  1. #1

    Xenvz stopped my 2 VPSs because I spread the Conficker virus?

    Sorry for my English, I'll try my best to express myself...
    Last month I ordered 2 Xen VPSs from Xenvz.co.uk and used them as VPN proxies.

    But a few days ago, xenvz stopped one VPS and stated "This is because it is spreading the Conficker virus."
    I'm a little surprised because there are only 10+ users on this VPS. Most of them use the VPN for visiting YouTube, P2P downloads or gaming. And the Conficker virus can only run on Windows, but all my VPSs are running Debian.
    Maybe someone downloaded something that contains the Conficker virus?

    Anyway, I had to move a few users to the other VPS yesterday.

    But xenvz stopped my other VPS today for the same reason!

    I really do not know whether one of my users is spreading it or there is some other reason, but as far as I know, the Conficker virus has affected thousands of hosts in the past.
    If providers stop a host whenever someone downloads or is affected by Conficker for any reason, I'm afraid thousands of sites would go down.

    Can anyone let me know what I should do now? I need help.

  2. #2
    Join Date: Aug 2008 | Location: Vancouver, Canada | Posts: 650
    One of your VPN users could be spreading the Conficker virus. Try setting up filters to disable the ability for them to spread it.
    Tailored VPS offers fully customizable VPS Hosting
    Powered by OpenVZ | Servers located in the USA | 99.9% Uptime

  3. #3
    Join Date: Jan 2008 | Location: Jax, FL | Posts: 2,707
    Quote Originally Posted by AHN-Jay:
    One of your VPN users could be spreading the Conficker virus. Try setting up filters to disable the ability for them to spread it.
    Yeah, the way it sounds, one of your users is spreading it, as Jay has mentioned, and since they are on a VPN it appears the traffic is going out of your VPS.

    Good luck getting it sorted.

  4. #4
    Join Date: Jun 2009 | Posts: 33
    Although it's causing you some inconvenience, I applaud the action of your host in closing down your VPS because it's spreading the Conficker virus. I just wish every ISP and host would do the same. There are probably more than 10 million infected Windows machines around the world, causing hundreds of millions of dollars worth of damage, and the only way to control the epidemic is to cut off the rogue systems and force the owners to take some responsibility.

    The most likely scenario is that one of your users has an infected Windows PC, which is attempting to infect more PCs by transmitting across your VPN. Those attempts will have a source IP address of your VPS.

    You need to find out which of your users is infected, possibly by monitoring outbound traffic from your VPS and identifying the source at the other end of your VPN.

  5. #5
    Thank you for the reply.
    Can someone recommend a program that can monitor outbound traffic from the VPN and find out which user is spreading the virus?

  6. #6
    Join Date: Jun 2009 | Posts: 33
    iftop is a program that can display connections in real time, and there are others.

    However, you really need to identify the infected user without allowing them to spew more infection attempts across the Net. Perhaps you could consider configuring a firewall (such as iptables) on outbound traffic to restrict VPN users to "legitimate" destination ports, such as port 80 and 443 for Web traffic.

    Or you could simply ask your users to check specifically for Conficker on their PCs.
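    The two suggestions above (outbound filtering in post #6 and finding the infected user from the VPS's own traffic in post #4) combined into one script. This is an added example, not code from the thread or from the host; it assumes an OpenVPN tunnel on tun0 with clients in 10.8.0.0/24, an iptables LOG prefix of "VPN-DROP: ", and constructed sample log lines, all of which are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed setup (placeholders): an OpenVPN
# tunnel on tun0 handing clients addresses in 10.8.0.0/24, forwarded out via
# eth0, and an iptables LOG prefix of "VPN-DROP: ". Adjust to your own VPS.
VPN_IF="tun0"
VPN_NET="10.8.0.0/24"

# Print the outbound policy from the thread: VPN clients may reach only web
# ports (plus DNS); everything else is logged with the client's tunnel address,
# then dropped. Printed rather than applied so it runs without root; pipe to sh
# as root to apply.
print_rules() {
    cat <<EOF
iptables -N VPN_OUT
iptables -A FORWARD -i $VPN_IF -s $VPN_NET -j VPN_OUT
iptables -A VPN_OUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A VPN_OUT -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A VPN_OUT -p udp --dport 53 -j ACCEPT
iptables -A VPN_OUT -m limit --limit 30/min -j LOG --log-prefix "VPN-DROP: "
iptables -A VPN_OUT -j DROP
EOF
}

# Constructed sample of the kernel log lines the LOG target writes to kern.log.
SAMPLE_LOG='Jul 10 01:02:03 vps kernel: VPN-DROP: IN=tun0 OUT=eth0 SRC=10.8.0.6 DST=198.51.100.7 LEN=52 PROTO=TCP SPT=49152 DPT=445 SYN
Jul 10 01:02:03 vps kernel: VPN-DROP: IN=tun0 OUT=eth0 SRC=10.8.0.6 DST=198.51.100.8 LEN=52 PROTO=TCP SPT=49153 DPT=445 SYN
Jul 10 01:02:04 vps kernel: VPN-DROP: IN=tun0 OUT=eth0 SRC=10.8.0.6 DST=198.51.100.8 LEN=52 PROTO=TCP SPT=49154 DPT=445 SYN
Jul 10 01:02:04 vps kernel: VPN-DROP: IN=tun0 OUT=eth0 SRC=10.8.0.6 DST=198.51.100.9 LEN=52 PROTO=TCP SPT=49155 DPT=445 SYN
Jul 10 01:02:05 vps kernel: VPN-DROP: IN=tun0 OUT=eth0 SRC=10.8.0.9 DST=192.0.2.20 LEN=52 PROTO=TCP SPT=51000 DPT=445 SYN
Jul 10 01:02:06 vps kernel: VPN-DROP: IN=tun0 OUT=eth0 SRC=10.8.0.9 DST=192.0.2.21 LEN=52 PROTO=TCP SPT=51001 DPT=25 SYN'

# Conficker propagates over SMB (tcp/445), so count, per VPN client, how many
# DISTINCT hosts it tried to reach on 445. One hit can be a legitimate file
# share; many different hosts in a short window is scanning. Reads log on stdin,
# prints "count client", busiest first.
smb_scan_by_client() {
    grep 'VPN-DROP:' | grep 'PROTO=TCP' | grep -E 'DPT=445([^0-9]|$)' \
      | sed -n 's/.*SRC=\([0-9.]*\).*DST=\([0-9.]*\).*/\1 \2/p' \
      | sort -u | awk '{n[$1]++} END {for (s in n) print n[s], s}' | sort -rn
}

# The tunnel address with the most distinct 445 targets is the client to
# isolate; map it to a user via the VPN server's status or connection log.
suspect_client() {
    smb_scan_by_client | head -n 1 | awk '{print $2}'
}

printf '%s\n' "$SAMPLE_LOG" | smb_scan_by_client
```

On a live system replace the sample with `grep VPN-DROP /var/log/kern.log | smb_scan_by_client`; the LOG rule's rate limit means the counts are a lower bound, which is enough to single out the scanner.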

  7. #7
    Join Date: Apr 2008 | Location: Tulsa, OK, USA | Posts: 372
    You could use Snort to monitor the traffic of your VPN. It looks at the network traffic for things like these.

  8. #8
    Join Date: Feb 2005 | Location: Scotland, UK | Posts: 185
    Hello,

    I believe a little more explanation is required here, as to me it looks like you wish to bad-mouth my company in order that we remove the firewall/null routes put in place to protect yourself, our other customers, and the rest of the internet in general.

    The following is the chain of events so far:

    We received reports every 24 hours from upstream that our customer was spreading Conficker and promptly forwarded these to the customer. On the third offence, our upstream null-routed the customer's IPs.

    We liaised with our customer and upstream in order to place very restrictive firewall rules against their IP address, which would allow access to the VPS for fixing/preventing the issue while the null routes could be removed.

    The customer confirmed all was well, and the firewall rules were removed.

    Over the next 72 hours we went through the same scenario again, with both VPS accounts.

    Firewall rules are still in place and we are awaiting the OK from customer before removing them, though we have heard nothing.
    Sean McRobbie - Specialising in virtualisation since 2005.
    www.openitc.co.uk - We create, we host, we connect - Fully Managed VPS & Dedicated Hosting

  9. #9
    Join Date: Dec 2007 | Location: Scotland | Posts: 176
    Just wanted to add, it's been mainly myself that's dealt with your support emails and as far as I know we're still working through your problem. I had no idea you were as upset as you obviously are.

    We have a responsibility to ensure our services aren't harming other users and if that means we need to block your IP temporarily then we'll do that.

    Your VPS hasn't been stopped, as such, and continues to operate but only your SSH port is working. This is to allow you access to your VPS to manage it as you see fit.

    In your post, you've mentioned some new information that we didn't know of before, and that is that you've moved some users from VPS2 to VPS1, and now VPS1 has been null-routed too.

    It seems like one of those users from VPS2 is the infected/malicious user as VPS1 has been running much longer and without issue until yesterday.

    Also, I think your English is very good and can imagine it's very frustrating not being able to communicate in your native language.

    David Man
    www.openitc.co.uk - We create, we host, we connect - Fully Managed VPS & Dedicated Hosting
    www.direvps.com - When nothing but price matters! - Brutal marketing for a brutal market!

  10. #10
    Join Date: Jun 2009 | Posts: 33
    That's really an excellent response from the hosting company. They are clearly behaving very responsibly in this situation.

  11. #11
    Thank you ServerSean and davidman. I've found out which VPN account was spreading Conficker, with a sniffer tool and log files.

    I'm upset because two VPSs went down within a very short time and could not be reached over SSH.
    So I was unable to figure it out. Only one user was infected, but ALL user accounts (30+) were unable to work.
    That's the reason why I posted a thread on WHT for help and sent mail to davidman asking him to send me the user's log files.
    Thank you davidman, I could not lock out the infected user without the user's log files.

  12. #12
    Join Date: Dec 2007 | Location: Scotland | Posts: 176
    No problem.

    We're glad you're up and running again though.

    David Man
    www.openitc.co.uk - We create, we host, we connect - Fully Managed VPS & Dedicated Hosting
    www.direvps.com - When nothing but price matters! - Brutal marketing for a brutal market!
