
    Quadranet/Crissic suspended VPS for running mysql

    Crissic.net was recently acquired by Quadranet. I have never had any issues with my VPS until a few minutes ago, when my VPS got suspended for running mysql!?!

    I was ssh'd into my server, running the mysql client accessing localhost (where there is also a mysqld running). Again, I've never had an issue pre-acquisition... Does Quadranet now consider "mysql" a "hacking" or "ddos" tool? @dustinc ?

    Thanked by 2josephb GM2015

    Comments

    • From the looks of it they do.

      #1 USA Based Hosting Provider

      Free & Paid Web Hosting | KVM SSD VPS's | Dedicated Servers | Website Design| Managed Service

    • Wow! Surely a configuration mistake of the scripts that trawl for abusive processes.

    • AmitzAmitz Member
      edited August 2015

      MySQL is a very dangerous weapon. Last year, 461 innocent children died due to MySQL attacks. Quadranet did the right thing to pull the trigger on you database bastard! If I were them, then I would also take away httpd from you, just to be on the safe side.

      "Actually, throughout my life, my two greatest assets have been mental stability and being, like, really smart.", Stephen Hawking, 2017. Join the Amitz party here.

    • Could MySQL be bound to port 53 or something similar?

    • THE END IS NEAR. REPENT FELLOW CRISSIC USERS.

      Different.

    • @kcaj said:
      Could MySQL be bound to port 53 or something similar?

      You can bind it to any port if you wanted.

      Their scripts are clearly going by process name though.

      Thanked by 1Jeffrey
    • Hahahahahahahahahahahahahahahahahahaha

      ^ These are the only words I can offer regarding this. And so it begins.

      Thanked by 1coinchat
    • coinchatcoinchat Member
      edited August 2015

      @kcaj said:
      Could MySQL be bound to port 53 or something similar?

      Certainly not, all ports were at defaults.

    • I wasn't scared about Crissic. Now I am.

    • AmitzAmitz Member
      edited August 2015

      I hope you obtained a federal license to run sshd. I have heard that this demonic daemon is mostly used by hackers to gain access to servers. You will get treated like a terrorist if using it without governmental allowance. Your mysqld debacle will seem like kindergarten in comparison! ;-)

    • josephb said: Their scripts are clearly going by process name though.

      You've misunderstood the angle I'm coming from.

      I doubt Crissic's criteria for suspension is just a process named "mysql" as you seem to be implying.

      Could we exercise our brains a little before replying. Thanks.

    • @kcaj said:
      Could we exercise our brains a little before replying. Thanks.

      All brain capacities are focussed on the question whether the new favicon of LET sucks or not. Sorry, no slots left.

    • Just because the process was named 'mysql' doesn't mean it's the mysql process.

      Uptime monitoring for the masses. NodePing

    • @josephb

      www.lowendtalk.com/discussion/comment/1230670/#Comment_1230421

      couch bs couch

    • @NodePing said:
      Just because the process was named 'mysql' doesn't mean it's the mysql process.

      I'm pretty sure their script only goes off process names... unless they started suspending the MariaDB binary...

    • jarjar Provider

      @NodePing said:
      Just because the process was named 'mysql' doesn't mean it's the mysql process.

      Bingo.

    • kcaj said: I doubt Crissic's criteria for suspension is just a process named "mysql" as you seem to be implying.

      Just so you know, former Crissic employees (in #crissic on freenode) are laughing at your comment because that's exactly how their scripts work lol.

    • @coinchat what NodePing is saying is that processes can be created with any name, including one that's called "mysql." For example, something like

      gcc ddos.c -o mysql && ./mysql
      

      People tend to mask malware by naming them legit process names so it's not as suspicious.

    • coinchatcoinchat Member
      edited August 2015

      @black Yeah I know what you mean. Given how the suspension happened minutes after I opened up mysql -u root -p, I'm pretty sure that their rules are suspending processes with the name mysql... including the real MySQL (well, technically MariaDB) client.

      Anyway, the former Crissic employees have known me in #crissic for ages (and they told me to post on LowEndTalk); the suspension system does just look at the process name...

      I'm confident that Quadranet will fix this in due time, but right now my VPS is down and has been suspended for a comically ridiculous automatic rule, and my users can't connect to my site.

    • J1021J1021 Member
      edited August 2015

      coinchat said: Just so you know, former Crissic employees (in #crissic on freenode) are laughing at your comment because that's exactly how their scripts work lol.

      Even IF the script works that way, why would it be looking for "mysql"? You're the only customer reporting a suspension for this, are you the only customer running MySQL? That sounds silly.

      C'mon man, use your brain.

      EDIT: I think this sums up the level of maturity being displayed by any disgruntled staff in #crissic.

      Thanked by 1dustinc
    • coinchat said: but right now my VPS is down and has been suspended for a comically ridiculous automatic rule

      Been there, I feel your pain.

      Thanked by 1coinchat
    • So we've got a new member here, just signed up to let us all know of this bizarre event at Crissic + half a dozen disgruntled ex-staff members in #crissic.

      My money is on this being a disgruntled ex-staff member, knowing how the system works, manipulating a process name to trigger this event and posting the outcome here for a bit of brand damage.

      /thread

    • AmitzAmitz Member
      edited August 2015

      So you think that we have a case of

      Well, seems plausible too.

    • Sigh, looks like I need to go get my popcorn.

    • coinchatcoinchat Member
      edited August 2015

      kcaj said: My money is on this being a disgruntled ex-staff member, knowing how the system works, manipulating a process name to trigger this event and posting the outcome here for a bit of brand damage.

      I'm certainly not "an ex-staff member". You can ask @SkylarM if I am.

      If my VPS being suspended was the work of a disgruntled ex-staff member... then I'm still pissed! I was asked to make a post on LET:

      <*me*> wow WTF
      <*me*> We've detected software running on your VPS that could be used for hacking and DDoS related activity. - Process Name(s) Detected: mysql
      <*me*> crissic VPS just got suspended for runing MYSQL
      <*me*> WTF.
      <esde> wow
      <Sollidius> o_O
      <Sollidius> O_o
      <esde> That is something
      <Sollidius> open a ticket *me*. But also post it on LET
      <Sollidius> heh
      * esde pops some popcorn
      <esde> don't forget to share the link in here
      <*me*> Sollidius, i responded to the automatic [email protected]
      <*me*> still cant believe it
      <esde> i only believe it because you've never given me reason to not believe you
      <esde> but otherwise it's incredible
      <*me*> Sollidius, what section should I post it in LET? general?
      <Sollidius> dunno, i never post on LET :p
      <esde> Providers, i guess
      <*me*> Sollidius, esde: http://www.lowendtalk.com/discussion/61360/quadranet-crissic-suspended-vps-for-running-mysql#latest
      <esde> That is so fucked up of them
      <esde> now they're alienating the remaining crissic clients, classy

    • TrafficTraffic Member
      edited August 2015

      kcaj said: My money is on this being a disgruntled ex-staff member, knowing how the system works, manipulating a process name to trigger this event and posting the outcome here for a bit of brand damage.

      Stop making things up.

      I know for a fact this is a real client. PM'd him though so he can hide it better.

      Thanked by 10xdragon

      vrtz.net Cheap VPS Servers Offers - now with EXCLUSIVE offers! (all links are aff links)
      $12/year HostUS Deal (768MB RAM+768MB vSwap)$11.29/year GestionDBI Deal (768MB RAM)

    • Maybe they don't want to work with Crissic clients and want to suspend all of them for some randomly generated reason. Already waiting for my VPS with them being suspended as well for being idle because of "senseless energy consumption". :)

      Thanked by 1geekalot

      ¦ x64Dash ¦

    • Traffic said: Stop making things up.

      I know for a fact this is a real client. PM'd him though so he can hide it better.

      And who the fsck are you? I'm just posting an opinion, on the internet. I haven't claimed anything to be "fact" like you have.

      • Can we be assured you're a trustworthy character?
      • Can we trust you're not stupid enough to be fooled by this individual?
    • WilliamWilliam Member, Provider
      edited August 2015

      nexusrain said: Maybe they don't want to work with Crissic clients and want to suspend all of them for some randomly generated reason. Already waiting for my VPS with them being suspended as well for being idle because of "senseless energy consumption". :)

      Can you run this and see if it gets suspended?

      yum/apt-get install screen

      cp $(which screen) /usr/sbin/mysql

      /usr/sbin/mysql -S test

      Thanked by 1Catalin
    • kcaj said: And who the fsck are you? I'm just posting an opinion, on the internet. I haven't claimed anything to be "fact" like you have.

      GTFO script kiddie.

      Thanked by 10xdragon


    • nexusrainnexusrain Member
      edited August 2015

      @William said:

      I'll do and report. :p

      Edit:

      cp $(which screen) /usr/sbin/mysql

      What's this?

      Edit 2:

      Well, it does nothing other than clear the terminal, but I have not been suspended so far. They must have missed it.


    • coinchatcoinchat Member
      edited August 2015

      Resolved, VPS is back up.

      Hello,

      I sincerely apologize for your VPS being suspended for running MySQL. I have added global exceptions for "mysql" and "mysqld" so no client will trigger it based on that ever again. The VPS is now unsuspended.

      I'm not sure what happened, unintended rule, intended rule, bug in script, drunk sysadmin ex-employee tampering, unlucky cosmic ray flip? Anyways, I guess I'll give the benefit of doubt this time...

    • WilliamWilliam Member, Provider

      nexusrain said: What's this?

      It copies the screen binary to a new file named "mysql" and the later command runs an empty screen session named "test" so "mysql*" shows up in the ps aux of the hostnode, thereby triggering the nodewatch script.

    • Just wondering, how do they detect it? Spying on users?

      Never got VPS suspended by provider for several years.. Only if not paid at the time :)

      Yes, I can boogie

    • fitvpn said: Just wondering, how do they detect it? Spying on users?

      Never got VPS suspended by provider for several years.. Only if not paid at the time :)

      Because it's OpenVZ, they can look at processes and whatever they want. You can login as root in your VM with a simple command.



      Some hosts run software like nodewatch that detects abuse and such.

      Thanked by 1netomx
    • marlmarl Member

      they could have just let us know that they want us gone.

    • nexusrainnexusrain Member
      edited August 2015

      @William said:

      Alright, found out what it does when I played around with it. So you just have shown me how to make any script / binary look like something legit in the processes list. :p Nah, no real use for that.

      But is Nodewatch really being triggered when it detects such an attempt to hide the real process name?


    • WilliamWilliam Member, Provider
      edited August 2015

      nexusrain said: But is Nodewatch really being triggered when it detects such an attempt to hide the real process name?

      That was not the intention - The intention was to have something named "mysql*" to see if it suspends the VPS - I just picked screen as it runs indefinitely in background and you can simply detach from it, plus without anything running it is not resource intensive.

      Nodewatch does not check if a proc was renamed (which is impossible anyway), it just compares "ps fauxww" to a list of banned procs.
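
Added example, not part of the thread and not Nodewatch's code: the post above says the watcher compares `ps fauxww` output to a list of names. The sketch below contrasts that with checking the executable behind the name; `WATCHED`, the verdict strings and the known-good digest list are assumptions, and the files are constructed stand-ins.

```python
import hashlib
import os
import shutil
import tempfile

WATCHED = {"mysql", "mysqld"}  # the two names mentioned in the thread

def sha256_file(path):
    """Hash an executable in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def name_only_verdict(comm):
    """Name matching as described in the thread: the name alone decides."""
    return "flag" if comm in WATCHED else "ignore"

def verified_verdict(comm, exe_path, known_good):
    """Check the binary behind a watched name against known-good digests (assumed list)."""
    if comm not in WATCHED:
        return "ignore"
    try:
        digest = sha256_file(exe_path)
    except OSError:
        return "review"  # binary unreadable or deleted: a human looks, no auto-suspend
    return "ignore" if digest in known_good.get(comm, set()) else "review"

def live_process(pid):
    """Linux only: name from /proc, plus a path that opens the running binary itself."""
    with open(f"/proc/{pid}/comm") as f:
        return f.read().strip(), f"/proc/{pid}/exe"

def write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed stand-ins: a packaged client and another program copied to 'mysql'."""
    d = tempfile.mkdtemp()
    real, other, copy = (os.path.join(d, p) for p in ("pkg/mysql", "bin/screen", "tmp/mysql"))
    write(real, b"constructed: packaged mysql client")
    write(other, b"constructed: unrelated program")
    os.makedirs(os.path.dirname(copy))
    shutil.copy(other, copy)  # mirrors the cp-to-mysql test posted in the thread
    known_good = {"mysql": {sha256_file(real)}}
    rows = [("mysql", real), ("mysql", copy), ("sshd", other)]
    return [(name_only_verdict(c), verified_verdict(c, p, known_good)) for c, p in rows]
```

`demo()` returns one `(name-only, verified)` pair per row: the genuine client is flagged by name alone but cleared once its digest is checked, while the copied binary is sent for review instead of passing as MySQL.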

    • black said: black

      A couple of times I got providers logging into my VPS without my permission; I just cancel with them the next month.

      Thanked by 1vimalware


    • nexusrainnexusrain Member
      edited August 2015

      @William said:

      Alright, so obviously they have fixed it now or OP ran something else than MySQL.

      Edit: And why does the quoting with @[user] work this badly in the last few days for me. So many answering and quoting me without @..


    • perennateperennate Member, Provider

      nexusrain said: Alright, so obviously they have fixed it now or OP ran something else than MySQL.

      I think what @kcaj said is more likely (they aren't just going off the process names)?

    • Woops

      Crissic in crisis condition

      CEO of PT. Rokok Kopi Internet Tidur Tbk.

    • @perennate said:
      I think what kcaj said is more likely (they aren't just going off the process names)?

      Alright, addition: or OP did whatever / faked the whole email to harm Crissic's reputation. Would be pretty nasty.


    • samblingsambling Member
      edited August 2015

      Quadranet / Crissic wrongly suspended me. A quick ticket and I got, basically instantly, a very friendly reply and the issue was resolved. I'm very impressed by the support quality at the new Crissic. I only wish the migration notification had been a bit further out from the actual migration.

      https://o0.nz - A free and fast image host. Powered by a Bunny and a Pony!

    • @nexusrain said:
      Edit: And why does the quoting with @[user] work this badly in the last few days for me. So many answering and quoting me without @..

      Because Vanillaforums sucks.

      Thanked by 1Dillybob

      Favourite host in general: Ramnode (affiliate link)
      Favourite host for hourly billing/custom ISOs: Vultr ($50 free credit for new accounts, affiliate link)

    • getvpsgetvps Member
      edited August 2015

      "Process name detected: mysql" , single thing which sucks is abuse message template here.. they can tell you what evil connections you made, maybe a copy of binary to understand if someone hacked you and spoffed process name.. and i can not understand why they not automatically delete evil files if they scans your vps..

      Thanked by 2MikePT netomx
    • @getvps said:
      spoffed process name

      What is "spoffing"? I only know spoofing.


    • Any updates on this? Crissic should've responded by now.

    This discussion has been closed.