Burst.net Support is still lacking..

  #1  
Old 06-26-2001, 04:03 AM
Brad Brad is offline
Disabled
 
Join Date: May 2001
Location: Fresno, Ca.
Posts: 181

Burst.net Support is still lacking..


Ok everyone,

I've pretty much had it up to the top of my friggin' skull right now with Burst.net and it's time to vent frustrations and let people know how support is totally non-existent for some when needed.

Do I have anything against them? No, I'm sure they're nice people, they just need to be more responsive and professional to their clients.

If you remember right, I purchased a server not long ago, delayed as it was, it was the first sign of trouble. http://www.webhostingtalk.com/showth...threadid=13101

Well after getting the server it's been nothing short of a nightmare.

Not more than 24 hours later we get a message as follows,

“Did you install any other software on your system just now? Our monitoring system picked up that your machine was not serving pages”.

Uhh .. No. We haven’t even done anything with the server yet. - Well guess what? Server crash, HD I was told. They did a good job of returning the thing back online by early in the morning about 3-4 hours later.

When looking at the server the next morning, I noticed the Top command was not working from the control panel and the Akopia Interchange server was Red and non-operational, so I opened a ticket immediately; this was on the 18th. On the 19th, I fired off another ticket, no response, server still not correct. The 20th passes, the 21st passes, still no response.

Now on the 22nd, I send in another ticket because I'm concerned with unusual system attacks going on from a certain IP address, and a popular hacking port, 111, is the target. I fire off a message to support with the log attached and the response is "This is normal, every server here has these run, it is part of the security system of cpanel...just ignore."

Yes, I know this is part of Cpanel Portsentry but LOOK!!! Hmmmm ..

I decide to keep a close eye on this thing that evening, so I was telnetted in and I saw the program Luckscan and Luckstat running and the CPU running at 60-70% from these programs .. Ahh Crap!!

I call Nick at his Cell and fire off a ticket to tell them to get online and get this sun of a beech quick, he's bringing the system to a halt attacking other systems from ours. Nick is quite busy, doesn't want me to alert this hacker and has me wait almost an hour. I get very impatient and call again, he manages to call me back within minutes. When I finally get Nick on the system, he is quite helpful and manages to get the guy off the system; 3 times the guy got back in! The hacker was very persistent, had to block out all of Romania! So, now the system has this friggin' hack program everywhere with root accounts created and is just a mess. Nick does his thing and says it's clean now, so it's late and I go to bed..

The next day I get back on the system and notice more accounts and crap left behind so I call support and fire off tickets. That morning tech Brad gets on the system and proceeds to clean up all the trojans and files .. he says “the system looks fine to me now. the software was updated to the newest versions and the trojans were removed”.

Later that same day, I get on the system and notice root accounts in the password file, root directories and more mess .. I fire off another ticket and phone call.. I can never get anyone on the phone, no emergency phone number or nothing. I complain that their cleanup has been pretty sloppy and I need this thing finished before this new server is even usable, we decide to just... NICK CALLS, and we decide to start over again!

So, to sum it up.

I'm not one to usually complain but it's been one thing after another here and I've had NO choice.

Web Server setup late .. System finally arrives!

Hard drive crash almost immediately.. Ok **** happens
System setup again.. Decided to lose all of our changes and start over.

Open Ticket for things that never worked right after new setup, still open ticket #27436.

Server Hacked and brought to a standstill.

Asked for emergency contact numbers after this situation, asked 3-times now with NO response!

System corrections applied never finished correctly, I worked for hours cleaning up system, opened another ticket.

System replaced again, they can't get all the files from hacker off.

More things broken now Cpanel problems, WHM problems and another ticket is needed.

Why don't these guys treat it like their own system? I'm confused and pissed ..


To make a long story short, the system is still not usable from WHM and Cpanel since the Hack and has NOT been a usable system since getting it on the 18th of June. There are problems and all I want is a system delivered as promised.

I've fired off multiple messages, they wanted a list (I hate repeating myself but OK, I sent the list), yes they have responded but have yet to take action. I called tonight twice, was told on the first call they would get on it in the next hour or so, it would be fixed tonight. Nothing done yet!

It's now June 26th, we were hacked on the 22nd, the system is still not usable and we're venting because all we want is a little respect and service. I hate writing crap like this, it takes so much time and energy but I hate the fact they have put us in this position to just stew and boil ..

So, we wait still ..

Whew .. Now on to something more productive, this sucks!


Well, I can’t let this letter go to waste, I’ve spent the last hour writing it and god knows how much energy, but they JUST called at 01:00 am right now and needed the password to fix this mess .. Maybe there is hope on the horizon! I’ve pondered whether I should release this but feel it needs to be said. I’m hot and tired and going to bed, tomorrow's a new day and we’ll see how it goes ..



  #2  
Old 06-26-2001, 05:06 AM
Tim Greer Tim Greer is offline
<insert something witty>
 
Join Date: Apr 2000
Location: California
Posts: 3,051
Sorry to hear of your troubles. If you get rooted like that, the best thing to do is a fresh reinstall, not trying to clean up a system that's been compromised like that. That sounds too far gone and there's no way to know if there's still something on there. I'd strongly urge you to have the system wiped and reinstalled (and reinstalled WITHOUT any unneeded services) and then go further and have it secured, even if just a little bit. It seems that almost every server I've seen that gets rooted is, 99% of the time, rooted because the system was installed with services that didn't need to be there. Of course there are other reasons, but that's the most common on recent installs. I suggest you have that done and don't dare try and recover without a fresh install.

  #3  
Old 06-26-2001, 05:28 AM
XTStrike XTStrike is offline
Web Hosting Master
 
Join Date: Apr 2001
Location: UK - Liverpool
Posts: 2,169
as Tim_Greer says, your procedure is simple.

the box has been exploited, it needs rebuilding, full stop. Any of the files on that box could have trojans in them; let's face it, they could have even modified the kernel and planted a trojan in it, meaning it will run every time the machine is started.

then i suggest that you change your IP addresses, get a new batch, you have been found to be easily exploitable, the second the new server comes up you will probably be attacked again before you have a chance to update the services.

finally i suggest that you get the latest versions of ALL software installed on the machine, use firewalling and hosts.allow/hosts.deny to restrict telnet/ssh access to your machine.

this should be enough for now. Also ensure you edit httpd.conf to disable any services not required; there are several other places too. Burst should be able to secure it for you (hopefully).

Good Luck

__________________
www.24y.co.uk - Fast Professional UK Web Hosting

  #4  
Old 06-26-2001, 07:10 AM
DracoC77 DracoC77 is offline
Newbie
 
Join Date: Jun 2001
Posts: 7
Security Risk

How did a Hacker manage to get into a supposedly secure server? Doesn't burst provide a firewall? Did you use colo or dedicated? If there was a firewall, how'd the hacker manage to circumvent it? Maybe a trojan was already on the server? Hmmm........

  #5  
Old 06-26-2001, 09:01 AM
MrGoodHost MrGoodHost is offline
Junior Guru Wannabe
 
Join Date: Jun 2001
Location: Detroit
Posts: 54
Here is what to expect Brad :

From Sean at Burst
Quote:
MrGoodHost: I am sorry things did not work out for you. We do feel however that 27 hours is still a "reasonable" response time for a higher end support ticket. Some of your major hosting providers advertise only 24-48 hours response times even. At BurstNET we do strive for as fast of response times as possible, and are hiring additional staff as fast as possible to keep up with such. Most tickets do get answered within 8 hours or less. Tickets during the afternoons usually get answered within the hour.
see the whole post at http://www.webhostingtalk.com/showth...threadid=13441

They have a good deal but I personally require a faster response time on support tickets (sounds like you do too)

I have to give Burst credit though, the billing department was every bit as fast to refund my credit card when I cancelled as when they charged it after my order. They do honor their guarantee and provided the refund quickly.

I have since signed up with VO, the communication has been very good so far but my server is not yet online so I really can't say much more about them other than they have not missed their timing for getting the server up yet and they have been communicating nicely.

__________________
We all demand service, do we give it as well?

  #6  
Old 06-26-2001, 09:19 AM
Tim Greer Tim Greer is offline
<insert something witty>
 
Join Date: Apr 2000
Location: California
Posts: 3,051
Re: Security Risk

Quote:
Originally posted by DracoC77
How did a Hacker manage to get into a supposedly secure server? Doesn't burst provide a firewall? Did you use colo or dedicated? If there was a firewall, how'd the hacker manage to circumvent it? Maybe a trojan was already on the server? Hmmm........
Why was this server supposed to be secure? And if Burst does have a firewall, I don't know to what extent, but it's unlikely a provider that has a NOC will implement firewall rules on the servers located there, as there are too many IPs accessing far too many services on far too many servers for them to be able to realistically implement firewalling, which is just too strict for that sort of situation. If you're talking about a server's firewall (the very server in question), I'm also not familiar with them implementing this feature by default. If, however, you're talking about IPchains or tcp wrappers, I don't know what they configured it like, obviously -- since it's not my server.

However, IP chains or tcp wrappers (IP chains would be closer to what you mentioned, of course), would not stop a system cracker. Also, it wouldn't stop a cracker if they weren't denied access to a service that they exploited to gain access, for example. And, a cracker can circumvent a firewall, IP chains, wrappers, whatever anyway. I just doubt any of those were implemented. Further, I have serious doubts that a trojan was installed already, since it was (by the sound of it) a fresh/new install. It's possible someone could have gained access and installed it (and this root kit) before the server had any type of security done -- even if just to disable services that are dangerous, but it could be anything and after the fact. The reasons and possibilities are far reaching and can greatly vary.

Whatever the reason, it seems that things weren't done, unless this user installed or enabled something they shouldn't have. Of course, that's not to say that this wasn't caused by an exploit that was otherwise avoidable without requiring a lot of effort spent securing this one specific server, but that is just very unlikely due to how this seems in the duration between the set up and the compromise that it was anything that wasn't avoidable. However, I won't guess or make any claims... I mentioned what I felt relevant in my previous post here. Cheers!

  #7  
Old 06-26-2001, 09:01 PM
Brad Brad is offline
Disabled
 
Join Date: May 2001
Location: Fresno, Ca.
Posts: 181
As far as the hack, I'm told it was because they had the rpc.statd running on this newly installed server.

What really cracked me up over this whole thing is the fact they just did not accept any responsibility for it. My god, this server was set up by them and was completely new at the time. Yes, I know if they wanted to hack in bad enough they can, but this was the reply from Sean when I sent this message

From Me:

Brad or Nick or whoever,

I see that the system still has holes in it and just found ROOT accounts that should not be there in the users file after you said it had been cleaned up.

If I look at the accounts, there are root accounts in there again for various logons that SHOULD NOT BE THERE!

operator, games and who knows who else?

I'm beginning to think you guys need to spend a little more time here closing up the security problems on this system and new systems.

I can't have these kinds of holes, they are not acceptable.

Also, I can NEVER get hold of anyone there for emergency problems, why is this? Burst Support does not answer, phone for Nick is not dependable, what gives??

What is a direct line for EMERGENCIES?????
(STILL NOT ANSWERED AFTER 4 attempts now)

I've been pretty damn patient with this whole experience but I've had it now, too many problems since getting a server from you ..

SEAN'S ANSWER

It is not our fault your server got hacked, do not blame us for that.

If there was a problem with security, then we would have 200 hacked servers right now, for almost every server in our facility runs the same configuration our server has. If a talented hacker wants to get into a system, then they are going to get in, regardless of what security precautions we have in place....


END of message


That may be so but it seems there were holes that needed to be closed before service was established.

The same hacker is still trying to gain access, I see multiple attacks each day in the logs. Changing the IP address will do NO good, he knows the server name and can still find it. I'm contacting all the ISPs the hacker has been coming from the past few days, been busy all day writing messages and on the phone and hopefully this SOB will get his connection cut off for good. I doubt it though .. This guy is everywhere!

It's really not so much the fact the server was hacked, it's the sloppy way it's been handled since. It was NOT handled as everyone here has suggested, accounts existed after their clean up, etc. I'm still not sure exactly what has been done at this time, looks like a kernel upgrade, new OS and old files copied over from the previous install, old accounts still available.

The BIND server is STILL RED and Non-Operational since this began and since they worked on it last night ..

Yes, another ticket just opened, even though it's been mentioned many times now before ..

I'm about ready to just go elsewhere, this has been a terrible experience, mainly because of LACK OF SUPPORT and COMMUNICATION and NOT following through completely when work is being done. Not because of events that happened.

This seems to be a growing concern and complaint from everywhere in these forums.

Guess I'll look around again, what a waste of time this has been. I guess all in all it's been a good learning experience..

  #8  
Old 06-27-2001, 12:30 AM
DHWWnet DHWWnet is offline
NOC DOC :)
 
Join Date: Feb 2001
Location: USA
Posts: 866

sorry to hear that your server got cracked. I'll pm / email you for some other details regarding your compromised machine, I'm interested to know a few things and I'm sure that BurstNET is doing their part in fixing it.


Last edited by DHWWnet; 06-27-2001 at 12:40 AM.
  #9  
Old 06-27-2001, 01:00 AM
Brad Brad is offline
Disabled
 
Join Date: May 2001
Location: Fresno, Ca.
Posts: 181
Well,

If anything I know quite a bit now on these scripts they used to exploit the system. It's a damn autorooter exploit that runs on your system after gaining root access through the following process..

The tool scans the whole netblock address by address for port 111, which usually is bound to the sun RPC portmapper service. Red Hat systems are the favorite target.

If an open port has been found, it tries to exploit the Remote Format String Vulnerability (bugtraq id 1480) of rpc.statd.

Once in it fetches the goods remotely and then installs a rootkit on the machine, all happens pretty quickly ..

Now if you just happen to be on your machine and see the following processes running, you're already screwed.

linsniff (password sniffer)
luckscan-a (finds listening servers on port 111 and then calls the next script if successful)
luckstatdx

What they're doing here is attacking other machines now from your own, your system has already been rooted at this point.

The root kit does all sorts of crap and basically scatters everywhere on your system, trenching in and giving them full access to your system.

If you want to see a great place I found while searching for the program in question, here is the site .. This site has write-ups from different people that analyze these exploits and give their detailed findings, it was very helpful!

http://project.honeynet.org/scans/

When you get there, scan13 the autorooter is what got us .. Scan 13: auto rooter

Anyways, good luck everyone!


Quote:
Originally posted by elijah
sorry to hear that your server got cracked. I'll pm / email you for some other details regarding your compromised machine, I'm interested to know a few things and I'm sure that BurstNET is doing their part in fixing it.
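
Defender-side triage for the indicators Brad lists above (the luckscan-a/luckstatdx/linsniff processes, the rogue UID 0 accounts, the port 111 sweep), as an added example that is not code from the thread or from the Honeynet Project write-up. All sample input is constructed, and the portsentry log line format is an assumption.

```python
"""Defender-side triage for the rpc.statd autorooter the thread describes.
Added example (not from the thread or the Honeynet write-up); all sample
input is constructed, and the portsentry line format is an assumption."""
import re
from collections import Counter

# Process names the thread reports on the rooted box; matched as substrings.
SUSPECT_PROCESS_NAMES = ("luckscan", "luckstatd", "linsniff")
# Only root should carry UID 0; the thread saw 'operator' and 'games' with it.
EXPECTED_UID0 = {"root"}
PORTSENTRY_RE = re.compile(
    r"attackalert: Connect from host: (?P<src>[\d.]+)/\S+ to TCP port: (?P<port>\d+)")

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
operator:x:0:0:operator:/root:/bin/bash
games:x:0:0:games:/usr/games:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
"""
SAMPLE_PS = """\
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  1096  476 ?        S    Jun22   0:04 init
root       712 31.2  0.5  2140 1204 ?        R    23:10   2:51 ./luckscan-a 192.0.2.0
root       713 29.8  0.4  1980 1100 ?        R    23:10   2:40 ./luckstatdx 192.0.2.17
root       730  0.1  0.2  1400  700 ?        S    23:11   0:00 ./linsniff
"""
SAMPLE_LOG = """\
Jun 25 03:12:01 srv portsentry[401]: attackalert: Connect from host: 203.0.113.9/203.0.113.9 to TCP port: 111
Jun 25 03:12:02 srv portsentry[401]: attackalert: Connect from host: 203.0.113.9/203.0.113.9 to TCP port: 111
Jun 26 09:40:13 srv portsentry[401]: attackalert: Connect from host: 203.0.113.9/203.0.113.9 to TCP port: 111
Jun 26 01:02:55 srv portsentry[401]: attackalert: Connect from host: 198.51.100.40/198.51.100.40 to TCP port: 111
Jun 26 01:03:00 srv portsentry[401]: attackalert: Connect from host: 198.51.100.40/198.51.100.40 to TCP port: 143
"""

def find_extra_uid0(passwd_text):
    """Return login names holding UID 0 that are not expected to."""
    extra = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # blank or malformed line: skip rather than abort triage
        if fields[2] == "0" and fields[0] not in EXPECTED_UID0:
            extra.append(fields[0])
    return extra

def find_suspect_processes(ps_text):
    """Return (pid, command) for `ps aux` rows whose command matches a known name.
    Caveat from the thread: a trojaned ps can hide these, so a clean listing
    from the box's own binaries proves nothing; rebuild rather than clean up."""
    hits = []
    for row in ps_text.splitlines()[1:]:  # skip the header row
        parts = row.split(None, 10)       # 11 columns; COMMAND keeps its spaces
        if len(parts) == 11:
            command = parts[10].strip()
            if any(name in command.lower() for name in SUSPECT_PROCESS_NAMES):
                hits.append((int(parts[1]), command))
    return hits

def port_scan_sources(log_text, port=111):
    """Count portsentry alerts per source IP for one port (111 is the sunrpc
    portmapper the autorooter sweeps before trying rpc.statd), busiest first."""
    counts = Counter()
    for line in log_text.splitlines():
        m = PORTSENTRY_RE.search(line)
        if m and m.group("port") == str(port):
            counts[m.group("src")] += 1
    return counts.most_common()

if __name__ == "__main__":
    print("extra UID 0 accounts:", find_extra_uid0(SAMPLE_PASSWD))
    print("rootkit processes:", find_suspect_processes(SAMPLE_PS))
    print("port 111 probes by source:", port_scan_sources(SAMPLE_LOG))
```

Any non-empty finding from the first two checks means the box is rooted and, as Tim and XTStrike say above, the only trustworthy answer is a wipe and reinstall; the per-source counts separate a persistent scanner from background noise.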

  #10  
Old 06-27-2001, 01:06 AM
DHWWnet DHWWnet is offline
NOC DOC :)
 
Join Date: Feb 2001
Location: USA
Posts: 866
thanx for the info..
I check our servers every night and one of our buddies checks it around 2-6 a.m. so far it checks out o.k.

I was more interested in the attackers' ip's bec. we have been attacked by some spammer in tw and all we do is fight fire with fire, and since yours is coming from Romania and you said that you've blocked all Romanian IP's then I would just like to say that not all of them are bad. In fact, we have a few Romanian customers and they are very good people.

  #11  
Old 06-27-2001, 01:26 AM
Brad Brad is offline
Disabled
 
Join Date: May 2001
Location: Fresno, Ca.
Posts: 181
We currently are open to Romania again, I wanted it open. Wanted to see if he could do it again before I start building again..

Attacks are still happening here daily, he's tried to log on to his root accounts, didn't work (hahaha). He's currently trying still and so are other systems too.

The problem is that this root kit jumps to thousands of machines and IP's, you could be seeing other systems that are already hacked and don't know it, not the original hacker. This is the nature of the beast!

Basically it may be quite useless fighting fire with fire and quite possibly you're after the wrong guy anyways ..

I basically send the attacking system this kind of note ..

This is to inform you that someone from your root servers XX.XXX.XXX.XX attempted a break-in to our server 06/25/01 and 06/26/01. This could possibly be someone hopping servers from your server, so I just wanted to let you know since you may want to change your root password immediately and look at all your root accounts.

If, however, this was someone from your organization, then this is to let you know we will gladly give you any information you request simply by calling us or sending email.



Quote:
Originally posted by elijah
thanx for the info..
I check our servers every night and one of our buddies checks it around 2-6 a.m. so far it checks out o.k.

I was more interested in the attackers' ip's bec. we have been attacked by some spammer in tw and all we do is fight fire with fire, and since yours is coming from Romania and you said that you've blocked all Romanian IP's then I would just like to say that not all of them are bad. In fact, we have a few Romanian customers and they are very good people.

  #12  
Old 06-27-2001, 01:31 AM
DHWWnet DHWWnet is offline
NOC DOC :)
 
Join Date: Feb 2001
Location: USA
Posts: 866

Brad - Thanx for the heads up..pls. keep us updated on what is going on.

  #13  
Old 06-27-2001, 02:09 AM
DHWWnet DHWWnet is offline
NOC DOC :)
 
Join Date: Feb 2001
Location: USA
Posts: 866

coincidence...

we have not seen any cracking attempts for some time now except for that spammer from the tw ip, but just as I write this.. look, one of our servers that is hosting my homepage is being probed by:
208.18.137.9
Silicone Wireless, Inc. (NETBLK-SPRINT-D01289)
150 CHARCOT AVE
SAN JOSE, CA, 95131 95131
US
Netname: SPRINT-D01289
Netblock: 208.18.137.0 - 208.18.137.255

looks like some crackers are also checking out WHT

  #14  
Old 06-27-2001, 07:51 AM
DracoC77 DracoC77 is offline
Newbie
 
Join Date: Jun 2001
Posts: 7
Hackers

While I will admit that most experienced hackers can just circumvent firewalls, it would have been harder had a firewall actually been in place (not to say it wasn't). And I also find it amusing now burst thinks that just because ONLY 1 server was hacked it is not their fault cuz they have some 200 more that have yet to be hacked into; from my viewpoint if one server on burst can be hacked into, all of them can.... So basically, what he replied to you is that he didn't give you enough security but since no-one else had been hacked into, they are secure enough...... Sounds pretty illogical to me.

  #15  
Old 06-27-2001, 01:04 PM
Phoenix Phoenix is offline
Web Hosting Guru
 
Join Date: Apr 2001
Location: Boston Metro
Posts: 345
I found Brad's story rather disturbing. When a server gets root-compromised like his, it becomes a doorway into the rest of the network. And removing accounts and closing ports doesn't do a d**n bit of good because any hacker worth his salt has left backdoors in place, as well as utilities that will provide false data to administrators trying to delete accounts and close ports.

That's why he kept getting back in. Once a hacker has root on your box, he owns it. And every machine on the same network is at risk because of it.

I don't understand why they didn't a) immediately take the server off the network and b) perform or insist that you perform a root-compromise recovery. If a machine is hacked, that should be treated as a four-alarm emergency, sirens should go off, people should take up battle stations, and sidearms should be issued.

It's their job to protect their own network, as well as the other machines on that network and it takes draconian measures to do so.

We went through that with one of our co-lo customers (themselves a web hosting company) during the Chinese-American hacking war recently. His mail server got owned by one of the Chinese hackers and he got taken off the network and had to come in and do the root-compromise recovery, which takes a long time when you are running an NT server.

He wanted to just close the ports and delete the root accounts, but once it was explained to him that the utility he was using was going to be returning false responses, he realized that it takes more than just a band-aid to fix a machine that's been hacked.

It takes more than putting up a firewall to keep hackers out. You have to monitor the security alerts and install the latest patches on a daily basis. And you have to be ready to deal with an invasion on a moment's notice.

__________________
http://forums.webhostdir.com/
All your hosts are belong to us
