by orclev 4643 days ago
Well, we've now heard two different stories. According to Ben, there were two events. The first time they took your server offline and contacted you to tell you about it, they did not however lock your account. When the second event occurred with you being unable to provide a reasonable explanation and apparently being unable to deal with whatever compromise occurred, they took the system down again and this time also locked your account.

Your explanation of the events only mentions a single occurrence, at which time your account was locked in addition to the server being shut down.

In either case, a server engaging in malicious activity is normally taken offline as soon as the malicious activity is discovered to prevent further damage from occurring. You'd get a similar response from just about any other hosting provider you care to name. If you're lucky, and they're feeling generous, they might work with you to find the problem prior to taking the system offline, but normally standard procedure is to take the system offline immediately. The fact that you seem surprised about this shows you don't have much experience administering your own servers.

The standard response usually goes something like:

1) Server is discovered doing something malicious

2) Server is taken offline/shutdown

3) Administrator is notified

3a) Read-only copy of the old server HD is brought online on a new server to allow the administrator to perform forensic and backup work*

4) Administrator must bring up new server to replace old compromised one

*Sometimes the provider will provide you the old HD image, sometimes not, really depends on the provider.
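As an added example that is not part of orclev's comment, a POSIX shell script for step 3a above: it hashes the disk image the provider handed over, mounts it read-only for inspection, and afterwards confirms that the evidence was not altered. The image path, the mount point and the sidecar `.sha256` file are assumptions for illustration; mounting needs root and a real image.

```shell
#!/bin/sh
# Preserve and inspect the read-only copy of the old server's disk (step 3a).
# Assumed layout: image file at $FORENSIC_IMAGE, hash record in "$image.sha256".

# SHA-256 of a file; falls back to shasum where GNU coreutils is absent.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
    else shasum -a 256 "$1" | awk '{print $1}'; fi
}

# Record the image hash in a sidecar file before anything touches the image,
# so later work can be shown not to have altered the evidence. Prints the hash.
record_hash() {
    hash_of "$1" > "$1.sha256"
    cat "$1.sha256"
}

# Re-hash the image and compare with the recorded value.
# Returns 0 when the image is unchanged, 1 when it differs or no record exists.
verify_hash() {
    [ -f "$1.sha256" ] || return 1
    recorded=$(cat "$1.sha256")
    current=$(hash_of "$1")
    [ "$recorded" = "$current" ]
}

# Mount the image read-only on a loop device with nothing on it allowed to execute.
# For ext3/ext4 images add ",noload" so a dirty journal is not replayed into the image.
mount_readonly() {
    mkdir -p "$2"
    mount -o ro,loop,noexec,nosuid,nodev "$1" "$2"
}

# Typical run: hash, mount read-only, look at recent changes, unmount, verify.
main() {
    img="$1"; mnt="${2:-/mnt/old-server}"
    record_hash "$img"
    mount_readonly "$img" "$mnt"
    # Files modified in the last week are usually the first thing worth reviewing.
    find "$mnt" -xdev -type f -mtime -7 -printf '%TY-%Tm-%Td %TH:%TM %p\n' | sort
    umount "$mnt"
    verify_hash "$img" && echo "image unchanged after inspection"
}

# Only run end-to-end when an image path is supplied via the environment.
if [ -n "${FORENSIC_IMAGE:-}" ]; then
    main "$FORENSIC_IMAGE" "${FORENSIC_MOUNT:-}"
fi
```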