Page 1 of 3 123 LastLast
Results 1 to 15 of 45
  1. #1
    Join Date
    May 2001
    Location
    Fresno, Ca.
    Posts
    181

    * Burst.net Support is still lacking..

    Ok everyone,

    I've pretty much had it up to the top of my friggin skull right now with Burst.net and it's time to vent frustrations and let people know how support is totally non existent for some when needed.

    Do I have anything against them? No, I'm sure their nice people, they just need to be more responsive and professional to their clients.

    If you remember right, I purchased a server not long ago, delayed as it was, it was the first sign of trouble. http://www.webhostingtalk.com/showth...threadid=13101

    Well after getting the server it's been nothing short of a nightmare.

    Not more than 24 hours later we get a message as follows,

    “Did you install any other software on your system just now? Our monitoring system picked up that you machine was not serving pages”.

    Uhh .. No. We haven’t even done anything with the server yet. - Well guess what? Server crash, HD I was told. They did a good job of returning the thing back online by early in the morning about 3-4 hours later.

    When looking at the server the next morning, I noticed the Top command was not working from the control panel and the Akopia Interchange server was Red and non-operational, so I opened a ticket immediately this was on the 18th. On the 19th, I fired
    off another ticket, no response, server still not correct. The 20th passes, the 21st passes, still no response.

    Now on the 22nd, I send in another ticket because I'm concerned with unusual system attacks going on from a certain IP address and a popular hacking port 111 is the target. I fire off a message to support with the log attached and the response is "This is normal, every server here has these run, it is part of the security system of cpanel...just ignore."

    Yes, I know this is part of Cpanel Portsentry but LOOK!!! Hmmmm ..

    I decide to keep a close eye on this thing that evening, so I was telnetted in and I saw the program Luckscan and Luckstat running and the CPU running at 60-70% from these programs .. Ahh Crap!!

    I call Nick at his Cell and fire off a ticket to tell them to get online and get this sun of a beech quick, he's bringing the

    system to a halt attacking other systems from ours. Nick is quite busy, doesn't want me to alert this hacker and has me wait almost an hour. I get very impatient and call again, he manages to call me back within minutes. When I finally get Nick on the system, he is quite helpful and manages to get the guy off the system, 3 times the guy got back in! The hacker was very persistent, had to block out all of Romania! So, now the system has this friggin hack program everywhere with root accounts created and is just a mess. Nick does his thing and says it's clean now, so it's late and I go to bed..

    The next day I get back on the system and notice more accounts and crap left behind so I call support and fire off tickets. That morning tech Brad gets on the system and proceeds to clean up all the trojans and files .. he says “the system looks fine to me now. the software was updated to the newest versions and the trojans were removed”.

    Later that same day, I get on the system and notice root accounts in the password file, root directories and more mess .. I fire off another ticket and phone call.. I can never get anyone on phone, no emergency phone number or nothing. I complain that their cleanup has been pretty sloppy and I need this thing finished before this new server is even useable, we decide to just NICK CALLS and we decide to start over again!

    So, to sum it up.

    I'm not one to usually complain but it's been one thing after
    another here and I've had NO choice.

    Web Server setup late .. System finally arrives!

    Hard drive crash almost immediately.. Ok **** happens
    System setup again.. Decided to lose all of our changes and start
    over.

    Open Ticket for things that never worked right after new setup, still open ticket #27436.

    Server Hacked and brought to a standstill.

    Asked for emergency contact numbers after this situation, asked 3-times now with NO response!

    System corrections applied never finished correctly, I worked for hours cleaning up system, opened another ticket.

    System replaced again, they can't get all the files from hacker off.

    More things broken now Cpanel problems, WHM problems and another ticket is needed.

    Why don't these guys treat it like their own system? I'm confused and pissed ..


    To make a long story short, the system is still not usable from WHM and Cpanel since the Hack and has NOT been a useable

    system since getting it on the 18th of June. There are problems and all I want is a system delivered as promised.

    I've fired off multiple messages, they wanted a list (I hate repeating myself but OK, I send the list) yes they have responded but have yet to take action. I called tonight twice, was told on first call they would get on it in the next hour

    or so, it would be fixed tonight. Nothing done yet!

    It's now June 26th, we were hacked on the 22nd, system is still not useable and we're venting because all we want is a little

    respect and service. I hate writing crap like this, it takes so much time and energy but I hate the fact they have put us in this position to just stew and boil ..

    So, we wait still ..

    Whew .. Now on to something more productive, this sucks!


    Well, I can’t let this letter go to waste, I’ve spent the last hour writing it and god knows how much energy but they JUST called at 01:00 am right now and needed the password to fix this mess .. Maybe there is hope on the horizon! I’ve pondered whether I should release this but feel it needs to be said, I’m hot and tired and going to bed, tomorrows a new day and we’ll see how it goes ..

  2. #2
    Join Date
    Apr 2000
    Location
    California
    Posts
    3,051
    Sorry to hear of your troubles. If you get rooted like that, the best thing to do, is a fresh reinstall and not try and clean up a system that's been compromised like that. That sounds too far gone and there's no way to know if there's still something on there. I'd strongly urge you to have the system wiped and reinstalled (and resinstalled WITHOUT any unneeded services) and then go further and have it secured, even if just a little bit. It seems that almost every server I've seen that gets rooted, is 99% of the time because the system was installed with services that didn't need to be there. Of course there are other reasons, but that's the most common on recent installs. I suggest you have that done and don't dare try and recover without a fresh install.

  3. #3
    Join Date
    Apr 2001
    Location
    UK - Liverpool
    Posts
    2,169
    as Tim_Greer says, your procedure is simple.

    the box has been exploited, it needs rebuilding, full stop, any of the fileson that box could have trojans in them, lets face it they could have even modified the kernel and planted a trojan in it, meaning it will run every time the machine is started.

    then i suggest that you change your IP addresses, get a new batch, you have been found to be easily exploitable, the second the new server comes up you will probably be attacked again before you have a chance to update the services.

    finally i suggest that you get the latest versions of ALL software installed on the machine, use firewalling and hosts.allow/hosts.deny to restrict telnet/ssh access to your machine.

    this should be enough for now, also ensure you edit httpd.conf to disable any services not required, there are several other places too burst should be able to secure it for you (hopefully)

    Good Luck
    www.24y.co.uk - Fast Professional UK Web Hosting

  4. #4

    Question Security Risk

    How did a Hacker manage to get into a supposed secure server. Doesn't burst provide a firewall? Did you use colo of dedicated? If there was a firewall, how'd the hacker managed to circumvent it? Mabye a trojan was already on the server? Hmmm........

  5. #5
    Join Date
    Jun 2001
    Location
    Detroit
    Posts
    54
    Here is what to expect Brad :

    From Sean at Burst
    MrGoodHost: I am sorry things did not work hour for you. We do feel however that 27 hours is still a "reasonable" response time for a higher end support ticket. Some of your major hosting providers advertise only 24-48 hours response times even. At BurstNET we do strive for as fast of response times as possible, and are hiring additional staff as fast as possible to keep up with such. Most tickets do get answered within 8 hours or less. Tickets during the afternoons usually get answered within the hour.
    see the whole post at http://www.webhostingtalk.com/showth...threadid=13441

    They have a good deal but I personally require a faster response time on support tickets (sounds like you do too)

    I have to give Burst credit though , the billing department was every bit as fast to refund my credit card when I cancelled as when they charged it after my order . They do honor thier guarantee and provided the refund quickly .

    I have since signed up with VO , the communication has been very good so far but my server is not yet online so I really can't say much more about them other than they have not missed thier timing for getting the server up yet and they have been communicating nicely .
    We all demand service , do we give it as well ?

  6. #6
    Join Date
    Apr 2000
    Location
    California
    Posts
    3,051

    Re: Security Risk

    Originally posted by DracoC77
    How did a Hacker manage to get into a supposed secure server. Doesn't burst provide a firewall? Did you use colo of dedicated? If there was a firewall, how'd the hacker managed to circumvent it? Mabye a trojan was already on the server? Hmmm........
    Why was this server supposed to be secure? And if Burst does have a firewall, I don't know to what extent, but it's unlikely a provider that has a NOC will implement firewall rules on a the servers located there, as there's too many IP's accessing far too many services on far too many services for them to be able to realistically implement firewalling, which is just too strict for that sort of situation. If you're talking about a server's firewall (the very server in question), I'm also not familiar with them implementing this feature by default. If, however, you're talking about IPchains or tcp wrapper's, I don't know what they configured it like, obviously -- since it's not my server.

    However, IP chains or tcp wrappers (IP chains would be closer to what you mentioned, of course), would not stop a system cracker. Also, it wouldn't stop a cracker, if they weren't denied access to a service that they exploited to gain access, for example. And, a cracker can cricumvent a firewall, IP chains, wrappers, whatever anyway. I just doubt any of those were implemented. Further, I have serious doubts that a trojan was installed already, since it was a (by the sound of it) fresh/new install. It's possible someone could have gained access and installed it (and this root kit) before the server had any type of security done -- even if just to disable services that are dangerous, but it could be anything and after the fact. The reasons and possibilities are far reaching and can greatly vary.

    Whatever the reason, it seems that things weren't done, unless this user installed or enabled something they shouldn't have. Of course, that's not to say that this wasn't caused by an exploit that was otherwise avoidable without requiring a lot of effort spent securing this one specific server, but that is just very unlikely due to how this seems in the duration between the set up and the compromise that it was anything that wasn't avoidable. However, I won't guess or make any claims... I mentioned what i felt relevant in my previous post here. Cheers!

  7. #7
    Join Date
    May 2001
    Location
    Fresno, Ca.
    Posts
    181
    As far as the hack, I'm told it was because they had the rpc.statd running on this newly installed server.

    What really cracked me up over this whole thing is the fact they just did not accept any responsibility for it. My god, this server was setup by them and was completely new at the time. Yes, I know if they wanted to hack in bad enough they can but this was the reply from Sean when I send this message

    From Me:

    Brad or Nick or whoever,

    I see that the system still has holes in it and just found ROOT accounts that should not be there in the users file after you said it had been cleaned up.

    If I look at the accounts, there are root accounts in there again for various logons that SHOULD NOT BE THERE!

    operator, games and who knows who else?

    I'm beginning to think you guys need to spend a little more time here closing up the security problems on this system and new systems.

    I can't have these kinds of holes, they are not acceptable.

    Also, I can NEVER get hold of anyone there for emergency problems, why is this? Burst Support does not answer, phone for Nick is not dependable, what gives??

    What is a direct line for EMERGENCIES?????
    (STILL NOT ANSWERED AFTER 4 attempts now)

    I've been pretty dam patient with this whole experience but I've had it now, too many problems since getting a server from you ..

    SEANS ANSWER

    It is not our fault your server got hacked, do not blame us for that.

    If there was a problem wth security, then we would have 200 hacked servers right now, for almost every server in our facility runs the same configuration our server has. If a talented hacker wants to get into a system, then they are going to get in, regardless of what security precautions we have in place....


    END of message


    That maybe so but it seems there were holes that needed to be closed before service was established.

    The Same hacker is still trying to gain access, I see multiple attacks each day in the logs. Changing the IP address will do NO good, he knows the server name and can still find it. I'm contacting all the ISP's the hacker has been coming from the past few days, been busy all day writing messages and on phone and hopefully this SOB will get his connection cutt off for good. I doubt it though .. This guy is everywhere!

    It's really not so much the fact the server was hacked, it's the sloppy way it's been handled since. It was NOT handled as everyone here has suggested, accounts existed after their clean up, etc. I'm still not sure exactly what has been done at this time, looks like a kernal upgrade, new OS and old files copied over from previous install, old accounts still available.

    The BIND server is STILL RED and Non-Operational since this began and since they worked on it last night ..

    Yes, another ticket just opened, even though it's been mentioned many times now before ..

    I'm about ready to just go elsewhere, this has been a terrible experience, mainly because of LACK OF SUPPORT and COMMUNICATION and NOT following through completely when work is being done. Not because of events that happened.

    This seems to be a growing concern and complaint from everywhere in these forums.

    Guess I'll look around again, what a waste of time this has been. I guess all in all it's been a good learning experience..

  8. #8
    Join Date
    Feb 2001
    Location
    USA
    Posts
    866

    Angry

    sorry to hear that your server got cracked. i'll pm / email you for some other details regarding your compromised machine , i'm interested to know a few things and i'm sure that BurstNET is doing their part in fixing it.
    Last edited by DHWWnet; 06-27-2001 at 12:40 AM.

  9. #9
    Join Date
    May 2001
    Location
    Fresno, Ca.
    Posts
    181
    Well,

    If anything I know quite a bit now on these scripts they used to exploit the system. It's a dam autorooter exploit that runs on your system after gaining root access through the following process..

    The tool scans the whole netblock address by address for port 111,which usually is bound to sun RPC portmapper service. Red Hat systems are the favorite target.

    If an open port has been found, it tries to exploit the Remote Format String Vulnerability (bugtraq id 1480) of rpc.statd.

    Once in it fetches the goods remotely and then installs a rootkit on the machine, all happens pretty quickly ..

    Now if you just happen to be on your machine and see the following processes running, your already screwed.

    linsniff (password sniffer)
    luckscan-a (finds listening servers on port 111 and then calls the next script if successful)
    luckstatdx

    What their doing here is attacking other machines now from your own, your system has already been rooted at this point.

    The root kit does all sorts of crap and basically scatters everywhere on your system, trenching in and giving them full access to your system.

    If you want to see a great place I found while searching for the program in question, here is the site .. This site has write ups from different people that anylize these exploits and give their detailed findings, it was very helpful!

    http://project.honeynet.org/scans/

    When you get there, scan13 the autorooter is what got us .. Scan 13: auto rooter

    Anyways, good luck everyone!


    Originally posted by elijah
    sorry to hear that your server got cracked. i'll pm / email you for some other details regarding your compromised machine , i'm interested to know a few things and i'm sure that BurstNET is doing their part in fixing it.

  10. #10
    Join Date
    Feb 2001
    Location
    USA
    Posts
    866
    thanx for the info..
    I check our servers every night and one of our buddies checks it around 2-6 a.m. so far it checks out o.k.

    I was more interested in the attackers ip's bec. we have been attacked by some spammer in tw and all we do is fight fire with fire and since yours is coming from Romania and you said that you've blocked all Romanian IP's then i would just like to say that not all of them are bad. In fact, we have a few Romanian customers and they are very good people.

  11. #11
    Join Date
    May 2001
    Location
    Fresno, Ca.
    Posts
    181
    We currently are open to Romainia again, I wanted it open. Wanted to see if he could do it again before I start building again..

    Attacks are still happening here daily, he's tried to log on to his root accounts, didn't work,(hhahah) He's currently trying still and so are other systems too.

    The problem is that this root kit jumps to thousands of machines and IP's, you could be seeing other systems that are already hacked and don't know it, not the original hacker. This is the nature of the beast!

    Basically it may be quite useless fighting fire with fire and quite possibly your after the wrong guy anyways ..

    I basically send the attacking system this kind of note ..

    This is to inform you that someone from your root servers XX.XXX.XXX.XX
    attempted a break-in to our server 06/25/01 and 06/26/01 . This could possibly be someone
    hopping servers from your server, so I just wanted to let you know since you may want to change your root password immediately and look at all your root accounts.

    If, however, this was someone from your organization, then this is to let you know we will gladly give you any information you request simply by calling us or sending email.



    Originally posted by elijah
    thanx for the info..
    I check our servers every night and one of our buddies checks it around 2-6 a.m. so far it checks out o.k.

    I was more interested in the attackers ip's bec. we have been attacked by some spammer in tw and all we do is fight fire with fire and since yours is coming from Romania and you said that you've blocked all Romanian IP's then i would just like to say that not all of them are bad. In fact, we have a few Romanian customers and they are very good people.

  12. #12
    Join Date
    Feb 2001
    Location
    USA
    Posts
    866

    Post

    Brad - Thanx for the heads up..pls. keep us updated on what is going on.

  13. #13
    Join Date
    Feb 2001
    Location
    USA
    Posts
    866

    Talking

    coincidence...

    we have not seen any cracking attempts for sometime now except for that spammer from tw ip but just as i write this.. look one of our servers that is hosting my homepage is being probed by:
    208.18.137.9
    Silicone Wireless, Inc. (NETBLK-SPRINT-D01289)
    150 CHARCOT AVE
    SAN JOSE, CA, 95131 95131
    US
    Netname: SPRINT-D01289
    Netblock: 208.18.137.0 - 208.18.137.255
    Coordinator:
    RIDDER, JONATHAN (JR37-ARIN) jonathan.ridder@siliconwireless.com
    6507875597

    looks like some crackers are also checking out WHT

  14. #14

    Hackers

    While I will admit that most experienced hackers can just circumvent firewalls, it would have been harder had a firewall actually been in place (not to say it wasn't). And I also find it amusing now burst thinks that just because ONLY 1 server was hacked it is not their fault cuz they have some 200 more that has yet to have been hacked into, from my viewpoint if one server on burst can be hacked into, all of them can.... So basically, what he replied to you is that he didn't give you enough security but since no-one else had been hacked into, they are secure enough...... Sound pretty illogical to me.

  15. #15
    Join Date
    Apr 2001
    Location
    Boston Metro
    Posts
    345
    I found Brad's story rather disturbing. When a server gets root-compromised like his, it becomes a doorway into the rest of the network. And removing accounts and closing ports doesn't do a d**n bit of good because any hacker worth his salt has left backdoors in place, as well as utilities that will provide false data to administrators trying to delete accounts and close ports.

    That's why he kept getting back in. Once a hacker has root on your box, he owns it. And every machine on the same network is at risk because of it.

    I don't understand why they didn't a) immediately take the server off the network and b) perform or insist that you perform a root-compromise recovery. If a machine is hacked, that should be treated as a four-alarm emergency, sirens should go off, people should take up battle stations, and sidearms should be issued.

    It's their job to protect their own network, as well as the other machines on that network and it takes draconian measures to do so.

    We went through that with one of our co-lo customers (themselves a web hosting company) during the chinese-american hacking war recently. His mail server got owned by one of the chinese hackers and he got taken off the network and had to come in and do the root-compromise recovery-which takes a long time when you are running an NT server.

    He wanted to just close the ports and delete the root accounts, but once it was explained to him that the utility he was using was going to be returning false responses, he realized that it takes more than just a bandaid to fix a machine that's been hacked.

    It takes more than putting up a firewall to keep hackers out. You have to monitor the security alerts and install the latest patches on a daily basis. And you have to be ready to deal with an invasion on a moment's notice.
    http://forums.webhostdir.com/
    All your hosts are belong to us

Page 1 of 3 123 LastLast

Related Posts from theWHIR.com

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •