berry.pw/epidrive: Problems & Falsely accused of DDOS attack
Posted by blaize9, 01-18-2015, 10:35 PM |
This is an Active Investigation/Accusation
First off, let me say the service affected was provided by berry.pw, owned and operated by Epidrive Webhosting Solutions.
(Please note the times might be off by 5 hours, as berry.pw's timezone is different from mine, and the information listed consists of approximations.)
11/16/14: Ordered "Dewberry" VPS from berry.pw, Hey I'm their 15th DewBerry VPS.
Well, here is where the first problem started: they forgot to assign an IPv4 address! The problem was resolved 3 hours later.
For about a month the VPS was untouched, until...
12/14/2014: I decided it was time to use the VPS, until I tried to run apt-get update; resolv.conf was invalid or incorrectly set up (unable to resolve domains).
I resolved this issue myself, then support responded to the ticket 8 hours later.
Go forward after not touching the VPS for a month.
01/13/2015 7:45PM:
I needed an API request load balancer for https://www.filebot.net, so I took 10 of my unused VPS/hosting providers.
Some time later I decided that 4 should be good enough, so I started sending requests randomly split between 4 different VPS and web hosting providers.
(Each provider has a random token that's required for the request to go through the page in order to prevent public access)
These requests would return an XML file between ~1-50KB (~10% range from 51KB - 150KB) on average at approximately 150(149.75)
requests per provider between the times of 01/13/2015 7:47PM to 01/14/2015 7:53PM with a total of 599 Requests.
There were no wasted requests, as they are cached for 2 weeks and any duplicates would get pulled from the cache.
The request pattern was 1-5 requests every ~2 minutes, as I was loading each season into FileBot and confirming by hand.
Between 01/14/2015 12:46AM to 01/15/2015 01:02AM there was approximately an extra 400 requests totaling 6MB this happened about 1 more time.
Again the requests are between 4 different VPS and Web Hosting Providers.
The reason for this was that Plex also requested this information; however, FileBot did not provide easy access to the data and I did not cache at the webserver (my mistake, I'm sorry).
ALL REQUESTS FROM API REQUEST LOAD BALANCER HAVE ENDED AT 01/15/2015 01:19AM.
01/15/2015 03:28AM:
Created a support ticket because the VPS and the VPS control panel had been down for a few hours.
Support responded at 09:34AM saying "We had to perform a file system check on server to improve the performance, it has been completed and server is back online now."
01/16/2015 08:17PM:
In my email I got the following message from support@berry.pw
"This have caused problems with the whole network and we have received chargebacks in return. We have to charge you for the damages this have caused us. I have already invoiced you a $50 standard penalty please pay for it as soon as possible and you would have to promise this no longer happens again so we can have your service reactivated.
We can show you logs if you want just please let us know."
01/16/2015 09:04PM:
Created a ticket to get more information on the suspension.
01/18/2015 03:49PM:
Received a support ticket response listing the same message as on 01/16/2015 08:17PM.
01/18/2015 07:22PM:
Requested logs on everything coming in and out of the VPS, and have also requested log information on the client area and VPS control panel.
Currently Awaiting Logs from berry.pw
Last edited by blaize9; 01-18-2015 at 10:39 PM.
|
Posted by WW_P, 01-19-2015, 01:37 PM |
Their ToS does not list this fee; I also heavily doubt the story about chargebacks. Demand proof of the damage caused. I would not pay it and would leave.
|
Posted by BitronicTech-Bryan, 01-19-2015, 02:09 PM |
Seems like a bit of a nightmare. Do they have any proof of the DDoS?
|
Posted by HostingTiger, 01-19-2015, 03:18 PM |
I would never purchase anything from a .pw domain name.
Stick to .com and .net in the worst cases.
|
Posted by blaize9, 01-19-2015, 03:54 PM |
Apparently, in the logs (mail only), I've been sending a whole bunch of mail commands from random accounts starting at Jan 7 to 10am, as the rest of the logs have been magically truncated.
If this was really affecting their network to the point of collapse, you'd think they would shut down the VPS sooner.
The only unknown now is how they got into the VPS with a password like "!nPqX&rU18Ye5GzQqq".
|
Posted by blaize9, 01-20-2015, 01:44 AM |
OK, good news: they have decided to drop the $50 standard penalty fee and reactivate the VPS after a reinstall.
Well, looks like in the end they did the right thing; hopefully this won't become an issue ever again.
|
Posted by kpmedia, 01-20-2015, 02:15 AM |
.pw = "professional web" (retcon rebranding)
|
Posted by blaize9, 01-20-2015, 02:21 AM |
The thing I really don't like is that they sent me an invoice for $50; how ridiculous is that? On top of that, to make it worse, it was not even listed in the TOS.
|
Posted by NeoGen, 01-20-2015, 02:30 AM |
This is quite hilarious. Sorry, I couldn't control myself.
Have they given any official reason for that $50 invoice?
Waiting for update
|
Posted by blaize9, 01-20-2015, 03:19 AM |
Yes, they said the reason in an email.
"This have caused problems with the whole network and we have received chargebacks in return. We have to charge you for the damages this have caused us."
|
Posted by NeoGen, 01-20-2015, 03:41 AM |
Seems like just another kiddie host.. thanks for update.
|
Posted by Host4Geeks-Kushal, 01-20-2015, 07:04 AM |
First a FSCK to improve performance and then a DDoS? :p If they use SolusVM or anything you should be able to see your network traffic in the graphs there.
|
Posted by Nnyan, 01-20-2015, 01:13 PM |
I'm going to climb out on a limb and give you some unsolicited advice. Take this time to go find yourself a solid host, I am willing to bet that this will not end well in the long run for you. At least now you can't say you weren't warned.
|
Posted by blaize9, 01-20-2015, 06:34 PM |
I have multiple hosts, from AWS to RamNode, and a dedicated server. But at $10/yr I decided, hey, might as well buy it.
Looks like it's time to invest in some proxies; reverseproxies.com is my next choice of poison.
But thanks for the comment, it will be useful for whoever else reads it.
Last edited by blaize9; 01-20-2015 at 06:40 PM.
|
Posted by Nnyan, 01-20-2015, 07:58 PM |
Very glad to hear it, you'd be surprised how uncommon this is around here.
|
Posted by brysonems, 01-22-2015, 05:34 AM |
Hello,
Sorry for the late reply. Just to clarify on this, the server of the client has been compromised and was sending out massive amounts of data packets. We got notified that the client was doing such, but the suspension came out just a bit late, hence our support rep was not aware that the client was suspended for DDoS, and had to do an fsck, but that was unrelated.
I have already provided the client all the logs he has asked for including the graphs.
|
Posted by WW_P, 01-22-2015, 05:35 AM |
Please quote the part of your ToS that justifies the $50 invoice. You don't seem to have any term for this and thus it is not justified.
|
Posted by NeoGen, 01-22-2015, 06:54 AM |
But OP says that he has been falsely accused of DDoS, while all he was doing was API Request load balancing.
|
Posted by domainbop, 01-22-2015, 07:27 AM |
the host doesn't need a password if it's OpenVZ...
[host-node]# vzctl enter CTID
entered into container CTID
[container]#
|
Posted by DeltaAnime, 01-22-2015, 08:06 AM |
A host's will to protect a customer's privacy & morals should be stopping any of that. While the host has the ability to enter/mount a user's filesystem/dump their memory, a customer should feel safe/secure with a host and know their privacy isn't being violated for whatever reason.
Francisco
|
Posted by brysonems, 01-22-2015, 08:11 AM |
Please read the indemnification policy in our tos - https://www.berry.pw/tos.html
Apparently he wasn't aware his vps was compromised until I showed him all the logs and everything.
|
Posted by NeoGen, 01-22-2015, 09:30 AM |
After reading that, seriously one has to stay away from this host.
Well, the guest was not aware, then who knows who compromised the server. Maybe...
|
Posted by domainbop, 01-22-2015, 11:04 AM |
Your TOS doesn't state the jurisdiction. Which country/state's laws is it governed by?
The TOS states the contract is between "Berry Servers" and the buyer so I'm assuming that "Berry Servers" is a legal entity (i.e. a registered business). Which country is "Berry Servers" registered in (I'm asking since you have chosen to hide your domain's WHOIS information and your website has absolutely no address information on it)?
Amazingly, google shows there's 1,700 other hosts who have copied that same indemnification policy, including that nonsensical mangled sentence.
If you're going to point to a TOS as a reason for imposing a $50 penalty, you should try to actually write a TOS that would stand up in court instead of copying and pasting something (complete with errors) that you found on the web and obviously didn't even have a lawyer look over before you copied and pasted it to your site.
|
Posted by brysonems, 01-22-2015, 11:29 AM |
That is your opinion, but I also have no interest in doing any business with you. The client somehow acknowledged his server was indeed compromised, so stop posting your useless comments, that's not helping.
|
Posted by NeoGen, 01-22-2015, 12:40 PM |
Interesting $50 ponzi scheme with a loosely defined and copy-lifted TOS.
|
Posted by WW_P, 01-22-2015, 01:58 PM |
I would avoid you and can only recommend this to anyone else. Your "ToS" (which is stolen from another website) is far too broad for anything.
|
Posted by Nnyan, 01-22-2015, 02:00 PM |
I'm assuming that you're on WHT b/c you want to interact with your customers AND potential customers. There have been a number of legitimate concerns raised by several members but you seem to be ignoring those and engaging around the fringe. I think addressing concerns head on would be a better route to new customers instead of avoiding the hard questions.
|
Posted by blaize9, 01-22-2015, 03:46 PM |
Looks like there is conflicting support staff and slow reply, they are still trying to charge me with a $50 standard penalty fee.
Well I'm now back to where this all started.
They did give me a bandwidth usage graph last night.
Last edited by blaize9; 01-22-2015 at 03:53 PM.
|
Posted by NeoGen, 01-22-2015, 03:52 PM |
I think you should move on, forget and dump this host. My 2c.
However, I am still curious to know about this $50 standard fee model to make some extra money
|
Posted by BitronicTech-Bryan, 01-22-2015, 05:00 PM |
They probably got bandwidth overages from the upstream and want the customer to pay it. You need to have some proactive network traffic monitoring going on and suspend the VPS temporarily if you see outlandish traffic, before the VPS uses terabytes of pipe.
|
Posted by blaize9, 01-22-2015, 06:00 PM |
The plan has a limit of 300GB per month, I would expect some sort of notification or suspension when you reach your bandwidth limit but going 3x over before they even take action is unheard-of.
http://i.imgur.com/1Qey5xb.png
|
Posted by BitronicTech-Bryan, 01-22-2015, 06:17 PM |
Thoroughly agree. Nobody was watching and it obviously isn't automated. DDoS sucks all around.
|
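The point raised above, that a provider should notice a quota being blown and a sudden traffic spike before it reaches 3x the plan limit, is easy to automate from the interface counters a VPS host already has. The following is an added example, not code from berry.pw/Epidrive or from any poster in this thread: it takes periodic cumulative byte counters, flags spikes in either direction (a large inbound spike suggests the VPS is the target, a large outbound spike suggests it is the source), and raises a warning at 80% of the monthly quota and an alarm when the quota is exceeded. The 300 GB quota matches the plan mentioned in the thread; the readings, the 200 Mbit/s spike threshold and the 10-minute sampling interval are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

GB = 10**9
MBIT = 10**6


@dataclass(frozen=True)
class Reading:
    ts: int        # seconds since epoch at which the counters were sampled
    rx_bytes: int  # cumulative bytes received by the VPS (interface counter)
    tx_bytes: int  # cumulative bytes sent by the VPS (interface counter)


def check_traffic(readings: List[Reading], quota_bytes: int,
                  warn_fraction: float = 0.8,
                  spike_bps: float = 200 * MBIT) -> List[Tuple[int, str, str]]:
    """Return (timestamp, kind, detail) events for spikes and quota state.

    kind is one of 'rx_spike', 'tx_spike', 'quota_warning', 'quota_exceeded'.
    Rates are derived from consecutive counter samples; usage is the sum of
    both directions since the first reading (the start of the billing period).
    """
    events: List[Tuple[int, str, str]] = []
    warned = exceeded = False
    base = readings[0]
    for prev, cur in zip(readings, readings[1:]):
        dt = cur.ts - prev.ts
        if dt <= 0:
            continue  # skip out-of-order or duplicate samples
        rx_bps = (cur.rx_bytes - prev.rx_bytes) * 8 / dt
        tx_bps = (cur.tx_bytes - prev.tx_bytes) * 8 / dt
        if rx_bps > spike_bps:
            events.append((cur.ts, "rx_spike", f"{rx_bps / MBIT:.0f} Mbit/s inbound"))
        if tx_bps > spike_bps:
            events.append((cur.ts, "tx_spike", f"{tx_bps / MBIT:.0f} Mbit/s outbound"))
        used = (cur.rx_bytes - base.rx_bytes) + (cur.tx_bytes - base.tx_bytes)
        if not exceeded and used >= quota_bytes:
            exceeded = warned = True
            events.append((cur.ts, "quota_exceeded", f"{used / GB:.1f} GB used"))
        elif not warned and used >= warn_fraction * quota_bytes:
            warned = True
            events.append((cur.ts, "quota_warning", f"{used / GB:.1f} GB used"))
    return events


def likely_direction(readings: List[Reading]) -> str:
    """Rough attribution from totals: 'target' if inbound dominates by 10x,
    'source' if outbound dominates by 10x, otherwise 'mixed'."""
    rx = readings[-1].rx_bytes - readings[0].rx_bytes
    tx = readings[-1].tx_bytes - readings[0].tx_bytes
    if rx > 10 * tx:
        return "target"
    if tx > 10 * rx:
        return "source"
    return "mixed"


# Constructed sample: two quiet 10-minute intervals, then five intervals in
# which 60 GB arrives per interval (800 Mbit/s inbound) while outbound stays
# at a few kbit/s. Assumed 300 GB/month plan, as in the thread.
QUOTA = 300 * GB
SAMPLE = [Reading(0, 0, 0),
          Reading(600, 10 * 10**6, 2 * 10**6),
          Reading(1200, 20 * 10**6, 4 * 10**6)]
SAMPLE += [Reading(1200 + 600 * i, 20 * 10**6 + 60 * GB * i, (4 + i) * 10**6)
           for i in range(1, 6)]


def sample_events() -> List[Tuple[int, str, str]]:
    return check_traffic(SAMPLE, QUOTA)


if __name__ == "__main__":
    for ts, kind, detail in sample_events():
        print(f"t={ts:>5}s {kind:<15} {detail}")
    print("direction:", likely_direction(SAMPLE))
```

With the constructed sample the first spike fires 10 minutes into the flood, the 80% warning at 60 minutes and the quota alarm at 70 minutes, so an automated suspension or null-route could happen well before the usage seen in the thread; a real deployment would read the counters from the hypervisor (for example from the container's network statistics) and persist the period's base reading.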
Posted by domainbop, 01-22-2015, 06:37 PM |
The graphs show a maximum out rate of 378K and total outward bandwidth of 375 Mb for the 7-hour period, which hardly qualifies as "sending out massive amounts", and from the graph it doesn't look like the VPS was being used to send a DDoS attack. Inbound max rate 833M and 7-hour inbound total of 1.2Tb bandwidth, so from that graph it looks like the VPS was the target of a DDoS attack.
The traffic graph is from the afternoon of the 16th and they received chargebacks almost immediately? The banking system doesn't work that fast.
|
Posted by blaize9, 01-22-2015, 06:42 PM |
Sorry about that, the inbound and outbound are switched; I have included a note in the image for people in the future.
Bryson L || Staff 22/01/2015 07:45
"I have attached the VM outbound and inbound log. We have requested this from the DC and we are noted that they're there is an error with the graph because the outbound is inbound and inbound is outbound, they are correcting that. Please check and see."
Last edited by blaize9; 01-22-2015 at 06:46 PM.
|
Posted by NeoGen, 01-22-2015, 08:54 PM |
Who claimed that the graph colors are switched?
Hmmm... so is the host lying?
|
Posted by blaize9, 01-22-2015, 09:21 PM |
I've asked for proof of chargebacks when I requested logs and none have been provided.
But it is understandable that they don't want to disclose that, but I will assume that it had no effect on their customer base.
However, chargebacks take time and I highly doubt that they are getting chargebacks, considering they were down for about 9 hours starting at around 15/01/2015 00:00 without notice because:
15/01/2015 09:34
"Apologize for the inconvenience caused, we had to perform a file system check on server to improve the performance, it has been completed and server is back online now."
Last edited by blaize9; 01-22-2015 at 09:33 PM.
|
Posted by blaize9, 01-27-2015, 03:31 AM |
Well, looks like this issue will never be solved; it shall die in the graveyard with all the other tickets.
|
Posted by averagefury, 08-05-2016, 06:01 AM |
Sorry for resurrecting the topic, but I'm curious about your problem. Did it get solved?
I'm facing a similar issue. In my case, the service was stopped by "phishing" (lol)
|
Posted by blaize9, 08-05-2016, 12:55 PM |
I just told them I'm not going to pay their extortion fees or "damages" and took a loss on the remaining VPS time.
Make sure to cancel the auto renew!
|
Posted by SenseiSteve, 08-05-2016, 01:41 PM |
Didn't realize this thread was from a year and a half ago, but I agree the fee was obnoxious and should never have been paid.
|
Posted by averagefury, 08-06-2016, 08:24 AM |
Grab the chair... now phishing has changed to another thing.
My IP is (well... was) 104.206.199.177, and they had sent me this message:
"Hello,
Please find below heading from DC, your vps was one of the culprit for this situation, so if you want your VPS to re-enable for data migration, you should Pay $30 as restoration fee. Please confirm, so that we can generate invoice for you.
------------
Ref: SBL305431
104.206.199.199/32 is listed on the Spamhaus Block List - SBL
2016-07-28 20:43:55 GMT | infinitie.net
phish & crime hosting
------------
"
I will be posting all the data at imgur.
Last edited by Postbox; 08-06-2016 at 08:37 AM.
|
Posted by averagefury, 08-06-2016, 08:26 AM |
If you check his Facebook site, you will see that it is a typical practice of Epidrive.
The problem is that I'm a sysadmin and I cannot believe that my VPS had been compromised.
I usually check it for issues and update the server (I don't update the content, only the software & related things on the server).
www(dot)tcpiputils(dot)com(slash)browse(slash)ip-address(slash)104.206.199.177
Last edited by averagefury; 08-06-2016 at 08:30 AM.
|
Posted by Infinitnet, 08-06-2016, 10:14 AM |
How does your IP 104.206.199.177 have anything to do with the blacklisting of 104.206.199.199/32? After reading this thread it pretty much sounds like a scam operation to me.
|
Posted by domainbop, 08-06-2016, 11:13 AM |
The ultrashort 5 paragraph unprofessional TOS should have been a warning signal before you signed up, and if you had done some research before signing up you would have discovered that the owner of Epidrive used to be an active member of, and advertise his previous company FrapHost on HackForums, which should have been another warning signal to look elsewhere (see this old lowendtalk post by Epidrive where he tried to justify his HF membership)
Other than that, I'd suggest sending the provider a link to a remedial course on IP ranges if he doesn't understand that a /32 is one IP address and an SBL that only blacklists the .199 /32 cannot be caused by illicit activity on the .177 /32.
If the provider clearly states in their TOS that they charge account restoration fees/chargeback fees/SBL cleanup fees/etc. then I think the fees are acceptable since both parties agreed to them in the contract, but in this case I don't think charging the client an additional random fee amount is acceptable since there is no mention of any fees in EpiDrive's 5 paragraph TOS (and no mention of any fees in their FAQ/knowledgebase which only has one entry).
Last edited by domainbop; 08-06-2016 at 11:18 AM.
Reason: typo
|
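The /32 point above, and the later remark that the surrounding 104.206.199.* range is full of bad neighbours, are two different questions: "is my address itself inside any listed block?" versus "are there listings in the same /24 that could get my address blocked by association?". The following is an added example, not code from Epidrive, Spamhaus or any poster here; it pulls CIDRs out of a notice like the one quoted in the thread and answers both questions with the standard library's ipaddress module. The 104.206.199.199/32 listing and the .177 address come from the thread; the other listed networks (104.206.199.64/26, 203.0.113.0/24) are constructed to show a neighbouring listing and an unrelated one.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Matches an IPv4 address with an optional /prefix; a bare address is treated as /32.
_CIDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?\b")


def extract_cidrs(text: str) -> List[str]:
    """Return the valid IPv4 networks mentioned in a free-text blocklist notice."""
    found = []
    for ip, prefix in _CIDR_RE.findall(text):
        cidr = f"{ip}/{prefix or 32}"
        try:
            found.append(str(ipaddress.ip_network(cidr, strict=False)))
        except ValueError:
            continue  # skip things that look like an address but are not one
    return found


def listing_covers(ip: str, listed_cidr: str) -> bool:
    """True only if the address is inside the listed block (a /32 is one host)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(listed_cidr, strict=False)


def classify(ip: str, listings: Iterable[str]) -> Dict[str, object]:
    """Split listings into ones that cover the address and ones that merely sit in
    its neighbourhood (/24 for IPv4, /48 for IPv6), which is what a reputation
    service that scores whole ranges would react to."""
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(c, strict=False) for c in listings]
    hood_prefix = 24 if addr.version == 4 else 48
    hood = ipaddress.ip_network(f"{addr}/{hood_prefix}", strict=False)
    return {
        "ip": str(addr),
        "neighbourhood": str(hood),
        "directly_listed": [str(n) for n in nets if addr in n],
        "listed_neighbours": [str(n) for n in nets if addr not in n and n.overlaps(hood)],
    }


# Reproduction of the notice quoted in the thread (reference number and host are
# as posted there), with two constructed extra listings added for the example.
NOTICE = """Ref: SBL305431
104.206.199.199/32 is listed on the Spamhaus Block List - SBL
2016-07-28 20:43:55 GMT | infinitie.net
phish & crime hosting"""
EXTRA_LISTINGS = ["104.206.199.64/26", "203.0.113.0/24"]  # constructed


def report(ip: str = "104.206.199.177") -> Dict[str, object]:
    return classify(ip, extract_cidrs(NOTICE) + EXTRA_LISTINGS)


if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k:>18}: {v}")
```

For 104.206.199.177 the notice's /32 lands in listed_neighbours, not directly_listed, which is exactly the distinction the provider missed; the same function run on 104.206.199.199 moves that entry to directly_listed. Running it against the full set of listings for a range is a reasonable pre-purchase check for anyone about to rent an address in a neighbourhood with a history.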
Posted by brysonems, 08-06-2016, 12:09 PM |
Sorry to hop in late on this thread. My support technician referenced a wrong SBL number which was supposedly addressed to another client. Our sincerest apologies for that.
But the report against the client is true. Along with the blacklisting of the mistakenly referenced SBL number, we have also received a report from Spamhaus containing a list of domains/websites/IPs that are marked as potentially dangerous, and the client was included in the list. The report for that does not indicate a blacklist yet but is considered a warning, and we take this very seriously. Considering the contesting of the client, we are currently in the process of validating the report.
We are also working on resolving this issue as soon as possible, and everything shall be compensated accordingly.
@domainbop, what does this have to do with me being part of the HF community? I am a member of several communities; why keep bringing up HF alone?
|
Posted by domainbop, 08-06-2016, 12:29 PM |
If you really don't understand why you being a part of a community like HackForums, where criminal activity, and the condoning of criminal activity by many of its members, openly takes place, could negatively impact the perception people have of your business, then I feel sorry for you. The fact that in the past you have chosen to be a part of a community like HF, where booters, hacking, stressers, and services offering other criminal activity are openly for sale by skids, doesn't reflect well on you. That is the reason for "bringing up HF alone".
As far as what HF has to do with this thread: it is an example of ethics (or lack of). The same questionable ethics that is displayed by belonging to a community like HF, where criminal services are openly bought and sold, is also on display in this thread with the imposition of random fee amounts that weren't contractually agreed upon by the clients prior to signing up.
Last edited by domainbop; 08-06-2016 at 12:43 PM.
|
Posted by brysonems, 08-06-2016, 01:15 PM |
Don't feel sorry for me. I asked you this question hoping for you to realize that what you are bringing up isn't even an issue and eventually stop. Your analogy is also flawed; I joined the community for their categories of coding, gaming, website management, to webhosting, and not for the blackhat activities you've mentioned.
My account over at HF was my personal account and does not represent this business. It is also an OLD account from 2010 and has NEVER been involved in any of the criminal activities you are mentioning. Forum statistics are open to the public; you are free to check.
|
Posted by averagefury, 08-06-2016, 02:29 PM |
.-.U sigh.
My main problem is that I get very serious about my own security. So I'm getting pretty paranoid about this.
Currently I'm checking the IP & domains in almost every service. For example, the Senderbase lookup service throws me a pretty cool "0 email sent in the last month" count.
But if you check the whole range of IPs (104.206.199.*)... omg. It's a complete mess (with domains as "cool" as xbg6vp-dot-com and fishcokd-dot-com, both of them with spammers' ¿landing pages?).
I think that's the problem: someone somewhere reported the whole range of IPs //facepalm
|
Posted by averagefury, 08-23-2016, 02:50 AM |
I'm back from holidays and still trying to get my service back.
What a pity.
|
Posted by MartynD, 08-23-2016, 11:25 AM |
Why are people buying from there?...
The signs are there... WHOIS info is hidden, generic copy-and-paste T&C, plus more crap in the thread.
Suggest getting your money back from PayPal; you paid for a service, you haven't received that service, it's your right to get your money back.
Seems like anyone can create a crappy host and get away with it...
(Buys a dedi from OVH, sells VPSs and starts charging people random amounts of money for issues.)
|