abuse handling

Published: 2011-08-09
Last Updated: 2011-08-09 15:59:22 UTC
by Swa Frantzen (Version: 2)
6 comment(s)

A number of years ago fellow handler Pedro Bueno created a number of malware challenges. They contained malware that could be analyzed as part of the challenge. This was hosted for years on our "handlers server"  at handlers.dshield.org and as those of you who know how to use tools like whois can figure out easily, this server is currently hosted at 1and1, a well known hosting company.

Yesterday, Johannes Ullrich, received following email from the abuse department at 1and1:

Your contract number:  [censored]
Your customer ID:  [censored]
Our reference:  [censored]
Note:  Your personal 1&1 contract number and your name certify that this e-mail was sent by 1&1 Internet Inc.

Dear Mr. Johannes Ullrich,

We received an external complaint stating that your 1&1 Server hosts a phishing or malware site. The site is to be found at:

http://handlers.dshield.org/pbueno/malwares-quiz/malware-quiz.exe

This certainly results from a hacking attack to your server. Please proceed as follows to reestablish the security of your 1&1 Server:

1.  Immediately delete all content on your 1&1 Server related to the phishing or malware site.
2.  Run an exhaustive search for any further foreign content. Hackers will mostly have stored files to grant them future access to your 1&1 Server. Delete those files as well.
3.  Secure the leak that permitted the attack. You will find the intrusion point through an analysis of your log files.
4.  Please get back to us with a short report on the measures you will have undertaken. Simply reply to this e-mail leaving our reference [censored] in your message.

The following general information on hacking attacks may serve you:

I.   Attacks of this sort often occur through insecure PHP-files or outdated modules of popular CMS like Joomla!, Contenido or phpBB. Up-dating your software will considerably increase it's security level.
II.  Further intrusion points are compromised passwords, often spied out by a virus installed on your local drive.
TIP: Passwords to the administration section of CMS are also often manipulated during hacking attacks.
III. In most cases hackers upload malicious files to grant them future access to your Server. It therefore is of particular importance to scan your Server for malicious content.
If you should require further information, please simply reply to this e-mail, preserving our reference [censored] in your message.
We appreciate your cooperation and look forward continuing to provide you with safe and secure hosting.

Kind regards,

Abuse Team
--
Abuse Department
1&1 Internet Inc.

Some censoring and some reformatting to increase readability have been done

Well there's not much wrong with that form letter except that it's not a result of getting hacked, but that we placed the stuff there intentionally, without any malicious intent obviously.

So our reply:

Dear Abuse Department:

the sample referenced below is intentionally placed on the site as part of a reverse engineering quiz. It is not the result of an attack.

thx.

was replied to our amazement with:

Your customer number: [censored]
Your contract number: [censored]
Our reference: [censored]

Dear Mr. Johannes Ullrich,

Thank you for getting back to us and the measures you have undertaken.
You contributed considerably to re-establishing the security of your account - thanks a lot! 
In case we should receive further alerts, you will promptly be notified. Please stay attentive to the security of your account.

Best regards

Abuse Team
--
Abuse Department
1&1 Internet Inc.

It's most likely another form letter so we'll skip over the content itself, but are they really closing the issue and happy to let us host malware? Even if we have not even removed it? Just because we said it was intentional and not a result of being hacked was enough?

Just to clarify: we probably should have password protected the sample to prevent accidents and/or misunderstandings, and are changing that as we write this.

We often end up being those that report abuse and -well- it's frustrating to see well below par responses to our reports, but if this is how easy they let the bad guys get away with hosting malware, then that's no wonder at all.

While I was running abuse departments at ISPs I've always defended the concept that abuse and sales/support are opposing forces in the company. Abuse chases away bad/unwanted customers and/or cripples the service till they do comply with the relevant policies. Surely you end up with those customers that are victims themselves and those customers deserve all possible attention and help, but the abuse department only works well if it's independent from that support and can be the proverbial stick without having to wield carrots all the time.

UPDATE:

After we published this diary, Johannes received another email:

Your customer number: [censored]
Your contract number: [censored]
Our reference: [censored]

Dear Mr. Johannes Ullrich,

We have just noticed, that the file is still reachable from every host, without any restrictions.
Please have a look at the results of the current virus total scan test:
http://www.virustotal.com/file-scan/report.html?id=2e08663dd7b09a12af9e87a774ff2e0bfe9ddb44c94019812103f746b4db14da-1312901619
I kindly request you, to remove this malicious file within *12 hours* (from now on). If I don't recieve any clarification, why you guys host a malicious file that is known as a trojan on your server for "a reverse engineering quiz" in the wild, I will close your server instantly, and keep the lock in place till the rest of the contractual period!
If you should require further information, please reply to this e-mail, leaving our reference [censored] in your message.
Thank you for your attention to this matter. We appreciate your cooperation and look forward continuing to improve the security of your 1&1 account.

Best regards,

[name censored]
--
Abuse Department
1&1 Internet Inc.

That's more like it!

--
Swa Frantzen -- Section 66

Keywords: abuse
6 comment(s)

Comments

Sounds like their abuse handler doesn't know who you guys are...
This is very amusing. I have a 1&1 server and their support is usually clueless. Reading this exchange has been very entertaining. Did you know that their phone agents actually ask you for your account password before you can order anything or make account changes over the phone? I have to change it to something as I talk to them and change it back every time.
Speaking of reporting incidents: when our WAF rules are triggered (i.e. PHP vulnerability scans), I'm usually sending out two emails: one to the company hosting the payload and one to the host running the already compromised server.

Generally speaking, the cheaper the hosting offer, the worse the defenses and response time / actual response. There are of course exceptions and some small hosters are fast to react, while other large hosters take several days to remove files or disconnect a server, if they act at all.

Most of the time, compromised websites are lacking contact useful information (either not present at all or outdated). Just as no care is taken to provide accurate content, the software isn't updated either and the site ends up being defaced or entirely compromised.
Actually, it is funny to see that 50% of the AVs detect it when actually is it not a malware :) I explained what it does here, back in 2006: http://handlers.sans.org/pbueno/ma2.html :)
Well, we are hardly a big company, but when they finally get tired of sending form letters instead of using actual intelligence to realize what you are doing (and instead just block your account), we would be happy to donate/barter some space/bandwidth to host it for you. We don't have a single form letter in our organization. :) I imagine there are a few other providers on here that would be happy to do the same if you need mirror capabilities.
Bwhahahaha. That fits my personal 1&1 experience perfectly! Those guys are like from the past and have no clue at all!

Have you tried pointing them to your site? Or ask him to run the malicious file, so that he can see, that it is no trojan! I'll bet there is a 50-60% chance, that they will do it! :-D

Diary Archives