  1. #1
    Join Date
    Mar 2004
    Posts
    65

    Something very wrong and weird with BoxVPS.com

    I've had them for a day and I am very suspicious. For one, a default install of their basic level 1 package had two instances of Apache and Sendmail running by default as well as Bind9 DNS. I had to figure out the exact versions in my Ubuntu install in order to remove them. I always do a comprehensive port scan of my machines to see what services are available and port 1720 (Netmeeting!) was enabled and filtered and I had nothing in my IPTables for port 1720 at the time. I had nothing running that uses that port unless it was root-kitted. Their tech support said it was normal and that port was probably there by default. I've installed multiple Ubuntu setups and never once has port 1720 been enabled by default nor multiple running versions of Apache and Sendmail. Their web admin panel for the VPS was not available for whatever reason as well.

    I just requested the service be canceled and a refund. There may be nothing nefarious about what is going on with them but their security and setup is odd from a security point of view. Toss in the fact that my welcome email had both my login and password for the primary account in clear text for anyone to see.

  2. #2
    Join Date
    Mar 2004
    Posts
    65
    As a follow up, BoxVPS has fixed the concern with the password being sent by default in the email. That is a very good thing. They've also offered me a free month (at 3.75 a month, price is not a concern). I requested that they do additional research into why there is a port 1720 "filtered" by default on their base install of Ubuntu 8.04 when I have no services running that use that port (by default, it is the Netmeeting port). I also do not want a bunch of services installed by default, not to mention 2 instances of each service installed. There were two instances of Apache and Sendmail installed and running. That alone would not have bothered me and I would have figured it to be a bug. BUT that along with the odd port just makes my security hairs tingle.

  3. #3
    Join Date
    Nov 2006
    Location
    Melbourne, Australia
    Posts
    310
    Port 1720 is not just NetMeeting, it's used by a lot of apps that use H.323 (NetMeeting, ekiga, GnuGK, ...). Although why that'd be enabled, I have absolutely no idea. The two Apache instances could just be two Apache threads or something? I know that some of the MPMs start several instances.

    In any case, perhaps a Debian netinstall is best? That way, you know that nothing is running, since netinstall is just a bare minimum Debian install. IMO Debian is better than Ubuntu for a server, although I guess that's just a personal thing.

  4. #4
    Join Date
    Jun 2009
    Location
    U.S.A.
    Posts
    12
    I think you might have jumped the gun here zerodamage. Seems like you pulled the trigger a little too quick to say "Something wrong with BoxVPS" as the subject of your post. Considering you've had them for an entire 24 hours.

    Enough said.

  5. #5
    Join Date
    Mar 2009
    Location
    Austin Tx
    Posts
    2,001
    I agree. And 1720 is used for many VOIP based transport layers: H.224/H245, etc. Was this TCP? UDP? Both?
    If it was "open", what was listening on the port?
    Did you actually run nmap locally, or just rely on an external scan?
    This is the best signature in the world....Tribute!
    (It is not the best signature in the world, no. This is just a tribute)

  6. #6

    Catchy Title :)

    We have 2 types of installs for almost any Operating Image install (default, or minimal). Ubuntu only has default installs (though we can easily or the customer can edit/change the default setup to what they require).

    I have no problem customizing your Ubuntu image down to a bare nothing.

    The default includes common services etc. to get the average customer going (like doing a default server CD install from the OS on a basic dedicated server).

    50% of the time administrators already know what they want etc. and pre-request it (VPS with a minimal install, which simply has ssh installed).

    We always try to go above and beyond for every customer (happy or not). Your first free month still stands.

    If anyone has any questions/concerns I would be glad to address them.

    Thanks,
    Justin

    About the HyperVM being down (http://www.boxvps.com/client/noc.php).
    boxVPS.com - How big is your box?

  7. #7
    From my experience, sending login and password in clear text to the client's email has never been a problem, you're supposed to change the password as soon as you login.

    I'd just see it as a problem if the provider asked you for a password during a secure registration procedure and then sent it in clear text to your email.
    █ Wafer VPS
    US North Carolina Based
    Self-Managed OpenVZ VPS Hosting
    Check out our offers!

  8. #8
    Quote Originally Posted by zerodamage View Post
    I've had them for a day and I am very suspicious. For one, a default install of their basic level 1 package had two instances of Apache and Sendmail running by default as well as Bind9 DNS. I had to figure out the exact versions in my Ubuntu install in order to remove them. I always do a comprehensive port scan of my machines to see what services are available and port 1720 (Netmeeting!) was enabled and filtered and I had nothing in my IPTables for port 1720 at the time. I had nothing running that uses that port unless it was root-kitted. Their tech support said it was normal and that port was probably there by default. I've installed multiple Ubuntu setups and never once has port 1720 been enabled by default nor multiple running versions of Apache and Sendmail. Their web admin panel for the VPS was not available for whatever reason as well.

    I just requested the service be canceled and a refund. There may be nothing nefarious about what is going on with them but their security and setup is odd from a security point of view. Toss in the fact that my welcome email had both my login and password for the primary account in clear text for anyone to see.
    You left a provider because they sent you your login and password in plain text....? What did you want them to do? Speak it in Spanish to you in a voice over and attach it? Do funny hand signals at you until you get the password right? Drive over personally to your house and give it to you? Give it to you over the phone while the government wiretaps your phone for "no reason" other than to wiretap you, gets your password, and nukes your system.

    Wow....

    I don't think you're going to be able to find a provider here on WHT that doesn't send their users their passwords in clear text....

    Am I missing something?

  9. #9
    Join Date
    Mar 2004
    Posts
    65
    Quote Originally Posted by xorpt View Post
    I'd just see it as a problem if the provider asked you for a password during a secure registration procedure and then sent it in clear text to your email.
    Ding. This is what happened. The password I used during the signup got sent back to me in an email in plain text. They told me they have now changed that.

  10. #10
    Join Date
    Mar 2004
    Posts
    65
    Quote Originally Posted by RMCSGroup View Post
    I think you might have jumped the gun here zerodamage. Seems like you pulled the trigger a little too quick to say "Something wrong with BoxVPS" as the subject of your post. Considering you've had them for an entire 24 hours.

    Enough said.
    Did you read my two posts? Probably not, so speaking of pulling the trigger too quick.

    There was a combination of things that alone would not have been much of a concern but combined bothered me a great deal. Some VOIP / Netmeeting port not necessarily opened but Filtered and not filtered for or by me. Multiple installations of Apache. Not multiple threads but multiple installed instances. I removed one, thought I had it all taken care of, reboot and take a look at "top" and see that it is still there even though my previous apt-get remove apache2 resulted in the service being stopped and successfully removed. The same for sendmail. I had to install another app to get a list of installed apps so that I could figure out the exact program version so that I could remove it for sure. The lackluster response as to why there were multiple installs of these services PLUS the inability to get an answer for port 1720 were enough to make me paranoid enough to decide not to use them.

    With all of that said, I've been talking with them and they are going to give me a free month and set up a minimalist install of Ubuntu for me and when that happens, I will do the same sort of security audit on the VPS that I did before that will hopefully ease my paranoia.

    Their support and customer service is top notch. My issues above were just abnormal and would bother any security guru.

  11. #11
    Join Date
    Mar 2004
    Posts
    65
    And I apologize for the topic title. That was meant to be a question, not a statement. Was a long day yesterday and typing it up on my netbook was probably a bad idea.

  12. #12
    Quote Originally Posted by zerodamage View Post
    Ding. This is what happened. The password I used during the signup got sent back to me in an email in plain text. They told me they have now changed that.
    That being the case I find it a bit unorthodox as well. Good thing they fixed it promptly.
    █ Wafer VPS
    US North Carolina Based
    Self-Managed OpenVZ VPS Hosting
    Check out our offers!

  13. #13
    Join Date
    Mar 2004
    Posts
    65
    Okay... I just do not get it. Their minimalist installs are no different from the general install of Ubuntu that I did initially. I will list what I've done from start to finish.

    Log in immediately as root. I add a user, add the user to sudoers file, log out of root and log in as the new user. I disable the root account. I remove xinetd, I remove apache, I remove sendmail. I install denyhosts (python script that blocks brute force SSH attacks). I change the SSH service to something other than 22. I update the OS (Debian). I reboot the VPS, then I log back in and do a netstat --listen. What do I see? The VPS is listening for port 80 and SMTP. I do a port scan on the system, and there is that port 1720 again and port 53 for DNS (both TCP and UDP).

    I've never used a VPS service before that turns my VPS into a honeypot. That's basically what it is and it takes time to get it set up. Now I have to figure out where the hell the httpd and mail service is located since they are NOT viewable when doing "ps -aux". Right now, this service is free for a month but I just do not understand this weird ****.

  14. #14
    Join Date
    Mar 2004
    Posts
    65
    Yeah. I am officially standing by my initial thought that there is something wrong with boxvps. This is either really poorly managed or something shady is going on.

  15. #15
    You might have missed our post above and in tickets (Ubuntu only has default installs, though we can easily or the customer can edit/change the default setup to what they require). IE: make a custom minimal one if you need/like. Though we are an un-managed provider, it's always about the customer.

    I'm not quite sure what you mean by "I've never used a VPS service before that turns my VPS into a honeypot. That's basically what it is and it takes time to get it set up." but if you explain I'm sure I can provide an answer.

    I hope we can figure out this misunderstanding; it's hard to chase all your new posts.
    boxVPS.com - How big is your box?

  16. #16
    Join Date
    Mar 2009
    Posts
    47
    @zerodamage

    You may want to issue the following command to find out what process is utilizing port 1720:

    Code:
    netstat -pan |grep -i :1720
    Hope this helps.

    Best Regards,
    Danny.
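
Added example, not part of any post in this thread: a cross-check of local listeners against an external scan, which is the question posts #5 and #16 raise. Nmap reports a port as "filtered" when its probes are blocked or unanswered, so that state alone does not show a listener on the host; the function names, the sample `/proc/net/tcp` text and the scan results below are constructed for illustration.

```python
import glob, os, re

# Constructed sample in /proc/net/tcp format (IPv4 only; tcp6 is a separate file).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:08AE 0A000001:C350 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 20 4 30 10 -1
"""

def listening_sockets(proc_net_tcp):
    """Return {port: socket inode} for entries in state 0A (TCP_LISTEN)."""
    out = {}
    for line in proc_net_tcp.splitlines()[1:]:
        f = line.split()
        if len(f) > 9 and f[3] == "0A":
            out[int(f[1].rsplit(":", 1)[1], 16)] = f[9]
    return out

def socket_owners():
    """Map socket inode -> PID via /proc/<pid>/fd links (run as root to see all)."""
    owners = {}
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(fd))
        except OSError:
            continue  # process exited or permission denied
        if m:
            owners[m.group(1)] = int(fd.split("/")[2])
    return owners

def audit(proc_net_tcp, external_scan, owners):
    """external_scan is {port: nmap state}; returns {port: finding}."""
    listen = listening_sockets(proc_net_tcp)
    findings = {}
    for port in sorted(set(listen) | set(external_scan)):
        if port not in listen:
            findings[port] = ("no local listener; external state %r comes from "
                              "the network path" % external_scan[port])
        elif listen[port] not in owners:
            findings[port] = "listening, owner PID not visible"
        else:
            findings[port] = "listening, pid %d" % owners[listen[port]]
    return findings

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:  # live check on the host being audited
        for port, note in audit(fh.read(), {1720: "filtered"}, socket_owners()).items():
            print(port, note)
```

A port that is listening with no visible owner PID is the case worth escalating: inside a container it can mean the socket belongs to a process outside the guest's view, and on a standalone host it warrants a closer look.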
