New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
False abuse report from C-Servers
I purchased a NAT VPS from them recently, but I barely used it at all — no scanning, no brute force, no flooding, nothing of that sort.
Out of nowhere, I received a long abuse report claiming my VPS was involved in:
- TCP SYN port scanning
- SSH brute force
- UDP flooding
- NTP amplification scanning
- Proxy harvesting
They also stated thousands of violations within minutes and claimed severe impact on other users.
However, the issue is:
I did not run any such activity on the VPS. In fact, the server was essentially idle most of the time.
They're not providing any concrete logs or evidence beyond general statements.
And, this reads more like a termination notice than a technical audit report.
I’m not concerned about the loss, just a heads-up for others.
Dear user,
Subsequently to a thorough analysis after Zeta.10 Houston became available again, at 16h15 WET, we proceeded with a technical networking analysis between 16h15 WET and 20h15 WET, in order to collect, interpretate and understand what ultimately caused Zeta.10 Houston to be down during this period.
Your service or services were found violating the Terms and Conditions and the Fair Usage Policy - most specifically, by one or more of these reasons:
TCP SYN IPv4 Port Scanning on the vast majority of users and services, in several instances at port 80 and for Chinese IPs, but not only at port 80 nor for Chinese IPs, the highest offender of which managed to register a count of 2990 violations over 23 minutes (!);
Usage of SSH bruteforce attempts, steeming from the VPS service, at selected ports;
UDP flooding (73-114 byte packets were analyzed, most specifically);
NTP amplification scanning (in 1 isolated case);
Proxy harvesting over TCP;
Other unusual traffic also registered over TCP/HTTP;
Entirely and fully bogus registration details, and simultaneously suspicious usage already seen, posing severe additional systemic risk on the sustainability of the service to the existing users;
PayPal disputes, lost or won (and every 7 out of 10 were won by Centerfield Ltd), that effectively have broken the company's trust on the user, as usual and standard on these matters.
It is important to state that we did not penalize, nor report, any users that were using services such as CloudFlare WARP and similar, nor any P2P usage, nor any similar grey-area usage. We did not also interfere or tamper, in any way, with your VPS service, as the pickup of packages was done direct at the corresponding NAT bridge to where all VPS services must communicate first.
We used tcpdump and a professional IDS/IPS service to produce the correspondent results, on a configuration already battle-tested and widely pre-vetted.
The resulting analysis was executed from the very moment the global server restarted, up to each corresponding period. A global serving of nearly 17000 TCP packages and 92000 UDP packages, registered over a period of 23 minutes (for TCP) and 6 minutes (for UDP), were plenty and enough to find the severe violations at hand.
This must be stated
Your action has caused severe harm to hundreds of users, that have been unduly deprived of using their bought service to what they intended to do, for a total period of 12 days.
Moreover, your malicious action has caused potential damages yet to be calculated to Centerfield Ltd, and absolutely calculated to our honorable upstream for this server, DartNode (Snaju Inc), which provides us with a service that has allowed us to provide you, in turn, below-average market pricing.
You abused your position at this Company.
You used a purchased Service to proceed your malicious intentions, with entire and full disregard not only for the sharing users at this server, but also for the entire community. With your action, you've irresponsibly put at risk the lives of those who depend on our services to work on what they need to work, but also the very own Company you purchased your services from.
This must have an action.
DartNode, as the upstream with an IP affected by your malicious usage, naturally wants to have this issue corrected. And we will correct it.
Therefore, with immediate effect, your service and the entirety of your customer relationship with Centerfield Ltd, including other services, is terminated with no possible appeal, refund, or any other compensation by default. Any exceptions to these rules are exceptions to the entire and full discretion of Centerfield Ltd without serving as an example for the matter at hand, and are hereby declared explicitly unusable and unappealable.
No additional detail will be provided for you. This e-mail has already plenty of it.
Centerfield Ltd
Comments
A number of people have reported that they received this. I think everyone behind a particular NAT IP is being terminated because someone there was spamming/scanning/abuse, and the owner couldn't find out which one it was.
See https://lowendtalk.com/discussion/215850/c-servers-vps-suspended-without-notice-beware-before-buying/.
Sounds like this might be related: https://lowendtalk.com/discussion/215987/reddit-user-has-their-vps-backdoored
The OP's VPS was accessed from their provider's control panel and they identified the issue thanks to their monitoring. From the linked Reddit thread:
Did you have monitoring configured on the VPS? And what VPS control panel does C-Servers use?
I monitored it for a while (komari), and the average CPU load 1-5%.
They are using VirtFusion.
I don't think it was hacked, probably just a mistake
Just seen another thread about them terminating VMs for whatever reason they feel and it seems their monitoring probably isn't what they claim it to be, so it's probably not a hack like the Reddit OP: https://lowendtalk.com/discussion/215850/c-servers-vps-suspended-without-notice-beware-before-buying/
Some MJJs are really naughty and not in a good way. You would expect for MJJs to enjoy the freedom of porn, but no — they abuse the services and become noisy neighbours. Shame on such bad apples who destroy the adult fun of others!
My guess is that the network on the server is poorly configured.