Mycustomhosting Suspended VPS with unreasonable - Page 2
Comments

  • vRozenSch00n Member
    edited January 2014

    isy44h112 said: Indonesian

    Busyet dah...

    Explanation: Busyet (Buset) is a colloquial term used by native Jakartans, derived from Bullshit.
    "Busyet dah" is an expression of surprise :P similar to "OMFG"

    Thanked by 1Mark_R
  • @vRozenSch00n said:
    Busyet dah...

    What does it mean? Is it Javanese language?

  • I've edited above.

  • Neoon Community Contributor, Veteran
    edited January 2014

    Nevermind.

  • @vRozenSch00n said:
    I've edited above.

    Thanks.
    You know, I feel like I've been insulting "my own family".

    Thanked by 1vRozenSch00n
  • @isy44h112 Everybody here is trying to help, but OP seems to have misunderstood the intention. :(

    Thanked by 1Mark_R
  • @ZeroCool you should say thank you to mycustomhosting that your vps was not suspended before. Few providers asked their customers to remove that crap at all.

  • netomx Moderator, Veteran

    @vRozenSch00n said:
    isy44h112 Everybody here is trying to help, but OP seems to have misunderstood the intention. :(

    That's why I asked where he was from. Language barrier affects

  • netomx said: That's why I asked where he was from. Language barrier affects

    Yes, for an Indonesian, the way he responded is quite rude.

  • Drama, yeap.

    Here's the response I provided you on your ticket.

    "Y"ou can find the logs brought up by our system below which led to this alert.

    • START OF ADDITIONAL INFORMATION -

    Attack detail : 52Kpps/21Mbps
    dateTime srcIp:srcPort dstIp:dstPort protocol flags bytes reason
    2014.01.28 18:09:28 CET 198.50.246.xxx:36406 171.161.198.100:80 TCP SYN 52 ATTACK:TCP_SYN
    2014.01.28 18:09:28 CET 198.50.246.xxx:51329 171.161.206.100:80 TCP SYN 52 ATTACK:TCP_SYN
    2014.01.28 18:09:28 CET 198.50.246.xxx:33827 171.161.206.100:443 TCP SYN 52 ATTACK:TCP_SYN
    2014.01.28 18:09:28 CET 198.50.246.xxx:51365 171.161.206.100:80 TCP SYN 52 ATTACK:TCP_SYN
    2014.01.28 18:09:28 CET 198.50.246.xxx:55762 171.161.198.100:443 TCP SYN 52 ATTACK:TCP_SYN
    2014.01.28 18:09:28 CET 198.50.246.xxx:33857 171.161.206.100:443 TCP SYN 52 ATTACK:TCP_SYN
    2014.01.28 18:09:28 CET 198.50.246.xxx:33863 171.161.206.100:443 TCP SYN 52 ATTACK:TCP_SYN
    2014.01.28 18:09:28 CET 198.50.246.xxx:60143 171.161.202.100:80 TCP SYN 52 ATTACK:TCP_SYN
    2014.01.28 18:09:28 CET 198.50.246.xxx:48920 171.161.202.100:443 TCP SYN 52 ATTACK:TCP_SYN
    2014.01.28 18:09:28 CET 198.50.246.xxx:36430 171.161.198.100:80 TCP SYN 52 ATTACK:TCP_SYN
    2014.01.28 18:09:28 CET 198.50.246.xxx:51353 171.161.206.100:80 TCP SYN 52 ATTACK:TCP_SYN
    2014.01.28 18:09:28 CET 198.50.246.xxx:33839 171.161.206.100:443 TCP SYN 52 ATTACK:TCP_SYN
    2014.01.28 18:09:28 CET 198.50.246.xxx:33851 171.161.206.100:443 TCP SYN 52 ATTACK:TCP_SYN
    2014.01.28 18:09:28 CET 198.50.246.xxx:60137 171.161.202.100:80 TCP SYN 52 ATTACK:TCP_SYN
    2014.01.28 18:09:28 CET 198.50.246.xxx:51341 171.161.206.100:80 TCP SYN 52 ATTACK:TCP_SYN
    2014.01.28 18:09:28 CET 198.50.246.xxx:33845 171.161.206.100:443 TCP SYN 52 ATTACK:TCP_SYN
    2014.01.28 18:09:28 CET 198.50.246.xxx:60131 171.161.202.100:80 TCP SYN 52 ATTACK:TCP_SYN
    2014.01.28 18:09:28 CET 198.50.246.xxx:55750 171.161.198.100:443 TCP SYN 52 ATTACK:TCP_SYN
    2014.01.28 18:09:28 CET 198.50.246.xxx:51347 171.161.206.100:80 TCP SYN 52 ATTACK:TCP_SYN
    2014.01.28 18:09:28 CET 198.50.246.xxx:55744 171.161.198.100:443 TCP SYN 52 ATTACK:TCP_SYN

    • END OF ADDITIONAL INFORMATION -

    Your VPS was used in an outbound DoS attack and has been terminated.

    -----> End of response.

    I was in no way rude or trying to start drama with you. Clearly you can see your VPS was used in an outbound DoS attack on, of all people, BoA. Sorry, you claim your VPS is unused but then ask to make a backup? If the VPS is truly idle there would be no backup to be taken. What else isn't true that you're saying?

    Your VPS will not be reinstated as it's a harm to my network and the internet. In the future I'd suggest securing your VPS or not using VPS for DoS.

    Thanked by 1vRozenSch00n
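
A small parser for the alert format pasted in the post above, added here as an illustration; it is not part of any post or of the provider's tooling. It takes six of the posted rows as sample input and checks whether the headline rate (52Kpps/21Mbps) agrees with the 52-byte SYN rows; the function names and the 10% tolerance are assumptions.

```python
import re
from collections import Counter

# Six rows copied from the alert posted above (source octet is masked there too).
ALERT = """\
Attack detail : 52Kpps/21Mbps
dateTime srcIp:srcPort dstIp:dstPort protocol flags bytes reason
2014.01.28 18:09:28 CET 198.50.246.xxx:36406 171.161.198.100:80 TCP SYN 52 ATTACK:TCP_SYN
2014.01.28 18:09:28 CET 198.50.246.xxx:51329 171.161.206.100:80 TCP SYN 52 ATTACK:TCP_SYN
2014.01.28 18:09:28 CET 198.50.246.xxx:33827 171.161.206.100:443 TCP SYN 52 ATTACK:TCP_SYN
2014.01.28 18:09:28 CET 198.50.246.xxx:55762 171.161.198.100:443 TCP SYN 52 ATTACK:TCP_SYN
2014.01.28 18:09:28 CET 198.50.246.xxx:60143 171.161.202.100:80 TCP SYN 52 ATTACK:TCP_SYN
2014.01.28 18:09:28 CET 198.50.246.xxx:48920 171.161.202.100:443 TCP SYN 52 ATTACK:TCP_SYN
"""

UNIT = {"": 1, "K": 1e3, "M": 1e6, "G": 1e9}
RATE = re.compile(r"Attack detail\s*:\s*([\d.]+)([KMG]?)pps/([\d.]+)([KMG]?)bps")
ROW = re.compile(r"^(\S+ \S+ \S+) (\S+):(\d+) (\S+):(\d+) (\w+) (\w+) (\d+) (\S+)$")

def summarize(text):
    """Parse one alert and return the facts a reviewer would check."""
    rate = RATE.search(text)
    pps = float(rate[1]) * UNIT[rate[2]]
    bps = float(rate[3]) * UNIT[rate[4]]
    rows = [m.groups() for line in text.splitlines()
            if (m := ROW.match(line.strip()))]
    sizes = [int(r[7]) for r in rows]
    return {
        "rows": len(rows),
        "sources": sorted({r[1] for r in rows}),
        "src_ports": len({r[2] for r in rows}),        # distinct source ports
        "targets": Counter((r[3], int(r[4])) for r in rows),
        "flags": sorted({(r[5], r[6]) for r in rows}),
        "row_bytes": sorted(set(sizes)),
        "bytes_per_packet": bps / 8 / pps,  # average size implied by the rate
    }

def is_bare_syn_burst(s, tolerance=0.10):
    """True when every sampled row is a same-size TCP SYN from one source and
    the headline pps/bps figure agrees with that size (within `tolerance`)."""
    if s["flags"] != [("TCP", "SYN")] or len(s["sources"]) != 1:
        return False
    if len(s["row_bytes"]) != 1:
        return False
    size = s["row_bytes"][0]
    return abs(s["bytes_per_packet"] - size) / size <= tolerance

if __name__ == "__main__":
    print(is_bare_syn_burst(summarize(ALERT)))
```

The summary describes only the shape of the traffic (one source, fixed-size SYNs, a new source port per packet, web ports on several targets); it says nothing about what on the VPS generated it.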
  • Virtovo Member
    edited January 2014

    @MCHPhil said:
    Drama, yeap.

    Here's the response I provided you on your ticket.

    "Y"ou can find the logs brought up by our system below which led to this alert.

    Your VPS was used in an outbound DoS attack and has been terminated.

    -----> End of response.

    I was in no way rude or trying to start drama with you. Clearly you can see your VPS was used in an outbound DoS attack on, of all people, BoA. Sorry, you claim your VPS is unused but then ask to make a backup? If the VPS is truly idle there would be no backup to be taken. What else isn't true that you're saying?

    Your VPS will not be reinstated as it's a harm to my network and the internet. In the future I'd suggest securing your VPS or not using VPS for DoS.

    Knowing a very well known exploit which matches that exact profile, could you have not merely suspended the client instead of terminating?

  • @Virtovo said:
    Knowing a very well known exploit which matches that exact profile, could you have not merely suspended the client instead of terminating?

    How would I know that without snooping through the customer's VPS?

    Either way, it would be his duty to secure his VPS. A hacked script is no excuse. It wouldn't fly with any other company or industry, why would it here?

  • @MCHPhil said:
    Either way, it would be his duty to secure his VPS. A hacked script is no excuse. It wouldn't fly with any other company or industry, why would it here?

    The data you pasted was enough to tell you that it was. No snooping required.

    How you conduct business is of course your choice and yes the client was responsible for the security of his VPS; however we all (including yourself) place faith in third party products. I assume your billing system is hosted somewhere? Would you be happy for the host to terminate it if you were exploited by a 0 day?

  • @MCHPhil said:
    Either way, it would be his duty to secure his VPS. A hacked script is no excuse. It wouldn't fly with any other company or industry, why would it here?

    I use several well known companies here at LET (and WHT) that did not terminate my servers when they got hacked some months ago.
    I was using Status2k on all my servers, and someone got access to all my servers, uploading a mining script. It used lots of CPU resources.
    Some of the hosts turned my servers off, letting me start them and find the source of the issue. I think this is a better solution than just terminating the server/user.

  • @Virtovo said:
    Knowing a very well known exploit which matches that exact profile, could you have not merely suspended the client instead of terminating?

    He can't. That's MCHPhil, and his arrogance is well known around. He would rather die than be reasonable and helpful to anyone.

    MCHPhil said: In the future I'd suggest securing your VPS or not using VPS for DoS.

  • MCHPhil Member
    edited January 2014

    The data I pasted does not say kloxo or some script has been hacked. Where do you see that? It says there was a TCP SYN attack on an IP. There are many ways this could be done and only one of them includes kloxo.

    I do not host my billing system externally, what kind of provider trusts another provider with access to their billing system? I also take precautions to hopefully prevent attacks. Whereas this could be a simple server with password logins enabled?

    I also keep updated on exploits and usually have them patched within a few of them being released. I don't use kloxo nor keep up with that craptastic software.

    Edit: I would not have a problem working with him if it didn't take an argument and thread for him to realize his VPS was hacked. For all I know he knew this was going on and is just BS'ing everyone.

  • Virtovo Member
    edited January 2014

    @MCHPhil said:
    The data I pasted does not say kloxo or some script has been hacked. Where do you see that? It says there was a TCP SYN attack on an IP. There are many ways this could be done and only one of them includes kloxo.

    I do not host my billing system externally, what kind of provider trusts another provider with access to their billing system? I also take precautions to hopefully prevent attacks. Whereas this could be a simple server with password logins enabled?

    I also keep updated on exploits and usually have them patched within a few of them being released. I don't use kloxo nor keep up with that craptastic software.

    The traffic profile and target (BoA) were more than enough to determine that it was most likely Kloxo. I think your client may have appreciated a dialogue on the issue before he was terminated. Either way how you conduct business is your choice.

    I would say that a lot of providers host their billing externally. In fact looking at the whois data for your billing area it's hosted at OVH.

  • Will be adding you to my provider shit list.

    Thanked by 2MCHPhil GIANT_CRAB
  • MCHPhil Member
    edited January 2014

    @painfreepc said:
    Will be adding you to my provider shit list.

    Lol, please do.

  • drserver Member, Host Rep

    I don't understand one thing: suspended or terminated?

  • Suspending makes sense in such a case but terminating does not.

  • Virtovo said: how you conduct business is your choice

    Yes, exactly. And it applies to every single host here. Speculating about what some host "could have done" or "should have done" is useless and does nothing except create arguments.

  • MCHPhil Member
    edited January 2014

    Virtovo said: In fact looking at the whois data for your billing area it's hosted at OVH.

    It would have to be at a datacenter wouldn't it? I mean come on?

    Had the client's first response not been "OMG no it was not me you lie", I would be willing to work with him; instead it's not his responsibility and the VPS was unused. Come to find out it was installed with kloxo, not so unused huh? I don't understand what the problem is? I can't trust him. I won't put my other clients in jeopardy for his $21 a qtr. Contrary to popular belief, my business is doing great and I have plenty of happy customers, losing one or two here and there is fine, especially if they are not securing their VPS and thus putting my other clients at risk. He wants high risk web hosting, it's not $21 a qtr for 4Gb RAM. And it's certainly not in NA.

    A more appropriate response to the VPS being suspended would have been, I am not sure how this would have happened, I had XXX installed... Can you allow access to check things out.

    Not, this.

    Because he does not feel it is his responsibility this will continue to happen. Not worth the trouble.

  • Virtovo Member
    edited January 2014

    @sleddog said:

    That's a reasonable point. At least clients know where they stand in future.

    MCHPhil said: It would have to be at a datacenter wouldn't it? I mean come on?

    This doesn't change the element of trust. By default OVH servers come with an SSH access key. Even if removed it can be trivial to single user a server. I'm not sure how your setup is different to what I described.

  • MCHPhil Member
    edited January 2014

    Then ask, don't assume. See my sig? I don't mind explaining some of the steps I take..

    I don't use OVH templates at all. All my nodes at OVH are installed over KVM/IP with official mirrors. So none of their fun will be included. The single user a server argument applies to any host...

    Shoot me a PM if you'd like to know anything else about my setup. I don't mind sharing.

    I have always stated publicly I take a strong stance on policy. My business model is built on that fact. Had his first 3 responses not been my vps was unused, this is a lie etc. And then waiting less than about 2-3 hours before posting this here. This is unneeded.

    He is putting my other customers at risk by supposedly using "known" buggy software. This is a no brainer in my world :/

  • @MCHPhil said:
    He is putting my other customers at risk by supposedly using "known" buggy software. This is a no brainer in my world :/

    Still, why terminate? Why not just let him rebuild his server? Or was that what you did?

  • painfreepc Member
    edited January 2014

    @myhken said:
    Still, why terminate? Why not just let him rebuild his server? Or was that what you did?

    Not worth his trouble, for $21 a qtr

  • @myhken said:

    His server sits suspended at this time. Terminated only means a sense of it will not be reinstated. His own admission, he is not responsible for his VPS security so this will likely happen again. The VPS will not be reinstated because of this. He's more than welcome to a backup and should reply to my ticket in private, like this matter should have been originally handled.

  • Or, you could not be a complete asshole about things and take the BuyVM approach to handling this situation regarding Kloxo.

  • MCHPhil Member
    edited January 2014

    Because suspending someone with a VPS that is sending a DoS attack is an asshole thing to do lol.

    He opened a ticket and then promptly posts here about how I'm trying to start drama. This is COMEDY.

    The BS this forum allows from providers and then I suspend a client for DoS and am crucified. Cute. I should just move all my CA customers to South America. That would win you guys over right?

This discussion has been closed.