abuse handling
A number of years ago, fellow handler Pedro Bueno created several malware challenges. They contained real malware samples that could be analyzed as part of the challenge. These were hosted for years on our "handlers server" at handlers.dshield.org, and, as those of you who know how to use tools like whois can easily figure out, that server is currently hosted at 1and1, a well-known hosting company.
Yesterday, Johannes Ullrich received the following email from the abuse department at 1and1:
Your contract number: [censored]
Your customer ID: [censored]
Our reference: [censored]
Note: Your personal 1&1 contract number and your name certify that this e-mail was sent by 1&1 Internet Inc.
Dear Mr. Johannes Ullrich,
We received an external complaint stating that your 1&1 Server hosts a phishing or malware site. The site is to be found at:
http://handlers.dshield.org/pbueno/malwares-quiz/malware-quiz.exe
This certainly results from a hacking attack to your server. Please proceed as follows to reestablish the security of your 1&1 Server:
1. Immediately delete all content on your 1&1 Server related to the phishing or malware site.
2. Run an exhaustive search for any further foreign content. Hackers will mostly have stored files to grant them future access to your 1&1 Server. Delete those files as well.
3. Secure the leak that permitted the attack. You will find the intrusion point through an analysis of your log files.
4. Please get back to us with a short report on the measures you will have undertaken. Simply reply to this e-mail leaving our reference [censored] in your message.
The following general information on hacking attacks may serve you:
I. Attacks of this sort often occur through insecure PHP-files or outdated modules of popular CMS like Joomla!, Contenido or phpBB. Updating your software will considerably increase its security level.
II. Further intrusion points are compromised passwords, often spied out by a virus installed on your local drive.
TIP: Passwords to the administration section of CMS are also often manipulated during hacking attacks.
III. In most cases hackers upload malicious files to grant them future access to your Server. It therefore is of particular importance to scan your Server for malicious content.
If you should require further information, please simply reply to this e-mail, preserving our reference [censored] in your message.
We appreciate your cooperation and look forward to continuing to provide you with safe and secure hosting.
Kind regards,
Abuse Team
--
Abuse Department
1&1 Internet Inc.
Some censoring and some reformatting to increase readability have been done.
Well, there's not much wrong with that form letter, except that the file is not the result of getting hacked: we placed it there intentionally, and obviously without any malicious intent.
So our reply:
Dear Abuse Department:
the sample referenced below is intentionally placed on the site as part of a reverse engineering quiz. It is not the result of an attack.
thx.
was, to our amazement, answered with:
Your customer number: [censored]
Your contract number: [censored]
Our reference: [censored]
Dear Mr. Johannes Ullrich,
Thank you for getting back to us and the measures you have undertaken.
You contributed considerably to re-establishing the security of your account - thanks a lot!
In case we should receive further alerts, you will promptly be notified. Please stay attentive to the security of your account.
Best regards
Abuse Team
--
Abuse Department
1&1 Internet Inc.
It's most likely another form letter, so we'll skip over the content itself, but are they really closing the issue, happy to let us host malware even though we had not removed it? Was simply saying it was intentional and not the result of being hacked enough?
Just to clarify: we probably should have password-protected the sample to begin with, to prevent accidents and misunderstandings, and we are changing that as we write this.
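One way to do that on an Apache httpd server, as an added example that is not part of the original diary (the document root path, the password file location and the use of Apache are assumptions):

```apache
# Added example, not from the original diary: put the quiz samples behind HTTP
# Basic authentication so anonymous crawlers, URL scanners and the abuse desk's
# own checker can no longer fetch them, while quiz participants still can.
# Assumed paths: the samples live under the site's document root at
# /pbueno/malwares-quiz/, and the password file is kept outside the document
# root so it can never be served as a download itself.
<Directory "/var/www/handlers.dshield.org/pbueno/malwares-quiz">
    AuthType Basic
    AuthName "Malware quiz samples - reverse engineering challenge only"
    AuthUserFile "/etc/apache2/htpasswd-malware-quiz"
    # Any account listed in the password file may download the samples.
    Require valid-user
</Directory>
```

Create the password file with `htpasswd -c /etc/apache2/htpasswd-malware-quiz quiz` and hand the credentials out with the challenge instructions. Putting the directives in a `<Directory>` block in the virtual host configuration, rather than in a `.htaccess` file, avoids depending on `AllowOverride AuthConfig` being enabled. Note that Basic authentication over plain HTTP sends the credentials unencrypted; that is acceptable here because the goal is only to stop accidental and automated downloads of a known-malicious file, not to protect a secret.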
We often end up being the ones reporting abuse, and, well, it's frustrating to see well-below-par responses to our reports; but if this is how easily they let the bad guys get away with hosting malware, that's no wonder at all.
While I was running abuse departments at ISPs, I always defended the position that abuse and sales/support are opposing forces within the company. Abuse chases away bad or unwanted customers, or cripples their service until they comply with the relevant policies. Of course you also end up with customers who are victims themselves, and those customers deserve all possible attention and help, but an abuse department only works well if it is independent from support and can be the proverbial stick without having to wield carrots all the time.
UPDATE:
After we published this diary, Johannes received another email:
Your customer number: [censored]
Your contract number: [censored]
Our reference: [censored]
Dear Mr. Johannes Ullrich,
We have just noticed that the file is still reachable from every host, without any restrictions.
Please have a look at the results of the current VirusTotal scan test:
http://www.virustotal.com/file-scan/report.html?id=2e08663dd7b09a12af9e87a774ff2e0bfe9ddb44c94019812103f746b4db14da-1312901619
I kindly request you to remove this malicious file within *12 hours* (from now on). If I don't receive any clarification why you guys host a malicious file that is known as a trojan on your server for "a reverse engineering quiz" in the wild, I will close your server instantly, and keep the lock in place till the rest of the contractual period!
If you should require further information, please reply to this e-mail, leaving our reference [censored] in your message.
Thank you for your attention to this matter. We appreciate your cooperation and look forward to continuing to improve the security of your 1&1 account.
Best regards,
[name censored]
--
Abuse Department
1&1 Internet Inc.
That's more like it!
--
Swa Frantzen -- Section 66
Comments
Alex
Aug 9th 2011
Generally speaking, the cheaper the hosting offer, the worse the defenses and response time / actual response. There are of course exceptions and some small hosters are fast to react, while other large hosters take several days to remove files or disconnect a server, if they act at all.
Most of the time, compromised websites are lacking useful contact information (either not present at all or outdated). Just as no care is taken to provide accurate content, the software isn't updated either and the site ends up being defaced or entirely compromised.
Rick
Aug 9th 2011
Have you tried pointing them to your site? Or asking him to run the malicious file, so that he can see that it is no trojan! I'll bet there is a 50-60% chance that they will do it! :-D