Full Version: AUP Violations - Unplugged ????
The Planet Forums > System Administration > General Support Questions
WreckRman2
What does all this mean and how do I fix it so my server can come back online?

-----------------

AUP Violations - Unplugged
Problem Description: 12/24/03 11:12:36 AM
I pulled 66.98.180.16 for an AUP/TOS violation: a denial of service packet flood attack.

source ip 66.98.180.16
destination ip 201.4.236.1
sample of cap

1 2003-12-24 10:22:14.6607 66.98.180.26 -> 64.246.1.58 TCP 3306 > 37218 [ACK] Seq=4066722647 Ack=2004030929 Win=5792 Len=1448
2 2003-12-24 10:22:14.6608 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 6843
3 2003-12-24 10:22:14.6608 66.98.180.26 -> 64.246.1.58 TCP 3306 > 37218 [PSH, ACK] Seq=4066724095 Ack=2004030929 Win=5792 Len=569
4 2003-12-24 10:22:14.6608 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 64149
5 2003-12-24 10:22:14.6608 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 42858
6 2003-12-24 10:22:14.6608 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 41678
7 2003-12-24 10:22:14.6608 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 8630
8 2003-12-24 10:22:14.6608 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 13831
9 2003-12-24 10:22:14.6608 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 14449
10 2003-12-24 10:22:14.6608 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 23310
11 2003-12-24 10:22:14.6608 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 29563
12 2003-12-24 10:22:14.6608 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 63342
13 2003-12-24 10:22:14.6608 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 19316
14 2003-12-24 10:22:14.6608 66.98.180.15 -> 171.75.215.245 TCP 80 > 2611 [ACK] Seq=1131677400 Ack=2039209923 Win=7504 Len=0
15 2003-12-24 10:22:14.6608 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 42626
16 2003-12-24 10:22:14.6608 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 39422
17 2003-12-24 10:22:14.6608 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 54413
18 2003-12-24 10:22:14.6608 139.55.218.242 -> 66.98.180.7 TCP 1034 > 80 [ACK] Seq=126888180 Ack=1681209442 Win=17424 Len=0
19 2003-12-24 10:22:14.6608 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 60170
20 2003-12-24 10:22:14.6608 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 31770
21 2003-12-24 10:22:14.6608 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 42345
22 2003-12-24 10:22:14.6608 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 23420
23 2003-12-24 10:22:14.6608 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 10840
24 2003-12-24 10:22:14.6608 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 845
25 2003-12-24 10:22:14.6608 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 6567
26 2003-12-24 10:22:14.6609 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 58096
27 2003-12-24 10:22:14.6609 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 2432
28 2003-12-24 10:22:14.6609 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 12009
29 2003-12-24 10:22:14.6609 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 11660
30 2003-12-24 10:22:14.6609 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 45272
31 2003-12-24 10:22:14.6609 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 21865
32 2003-12-24 10:22:14.6609 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 43574
33 2003-12-24 10:22:14.6609 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 9162
34 2003-12-24 10:22:14.6609 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 48223
35 2003-12-24 10:22:14.6609 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 27115
36 2003-12-24 10:22:14.6609 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 6853
37 2003-12-24 10:22:14.6609 66.98.180.15 -> 171.75.215.245 HTTP HTTP/1.1 200 OK
38 2003-12-24 10:22:14.6609 69.15.30.139 -> 66.98.180.7 TCP 17055 > 22 [ACK] Seq=2059589946 Ack=3098770208 Win=63680 Len=1460
39 2003-12-24 10:22:14.6609 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 2448
40 2003-12-24 10:22:14.6609 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 53540
41 2003-12-24 10:22:14.6609 66.98.180.15 -> 171.75.215.245 HTTP Continuation
42 2003-12-24 10:22:14.6609 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 6873
43 2003-12-24 10:22:14.6610 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 28738

frame used for mac

Frame 4 (314 on wire, 314 captured)
Arrival Time: Dec 24, 2003 10:22:14.660816000
Time delta from previous packet: 0.000004000 seconds
Time relative to first packet: 0.000017000 seconds
Frame Number: 4
Packet Length: 314 bytes
Capture Length: 314 bytes
Ethernet II
Destination: 00:e0:52:0c:24:da (00:e0:52:0c:24:da)
Source: 00:0c:76:51:f4:08 (00:0c:76:51:f4:08)
mac to ip conversion

Mac address: 000c.7651.f408
IP: 66.98.180.225
IP: 66.98.180.227
IP: 66.98.180.226
IP: 66.98.180.16
IP: 66.98.180.230
Last Updated: 2003-12-23


Date Time Switch Port InPPS OutPPS InMBPS OutMBPS MAC

2003/12/24 10:30:14 66.98.180.245 19 31042.25 14.75 75.4589 0.0101 000c.7651.f408


allen
dc noc
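Added detection example (not from the thread, and not code from The Planet/EV1 or the poster): a Python check that reads Ethereal/tshark-style summary lines like the capture sample in the ticket above and flags the pattern the NOC described, one source, one destination, a fixed UDP source port and a different destination port on nearly every packet within the same millisecond. The sample is an abbreviated copy of the quoted capture lines; the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: an abbreviated copy of the summary lines quoted in the abuse ticket above.
SAMPLE = """\
1 2003-12-24 10:22:14.6607 66.98.180.26 -> 64.246.1.58 TCP 3306 > 37218 [ACK] Seq=4066722647 Ack=2004030929 Win=5792 Len=1448
2 2003-12-24 10:22:14.6608 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 6843
4 2003-12-24 10:22:14.6608 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 64149
5 2003-12-24 10:22:14.6608 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 42858
6 2003-12-24 10:22:14.6608 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 41678
7 2003-12-24 10:22:14.6608 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 8630
8 2003-12-24 10:22:14.6608 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 13831
9 2003-12-24 10:22:14.6608 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 14449
10 2003-12-24 10:22:14.6608 66.98.180.16 -> 201.4.236.1 UDP Source port: 34725 Destination port: 23310
"""

# Frame number, "date time", src, dst, then the UDP port fields; TCP/HTTP lines are skipped.
UDP_LINE = re.compile(
    r"^\d+ (\S+ \S+) (\S+) -> (\S+) UDP Source port: (\d+) Destination port: (\d+)$"
)

def parse_udp(text):
    """Yield (timestamp, src, dst, sport, dport) for each UDP summary line."""
    for line in text.splitlines():
        m = UDP_LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group(2), m.group(3), int(m.group(4)), int(m.group(5))

def find_udp_floods(text, min_packets=8, min_pps=1000.0, min_port_spread=0.8):
    """Flag (src, dst) pairs with many UDP packets at a very high rate whose
    destination port changes on almost every packet (assumed thresholds)."""
    flows = defaultdict(list)
    for ts, src, dst, sport, dport in parse_udp(text):
        flows[(src, dst)].append((ts, sport, dport))
    alerts = {}
    for key, pkts in flows.items():
        n = len(pkts)
        if n < min_packets:
            continue
        span = (pkts[-1][0] - pkts[0][0]).total_seconds()
        pps = n / span if span > 0 else float("inf")  # same capture tick => unbounded rate
        dports = {p[2] for p in pkts}
        if pps >= min_pps and len(dports) / n >= min_port_spread:
            alerts[key] = {"packets": n, "pps": pps, "distinct_dports": len(dports),
                           "source_ports": sorted({p[1] for p in pkts})}
    return alerts
```

On a real capture, feed the output of a summary export (`tshark -r file.pcap`) to `find_udp_floods` and raise the thresholds to match your normal traffic.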
WreckRman2
This is just great... I'm reading other posts with this same issue and hearing that they were forced to do a restore, etc.

My server was up to date on everything! How can someone do an outbound DOS attack? What program would they use? Just how... I have only had this server for a month, I've done everything possible to secure it per all the posts in these forums.


Worst of all I get no email to explain anything. I did get a phone call and my daughter said the lady spoke real fast, said something was unplugged and didn't even leave a call back number.

I called support but they said I had to email abuse, I did, but there aren't any direct phone numbers to them.

What do I do?
WreckRman2
Well after an hour and 28 minutes downtime I am asked for my root password.



12/24/03 12:40:00 PM
Dear Customer,

Please provide us with the current username and password(s) for root access for investigation of outbound attack.

Thank you
DC
WreckRman2
Don't get me wrong here folks... if my server is indeed doing outbound attacks then it should be pulled however it shouldn't take this long to ask for my password or be this hard to get some answers. There should be someone I can call to get some answers.

I've only had this server for a month. I used another provider for the past 4 years and never had a single problem. The same sites are on this server that were on my last one.
WreckRman2
BTW, the IP that is being "attacked" is a dialup user. Who or what would want to attack a dialup user?

IP address: 201.4.236.1
Host name: user.1.236.4.201.dial-ip.telemar.net.br
WreckRman2
3 hours down and still nothing from support... surely they must know something by now.
WreckRman2
This morning I learned my server was unplugged because of AUP violations. They claim it was sending out DOS attacks. Now if it was I understand it being unplugged but it took an hour and 28 minutes for the tech center to ask for my root password. It's been 3 hours down now and still all I get from tech support is that they are still working on it.

I understand EV1 has policies but the response time on this is unacceptable to me and being a customer for only 4 weeks I'm about to start looking elsewhere. I've used another company for 4 years and never had a single issue. I switched to EV1 to get a more powerful system for the same money but I can't afford it if I see multiple hours of downtime with no replies or updates as to why.

I can't manage my unmanaged server if I don't have access to it and my calls to tech support only return a "they are working on it".

Here is a thread I started when I learned of this situation. It has their claims of my server sending out a DOS to a dialup user in Brazil.

http://forum.ev1servers.net/showthread.php...&threadid=38709


All I want is an update... what is being done, when can I expect to see my server back online so I can access it and view things on my own. I don't think this is too much to ask after waiting 3 hours already...

Anyone else been through this?
WreckRman2
Wow, almost instantly after I posted this I got the following reply:

12/24/03 2:52:40 PM
Sorry for the delay.
It looks like demoindy last logged in from BA016198.user.veloxzone.com.br and ran a script in the /tmp directory called dos*.

The script is owned by that user, and the user's bash history has been cleared.

Also the user is running a script called cgi that is listening on port 44464.

We will replug the server if you agree to remove this user and all the users data.

Thank you.

--------------

demoindy is a demo site I set up for users to demo the cPanel in DEMO MODE. This just proves that the cPanel demo that's an option in WHM isn't secure at all. What a shame!
WreckRman2
Problem resolved, please see...

http://forum.ev1servers.net/showthread.php...9958#post239958
WreckRman2
I've got emails saying people have replied to this thread but I only see posts by me! What's up with that?
poolking
QUOTE
Originally posted by WreckRman2
I've got emails saying people have replied to this thread but I only see posts by me! What's up with that?


Are you going to give the EV-1 staff a chance to reply to this thread?
EV1-Curtis
The AUP investigations are the most involved investigations our technicians perform. They have to be certain the event caused by a server will not happen in the future. It takes time to thoroughly investigate a server.

AUP/TOS investigations are normally done in batches. A tech will grab all the tickets from the queue and systematically check each server. If the password on the account does not work, we ask for it. Once it is supplied the ticket is checked in the next batch.
WreckRman2
I see your reply... they don't need to as the problem is resolved.
WreckRman2
Thanks Curtis... it's just really frustrating not being able to do anything myself during this time. I'm glad the problem was somewhat minor this time and that the cPanel demo is already gone.
eth00
Well congrats that you did not need a restore, that's rare. It's also "good" to know that the WHM demo feature is not as secure as it should be. You might want to put in a trouble ticket with cPanel with all of the information you have obtained over the past few hours and with luck they will be able to make it a bit more secure.
PatrickS
Closing after speaking to user