Thread: OVH / kimsufi is one of the worst providers i've ever delt with

Hello all.

This is just a quick note to tell you to stay away from OVH / kimsufi.

I've got a dedicated server with them that has recently suffered a few DDOS attacks. I initially e-mailed them and it took them over 7 days to implement their "DDOS protection" which basically rate limits the downstream of the server to 3k/s (if you are lucky) and didn't block any of the attacks. The attacks stopped and I asked them to remove this pathetic feature which again took them more than a week.

Today another attack started and they sent me the following e-mail:

Dear Sir or Madam,

We had to conduct an urgent intervention on your dedicated server
ksxxxx.kimsufi.com to block an attack. It looks like your dedicated server
has a security fault or a malicious user has obtained access.

We had to deactivate your server. Full re-installation of the
server is needed due to the scale of the attack. Please
contact our support if you need advice on necessary measures.

You will find below the information about processes run and ports open on your server at the beginning of intervention

------- BEGINNING OF ADDITIONAL INFORMATION ABOUT ATTACK -------

attack


------- END OF ADDITIONAL INFORMATION ABOUT ATTACK -------


They then proceeded to reboot my server into "rescue mode" which basically just allows me to mount the disk and retrieve data.

The first thing I did was call them and the person on the end of the phone seemed completely disinterested, he wanted me to e-mail them (?) and ask them to re-instate the server which he said would then be passed to their technical team. I explained to him that every time I have to deal with their technical team it takes at least 48 hours for any sort of response but he didn't seem to care. He said "the fastest way to get your server back on-line would be to reformat it and reinstall all your data" i then replied "why should I have to download 20GB of data to my home machine then re-upload it again because you incorrectly think my server has been hacked?" to which he replied "well we can sell you a mountable 500GB usb drive to put your data on before the re-install".

I e-mailed them and got the following response:

---------------------
Dear customer,

I'm afraid that we have little room for these sort of cases. If a hacking has been detected from your server is because a serious breach has happened, we don't request the reinstallation of the server because of petty things.

I'm afraid that the only option left is reinstallation. You've been given access codes to get to the server and retrieve your data and after that, you can launch a reinstallation.

Kind regards

Marc
OVH Customer Support Adviser
------------

So they are trying to force me to waste 6 hours re-installing the server when I know for a FACT that it hasn't been compromised.

Poor service.

To be honest I'm shocked.

Anyone else with OVH customer support experiences?

My last monthly invoice was £68.98

All I run on the server is a small java game that has around 90 people on-line at maximum and a forum. I presume some kid with a botnet got banned and decided to take revenge but honestly I don't have a clue.

Originally Posted by goscombtech

May I ask how you know for a fact it hasn't been compromised?

OVH sent me this message after I waited a week for a response from them:

"Dear customer,

sorry for the delay, I must apologize, but it's been quite difficult to collect the information.

your server has been closed because of the following file found in your server:

-rwxr-xr-x 1 root root 48 May 14 23:58 syn

#!/bin/bash
while true; do
synd
sleep 20

It looks like somebody has broken into your server and left this, or at least that's what we have to believe.

Therefore, the security of the server has been compromised, and reinstallation is needed. Till you have done that, you won't be able to use it. I suggest you to go ahead and do it as soon as possible."

Now the synd script is:

PHP Code:

#!/bin/sh
load_conf()
{
    CONF="/usr/local/synd/synd.conf"
    if [ -f "$CONF" ] && [ ! "$CONF" ==    "" ]; then
        source $CONF
    else
        head
        echo "\$CONF not found."
        exit 1
    fi
}

head()
{
    echo "Syn-Deflate version 0.1 alpha"
    echo "Based on Dos-Deflate - felosi <admin@nix101.com>"
    echo
}

showhelp()
{
    head
    echo 'Usage: synd.sh [OPTIONS] [N]'
    echo 'N : number of SYN_RECV connections (default 10)'
    echo 'OPTIONS:'
    echo '-h | --help: Show    this help screen'
    echo '-c | --cron: Create cron job to run this script regularly (default 1 mins)'
    echo '-k | --kill: Block the offending ip making more than N SYN_RECV connections'
}

unbanip()
{
    UNBAN_SCRIPT=`mktemp /tmp/unban.XXXXXXXX`
    TMP_FILE=`mktemp /tmp/unban.XXXXXXXX`
    UNBAN_IP_LIST=`mktemp /tmp/unban.XXXXXXXX`
    echo '#!/bin/sh' > $UNBAN_SCRIPT
    echo "sleep $BAN_PERIOD" >> $UNBAN_SCRIPT
    if [ $APF_BAN -eq 1 ]; then
        while read line; do
            echo "$APF -d $line" >> $UNBAN_SCRIPT
            echo $line >> $UNBAN_IP_LIST
        done < $BANNED_IP_LIST
    else
        while read line; do
            echo "$IPT -D INPUT -s $line -j DROP" >> $UNBAN_SCRIPT
            echo $line >> $UNBAN_IP_LIST
        done < $BANNED_IP_LIST
    fi
    echo "grep -v --file=$UNBAN_IP_LIST $IGNORE_IP_LIST > $TMP_FILE" >> $UNBAN_SCRIPT
    echo "mv $TMP_FILE $IGNORE_IP_LIST" >> $UNBAN_SCRIPT
    echo "rm -f $UNBAN_SCRIPT" >> $UNBAN_SCRIPT
    echo "rm -f $UNBAN_IP_LIST" >> $UNBAN_SCRIPT
    echo "rm -f $TMP_FILE" >> $UNBAN_SCRIPT
    . $UNBAN_SCRIPT &
}

add_to_cron()
{
    rm -f $CRON
    sleep 1
    service crond restart
    sleep 1
    echo "SHELL=/bin/sh" > $CRON
    if [ $FREQ -le 2 ]; then
        echo "0-59/$FREQ * * * * root /usr/local/synd/synd.sh >/dev/null 2>&1" >> $CRON
    else
        let "START_MINUTE = $RANDOM % ($FREQ - 1)"
        let "START_MINUTE = $START_MINUTE + 1"
        let "END_MINUTE = 60 - $FREQ + $START_MINUTE"
        echo "$START_MINUTE-$END_MINUTE/$FREQ * * * * root /usr/local/synd/synd.sh >/dev/null 2>&1" >> $CRON
    fi
    service crond restart
}


load_conf
while [ $1 ]; do
    case $1 in
        '-h' | '--help' | '?' )
            showhelp
            exit
            ;;
        '--cron' | '-c' )
            add_to_cron
            exit
            ;;
        '--kill' | '-k' )
            KILL=1
            ;;
         *[0-9]* )
            NO_OF_CONNECTIONS=$1
            ;;
        * )
            showhelp
            exit
            ;;
    esac
    shift
done

TMP_PREFIX='/tmp/synd'
TMP_FILE="mktemp $TMP_PREFIX.XXXXXXXX"
BANNED_IP_MAIL=`$TMP_FILE`
BANNED_IP_LIST=`$TMP_FILE`
echo "Banned the following ip addresses on `date`" > $BANNED_IP_MAIL
echo >>    $BANNED_IP_MAIL
BAD_IP_LIST=`$TMP_FILE`
netstat -ntu | grep SYN_RECV | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST
cat $BAD_IP_LIST
if [ $KILL -eq 1 ]; then
    IP_BAN_NOW=0
    while read line; do
        CURR_LINE_CONN=$(echo $line | cut -d" " -f1)
        CURR_LINE_IP=$(echo $line | cut -d" " -f2)
        if [ $CURR_LINE_CONN -lt $NO_OF_CONNECTIONS ]; then
            break
        fi
        IGNORE_BAN=`grep -c $CURR_LINE_IP $IGNORE_IP_LIST`
        if [ $IGNORE_BAN -ge 1 ]; then
            continue
        fi
        IP_BAN_NOW=1
        echo "$CURR_LINE_IP with $CURR_LINE_CONN SYN_RECV connections" >> $BANNED_IP_MAIL
        echo $CURR_LINE_IP >> $BANNED_IP_LIST
        echo $CURR_LINE_IP >> $IGNORE_IP_LIST
        if [ $APF_BAN -eq 1 ]; then
            $APF -d $CURR_LINE_IP
        else
            $IPT -I INPUT -s $CURR_LINE_IP -j DROP
        fi
    done < $BAD_IP_LIST
    if [ $IP_BAN_NOW -eq 1 ]; then
        dt=`date`
                hn=`hostname`
#        if [ $EMAIL_TO != "" ]; then
#            cat $BANNED_IP_MAIL | mail -s "IP addresses banned on $dt $hn" $EMAIL_TO
#        fi
        unbanip
    fi
fi
rm -f $TMP_PREFIX.* 


Basically it just checks for syn connections and blocks people in the firewall.

Originally Posted by reedox

So they are trying to force me to waste 6 hours re-installing the server when I know for a FACT that it hasn't been compromised.

So I assume you didn't place this script there yourself?

Still interested in how you could be so 100% sure that you hadn't then find out that you had been breached!

I think Leigh just started spaming old thread and you guys are covering for him!