
Server disabled for 'hacking' - NTP Amplification - Support suggests 'Complete wipe!'

10/02/2016, 01h10
The 'ntp ddos bug' has been resolved for months now (more than a year?!) but would affect you if you are really using old software.
Using old software is dangerous .... and you proved it.

Contact support.
You should have received some sort of FTP read-access to your server to retrieve your data. That is your contractual right.
Trying to manage your server, well, I guess you lost that right.
Just say to yourself: "Now I know why I made these backups every day"

Btw : my ntp service on my server (Debian - up to date - default settings) is running ok.

09/02/2016, 20h24

First time you know of, or the very first time for this server? (The warnings are per server and are never reset unless you cancel it.)

So try to speak with support, we can do nothing for you here.

And in the last case you normally have rescue access, so…

Regards, janus57

09/02/2016, 18h30
Hi janus, nope - This is our FIRST hack warning. (Flagged up yesterday at 3AM, although we had no e-mail....) It's a simple case of disabling NTP so that it will no longer return a response when queried. (In fact, it shouldn't have been turned on anyway).

I want the server online so I can pull EVERYTHING off in its entirety and migrate the machines to my office here, so I can close my account after this latest debacle.
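The fix the thread settles on is stopping ntpd from answering queries from arbitrary hosts. As an added example (not code from the thread or from OVH), the script below audits an ntp.conf for the two settings commonly recommended against NTP amplification: `disable monitor` and `noquery` on the default `restrict` lines. Both sample configs are constructed; an unflagged `restrict default` is assumed to apply to both address families, as current ntpd documents.

```python
# Constructed sample configs, not taken from the thread.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.debian.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.debian.pool.ntp.org iburst
disable monitor
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""


def audit_ntp_conf(text):
    """Return findings explaining why ntpd with this config could be
    abused as an amplifier (answers mode 6/7 queries from any host)."""
    findings = []
    monitor_enabled = True          # ntpd default: monitor on
    defaults = {"IPv4": None, "IPv6": None}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        words = line.split()
        if words[0] == "disable" and "monitor" in words[1:]:
            monitor_enabled = False
        elif words[0] == "enable" and "monitor" in words[1:]:
            monitor_enabled = True
        elif words[0] == "restrict":
            flags = words[1:]
            families = ["IPv4", "IPv6"]       # assumption: unflagged = both
            if flags and flags[0] in ("-4", "-6"):
                families = ["IPv6"] if flags[0] == "-6" else ["IPv4"]
                flags = flags[1:]
            if flags and flags[0] == "default":
                for fam in families:
                    defaults[fam] = set(flags[1:])
    if monitor_enabled:
        findings.append("monitor (monlist) still enabled: add 'disable monitor'")
    for fam, flagset in defaults.items():
        if flagset is None:
            findings.append(f"no 'restrict default' for {fam}: any host may query")
        elif not flagset & {"noquery", "ignore"}:
            findings.append(f"'restrict default' for {fam} lacks noquery")
    return findings
```

A clean result from `audit_ntp_conf` only covers the configuration; the service still has to be restarted (or stopped, as in the ESXi case here) for the change to take effect.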

09/02/2016, 18h03

Is it your second time in "hacking" mode?

If yes, it's normal that support needs you to wipe and start from a fresh install.

1st time: you can activate the server to make the correction.
2nd time: wipe and clean restart.
3rd time: server cancelled and you have 15 days to get your data before the complete loss of the server (breach of the TOS by you).

Cordially, janus57

09/02/2016, 12h54
I just received a notification that my host (Not the virtual machines, the actual ESXi Host) was partaking in an NTP amplification attack.

The NTP Server service should NOT have been running and I have no idea why someone has enabled it, but I am now being told by OVH support that I need to 'wipe and format' my server, which is a technically incompetent answer - The solution is for me to boot my host up into ESXi and disable the NTP service from listening to requests....

Can someone from support please clarify as to why your staff are suggesting I 'wipe and reinstall' all 6 of my VMs and format the host due to an NTP amplification attack, when I simply need to disable a service?!

I'm really not happy with the incorrect response I received and would like it to be escalated further up as this should be a simple configuration fix, not a 'sledgehammer to crack a nut' response!!