Hello all.
I need your help! Yesterday night, I installed a new VPS from EDIS (bought 5 days ago) to host my news portal there. I moved my portal from the old provider (which worked fine, just a little more load and a bit low I/O that I thought EDIS was better at, so I decided to move) and all seemed fine. Load was normal, speed was average to good. An hour before noon today, I saw that the website was down. When I tried to log in, I found that EDIS had suspended my VPS, with a message in my mail saying:
This is a notification that your service has now been suspended. The details of this suspension are below:

Product/Service: OVZ Basic
Domain: -----
Amount: EUR 5.19
Due Date: 28/12/2013
Suspension Reason: Abuse:C&C

Please contact us as soon as possible to get your service reactivated. Nonpayment will result in deletion of the service and all associated data.
After 2 minutes, I received another mail saying:
Hi, we just received an abuse report concerning your server, please check your configuration. Due to this report, unfortunately we had to suspend your server. Yours sincerely Ismir Saljic
***EDIT*** The title of their second email was "Diverse Malware (laut Spamhaus) in ihrem AS 57169"
I immediately sent them an email (ticket opening in the client area does not function) with this response:
I just moved my site yesterday night. It is a news portal site and nothing else. I didn't abuse anything and you don't give me any details about the reason for the suspended server or what exactly I am abusing. I cannot even open a ticket in the client area! Ticket opening is disabled! I bought this box 5 days ago and used it just yesterday, installing a panel and a Joomla site on my domain. Please inform me about the abuse I did and unsuspend my server as soon as possible, so I can check myself what is going on there (if it is going on...)
Their response:
Hi, this is the log we received for your server.

Time: Tue Dec 3 22:44:25 2013
Source-IP: xxx.xxx.xxx.xxx
ASN: 57169
C&C Server:
Bot-Infection:unknown1895
Destination-IP:
Destination-Port: 25
Local-Port:

Obviously your site is infected. Yours sincerely Ismir Saljic
I responded that:
Excuse me, but what you sent me says nothing! It says Bot-Infection:unknown1895. What is that? What is the abuse? Spamming? The log says nothing. Please give more information and open my server to investigate.
And I received this new mail:
C&C server type of attacks are very dangerous and we have to suspend server with this type of infection. If we don't do that we can face a lot of problems in our network. We're sorry but the only way to get the server back is the reinstallation. Yours sincerely Ismir Saljic
First of all: Shouldn't they give me more information about the bot they say I host? Logs that show that there was an abuse of the server, or proof of the botnet?
Shouldn't they let me, in any way, investigate the cause or the source of the bot / malware or anything? Shouldn't they let me scan my site to find out what happened?
Couldn't they even let me take a backup of the recent update of my site (some news articles I uploaded that my last mid-day auto backup didn't get)? Or even give me the opportunity to log in from a single IP (my home IP) just to do investigation and/or backup?
I scanned my website on my old server (the one that worked till yesterday's move to EDIS) with several services (Sucuri etc.) and it seems clear. No sign of infection at all. The only update to the new (EDIS) server is just a bunch of news articles. No software, no modules, nothing.
I am not familiar with "C&C server type of attacks". Is there a special scanning method that reveals it, further than the usual malware / virus scans? I have to mention that I did secure my new EDIS server (ClamAV, SpamAssassin, CSF+LFD, changed passwords etc.).
I know that for a big company like EDIS with thousands of clients, my complaint here is nothing. But I think they treat me like nothing... A couple of (very) typical answers just to get rid of me without giving me any serious detail or opportunity to fix any problem - if there is one...
Any thoughts from you guys will be welcome!