amuck-landowner

247RACK - was it right that they did this to me?

orizzler

New Member
Got this email at about 2 AM:

As indicated in an earlier message, we have uncovered malicious / illicit software running on several VPS and other server related products. This malicious software can allow a remote attacker partial or complete control over your environment. There is a risk that the issue may propagate to adjacent systems if it is not immediately quarantined.

 

Unfortunately, your system bearing IP Address: XXX.XXX.XXX.XXX has been identified as one of the affected servers and will need to be quarantined. We have prepared a temporary platform for you to access while we attempt to remediate the issue.

Since you may have critical data files on the affected system, we are prepared to migrate any important data as you require to get you operational on the new platform.

Please review and proceed with the following actions:

1. To facilitate this process, please provide a list of files/directories that you need migrated and your system (administrator) login password, so that we may access the server and recover your files.

2. Log in to your 247Rack customer profile and locate the replacement platform DEDICATED IP address and new system PASSWORD.

3. Update your Remote Desktop or other RDP client tools to reflect the new DEDICATED IP address and verify connectivity to the server.

4. Once you are on the new server, you may apply any changes and install applications as needed to support your VPS purpose.

We are here to support you if you need help. Please feel free to contact us to guide you through the setup process.

We ask for your patients & cooperation to prevent further system impact while we assess the problem and remediate the underlying cause.

 

Regards,

247Rack Support

 

Note: If for any reason we are not able to provide the service you have come to expect - our leadership would like to hear from you. - e-mail : [email protected]
I thought this was a phishing attempt at first - who really asks their users for their root password?  I am very meticulous about checking my logs daily, and I am the only one that has access to my VPS via ssh keys - all password authentication is disabled.  My server was shut down for 12 hours yesterday with no warning to me and no chance to log in to my server to inspect any potential damage or secure my files.  This is a production server that hosts multiple websites.  They finally restored my access after 12 hours and multiple tickets and finding nothing malicious on the server, saying that they made a mistake by saying it had been infected.

My question is, is it right that they acted as judge and jury and shut down my server with no warning on a mere "hunch" that something might be wrong?  I am wondering how many other users woke up to the same message.  Should I be concerned that this would happen again, and should I look for a different provider?
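As an added example (not code from the original post, the thread, or 247Rack), here is the kind of check a practitioner in the original poster's position would want to hand a provider instead of a root password: it confirms from the sshd configuration that the host really is key-only, and it audits an auth log for any login that succeeded with a password and for failed attempts per source address. The config snippets and log lines are constructed for the example, and the hostnames, usernames and IP addresses are hypothetical.

```python
import re
from collections import Counter

# Constructed hardened sshd_config sample (not from the original post).
SAMPLE_HARDENED_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
"""

# Constructed weak sample: the key line is commented out, so sshd's default
# (PasswordAuthentication yes) silently applies.
SAMPLE_WEAK_CONFIG = """\
Port 22
#PasswordAuthentication no
PermitRootLogin yes
"""

# Constructed auth.log lines, Debian/Ubuntu syslog format, hypothetical IPs.
SAMPLE_AUTH_LOG = """\
Mar 12 02:01:15 vps sshd[2103]: Accepted publickey for deploy from 203.0.113.5 port 51022 ssh2: ED25519 SHA256:abc
Mar 12 02:03:40 vps sshd[2110]: Failed password for root from 198.51.100.77 port 43210 ssh2
Mar 12 02:03:42 vps sshd[2110]: Failed password for root from 198.51.100.77 port 43210 ssh2
Mar 12 02:04:10 vps sshd[2115]: Failed password for invalid user oracle from 192.0.2.9 port 40011 ssh2
Mar 12 02:05:01 vps sshd[2120]: Accepted password for admin from 198.51.100.77 port 43300 ssh2
"""

# keyword: (sshd default, values acceptable on a key-only host). Both
# spellings of the keyboard-interactive keyword are checked: leaving either
# at "yes" lets PAM prompt for a password despite PasswordAuthentication no.
POLICY = {
    "passwordauthentication": ("yes", {"no"}),
    "challengeresponseauthentication": ("yes", {"no"}),
    "kbdinteractiveauthentication": ("yes", {"no"}),
    "pubkeyauthentication": ("yes", {"yes"}),
    "permitrootlogin": ("prohibit-password", {"no", "prohibit-password"}),
}

def parse_sshd_config(text):
    """Lowercased keyword -> value, first occurrence wins (sshd's rule).
    Stops at the first Match block; Match overrides need separate review."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "match":
            break
        settings.setdefault(key, value.strip())
    return settings

def config_findings(text):
    """[(keyword, effective value)] for settings outside POLICY; defaults count."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (default, allowed) in POLICY.items():
        label = settings.get(key, default + " (default)")
        if label.split(" ", 1)[0].lower() not in allowed:
            findings.append((key, label))
    return findings

LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def audit_auth_log(text):
    """(password_logins, failed_by_ip): successful logins that used a
    password, and failed attempts counted per source IP."""
    password_logins = []
    failed_by_ip = Counter()
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        if m["result"] == "Failed":
            failed_by_ip[m["ip"]] += 1
        elif m["method"] == "password":
            password_logins.append((m["user"], m["ip"]))
    return password_logins, failed_by_ip

if __name__ == "__main__":
    print("hardened:", config_findings(SAMPLE_HARDENED_CONFIG) or "no findings")
    print("weak:", config_findings(SAMPLE_WEAK_CONFIG))
    print("password logins / failed by IP:", audit_auth_log(SAMPLE_AUTH_LOG))
```

On a real host, feed `parse_sshd_config` the output of `sshd -T` rather than the file: that prints the effective configuration with defaults and includes resolved, so a commented-out line or a stray `Match` block cannot hide a password-enabled setting. Any entry in `password_logins` on a host believed to be key-only is the thing to investigate, and the failed-attempt counts are what an abuse report about your IP would typically be built from.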
 

Aldryic C'boas

The Pony
It's worth noting that several SBL-like services will send notifications to ISPs/providers when malicious scripts/malware/etc are detected on a website.  It's quite possible they were acting off of such a notification.  I would definitely ask them why you were investigated in the first place.
 

mikho

Not to be taken seriously, ever!
The email looks like it's about Windows systems, with Remote Desktop access (and other stuff).


If I read between the lines, it looks like a virus or malware got installed on at least one server; it could even be that the malware was in their template and then affected all servers provisioned from it. When it comes to Windows, it could also mean that when they patched their template long ago some service was misconfigured, which could lead to abuse by others (or access to the system); to stop this before it actually happened, they issued this.


Only way to find out is to open a ticket and ask, hopefully they will be honest with their answer.
 

orizzler

New Member
I have asked them multiple times with no straight answer. I will try again. Very frustrating...

Just to clarify, I am on a Linux box. I don't have anything to do with Remote Desktop.
 

Aldryic C'boas

The Pony
I have asked them multiple times with no straight answer. I will try again. Very frustrating...

Just to clarify, I am on a Linux box. I don't have anything to do with Remote Desktop.
Honestly, I would just ask them why you specifically were investigated.  If they received a report about your IP from a known 3rd party, that's one thing.  If they decided to up and 'investigate' you on their own... that's rather troubling.
 

httpzoom

New Member
Verified Provider
Seems fair enough to me. They will have had a report and they want to confirm what you are doing with the VPS.
 

GIANT_CRAB

New Member
Seems fair enough to me. They will have had a report and they want to confirm what you are doing with the VPS.
It's like getting detained for 1 year without a warrant just because you searched for "how does nuclear bomb works" on Google.

If that's okay with you, go surrender yourself to the FBI.
 

orizzler

New Member
Your VPS, among several others, was quarantined and filtered one by one to avoid network-wide problems.
Regards,

Jack
Finally got a reply - very descriptive. Never offered any apology. Hopefully posting here will let others know what to watch out for if considering 247rack.
 

Aldryic C'boas

The Pony
So, no real answer then?  This sounds a bit like "Whoops, we screwed up/jumped the gun, and don't want to admit to it".

Out of curiosity.. is this OpenVZ or KVM?
 

switsys

Active Member
They seem to think you are a doctor or something, since they "ask for your patients".

Jokes aside; I think you should switch to another provider.
 

orizzler

New Member
So, no real answer then?  This sounds a bit like "Whoops, we screwed up/jumped the gun, and don't want to admit to it".

Out of curiosity.. is this OpenVZ or KVM?
I figured they screwed up, too. I was guilty until proven innocent.

They are using VMware.
 

Aldryic C'boas

The Pony
Yeesh, that's pretty harsh.  Without concrete evidence of abuse, the absolute most they should've done is simply notified you, and maybe nullrouted the IP (which would still leave the VM accessible to you).  Hopefully just a misunderstanding and not a trend, though.
 

cubixcloud

Member
Verified Provider
Was it right? Probably not.

We could all guess all day what really happened. The truth will probably never be told. But if I had to guess, the VMware hypervisor was compromised.
 

VPSbell

New Member
@orizzler

Based on your first post ("As indicated in an earlier message"), it looks like they sent a message or some sort of communication prior to this one?

How long have you been with them? How was your uptime? That really matters in judging whether they are solid or not.

When you got back your VPS, was it messed up in any way?
 

orizzler

New Member
@orizzler

Based on your first post ("As indicated in an earlier message"), it looks like they sent a message or some sort of communication prior to this one?

How long have you been with them? How was your uptime? That really matters in judging whether they are solid or not.

When you got back your VPS, was it messed up in any way?
They had sent out an email 1 hour before shutting down my VPS telling me that multiple VPSes were going to be quarantined, and no definitive answer if mine was one of them.  Yes, 1 hour notice, at 2 AM.

I had been with them for almost a year exactly and am up for renewal.  Most likely will be bailing now.  Their customer support team has been rude to me throughout this ordeal.  I haven't had any problems with the service, but it's tough for me to look past this situation.
 

VPSbell

New Member
I haven't had any problems with the service, but it's tough for me to look past this situation.
If it were me, this is what matters the most to me... If I'm with a company for a year and have not had any problem with the service, then that's really solid...

I use VPSs for business not for leisure... Uptime is the most determining factor to me...

I'm inclined to believe that they must have got an abuse notification and had to respond to it... I would not replace them, since I'd have a solid year with them; however, you have every right to check other options, as you are up for renewal.

Also if you have not had any issue since you got your VPS back that also may lean towards believing their part of the story...

Another thought: after looking at their site and spending some time analyzing your posts... Most companies that offer hosting solutions with different lines of products, as they do, are more of an enterprise solution than just a VPS slicer. Usually VPS is the most irritating line and the least profitable for them, so look at the larger picture :)

Hope that helps!
 