Quadranet/Crissic suspended VPS for running mysql
This discussion has been closed.
Comments
Can you run this and see if it gets suspended?
yum/apt-get install screen
cp $(which screen) /usr/sbin/mysql
/usr/sbin/mysql -S test
GTFO script kiddie.
I'll do and report.
Edit:
What's this?
Edit 2:
Well, it does nothing other than clearing the terminal, but I haven't been suspended so far. They must have missed it.
Resolved, VPS is back up.
I'm not sure what happened, unintended rule, intended rule, bug in script, drunk sysadmin ex-employee tampering, unlucky cosmic ray flip? Anyways, I guess I'll give the benefit of doubt this time...
It copies the screen binary to a new file named "mysql", and the later command runs an empty screen session named "test" so "mysql*" shows up in the ps aux of the host node, thereby triggering the nodewatch script.
Just wondering, how they detect it? Spying to users?
Never got a VPS suspended by a provider in several years... only if not paid on time.
Because it's OpenVZ, they can look at processes and whatever they want. You can login as root in your VM with a simple command.
Some hosts run software like nodewatch that detects abuse and such.
they could have just let us know that they want us gone.
Alright, found out what it does when I played around with it. So you just have shown me how to make any script / binary look like something legit in the process list. Nah, no real use for that.
But is Nodewatch really being triggered when it detects such an attempt to hide the real process name?
That was not the intention - The intention was to have something named "mysql*" to see if it suspends the VPS - I just picked screen as it runs indefinitely in the background and you can simply detach from it, plus without anything running it is not resource intensive.
Nodewatch does not check if a proc was renamed (which is impossible anyway), it just compares "ps fauxww" to a list of banned procs.
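As an added example (not nodewatch's code, which is not in this thread): a name-only check of the kind described above, beside a stricter check that looks at the binary behind each pid, run over a constructed `ps fauxww` excerpt that contains a real mysqld and a copy of screen renamed to /usr/sbin/mysql as in the test posted earlier. The banned list and the pid-to-executable map are constructed stand-ins; on a real node the map would come from /proc/<pid>/exe.

```python
import os
import re

# Constructed banned-process list for a nodewatch-style scanner (assumption).
BANNED = {"mysql", "mysqld"}

# Constructed `ps fauxww` excerpt: a real mysqld, and a copy of screen that
# was renamed to /usr/sbin/mysql as in the test posted in this thread.
PS_OUTPUT = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   2308   600 ?        Ss   10:00   0:00 init
mysql      901  0.3  9.8 340112 51200 ?        Ssl  10:06   0:02  \\_ /usr/sbin/mysqld
root       950  0.0  0.4  25984  2100 ?        Ss   10:07   0:00  \\_ /usr/sbin/mysql -S test
"""

# Constructed stand-in for readlink("/proc/<pid>/exe") as the host node sees it.
EXE_BY_PID = {1: "/sbin/init", 901: "/usr/sbin/mysqld", 950: "/usr/bin/screen"}


def parse_ps(output):
    """Return (pid, user, command) tuples, dropping the header and tree art."""
    rows = []
    for line in output.splitlines()[1:]:
        fields = line.split(None, 10)          # COMMAND is the 11th column
        if len(fields) < 11:
            continue
        command = re.sub(r"^[\s\\_|]+", "", fields[10])
        rows.append((int(fields[1]), fields[0], command))
    return rows

def argv0_name(command):
    """Name as ps shows it: basename of the first word of COMMAND."""
    return os.path.basename(command.split()[0])

def flag_by_name(rows, banned=BANNED):
    """Name-only match, as the thread describes nodewatch doing."""
    return [pid for pid, _user, command in rows if argv0_name(command) in banned]

def flag_by_exe(rows, exe_by_pid, banned=BANNED):
    """Judge by the binary behind the pid; also report a name/binary mismatch."""
    hits = {}
    for pid, _user, command in rows:
        exe = exe_by_pid.get(pid)
        if exe is None:
            continue
        shown, real = argv0_name(command), os.path.basename(exe)
        if real in banned:
            hits[pid] = "banned binary: " + real
        elif shown != real:
            hits[pid] = "ps shows %r but the binary is %r" % (shown, real)
    return hits
```

The name-only check flags both pids 901 and 950 alike, while the exe-based check separates the genuine mysqld from the renamed screen and reports the latter as a name/binary mismatch rather than as a banned process.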
A couple of times I got providers logging into my VPS without my permission; I just cancelled with them the next month.
Alright, so obviously they have fixed it now, or OP ran something else than MySQL.
Edit: And why does the quoting with @[user] work this badly in the last few days for me? So many are answering and quoting me without @..
I think what @kcaj said is more likely (they aren't just going off the process names)?
Woops
Crissic in crisis condition
Alright, addition: or OP did whatever / faked the whole email to harm Crissic's reputation. Would be pretty nasty.
Quadranet / Crissic wrongly suspended me. A quick ticket and I got - basically instantly- a very friendly reply and the issue was resolved. I'm very impressed by the support quality at the new Crissic. I only wish the migration notification had been a bit further out from the actual migration.
Because Vanillaforums sucks.
"Process name detected: mysql" , single thing which sucks is abuse message template here.. they can tell you what evil connections you made, maybe a copy of binary to understand if someone hacked you and spoffed process name.. and i can not understand why they not automatically delete evil files if they scans your vps..
What is "spoffing"? I only know spoofing.
Any updates on this? Crissic should've responded by now.
No ISP should EVER touch files inside a VPS - malicious or not.
Idk dude, it's really hard to understand my 3l33t l4ngu4g3.
@William, That's true! But reading this abuse report .. it seems like they do.
Not as such, they scanned them yes but they didn't actually alter or delete the files which could get them in trouble.
Having an automated tool remove files because it thinks they're malicious isn't going to end well, just ask the antivirus vendors who've managed to nuke OS installs that way.
Testing the Miami dc network
CPU model : Intel(R) Xeon(R) CPU X5650 @ 2.67GHz
Number of cores : 3
CPU frequency : 2659.959 MHz
Total amount of ram : 512 MB
Total amount of swap : 512 MB
System uptime : 1:19,
Download speed from CacheFly: 18.9MB/s
Download speed from Coloat, Atlanta GA: 59.6MB/s
Download speed from Softlayer, Dallas, TX: 63.8MB/s
Download speed from Linode, Tokyo, JP: 356KB/s
Download speed from i3d.net, Rotterdam, NL: 2.10MB/s
Download speed from Leaseweb, Haarlem, NL: 6.60MB/s
Download speed from Softlayer, Singapore: 5.58MB/s
Download speed from Softlayer, Seattle, WA: 24.6MB/s
Download speed from Softlayer, San Jose, CA: 30.0MB/s
Download speed from Softlayer, Washington, DC: 9.61MB/s
I/O speed : 124 MB/s
Looks useless outside the US...
EU and AS peering looks terrible
Took the full 20 minutes to complete the benchmark...
closed since issue has been resolved according to this post http://www.lowendtalk.com/discussion/comment/1231249/#Comment_1231249