it is abusing other clients on the node or is in danger of getting a whole range of the provider's IPs blocked. I am disappointed at not being able to search for what happened. That could be a big help to me in finding out whether it was a zpanel issue, my files' issue or a random issue (e.g., the server hacked before I even installed zpanel or apache).

    It is not the task of the provider of an unmanaged VPS to look at your system and search for the cause. They mailed you the abuse info they had. Throwing that into Google and using common sense gives you more than enough hints as to where to look.

  • William said: We are only reacting with suspension when verified, even most Spamhaus complaints are first forwarded

    I never said or implied that you lied, did a poor investigation or made a poor decision. Of course the server was compromised.

    William said: suspension, contact, reinstall, keep server

    I disagree with this order. You have to insert something between contact and reinstall: investigate, or try to clean. Otherwise, there is no meaning in the "contact" step, just suspension, reinstall, keep server.

  • @jvnadr said:
    That could be a big help to me to find if was zpanel issue, my files issue or a random issue (e.g., server hacked before even installed zpanel or apache).

    http://lowendtalk.com/discussion/10391/the-security-trainwreck-that-is-zpanel

  • ska said: It is not the task of a provider of an unmanaged VPS to have to look at your system and search for the cause. They mailed you the abuse-info they had. Throwing that into google and using common sense gives you more than enough hints to where to look at.

    Again: I don't want EDIS to check my system; they receive peanuts for the service they provide, and of course it is totally unmanaged. But they didn't mail me any info. Please, do your search on Google and tell me: what happened? Who or what was hacked? They didn't give me details and they don't have to. But they should let clients search for this, with limited access, of course. It is easy...

  • Ok, but that is not proof. There is a new version, with a lot of users (and a dozen providers, too). I am confident that there are issues with zpanel, but am I wrong if I want to have a look before "burning them in hell" without knowing if this issue was really their panel's fault?

  • jvnadr said: Shit happens

    Given enough time, every one of us is going to get hit by a 0-day or some other crap. Learn and move on.

    But one thing - a server found to be a C&C node or a dump target for a botnet is never going to be relinquished back to the owner by any responsible provider, on the grounds that sensitive phishing data is now on that server. EDIS is doing the right thing by not providing you access to it (it's not personal).

    If you want to learn what might have happened, I suggest you grab a copy of Kali Linux and run its series of exploits against a test VM duplicating your setup. You probably won't turn up anything, but it's worth trying just to be sure.

  • @jvnadr said:
    Ok, but that is not proof. There is a new version, with a lot of users (and a dozen providers, too). I am confident that there are issues with zpanel, but am I wrong if I want to have a look before "burning them in hell" without knowing if this issue was really their panel's fault?

    https://groups.google.com/forum/#!topic/zpanel-alerts/em62Pq5pFxs

  • imperio Member
    edited December 2013

    Well, my experience with EDIS is also "you pay peanuts, you get monkey support". I migrated to premium providers paying 5x more.

  • vRozenSch00n Member
    edited December 2013

    jvnadr said: I disagree with this order. You have to insert something between contact and reinstall: investigate, or try to clean. Otherwise, there is no meaning in the "contact" step, just suspension, reinstall, keep server.

    When a provider gets an abuse report (not only EDIS), it is their concern to keep their good reputation by eliminating the abuse.

    In this case the first thing a customer should do is check whether his IP is blacklisted. If it is, it is most likely that your server is compromised.

    Second, cooperate with the tech support, contact them and follow their advice to reinstall.

    Do a clean install (server and panel), secure it and wait for 2-3 days. If another abuse occurs, then it is the panel.

    Just a tip:
    When you order a vps and get the vps info, it is better to immediately reinstall the OS and change the root password.

    Secure it with a key pair and disable password login via ssh.

    Prepare your iptables and any other hardening measures, then install whatever software you want.
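The first step in the advice above is to check whether the IP is blacklisted. The following is an added example (not code from this thread or from any provider or project mentioned in it) of a DNSBL lookup against Spamhaus ZEN, the list behind the abuse report discussed here. The reversed-octet query format and the 127.0.0.x return codes are summarised from Spamhaus's public documentation; the `FAKE_DNS` table, the TEST-NET addresses and the injectable `resolve` hook are constructed so the logic runs offline.

```python
import socket
from ipaddress import IPv4Address

ZEN_ZONE = "zen.spamhaus.org"


def describe_zen_answer(answer):
    """Map a ZEN A-record answer (127.0.0.x) to (listed, description).

    Return-code ranges are a summary of Spamhaus's published table; verify
    against their current documentation before relying on them.
    """
    octets = [int(o) for o in answer.split(".")]
    if octets[:3] == [127, 255, 255]:
        # 127.255.255.x are error codes (e.g. query sent through an open/public
        # resolver, or over the free-usage limit). Not a listing.
        return None, "query error %s (use your own resolver)" % answer
    if octets[:3] != [127, 0, 0]:
        return None, "unexpected answer %s" % answer
    code = octets[3]
    if code in (2, 3):
        return True, "SBL: spam source or compromised host (SBL CSS)"
    if 4 <= code <= 7:
        return True, "XBL: exploited host (malware, open proxy, botnet member)"
    if code == 9:
        return True, "SBL DROP: hijacked or criminal netblock"
    if code in (10, 11):
        return True, "PBL: dynamic/end-user range, not a compromise by itself"
    return None, "unknown code %s" % answer


def dnsbl_name(ip, zone=ZEN_ZONE):
    """Build the reversed-octet query name, e.g. 10.2.0.192.zen.spamhaus.org."""
    addr = IPv4Address(ip)  # raises ValueError on junk input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_ip(ip, zone=ZEN_ZONE, resolve=socket.gethostbyname):
    """Return a dict saying whether `ip` is listed in `zone`.

    `resolve` is injectable so the classification logic can be exercised
    without network access; by default it does a real A lookup.
    """
    name = dnsbl_name(ip, zone)
    try:
        answer = resolve(name)
    except socket.gaierror:
        # NXDOMAIN: the address is not on the list.
        return {"ip": ip, "query": name, "listed": False, "detail": "not listed"}
    listed, detail = describe_zen_answer(answer)
    return {"ip": ip, "query": name, "listed": listed, "answer": answer, "detail": detail}


# Constructed stand-in for DNS (assumption: TEST-NET addresses, made-up answers).
FAKE_DNS = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.4",          # pretend XBL listing
    "30.2.0.192.zen.spamhaus.org": "127.255.255.254",    # pretend open-resolver error
}


def fake_resolve(name):
    """Offline resolver: NXDOMAIN for anything not in FAKE_DNS."""
    try:
        return FAKE_DNS[name]
    except KeyError:
        raise socket.gaierror("NXDOMAIN")


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(check_ip(ip, resolve=fake_resolve))
```

For a real check, call `check_ip("<your vps ip>")` from a host whose resolver is not a public open resolver, otherwise ZEN returns an error code rather than a listing.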

  • His complaint is EDIS didn't give enough info.

  • vRozenSch00n Member
    edited December 2013

    jcaleb said: His complaint is EDIS didn't give enough info.

    said: EDIT: The title of their second email was "Diverse Malware (laut Spamhaus) in ihrem AS 57169" ("Various malware (according to Spamhaus) in your AS 57169")

    The abuse info is enough to check online.

  • @tchen said:

    Excuse me, but, WHAT!? So if somehow my server becomes attacked and exploited, this gives the provider the right to refuse me access to MY personal data? I am sorry, but that is just ignorant sounding to me. If a customer of mine had an issue like this, I would disable the network interface to ensure no further abuse came from the server and ask the customer to log in through the OOB console and check their server for any issues. Sure, it is reasonable to mandate that before putting things back online they do a fresh install, but I can not agree with denying someone access to their server and data, regardless of the issue. Just because someone compromised the server doesn't mean that you should take their data hostage and force them to wipe it all.

    Think about it this way, if I were the OP before coming here and opening this thread and re-install was my only option with no information about what occurred, I would likely re-install it the exact same way and be vulnerable again as I would have no idea the attack vector that was used against my server. He came here and opened this thread because he had NO idea what was wrong as no one would tell him or let him investigate and he wanted to be sure when setting up his server again he didn't run into the same issue.

    Sure, if this was a repeat abuse situation, go ahead, force a re-install. However, as the OP said that he has only had the server 5 days and this was the first active project he put on it, I can't see this being the case. The bottom line here is that EDIS didn't care to go out of their way to help their customer; sure, at the low cost and it being unmanaged I can see why they wouldn't want to spend extra time on it, but at the same time this makes for HORRIBLE customer service and makes the customer feel helpless. I don't care what your profit margin is: if the attack vector is dangerous enough that you would deny the customer access to the server just because of the presumed risk, then you should be willing to help the customer understand why and not just give a 2 sentence "go fuck yourself" answer.

    I digress.

    Cheers!

  • vRozenSch00n Member
    edited December 2013

    TheLinuxBug said: Excuse me, but, WHAT!? So if somehow my server becomes attacked and exploited, this gives the provider the right to refuse me access to MY personal data? I am sorry, but that is just ignorant sounding to me. If a customer of mine had an issue like this, I would disable the network interface to ensure no further abuse came from the server and ask the customer to log in through the OOB console and check their server for any issues. Sure, it is reasonable to mandate that before putting things back online they do a fresh install, but I can not agree with denying someone access to their server and data, regardless of the issue. Just because someone compromised the server doesn't mean that you should take their data hostage and force them to wipe it all.

    True and the notification said:

    said: Abuse:C&C

    Please contact us as soon as possible to get your service reactivated.

    Which means there is a possibility for the OP to ask to retrieve or investigate his server.

  • vRozenSch00n said: Which means there is a possibility for the OP to ask to retrieve or investigate his server.

    I asked. They didn't answer my demand. You can read the whole discussion in my initial post. And this is odd. In their first response, they told me to "check my configuration". How would I check my configuration if the service is suspended and the only way to unsuspend it is to wipe it out? I'm familiar with the... configuration of a clean, wiped, empty Linux box...

    @EDIS said: C&C server type of attacks are very dangerous and we have to suspend servers with this type of infection

    Also, when asked for more details, they answered me as if I were a complete idiot or didn't even know that a computer can start if you press the big white power button on the front of the case!

  • @jvnadr In your case, I see 2 possible points of attack that might have been used to abuse your server: zPanel and Joomla.

    I won't comment more about zPanel as I am just another stupid user that is still using plain Kloxo and Limbo on some of my sites.

    In the case of Joomla, they have many versions flying around (1.x, 2.x, 3.x, etc.) with a great number of plugins and templates available.

    If you follow the Joomla newsletter you will know that Joomla always has a newly found vulnerability once in a while.

    Some of the plugins and templates (usually commercial) are encrypted, and you might not be able to know whether the scripts are weak despite the secure claims by the developer.

    I don't know whether you scp/ftp the zPanel or Joomla from your development environment when installing it, or simply wget it from source.

    If you have it installed in your development environment before uploading to your server, then you can check the configuration there.

  • tchen Member
    edited December 2013

    @TheLinuxBug said: Excuse me, but, WHAT!?

    You read me. As ignorant as I may sound to you, no one should be allowed back onto a C&C node unless you want to personally vouch for him. The OP has my sympathies, but he has a backup and right now only wants to re-enter the node for 'education' purposes. This isn't even a question about data - which, if it was, there are ways to provide it sanitized without carte blanche access to the node.

    As a provider, you would tread some serious ground if you let a third party back onto that C&C node.

    Could the messages to him have been phrased better? Of course. Could they have spent the countless man-hours we all have just done to better educate him on C&Cs and botnets? Sure.

    You're more than welcome to your righteous indignation. But as a support technician, I really hope you are never placed in a position to give a bot operator the keys. To think that disabling the NIC would make your worries evaporate sounds to me the more ignorant and irresponsible.

    edit: Just for clarification, I personally don't think the OP is the bot operator. But it doesn't really matter in this discussion what I think.

  • TheLinuxBug Member
    edited December 2013

    @tchen LOL. So if someone gains illegal access to my server you find it okay to then refuse me access to MY data that you do not own? As I stated before in my reply, which you likely didn't read to its completion, if as a provider you find the attack vector is dangerous enough that you would deny the customer access to the server just because of the presumed risk, then you should be willing to help the customer understand why and not just give a 2 sentence "go fuck yourself" answer. This would mean you as a provider would take the opportunity to go into the server (with the customer's permission), make sure if there is any such "botnet" or "phishing" data that you would either, by agreement with the customer, remove it before providing access back to the server, or do a detailed analysis of the server to provide the customer with the attack vector used to gain access. By no means does it give you the right to fraudulently retain someone's private information and force them to delete their data without providing a copy. If you choose the method of not giving the client access, then even as an unmanaged service you have an obligation to check the server and provide more information.

    In some cases, where the service was valuable enough and the data valuable enough, by refusing me access to my data and forcing me to delete it (barring specific TOS/AUP stipulations to that effect) I could then sue you for unauthorized destruction of private property and likely win.

    What host do you work for by the way? I want to make sure I never do business with them.

    Cheers!

  • Maounique Host Rep, Veteran
    edited December 2013

    It has happened that we forced people to reinstall after repeated attacks originating from their IP and claims that "they fixed it".
    While we presume the customer knows what they are doing, if it happens more than once then something is wrong and they did not heed our advice to reinstall, or they use insecure scripts.
    It is not OK for only the provider to suffer because the customer has no idea what they are doing, or simply plays dumb and the attacks/spam/scans are really their work. If the reinstall does not fix it, well, it is time to say goodbye and recommend a managed service.
    On the other hand, we offer free backup space and tutorials on how to do it automatically, so there are really no excuses for not having up-to-date backups. Therefore, denying the customer access after repeated issues is well within my rights.

  • TheLinuxBug Member
    edited December 2013

    @Maounique in my replies I definitely stipulated that if it was a repeat infraction I would agree with that method. But, once again, the OP has only had the server for 5 days and had only installed a site on it yesterday. So, as this was not a repeat offense, I do not see an issue with providing the customer either access or information about the issue if you deem the server too much of a security risk.

    The customer said they had a recent back-up as they just deployed things, however, they did not have the access to the most recent updates or to finding out what the cause of the exploit was. So your back-up spiel is a little misplaced here.

    Cheers!

  • Maounique Host Rep, Veteran
    edited December 2013

    OK, to summarize my take on this:
    1. The customer is at fault for using lax security or unsafe scripts in spite of all warnings at least here (zpanel);
    2. The host is at fault for not allowing the customer access to the console to see what happened before he can reinstall himself (as mentioned a simple null would have done it);
    3. That being said, since it was a new customer I can understand the host jumping the gun to some point, but they went a bit too far.

    Other than that, the thread is very good for shedding light on how things work in the unmanaged business. It is not the first nor the last, and from what I have seen in some 10 years of facing these situations from both sides of the fence it is pretty regular; neither party went so far as to be extraordinary, and there are far worse examples on both sides.

    EDIT: To answer the claim that the OP didn't know zpanel was insecure even after reading some reviews here: well, we all have friends that swear by some product or another, and we all know that absolutely junk products may work perfectly given a lot of luck, or even a little. But when people working in the field tell you, with arguments, that the product is insecure and you risk a lot by using it, and when other people say it even bundled an open proxy at some time, then you should not use it. There are plenty of other free panels out there; the headache of tweaking extra parameters is well worth it, besides giving more options, compared with the risk of being used by criminals.

  • @TheLinuxBug said:
    tchen LOL. So if someone gains illegal access to my server you find it okay to then refuse me access to MY data that you do not own?

    You make it sound like we're talking about your everyday php shell. This is a C&C node, and one apparently vetted by numerous third parties. There's a difference.

    That aside, standard TOS written by any legal team will give the provider transmission rights, the release of liability related to the loss of that data, and the right to restrict access on reasonable grounds. No one is disputing your rights of ownership on that data but everyone is well within rights to restrict you from that specific instance of it.

    As I stated before in my reply, which you likely didn't read to its completion, if as a provider you find the attack vector is dangerous enough that you would deny the customer access to the server just because of the presumed risk, then you should be willing to help the customer understand why and not just give a 2 sentence "go fuck yourself" answer.

    You're projecting. Besides, you're the one not reading. Please take a deep breath. I invite you to go back and read my reply. I understand if you were probably already seeing internet-red by the time the paragraph where I agreed communication could have been better scrolled by.

    This would mean you as a provider would take the opportunity to go into the server (with the customer's permission), make sure if there is any such "botnet" or "phishing" data that you would either, by agreement with the customer, remove it before providing access back to the server, or do a detailed analysis of the server to provide the customer with the attack vector used to gain access.

    Hence I said there are ways to SANITIZE data provided back to the OP. Most of which is a positive effort involving dumping mysql databases, filtering for suspicious data, etc. However, it is naive to think that you can 'remove' the C&C or be assured that the code isn't set up to dump the data to a dark corner of the server. Allowing access is just plain dumb IMHO and it doesn't take a rocket scientist to realize that.

    In some cases, where the service was valuable enough and the data valuable enough, by refusing me access to my data and forcing me to delete it (barring specific TOS/AUP stipulations to that effect) I could then sue you for unauthorized destruction of private property and likely win.

    Barring specific TOS like the entirety of section 12. Data Protection at EDIS? Even if it were omitted from the TOS, this is not a backup service hence the claimant (you) would not have any standing of reasonable grounds to assume that data is protected and retrievable in all situations. You're still well within your right to initiate a suit, but the judge would hurry you out of the court room. Good luck.

    What host do you work for by the way? I want to make sure I never do business with them.

    I'm not a provider. I'm just humbly someone who doesn't agree with you.
