Suspension Question/Netrillium
Addie 05-05-2003, 10:39 PM Hey guys,
Got a question. I run both my domains through Host Rocket, and one of them was suspended today for this reason: "After killing bnc process running on server, found that it was being running from your directory. Also found bindshells and other prohibited scripts." I don't even know what that MEANS, and I KNOW I didn't put anything in any of my directories that would cause any problems, unless I was hacked. I responded to them early this morning and still haven't gotten a response, so I'm a little heated. Okay, a lot. Anyway, since they haven't had the time to reply yet, could someone please explain to me what the heck that even means? :angry:
Also, I'm definitely moving both my sites, now. I've never had any major problems with HR but little things have been building up... PHP problems, CHMOD errors that weren't my doing, FTP problems, and now this. I guess the delay in any kind of response has me the most angry. I've read a lot of good things about Netrillium, and I think I'm going there. I've already done the search on them, but if anyone has anything additional to say, good or bad, please do!
Thanks!
Coach 05-05-2003, 11:04 PM A BNC process is a process that is running in the background on a server that is used for IRC channels.
Bindshells are remotely accessible shell scripts that are placed on a system. Once they are actually placed on a server, a hacker can execute basically anything that they want.
Either your site or the server has definitely been hacked.
sprintserve 05-06-2003, 12:12 AM BNC is short for bouncers. The primary use for it is to act as a proxy when you connect to IRC networks. For example, if you connect to IRC directly, your real IP/ISP/masks and so on can be seen and found with a simple IRC query. What BNC does is to act as a layer. So when you connect, you first connect to a BNC, and the BNC will connect to the IRC networks. So anyone attempting to do a query on your IP will actually get the IP of your BNC and not your real IP.
If it is not your fault, I would say give HR a chance to resolve it. Moving sites can't be very fun. :)
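The posts above describe a bouncer and a bind shell in terms of what they are; from the host's side both show up the same way, as a listening socket the account was never meant to have. The script below is an added example (not code from anyone in this thread or from Host Rocket) that audits `netstat -tlnp` style output against an allowlist of expected service ports and flags anything else, with an extra note when the listener is a script interpreter. The sample output and the port allowlist are constructed for illustration.

```python
"""Audit listening TCP sockets from `netstat -tlnp` output against an allowlist.

Added example; the sample output below is constructed, not captured from the
server discussed in the thread. Port numbers and program names are illustrative.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Ports this (hypothetical) shared web host expects to have listening.
EXPECTED_PORTS = {21, 22, 25, 80, 110, 143, 443, 3306}

# Interpreters a bouncer or bind shell is commonly launched through; a listener
# owned by one of these outside the expected ports is a strong signal.
SCRIPT_INTERPRETERS = {"perl", "python", "sh", "bash", "php"}

# Constructed sample, shaped like `netstat -tlnp` on Linux.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1203/httpd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      955/mysqld
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      4242/perl
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      4301/psybnc
tcp6       0      0 :::443                  :::*                    LISTEN      1203/httpd
"""


@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    pid: Optional[int]
    program: str


def parse_netstat(output: str) -> list[Listener]:
    """Turn netstat data lines into Listener records; banner and header lines are skipped."""
    listeners = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 7 or not parts[0].startswith("tcp") or parts[5] != "LISTEN":
            continue
        # rsplit handles both "0.0.0.0:80" and the IPv6 form ":::443".
        addr, port = parts[3].rsplit(":", 1)
        pid_str, _, program = parts[6].partition("/")
        pid = int(pid_str) if pid_str.isdigit() else None
        listeners.append(Listener(parts[0], addr, int(port), pid, program))
    return listeners


def unexpected_listeners(output: str, expected_ports=EXPECTED_PORTS) -> list[dict]:
    """Return one finding per listener whose port is not on the allowlist."""
    findings = []
    for lst in parse_netstat(output):
        if lst.port in expected_ports:
            continue
        reason = "port not in allowlist"
        if lst.program.lower() in SCRIPT_INTERPRETERS:
            reason += "; listener is a script interpreter"
        findings.append({"port": lst.port, "pid": lst.pid, "program": lst.program, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"port {f['port']:>5}  pid {f['pid']}  {f['program']:<10} {f['reason']}")
```

On a real box you would feed it the live command output (`netstat -tlnp` needs root to show the PID/program column for other users' processes) and follow each hit back to the owning account, which is the step that tells a host whether the customer or a dropped script started the process.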
WiredMom 05-06-2003, 12:20 AM Netrillium is a good choice if you do decide to move.
As for the shells - do you run a program called Greymatter? Or a similar blog program that uses CGI or PHP?
There was a hack through greymatter comments that often found people uploading bindshells to accounts and gaining root access to a server through it. Very sticky.
Netrilli 05-06-2003, 12:24 AM That sounds very much like Greymatter. There have been recent problems with Greymatter's insecurity. Individuals are actually able to upload hacks to the archives folder, through your comments.
The files they upload are bindshell and phpshell, which in turn can help them install and run psybnc on the server. Many hosts are scared of this problem, but there is an easy fix.
The newest version of GM is patched, so there would be no problems like this. Also, we have a GM patch that you can install to any Greymatter that fixes the comments so no one can upload such files :)
Addie 05-06-2003, 12:32 AM I actually run Movable Type, and have for about 4-5 months now... I deleted all the GM entries from my site but a week or two ago I got email notification that someone had commented to a GM entry. It was quite strange. Thanks for the explanation... is this also possible through MT?
VapoRub 05-06-2003, 12:37 AM What kind of sites do you run?
FastHost 05-06-2003, 04:14 AM If you got a message a week or so ago stating someone commented, that comment could have possibly been from a hacker, and they could have gained access to your site within 1-2 weeks. This can be causing a problem if you run GreyMatter. Anyway, I would recommend going to http://cafelog.com and using the Greymatter to b2 Converter, as b2 is a lot more secure and also very much lower on the load. Greymatter has several load problems; if you run a locate gm.cgi on the server, you would be surprised at how many people actually run that program. Then again, you could stick with GM and have a higher load time on the server and fix the exploit. From my suggestion I would say go to B2. Also, Movable Type is CGI, which can always be a resource hog, although many like the program. I have played with it a bit and find it rather a pain in the ass to use at times, as it is close to Greymatter and you have to rebuild the stuff to make an entry show up, I believe, etc.
Netrillium I never heard anything bad about, although I don't use them or anything; I have heard of them through the forums here. Give them a shot, and if you don't like them, move, which can often be easy.
Addie 05-06-2003, 09:57 AM I've got a pretty large fansite and a personal domain - nothing major, but... god. HR STILL has not replied to anything regarding my suspension, but they DID reply to a ticket I sent in 12 hours later regarding my other domain and some different issues. I usually have quick service, but this is really, really bad. If it's something small I can wait a day or two (though I've never had to), but to be suspended and not be able to get to any of my files... I have everything except for my MT files.
Is this normal? I know HR has a really good reputation and I've never had major problems with them before... but to suspend someone for a problem that, from what everyone here is saying, they should've known I didn't create purposefully and take over 24 hours to reply?
Anyway, thanks again for all your help. I don't mean to dis HR because they've been good to me for like 3 years now. Oh, and fyi - you don't have to rebuild every time you post a new entry for MT, just every time you change the templates... which is still annoying, true. ;)
sprintserve 05-06-2003, 10:01 AM Well, it's not so clear-cut whether it's done purposefully or not. It may be. So as any responsible host, any of them would shut it down first pending investigations (or some for good).
If it is indeed investigations, it may take some time as that's a lot of logs to comb and such, and even then, it may not be 100% conclusive.
Addie 05-06-2003, 10:22 AM Okay, but they should have explained that to me in the initial email. That, and used English for us non-tech people. Badly done, in my opinion.
And if for some reason they decide to suspend me for good, I don't even get my files do I? That seems like it shouldn't even be legal. Two and a half years of journals gone, when I did nothing. I guess I'm getting ahead of myself, but god. There's a lesson to regularly back up.
Netrilli 05-06-2003, 11:28 AM Have you tried calling their support phone number? Perhaps that way you can get some insight on the situation.
Or at least ask them to unsuspend it enough so you can make a backup of your files.
Addie 05-06-2003, 11:40 PM Is this fair? I finally got a response that said absolutely nothing: "You were running scripts which for the purpose of exploiting the server. You will need to find a new web host." I didn't do anything purposefully. I already found a new host, but how can they just do that? I didn't know about this GM security breach. I've got 2 1/2 years of blog entries there that I don't have backed up. Which yeah, stupid, but god. Nowhere on their site do they say Greymatter is illegal. And now I'm practically sobbing because of something I didn't do. Thanks HostRocket! What a great host.
Netrilli 05-06-2003, 11:45 PM I'm sorry to hear that :(
Have you tried calling them on the phone and seeing if they will at least backup the files for you?
Mark_TVI 05-06-2003, 11:47 PM They could have at least allowed you to grab your files, especially since it would appear that it was not an intentional act on your part...
sprintserve 05-07-2003, 01:11 AM It depends. Some hosts will just delete the files on terminating the account, especially when there are exploits found. But you can cross your fingers and hope that's not the case. Ask them and see if they can let you have a backup of the site.
HRBrendan 05-07-2003, 08:21 AM If you tell me your domain name or ticket numbers I can check on this for you and let you know if we can provide you with a backup. It is strict company policy that only certain people can deal with tickets of this nature, and that any accounts caught with certain types of material on them will not be reopened. We don't do it because we're trying to be mean, we do it for the sake of our other customers on the same server/network, because certain scripts are an absolutely huge security risk. Whether you put them there yourself or they got there via an insecure script you were running or a password you have given to someone else or however it may have happened, you are still responsible for whatever is on your space on our servers.
-Brendan
Addie 05-07-2003, 12:21 PM My domain name is englishsun.org... thanks for helping out, or trying anyway. And I understand that I am responsible, but it still sucks. Oh well, time to let all my friends know to get rid of Greymatter.
Netrilli 05-07-2003, 12:27 PM Originally posted by Addie
My domain name is englishsun.org... thanks for helping out, or trying anyway. And I understand that I am responsible, but it still sucks. Oh well, time to let all my friends know to get rid of Greymatter.
Addie, if you wish to use MT or B2 in the future, e-mail me so I can help you with the setup.
HRBrendan 05-07-2003, 07:05 PM Originally posted by Addie
My domain name is englishsun.org... thanks for helping out, or trying anyway. And I understand that I am responsible, but it still sucks. Oh well, time to let all my friends know to get rid of Greymatter.
I have located the files, when I get back to the office tonight I will get them to you.
-Brendan
WiredMom 05-07-2003, 07:19 PM HRBrendan - do you want the script that I have that searches for insecure greymatter programs and patches them?
It only patches the comments phpshell exploit though.
HRBrendan 05-08-2003, 12:05 AM sure send it over it can't hurt - bbrader hostrocket.com
-Brendan