I got an email about my site being shut down because of an (alleged) attack that originated from my IP. There are a couple of things that bother me about this:
1) I was sent a copy of the email that Jag received and in that email, the person who issued the complaint used the phrase "suspicious looking connections". Now, this doesn't indicate any malice if you ask me.
2) It seems that Jag should at least have investigated a little bit on their part instead of flat out suspending my account and putting the ball in my court (what happened to innocent until proven guilty). It would be different if your support people at least said, "Hey, you have a problem and this is what it is, please fix it".
3) This is a brand new reseller account (I have been with Jag for 5+ years though). According to your support people, this isn't a case of mistaken identity because the date I started my account was Nov 26th and according to the person issuing the complaint the "problem" was captured on the 28th. I still contest this is some kind of bizarre case of mistaken identity or something.
I guess what really bugs me about this is that my account was just suspended for what seems (to me anyway) nothing at all. I completely understand JagPC having to respond to complaints of network abuse but certainly you have some policy of at least verifying that there is some kind of problem before shutting down customers' accounts. I mean, what's to stop me from reporting peoples' websites just to eliminate competition?
This is the complaint email (Jag included a copy in my original ticket and I removed my IP):
The ticket number is 12771602 if anyone lurking on the forums could address this.

I found these suspicious looking connections on the Undernet IRC Chat Network connecting from a netblock you control. The originating ip(s) and undernet server(s) each one was connected to is listed below. The destination port they were using is most likely port 6667. Other possible ports are included between 6000-9999 (a full list of our servers can be found at www.undernet.org/servers.php ).
@Tuttle___!~Moeller@69.73.XXX.XXX [69.73.XXX.XXX] - HELSINKI.FI.EU
Please check for a compromise, possible hidden process running and an altered process listing.
Run the updates for your system to close possible exploit holes, and send any unusual programs found to info@cyberabuse.org for investigation.
We strive to eliminate these abusive connections from our network, but simply banning them can only be a temporary solution. We hope to work with authorities to achieve our aim of reducing abuse on our network, as well as the general internet community.
If you are not familiar with it, IRC is a text based chat communication medium, details at:
http://www.irc.org/
and our webpage:
www.undernet.org
Time of capture for the affected IP(s) is: Fri, 28 Nov 2008 16:14:34 +0000
We have assigned an internal reference number 1116 to this report and it is included in the subject line of this e-mail message. We would appreciate your including it in the subject line of future correspondence about this report. We would really appreciate your cooperation in looking into this matter.
Please take into account that most bots used these days are either GTbots (used on Windows and which can be found by searching for a file named mirc.ini which is normally required to run these bots) or emechs (used on linux/unix which can be generally found easily by doing a:
find . -exec grep -l "undernet.org" {} + )
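
An added example, not part of the original post or the abuse report: a shell triage script for the host checks the report asks for. It goes slightly beyond the report's single find command by also listing established connections to the 6000-9999 port range. The function names, the sample `ss` lines and the addresses in them are constructed for illustration.

```shell
#!/bin/sh
# Added triage example; not from the forum post or the abuse report.

# Constructed sample of `ss -tnp` output (documentation addresses only).
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.0.2.10:51234 198.51.100.7:6667 users:(("perl",pid=4242,fd=3))
ESTAB 0 0 192.0.2.10:22 203.0.113.5:50022 users:(("sshd",pid=900,fd=4))
ESTAB 0 0 [2001:db8::10]:40000 [2001:db8::1]:7000
LISTEN 0 128 0.0.0.0:6667 0.0.0.0:*'

# irc_conns: read `ss -tnp` output on stdin; print "peer<TAB>process" for
# each established TCP connection whose remote port is 6000-9999.
irc_conns() {
    awk '$1 == "ESTAB" {
        n = split($5, part, ":")          # last piece is the port, IPv6 too
        port = part[n] + 0
        if (port >= 6000 && port <= 9999) {
            proc = (NF >= 6) ? $6 : "(no process info; run as root)"
            printf "%s\t%s\n", $5, proc
        }
    }'
}

# irc_files DIR: list files named mirc.ini (any case) or containing the
# string "undernet.org", staying on one filesystem (-xdev).
irc_files() {
    {
        find "${1:-.}" -xdev -type f -iname 'mirc.ini' -print 2>/dev/null || true
        find "${1:-.}" -xdev -type f -exec grep -lF 'undernet.org' {} + \
            2>/dev/null || true   # find exits non-zero when grep has no hit
    } | sort -u
}

# Offline demo on the constructed sample; on a live host run instead:
#   ss -tnp | irc_conns ; irc_files /home
printf '%s\n' "$SAMPLE_SS" | irc_conns
```

A hit from either function is only a lead: the owning process and the file still have to be inspected before concluding the host is compromised.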

