
Server hacked email.... but no details?


Rilly
08-21-2010, 02:09 PM
Yes.. it's since been determined that it was because I had IRC connections to the Undernet server - apparently they feel Undernet is not acceptable for their datacentre to be connecting to anymore..

Speedy059
08-21-2010, 09:57 AM
Don't worry about the email, OVH sends a bunch of false-positives for some reason. They claimed our server to be hacked but it never was. Normally if you are hosting a popular IRC server then they will say you are hacked and to reinstall your server. Or, sometimes if you are hosting VPSs there may be a malicious client doing bad things that you can always suspend/terminate and let OVH know. Reinstalling a server should be the last option; basic management of a server can resolve most abuse notices I think.

Rilly
08-18-2010, 02:38 PM
Thanks Niall

Niall
08-18-2010, 12:34 PM
Thanks for the details. Our incident team are dealing with this and may have already been in touch.

Just to clarify, this is not actually a robot. This is a manual check that has been performed.

Rilly
08-17-2010, 12:29 PM
Hi Niall, it's ns304870.ovh.net. Thanks.

I received a response on my ticket indicating that if the robot detects this issue again, I run the risk of an interruption to my server, but... if the robot is only looking for IRC connections, it will happen again. It's an IRC-based business I run. There will be numerous inbound/outbound IRC connections.

Niall
08-17-2010, 10:25 AM
Hi,

Could you confirm server name please and I will look into this.

support@ovh.ie

Thanks,
Niall.

Rilly
08-16-2010, 09:55 PM
I got this email...


***********************************************
Hello,

We have detected a flow of IRC connections to
belonging to your server .ovh.net. These
connections are used to control bots installed on your
server.

Your server has been infected due to an old kernel and/or a
security hole in your system. The procedure allows the
hacker to gain 'root' access to the server. Only a complete
reinstallation of your server will make sure your system is
healthy again.

We have blocked at our routers the sources that can control
the bots and we ask you to reinstall your system within 24
hours. After this period, we will be forced to disable your
server.
**********************************************

Incident ticket [518418] Security Alert.

I've replied, but I would like to know why is it assumed that IRC activity is a hacked server? I run an IRC/shell based service.
Also.. to say it's an old kernel or a security hole.. I'm running the kernel that came with the box (2.6.32.2-xxxx-grs-ipv4-32).. and I keep the updates up to date - just seems inappropriate to say how it was hacked, when it's not even confirmed it's hacked..
Please do not shut the server down without confirming what is a rogue process, or a service I provide to my customers.