I just started hosting with webhosting.NET, an H-Sphere provider.
webhosting.NET is the "large webhosting company" referenced by "beady" in this post:
In a nutshell, all Windows servers at webhosting.NET are down and have been down for at least 12 hours!
Downtime will probably continue for a number of DAYS.
And webhosting.NET might not ever recover, because they are suffering a MAJOR data loss affecting all Windows servers. This includes Windows content servers, Windows backup servers and all MS SQL Servers.
webhosting.NET says that they are working on the problem, but they will be very lucky to recover the data.
Since their backups are also corrupt, they are in big, big trouble.
They blame a BlackICE vuln and the Witty worm, but I blame webhosting.NET.
The BlackICE patch has been available for two days but webhosting.NET did not install it.
Besides that, why is a "large webhosting company" using a $20 software firewall to "protect computers" anyway? BlackICE is for home/personal users.
This is beyond belief. If you want to be a real webhosting company then protect your *network* with a hardware firewall and IDS!
webhosting.NET has about 5 Windows servers, some Linux servers and they also run WholesaleColo.Com.
Do not even bother visiting their website.
You will not see any network status indicator on their website, because they do not operate a forum and are very secretive about their network.
Originally posted by beady:
I work at a large webhosting company, and from approximately 12:30am this morning we experienced the effects of a very nasty worm believed to be either "Witty" or a variant thereof that was replicating like wildfire on our network using a compromise on Windows servers running BlackICE Defender.
The traffic pattern was so severe that it caused extremely high latency and even outage on our Extreme Networks equipment causing the Extreme routers to throw error logs almost identical to the Slammer WORM. After blocking port 4000 inbound and outbound, the network stabilised.
However, we then discovered that this worm had compromised several of both our own and our customers' Windows Servers and damaged many of them to the extent that they will not even boot into Windows, some of them even "looping" on boot, and others bluescreening on loading Windows. These are currently being rebuilt from backups, but the damage is so severe that even the partition is not recognised on some of the drives even when using advanced recovery software.
I believe this is just the beginning of an extremely nasty future WORM epidemic and that we may have been one of the very first affected in this manner, because very little material is currently available on the NET, especially regarding the damage caused to compromised servers.
This post is both a warning to other ISPs and a question as to whether other ISPs or hosting customers reading this post have or are currently experiencing identical symptoms on their networks / servers.
I think the limited public alerts available completely understate the seriousness and "maliciousness" of this worm from our experience, e.g. securityresponse.symantec.com/avcenter/venc/data/w32.witty.worm.html