Xenvz stopped my 2 VPSs because I spread the Conficker virus?
Sorry for my English, I'll try my best to express myself...
Last month I ordered 2 Xen VPSs from Xenvz.co.uk and used them as a VPN proxy.
But a few days ago, Xenvz stopped one VPS and stated "This is because it is spreading the Conficker virus.".
I'm a little surprised because there are only 10+ users on this VPS. Most of them use the VPN for visiting YouTube, P2P downloads or gaming. And the Conficker virus can only run on Windows, but all my VPSs are running Debian.
Maybe someone downloaded something that contains the Conficker virus?
Anyway, I had to move a few users to the other VPS yesterday.
But Xenvz stopped my other VPS today for the same reason!
I really do not know whether one of my users is spreading it or there is another reason, but as far as I know, the Conficker virus has affected thousands of hosts in the past.
If someone downloads or is affected by Conficker for any reason and the provider then stops their host, I'm afraid thousands of sites would go down.
Can anyone let me know what I should do now? I need help.
Although it's causing you some inconvenience, I applaud the action of your host in closing down your VPS because it's spreading the Conficker virus. I just wish every ISP and host would do the same. There are probably more than 10 million infected Windows machines around the world, causing hundreds of millions of dollars worth of damage, and the only way to control the epidemic is to cut off the rogue systems and force the owners to take some responsibility.
The most likely scenario is that one of your users has an infected Windows PC, which is attempting to infect more PCs by transmitting across your VPN. Those attempts will have a source IP address of your VPS.
You need to find out which of your users is infected, possibly by monitoring outbound traffic from your VPS and identifying the source at the other end of your VPN.
iftop is a program that can display connections in real time, and there are others.
However, you really need to identify the infected user without allowing them to spew more infection attempts across the Net. Perhaps you could consider configuring a firewall (such as iptables) on outbound traffic to restrict VPN users to "legitimate" destination ports, such as port 80 and 443 for Web traffic.
Or you could simply ask your users to check specifically for Conficker on their PCs.
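A way to do both of the things suggested above, restrict what VPN users can reach and still identify the infected one, as an added example that is not davidman's, Xenvz's or the original poster's code. It assumes a placeholder VPN client subnet of 10.8.0.0/24 on interface tun0 and iptables on the Debian VPS; the addresses in the sample log lines are constructed. The rule set confines forwarded VPN traffic to ports 80 and 443 (plus DNS, which the post does not mention but clients need to resolve names), logs everything else with a rate-limited kernel LOG rule, and drops it. The second half reads those log lines and ranks the VPN-side source addresses by connection attempts to TCP/445, the SMB port Conficker probes, which points at the infected client without letting its attempts out onto the Net.

```shell
#!/bin/sh
# Added example for this thread; not code from davidman, Xenvz or the original
# poster. Assumptions (placeholders, not from the thread): VPN clients are
# handed addresses in 10.8.0.0/24 on interface tun0, and the VPS uses iptables.
VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_IF="${VPN_IF:-tun0}"
LOG_PREFIX="VPN-DROP: "

# Emit the iptables commands that confine forwarded VPN traffic to web ports
# (80/443) plus DNS, log everything else at a bounded rate, then drop it.
# Printing the commands (instead of running them) lets the set be reviewed and
# tested without root; apply on the VPS with:  vpn_egress_rules | sh
vpn_egress_rules() {
    cat <<EOF
iptables -N VPN_EGRESS
iptables -A VPN_EGRESS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A VPN_EGRESS -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A VPN_EGRESS -p udp --dport 53 -j ACCEPT
iptables -A VPN_EGRESS -m limit --limit 30/min --limit-burst 100 -j LOG --log-prefix "$LOG_PREFIX"
iptables -A VPN_EGRESS -j DROP
iptables -I FORWARD -i $VPN_IF -s $VPN_NET -j VPN_EGRESS
EOF
}

# Read kernel LOG lines on stdin and print "count source" pairs, busiest first,
# for connection attempts to the given destination port (default 445, the SMB
# port Conficker probes). The SRC= field is the VPN client address, i.e. the
# "source at the other end of your VPN" that needs identifying.
rank_sources_by_dport() {
    port="${1:-445}"
    grep "$LOG_PREFIX" | grep -E "DPT=${port}( |\$)" \
        | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort | uniq -c | sort -rn
}

# Convenience wrapper: the single VPN client with the most hits on that port.
top_source_for_dport() {
    rank_sources_by_dport "$1" | head -n 1 | awk '{print $2}'
}

# Constructed sample log lines (invented client addresses, RFC 5737 ranges for
# the destinations) in the format the LOG rule above produces.
SAMPLE_LOG='Apr 10 12:00:01 vps kernel: VPN-DROP: IN=tun0 OUT=eth0 SRC=10.8.0.6 DST=203.0.113.9 PROTO=TCP SPT=4512 DPT=445 SYN
Apr 10 12:00:01 vps kernel: VPN-DROP: IN=tun0 OUT=eth0 SRC=10.8.0.6 DST=203.0.113.10 PROTO=TCP SPT=4513 DPT=445 SYN
Apr 10 12:00:02 vps kernel: VPN-DROP: IN=tun0 OUT=eth0 SRC=10.8.0.4 DST=198.51.100.7 PROTO=TCP SPT=50211 DPT=25 SYN
Apr 10 12:00:02 vps kernel: VPN-DROP: IN=tun0 OUT=eth0 SRC=10.8.0.6 DST=203.0.113.11 PROTO=TCP SPT=4514 DPT=445 SYN
Apr 10 12:00:03 vps kernel: VPN-DROP: IN=tun0 OUT=eth0 SRC=10.8.0.9 DST=203.0.113.12 PROTO=TCP SPT=3321 DPT=445 SYN'

# Stand-alone run ("sh script.sh demo"): show the rule set, then the ranking
# over the constructed sample. On a real VPS pipe /var/log/kern.log instead.
if [ "${1:-}" = "demo" ]; then
    vpn_egress_rules
    echo "--- VPN clients attempting TCP/445 ---"
    printf '%s\n' "$SAMPLE_LOG" | rank_sources_by_dport 445
fi
```

On the sample, 10.8.0.6 comes out on top with three attempts against TCP/445, which is the client to disconnect and tell to check for Conficker; the one attempt to port 25 from 10.8.0.4 is also blocked by the rule set but is a different kind of traffic and is reported separately by asking for port 25. Placing the chain on FORWARD rather than OUTPUT is deliberate: the VPS's own traffic is unaffected, only what it relays for VPN clients is confined.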
I believe a little more explanation here is required, as to me it looks like you wish to bad-mouth my company in order that we remove the firewall/null routes put in place to protect yourself, our other customers, and the rest of the internet in general.
The following is the chain of events so far:
We received reports every 24 hours from upstream that our customer was spreading Conficker and promptly forwarded these over to the customer. On the third offence, our upstream null-routed the customer's IPs.
We liaised with our customer and upstream in order to place very restrictive firewall rules against their IP address, which would allow access to the VPS for fixing/preventing the issue while the null routes could be removed.
Customer confirmed all was well now, firewall rules removed.
Over the next 72 hours we went through the same scenario again, with both VPS accounts.
Firewall rules are still in place and we are awaiting the OK from customer before removing them, though we have heard nothing.
Sean McRobbie - Specialising in virtualisation since 2005. www.openitc.co.uk - We create, we host, we connect - Fully Managed VPS & Dedicated Hosting
Thank you ServerSean and davidman. I've found out which VPN account was spreading Conficker, with a sniffer tool and log files.
I'm upset because two VPSs went down within a very short time, and I could not SSH in.
So I was unable to figure it out. Only one user was infected, but ALL user accounts (30+) were unable to work.
That's the reason why I posted a thread on WHT for help and sent mail to davidman asking him to send me the user's log files.
Thank you davidman, I cannot lock the infected user without the user's log files,