# 247RACK - was it right that they did this to me?



## orizzler (Jan 3, 2014)

Got this email at about 2 AM:



> As indicated in an earlier message, we have uncovered malicious / illicit software running on several VPS and other server related products. This malicious software can allow a remote attacker partial or complete control over your environment. There is a risk that the issue may propagate to adjacent systems if it is not immediately quarantined.
> 
> 
> 
> ...


I thought this was a phishing attempt at first - who really asks their users for their root password?  I am very meticulous about checking my logs daily, and I am the only one that has access to my VPS via ssh keys - all password authentication is disabled.  My server was shut down for 12 hours yesterday with no warning to me and no chance to log in to my server to inspect any potential damage or secure my files.  This is a production server that hosts multiple websites.  They finally restored my access after 12 hours and multiple tickets and finding nothing malicious on the server, saying that they made a mistake by saying it had been infected.

My question is, is it right that they acted as judge and jury and shut down my server with no warning on a mere "hunch" that something might be wrong?  I am wondering how many other users woke up to the same message.  Should I be concerned that this would happen again, and should I look for a different provider?


----------



## Aldryic C'boas (Jan 3, 2014)

It's worth noting that several SBL-like services will send notifications to ISPs/providers when malicious scripts/malware/etc are detected on a website.  It's quite possible they were acting off of such a notification.  I would definitely ask them why you were investigated in the first place.


----------



## mikho (Jan 3, 2014)

The email looks like it's about Windows systems for remote desktop browsing (and other stuff).


If I read between the lines it looks like a virus or malware got installed on at least one server; it could even be that the malware was installed in their template and then affected all servers provisioned from it. When it comes to Windows it could also mean that when they patched their template long ago some service was misconfigured, which could lead to abuse by others (or access to the system); to stop this before it actually happened they issued this.


Only way to find out is to open a ticket and ask, hopefully they will be honest with their answer.


----------



## orizzler (Jan 3, 2014)

I have asked them multiple times with no straight answer. I will try again. Very frustrating...

Just to clarify, I am on a Linux box. I don't have anything to do with Remote Desktop.


----------



## Aldryic C'boas (Jan 3, 2014)

orizzler said:


> I have asked them multiple times with no straight answer. I will try again. Very frustrating...
> 
> Just to clarify, I am on a Linux box. I don't have anything to do with Remote Desktop.


Honestly, I would just ask them why you specifically were investigated.  If they received a report about your IP from a known 3rd party, that's one thing.  If they decided to up and 'investigate' you on their own... that's rather troubling.


----------



## httpzoom (Jan 3, 2014)

Seems fair enough to me. They will have had a report and they want to confirm what you are doing with the VPS.


----------



## GIANT_CRAB (Jan 3, 2014)

httpzoom said:


> Seems fair enough to me. They will have had a report and they want to confirm what you are doing with the VPS.


It's like getting detained for 1 year without a warrant just because you searched for "how does nuclear bomb works" on Google.

If that's okay with you, go surrender yourself to the FBI.


----------



## orizzler (Jan 3, 2014)

> Your VPS among several others were quarantined and filtered one by one to avoid network wide problems.
> Regards,
> 
> Jack


Finally got a reply - very descriptive. Never offered any apology. Hopefully posting here will let others know what to watch out for if considering 247rack.


----------



## Aldryic C'boas (Jan 3, 2014)

So, no real answer then?  This sounds a bit like "Whoops, we screwed up/jumped the gun, and don't want to admit to it".

Out of curiosity.. is this OpenVZ or KVM?


----------



## switsys (Jan 3, 2014)

They seem to think you are a doctor or something, since they "ask for your patients"

Jokes aside; I think you should switch to another provider.


----------



## orizzler (Jan 3, 2014)

Aldryic C said:


> So, no real answer then?  This sounds a bit like "Whoops, we screwed up/jumped the gun, and don't want to admit to it".
> 
> Out of curiosity.. is this OpenVZ or KVM?


I figured they screwed up, too. I was guilty until proven innocent.

They are using VMware.


----------



## Aldryic C'boas (Jan 3, 2014)

Yeesh, that's pretty harsh.  Without concrete evidence of abuse, the absolute most they should've done is simply notified you, and maybe nullrouted the IP (which would still leave the VM accessible to you).  Hopefully just a misunderstanding and not a trend, though.


----------



## cubixcloud (Jan 3, 2014)

Was it right? Probably not.

We could all guess all day what really happened. The truth will probably never be told. But if I had to guess, the VMware hypervisor was compromised.


----------



## VPSbell (Jan 4, 2014)

@orizzler

Based on your first post ("As indicated in an earlier message, "), it looks like they sent a message or some sort of communication prior to this one?

How long have you been with them? How was your uptime? That really matters as to whether they are solid or not.

When you got your VPS back, was it messed up in any way?


----------



## orizzler (Jan 6, 2014)

VPSbell said:


> @orizzler
> 
> Based on your first post "As indicated in an earlier message, "   Looks like they sent a message or some sort of communication prior to this one?
> 
> ...


They had sent out an email 1 hour before shutting down my VPS telling me that multiple VPSes were going to be quarantined, and no definitive answer if mine was one of them.  Yes, 1 hour notice, at 2 AM.

I had been with them for almost a year exactly and am up for renewal.  Most likely will be bailing now.  Their customer support team has been rude to me throughout this ordeal.  I haven't had any problems with the service, but it's tough for me to look past this situation.


----------



## VPSbell (Jan 15, 2014)

orizzler said:


> I haven't had any problems with the service, but it's tough for me to look past this situation.


If it was me this is what matters the most to me... If I'm with a company for a year and have not had any problem with the service then that's really solid...

I use VPSs for business not for leisure... Uptime is the most determining factor to me...

I most likely believe that they must have got an abuse notification and had to respond to it... I would not replace them since I have a solid year with them; however, you have every right to check other options as you are up for renewal.

Also if you have not had any issue since you got your VPS back that also may lean towards believing their part of the story...

Another thought: after looking at their site and spending some time analyzing your posts... Most companies who offer hosting solutions with different lines of products, as they offer more of an enterprise solution rather than just slicing VPSs; usually VPS is the most irritating line and the least profitable for them, so look at the larger picture.

Hope that helps!


----------



## VPSbell (Feb 7, 2014)

Any updates here.. What did you end up doing with them?

I have signed up for their cloud service starter product 1511 and I have had nothing but good experience so far: almost 3 weeks, 100% uptime. Keeping my fingers crossed..

https://www.247rack.com/pages-VMware-Private-Cloud.php


----------

