LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 08-01-2015, 09:45 AM   #1
rblampain
Senior Member
 
Registered: Aug 2004
Location: Western Australia
Distribution: Debian 11
Posts: 1,288

vps hosting problems


I have a couple of sites (mysite.org and mysite.net) hosted by "Virpus" as VPS. Virpus seems to have a bad reputation, which did not worry me because these sites are still unused. They were first hosted by a "reputable" company, I think their name was "networksolutions", that used them for advertising, something I found completely disgusting when I discovered it. As long as my sites are not used for advertising, I am happy.

Lately, I was notified that "Virpus" was taken over by another company and a few weeks ago, I received an email complaint from them saying that one of my sites was attacking their system, today I received an email notification that I successfully logged on on the 29/7/2015 which I never did, I appreciate the warning very much but the sites are not used and I am, in theory, the only one having access to them since they are "password-protected".

I have a number of questions:

Do I need to do anything regarding the complaint or the warning? (Following the attack complaint, I have advised them the sites are unused and password-protected and they are free to do whatever they see fit to find and eradicate the attacker, including wiping out any content.)

Is it possible that anybody has got control over my sites? (OS installed on these VPS is Debian 5 - server only)

Is it likely these problems are due to their own lack of experience?

I do not care much if "Virpus" or its new owner undertake any drastic action, like disabling the site, as long as I can easily change to another host when I am ready to expose these sites to the world sometimes early 2016, can I assume I am safe to leave the sites with them and can I easily transfer the sites to a more secure hosting company in due time? How long does that take?

On the assumption Virpus is unreliable (bad reviews for many years) should I consider moving my sites to a more reliable host before opening them to the world?

When I transfer the sites to another hosting company, is it possible to transfer just the domain names and have a fresh start?

Virpus is cheap at less than or around $US100 per year for each VPS, what should I expect to pay for a decent VPS provider for starting on low traffic? Any example?

How can I select a reputable hosting company with which I can start small (with a VPS) and gradually grow to a dedicated hosted server?

Any advice or tip most welcome.

Thank you for your help.
 
Old 08-01-2015, 11:57 AM   #2
mralk3
Slackware Contributor
 
Registered: May 2015
Distribution: Slackware
Posts: 1,900

If you have systems on the web that you are not updating, that happen to be running public facing services, it is your job to keep those systems secured. It is very likely that those systems were compromised because they were not updated regularly. Leaving a public facing server unattended for long periods of time is irresponsible and is the reason why we have problems like botnets. Whether these web sites are being used or not, it makes no matter. It is not your VPS or dedicated host's job to secure your systems. If you are looking for a host that will secure your system for you, then go with managed web hosting instead.

You cannot blame your web hosting provider for your lack of effort in administering those systems. If for some reason you did update those systems and they were still compromised, it is another issue, likely a system misconfiguration on your behalf as well.

As far as VPS hosts go, I would recommend Linode or Digital Ocean. Both companies have similar hosting plans. I found Linode to have better support, security and web panel. Digital Ocean is convenient and easily accessible to developers. Remember though, cheaper isn't better when it comes to VPS or dedicated hosting.

There are many other VPS hosts out there, but those are the hosts with which I have had the most success and the best customer service experience.
 
Old 08-01-2015, 08:49 PM   #3
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Also, it is imperative (IMHO) that you do not use "Plesk" or any similar web-based computer management system. These are effortlessly compromised.

I'm quite sure that your VPS has been "beheaded," and that you will be reinstalling it from scratch.
 
Old 08-02-2015, 07:12 AM   #4
rblampain
Senior Member
 
Registered: Aug 2004
Location: Western Australia
Distribution: Debian 11
Posts: 1,288

Original Poster
The terms "botnet" and "beheaded" are new to me. I had a look on the Internet to find what they meant. Given the set up of these hosted sites, a botnet seems very unlikely to me, but my experience in this field is practically nil; could an attacker make use of a strict server and nothing else? I also found the definition of "beheading" a computer is removing the screen, keyboard etc.; obviously it has a different meaning in sundialsvcs' answer. Is a password-protected, unused site that only has a server OS (Debian 5/Apache) on it considered "a system on the web .. running public facing services"?

You may be surprised by these questions but my main aim was to stop the hosting company I mentioned above to advertise on these sites and so far, I have not been concerned about what is happening to whatever is on these sites, however, if someone is able to use any of them to make a nuisance of themselves, I want to be a good citizen and stop that also, please give me a hint or a link to visit on what I can do till the sites are used and maintained properly by someone more experienced than myself.

Thank you both for the good suggestions.

 
Old 08-02-2015, 07:48 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by rblampain
The terms "botnet" and "beheaded" are new to me,
The confusion stems from sundialsvcs' misuse of the term as "beheaded" isn't a term used on LQ in relation to typical Linux security problems. All the more confusing since he regularly crusades against misuse of terminology like here...


Quote:
Originally Posted by rblampain
I had a look on the Internet to find what that meant, given the set up of these hosted sites, a botnet seems very unlikely to me but my experience in this field is practically nil, could an attacker make use of a strict server and nothing else?
Since your experience is practically nil it would be better to not make any assumptions until you have actually (gained minimal knowledge and) investigated the matter. Check your Linux distribution's basic user, admin and security documentation. For starters check which accounts and services are (publicly) accessible, check the login records and system and daemon logs. Use Logwatch on system and daemon logs (+archived logs!) for potential quick wins. Post actual tool output / log excerpts / reporting if unsure.



Quote:
Originally Posted by rblampain
You may be surprised by these questions but my main aim was to stop the hosting company I mentioned above to advertise on these sites and so far, I have not been concerned about what is happening to whatever is on these sites, however, if someone is able to use any of them to make a nuisance of themselves, I want to be a good citizen and stop that also, please give me a hint or a link to visit on what I can do till the sites are used and maintained properly by someone more experienced than myself.
Indeed your priorities should not be with trivial "nuisances" (when compared to security probs) like advertising but being a good netizen. The best way to avoid problems is to harden, regularly update and audit the server completely (or making it completely inaccessible to all until fixed or better: removing the offending software and sites).
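The two checks recommended above ("which services are publicly accessible" and "check the login records") are easy to script. The following is an added example, not part of any post in this thread; the `ss` and `auth.log` samples it processes are constructed inline so it runs offline, and on a real Debian host you would pipe the live output of `ss -tlnp` (or `netstat -tlnp` on Debian 5) and the contents of `/var/log/auth.log*` into the same functions. Hostnames, PIDs and addresses in the samples are made up.

```shell
#!/bin/sh
# Added example (not from the thread): first-pass triage of what is reachable
# from the Internet and who actually logged in over SSH. Runs over CONSTRUCTED
# sample data; on a live host use:
#   ss -tlnp | public_listeners           # netstat -tlnp on older Debian
#   cat /var/log/auth.log* | accepted_logins
#   cat /var/log/auth.log* | failed_by_source

# Constructed sample of `ss -tlnp` output for a small Debian VPS.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=612,fd=3))
LISTEN 0      128    127.0.0.1:25       0.0.0.0:*         users:(("exim4",pid=701,fd=4))
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*         users:(("apache2",pid=845,fd=5))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=612,fd=4))'

# Constructed sample auth.log lines (sshd on Debian logs to /var/log/auth.log).
SAMPLE_AUTH='Jul 29 03:12:44 vps sshd[4011]: Failed password for root from 198.51.100.23 port 40122 ssh2
Jul 29 03:12:51 vps sshd[4011]: Failed password for root from 198.51.100.23 port 40122 ssh2
Jul 29 03:13:02 vps sshd[4015]: Accepted password for root from 198.51.100.23 port 40130 ssh2
Jul 30 21:40:10 vps sshd[5120]: Accepted publickey for admin from 203.0.113.9 port 52011 ssh2
Jul 30 21:40:10 vps sshd[5120]: pam_unix(sshd:session): session opened for user admin by (uid=0)'

# Print "port process" for every TCP listener bound to a wildcard address,
# i.e. reachable from outside. Loopback-only services (127.0.0.1) are skipped,
# and the IPv4/IPv6 pair of one daemon is reported once.
public_listeners() {
    awk '$1 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") {
                proc = $6
                sub(/^users:\(\("/, "", proc); sub(/".*/, "", proc)
                key = port " " proc
                if (!(key in seen)) { seen[key] = 1; print key }
            }
        }'
}

# Print "month day time user from source-ip" for every successful SSH login:
# the lines to compare against the logins you know you made yourself.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / { print $1, $2, $3, $9, "from", $11 }'
}

# Count failed password attempts per source address, a cheap brute-force signal.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ { n[$11]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

echo "Public listeners:";  printf '%s\n' "$SAMPLE_SS"   | public_listeners
echo "Accepted logins:";   printf '%s\n' "$SAMPLE_AUTH" | accepted_logins
echo "Failed by source:";  printf '%s\n' "$SAMPLE_AUTH" | failed_by_source
```

In the constructed sample, the only accepted root login comes from the same address that was failing passwords seconds earlier, which is exactly the pattern a "you successfully logged on" notice you do not recognise should make you look for. Logwatch (`apt-get install logwatch`) produces the same kind of summary across all daemons automatically.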
 
Old 08-03-2015, 03:24 AM   #6
rblampain
Senior Member
 
Registered: Aug 2004
Location: Western Australia
Distribution: Debian 11
Posts: 1,288

Original Poster
To unSpawn: linuxquestions should have the following question: "Did you find this post helpful? Yes / No". I would have clicked "no".
I stated "till the sites are used and maintained properly by someone more experienced than myself", which should let you understand I do not intend to get experience on a complicated subject, but you are telling me to get experience and you are telling me inexperienced people are not welcome by highlighting all the things I should, in your view, learn BEFORE even posting.

You may not see the problems created by advertising but there are people who do. You wrote "your priorities should not be with trivial "nuisances" (when compared to security probs) like advertising", and your priorities may be about "netizen", but there are people who also want to be a good citizen, and advertising on one's site without the owner's permission is a basic security netizen like you fail to understand. If you want security, you must start at the very beginning; saying "I will tolerate this but I will not tolerate that" will never work, and I personally find it disgraceful that internet software developers are allowing big business to exploit society at my expense.

It seems, in your view, computer security is much more important than the damages created by advertising, the reality is the other way but, of course, you need to realize that computers are not everything there is in life.

Your answer appears to ignore my explanation that I have nothing on those password-protected sites but a Debian 5 server software, my question regarding a quick fix to the possibility that someone else has gained access to one of my sites and uses it for malware remains a valid question, nobody including yourself has said "there is no quick fix" and I am sure there is one even if it is not elegant, even if it consists of removing everything since I intend to insure nobody is able to use my sites for advertising.

However, in all your explanations, which may be very useful for an experienced security person but broadly meaningless to me, you say "or making it completely inaccessible to all". Does "inaccessible to all" mean including myself? If not, this could be what I have been wanting all the time; what should I look at to accomplish that, securely?

Lastly, it seems to me there are times when a moderator needs to be moderated.

Last edited by rblampain; 08-03-2015 at 04:26 AM.
 
Old 08-03-2015, 05:25 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

As there are apparent sensitivities at play I'll forego responding and refer to the responsibilities mralk3 clearly outlined...


Quote:
Originally Posted by rblampain
Lastly, it seems to me there are times when a moderator needs to be moderated.
Rest assured that any LQ Rule violations, netiquette or other problems you report will be dealt with. Not by me, as I'm participating as LQ member in this thread, but by one of my fellow moderators. Do feel free to report my post.
 
Old 08-03-2015, 06:20 AM   #8
mralk3
Slackware Contributor
 
Registered: May 2015
Distribution: Slackware
Posts: 1,900

unSpawn doesn't have any ill will towards you. All of the replies to this thread were honest and respectful. You have responded by becoming defensive.

When you ask for advice you really shouldn't take offense when you receive that advice. Especially when others have gone out of their way to use their own free time to respond. It's just plain rude. We aren't here to serve you. We are here to help you.

All of the provided advice is common practice for IT professionals.

We are just trying to help you and steer you in the right direction.
 
Old 08-03-2015, 10:38 AM   #9
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Quote:
Originally Posted by unSpawn
The confusion stems from sundialsvcs' misuse of the term as "beheaded" isn't a term used on LQ in relation to typical Linux security problems. All the more confusing since he regularly crusades against misuse of terminology like here...
Aye, mea culpa.

I do tend to use the first word that comes to mind. However, I have also actually seen "a chicken with his head cut off," and maybe that's where the simile came from.

Now, sit back and read the rest of unSpawn's excellent post, about fifteen or twenty times will do, and don't you dare let yourself "take offense" about it. He has twenty-eight thousand posts here. If you took offense, then you misunderstood.

Last edited by sundialsvcs; 08-03-2015 at 10:43 AM.
 
Old 08-04-2015, 04:53 AM   #10
rblampain
Senior Member
 
Registered: Aug 2004
Location: Western Australia
Distribution: Debian 11
Posts: 1,288

Original Poster
Let's go on the assumption I have been too sensitive although you find it normal to express your own sensitivities as "volunteer teachers" for whom it is unethical to give a solution, so we all have expressed our sensitivities.

-These sites have a server OS with a server (Apache) which is not activated (Apache is not configured and it is not running).
-There is no service enabled.
-There is no content.
-There will be no log of any kind to inspect.

-One of these sites is assumed as having been compromised but, if it has been compromised it is, in my view, completely irrelevant, checking logs and so on, if there was any, as suggested by one and supported by others as a course of action to follow, would be a matter of satisfying one's curiosity and would achieve nothing else.

-All I can do (as I learned) is assume the sites are compromisable; if any log were showing nothing, it does not mean the sites could not be compromised.

-Remember, as explained above, resolving that undesirable possible situation is of no benefit to me. It would only benefit the hosting company who claimed one of my sites has been "attacking their system" (which, if I understand correctly, is their responsibility according to one answer, "it is your job to keep those systems secured": in the circumstances, the hosting company's job to keep their system secured) and, hypothetically, internet users who could hypothetically suffer from the same malware situation.

-Again, what is on these sites is only there as a place-holder, like putting something on a chair to prevent anybody sitting on it, like pretending the sites are doing something, and I even assumed, according to the bad reviews I read, this hosting company was very likely to mangle any content, at some time and in some way, which I did not care if they did.

-I cannot afford and I have no intention to learn what it is suggested I learn because it is far too much for what needs to be accomplished to be a good "netizen" and as far as my own interest is concerned, I can easily forget about the whole thing without any bad consequences, someone experienced (to be found in due time) will have the job of making the sites secure and I have other things to do.

-The fact remains, I do not ask for a solution. As suggested above, it is suggested I can only be steered in the right direction, which is not happening; there has not been any steering following the suggestion "or making it completely inaccessible to all", in which I showed interest and which would be the only thing I am prepared to investigate and learn.

I have the feeling professionals like yourselves are reluctant to consider the unprofessional situation I present which is fine with me but then the learning advices are misplaced and give my question a false direction.

When I ask a question, my philosophy is it is perfectly normal not to get an answer even if some of the readers know of one. If there is no answer after a few days, I consider it is the end of it and never try to insist, or whatever answer I get must satisfy me even if it does not solve the problem, which happens regularly. So do not think I am trying to be "served" as suggested above; I do not think there is in any of my questions any ground for that conclusion.

All the work I do is also unpaid but I do not try to cover myself with the volunteer shield because there is a fact you all must know: there is no genuine volunteering action. If we do it, it is for ourselves because it makes us happy to do it; in other words it is a form of selfishness. Do not raise the altruism mantra, you are only fooling yourself.
 
Old 08-04-2015, 08:08 AM   #11
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Quote:
Originally Posted by rblampain
These sites have a server OS with a server (Apache) which is not activated (Apache is not configured and it is not running).
-There is no service enabled.
-There is no content.
-There will be no log of any kind to inspect.
If not apache, what makes this a 'site'?
We need a perspective of word 'site' in context, if not apache.

Thanks!
 
Old 08-04-2015, 08:12 AM   #12
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Quote:
Originally Posted by rblampain
the hosting company's job to keep their system secured) and hypothetically, internet users who could hypothetically suffer from the same malware situation.
I and most contracts disagree here.
They gave it to you secured, it wasn't until after delivery that it became insecure. It is the Responsibility of the principal account holder to maintain a secure environment.
If I buy a car and never take it to the shop, can I sue Ford for failing to 'secure' my brakes? Hell No.
 
Old 08-04-2015, 08:17 AM   #13
rblampain
Senior Member
 
Registered: Aug 2004
Location: Western Australia
Distribution: Debian 11
Posts: 1,288

Original Poster
We are running in circles.

Last edited by rblampain; 08-04-2015 at 08:20 AM.
 
Old 08-04-2015, 08:57 AM   #14
mralk3
Slackware Contributor
 
Registered: May 2015
Distribution: Slackware
Posts: 1,900

The advertising is added as a default page to the domain name which is aggregated by your domain registrar. If your domain name (mysite.org) has advertising on it, that means your domain is parked. Just about every web hosting provider will put advertisements on a parked domain. If you really want to remove the advertising, you need to point your domain(s) at your VPS and configure Apache (on your VPS) with a place holder site, and start Apache. There is no other way to go about avoiding this type of advertising. So again, it is your job to manage your domain name(s), any servers, and any such sites for which you have purchased services!

You cannot blame your web host for your lack of knowledge or lack of effort. Sure, some web hosts have bad reviews. Bad reviews do not change how secure the shipped operating systems are that are installed on hosted servers. Bad reviews only pertain to things like:
  • Customer service (mostly this)
  • Cost of hosting plans (and mostly this)
  • Speed of processors
  • Speed of network connection
If you read a review somewhere that a particular hosting company is less secure than another, fine. Usually this is a result of unskilled, unprofessional individuals who want to blame their lack of knowledge or skill on their web hosting company. All hosting companies use similar software to provide VPS hosting (Xen, OpenVZ, KVM, etc).

The whole point of my responses to your questions was not to address how bad your web host is. I am concerned that your server is hosting malware, is part of a botnet and that you are doing nothing to fix it. Maybe it is all a misunderstanding. Maybe you have secured your system and you know how to do so in your sleep. I apologize if I am mistaken in regards to your intent and skill set. However, if you do not know how to do so, it is highly unethical to leave a compromised system online. Especially if you have been notified by your hosting provider that your system could potentially be hacked. You are causing harm to others at such a point.

All you really need to do is very simple and should take 10-20 minutes:
  1. Log onto your hosting web panel
  2. Back up anything important (if there is anything)
  3. Reinstall the VPS operating system
  4. Update the system
  5. Create a web site place holder with Apache
  6. Create a cron job that automatically updates your system

Last edited by mralk3; 08-04-2015 at 08:59 AM.
 
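Steps 4 to 6 of the list above (update, Apache place holder, automatic update job) can be scripted once the VPS has been reinstalled, and the same script is a natural place for the "make it completely inaccessible to all" lock-down asked about earlier in the thread, as a default-deny firewall that admits SSH from one administrator address only. The following is an added example, not code from any post here: the docroot `/var/www/html`, the cron schedule, the rules file path `/etc/iptables.rules` and the placeholder address `203.0.113.10` are all assumptions. It writes under `$PREFIX` so it can be dry-run as an ordinary user; on the freshly reinstalled VPS you would run it as root with `PREFIX=/`.

```shell
#!/bin/sh
# Added example (not from the thread): stage the post-reinstall configuration.
# Dry run:      sh rebuild.sh                      (writes under ./stage)
# Live, as root: PREFIX=/ ADMIN_IP=<your IP> sh rebuild.sh
set -e
PREFIX=${PREFIX:-./stage}
DOCROOT=${DOCROOT:-/var/www/html}      # Debian default docroot (assumption)
ADMIN_IP=${ADMIN_IP:-203.0.113.10}     # PLACEHOLDER: your own static address

# Step 4: update the system. Only touches apt when really root on a live host.
update_system() {
    [ "$PREFIX" = "/" ] && [ "$(id -u)" -eq 0 ] || { echo "dry run: skipping apt-get"; return 0; }
    apt-get update && apt-get -y upgrade
}

# Step 5: a static placeholder page. With your domain pointed at the VPS this
# replaces the registrar's parking ads, and static HTML exposes no code to attack.
make_placeholder() {
    mkdir -p "$PREFIX$DOCROOT"
    cat > "$PREFIX$DOCROOT/index.html" <<'EOF'
<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Coming soon</title></head>
<body><p>This site is not yet open.</p></body></html>
EOF
}

# Step 6: a cron.d job that pulls updates nightly (03:17). The Debian package
# unattended-upgrades does this more carefully; a plain cron job is what the
# post asks for and needs nothing installed.
make_update_cron() {
    mkdir -p "$PREFIX/etc/cron.d"
    cat > "$PREFIX/etc/cron.d/auto-upgrade" <<'EOF'
# m h dom mon dow user command
17 3 * * * root apt-get -qq update && apt-get -qq -y upgrade >> /var/log/auto-upgrade.log 2>&1
EOF
    chmod 644 "$PREFIX/etc/cron.d/auto-upgrade"
}

# Lock-down: drop all inbound traffic except loopback, replies to our own
# connections, ping, SSH from ADMIN_IP and HTTP for the placeholder.
# Apply with:  iptables-restore < /etc/iptables.rules
make_firewall_rules() {
    mkdir -p "$PREFIX/etc"
    cat > "$PREFIX/etc/iptables.rules" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp -s $ADMIN_IP --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

main() {
    update_system
    make_placeholder
    make_update_cron
    make_firewall_rules
    echo "staged under $PREFIX"
}
main
```

Check `ADMIN_IP` twice before applying the rules file: with the INPUT policy at DROP, a wrong address locks you out as well, and the hosting panel's console becomes the only way back in. Dropping the HTTP rule as well makes the box "inaccessible to all" except the administrator, which is the state asked about earlier in the thread.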
Old 08-05-2015, 02:42 AM   #15
rblampain
Senior Member
 
Registered: Aug 2004
Location: Western Australia
Distribution: Debian 11
Posts: 1,288

Original Poster
Thank you mralk3 for the very good explanations and instructions.
I got into it straight away and I thought I would first check the complaint of the hosting company in order to learn something, but I need to make it very clear what I am asking now has nothing to do with the need to make my systems secure, it has to do with my lack of understanding of what the hosting company is doing, it may all be correct in which case I may not need to change to another hosting company later or it may be messy in which case I may need to do so. Nobody is under any pressure to answer, if there is an answer it is a bonus and the answer can be as short as: "It is/is not correct".

They had a similar complaint in 2012 (which I probably had forgotten or was never issued) about one of my sites attacking their systems but, on close inspection, the IP address they mentioned is not one of those associated with any of my sites: if one of my sites used 12.105.34.45 (the second number being true), they mentioned 12.115.34.45, and that part of the log seems to have been followed by an internal comment "Disregard". It looks as if some human work had been done, inserting a human mistake.

In their recent complaint, they mention a correct IP number in a number of sentences but then, they say if more attempts are made (which apparently did not happen), they will block a range of IPs that have nothing to do with any of my sites as only the 2 first numbers correspond to the alleged attacking site.

Quote:
"We expect you to take the necessary steps to avoid recurrence. If the number of abuse incidents is too high, will block all traffic from/to 12.34.48.0/20."
(The 2 last numbers 48.0/20 being taken from their message.)

The hosting company has given a status "Close" to the complaint and the log they mention is given a link:
Code:
Logfiles: https://www.blocklist.de/en/logs.html?rid=694716161&ip=xxx.xxx.xxx.xxx
(xxx.xxx.xxx.xxx being the ip number)
but this link says "no data" when clicked.

There is an option to "see which machine is behind" my IP and this is the result:

Code:
IP-Address:	198.175.127.102         History and Attacks
Host:	 198.175.127.102
AS-Network:	 VIRPUS - DNSSLAVE.COM
AS-Nr:	32875
Service:	 mail
Last attack:	 04.08.2015 06:37:47 (on Penfold)
Attacks count:	 4 (this month)   /   4 (complete time)
Reports:	 2
Status:	 blocked
Needless to highlight the fact this IP/host is not one of mine, do I understand it is the IP that infected my hosted site?
I am confused.

Last edited by rblampain; 08-05-2015 at 10:34 AM.
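The "/20" in the hoster's message decides which addresses a block like 12.34.48.0/20 actually covers, which is the point of the worry above that "only the 2 first numbers correspond". A /20 fixes the first 20 bits, so the first two octets match but only third octets 48 through 63 fall inside (4096 addresses in total). The following is an added example, not from any post in the thread, that computes the range and tests membership in plain POSIX sh; the addresses other than 12.34.48.0/20 are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): what does a CIDR block cover, and is a
# given address inside it? POSIX sh arithmetic only, no external tools.

# Dotted quad -> 32-bit integer (parameter expansion, no IFS games).
ip_to_int() {
    a=${1%%.*}; rest=${1#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a prefix length, as an integer (/20 -> 0xFFFFF000).
prefix_mask() {
    if [ "$1" -eq 0 ]; then echo 0; else echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )); fi
}

# Print "first last count" for a CIDR block such as 12.34.48.0/20.
cidr_range() {
    base=$(ip_to_int "${1%/*}")
    mask=$(prefix_mask "${1#*/}")
    first=$(( base & mask ))
    last=$(( first | (~mask & 0xFFFFFFFF) ))
    echo "$(int_to_ip "$first") $(int_to_ip "$last") $(( last - first + 1 ))"
}

# Exit status 0 if address $1 lies inside CIDR block $2.
in_cidr() {
    mask=$(prefix_mask "${2#*/}")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# Demo with the block quoted from the hoster's message and constructed addresses.
echo "12.34.48.0/20 covers (first last count): $(cidr_range 12.34.48.0/20)"
for ip in 12.34.50.7 12.34.70.1 12.35.50.1; do
    if in_cidr "$ip" 12.34.48.0/20; then echo "$ip is inside"; else echo "$ip is outside"; fi
done
```

So a block on 12.34.48.0/20 would not touch an address whose third octet is outside 48 to 63 even though it starts with the same two numbers; whether your own VPS addresses fall inside is a matter of running `in_cidr` on them.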