
SANS ISC InfoSec Handlers Diary Blog



abuse handling

Published: 2011-08-09
Last Updated: 2011-08-09 15:59:22 UTC
by Swa Frantzen (Version: 2)
6 comment(s)

A number of years ago, fellow handler Pedro Bueno created a number of malware challenges. They contained malware that could be analyzed as part of the challenge. This was hosted for years on our "handlers server" at handlers.dshield.org, and as those of you who know how to use tools like whois can easily figure out, this server is currently hosted at 1and1, a well-known hosting company.

Yesterday, Johannes Ullrich received the following email from the abuse department at 1and1:

Your contract number:  [censored]
Your customer ID:  [censored]
Our reference:  [censored]
Note:  Your personal 1&1 contract number and your name certify that this e-mail was sent by 1&1 Internet Inc.

Dear Mr. Johannes Ullrich,

We received an external complaint stating that your 1&1 Server hosts a phishing or malware site. The site is to be found at:

http://handlers.dshield.org/pbueno/malwares-quiz/malware-quiz.exe

This certainly results from a hacking attack to your server. Please proceed as follows to reestablish the security of your 1&1 Server:

1.  Immediately delete all content on your 1&1 Server related to the phishing or malware site.
2.  Run an exhaustive search for any further foreign content. Hackers will mostly have stored files to grant them future access to your 1&1 Server. Delete those files as well.
3.  Secure the leak that permitted the attack. You will find the intrusion point through an analysis of your log files.
4.  Please get back to us with a short report on the measures you will have undertaken. Simply reply to this e-mail leaving our reference [censored] in your message.

The following general information on hacking attacks may serve you:

I.   Attacks of this sort often occur through insecure PHP-files or outdated modules of popular CMS like Joomla!, Contenido or phpBB. Updating your software will considerably increase its security level.
II.  Further intrusion points are compromised passwords, often spied out by a virus installed on your local drive.
TIP: Passwords to the administration section of CMS are also often manipulated during hacking attacks.
III. In most cases hackers upload malicious files to grant them future access to your Server. It therefore is of particular importance to scan your Server for malicious content.
If you should require further information, please simply reply to this e-mail, preserving our reference [censored] in your message.
We appreciate your cooperation and look forward to continuing to provide you with safe and secure hosting.

Kind regards,

Abuse Team
--
Abuse Department
1&1 Internet Inc.

Some censoring and some reformatting to increase readability have been done.

Well, there's not much wrong with that form letter, except that the file is not the result of getting hacked: we placed it there intentionally, obviously without any malicious intent.

So our reply:

Dear Abuse Department:

The sample referenced below is intentionally placed on the site as part of a reverse engineering quiz. It is not the result of an attack.

thx.

To our amazement, the reply was:

Your customer number: [censored]
Your contract number: [censored]
Our reference: [censored]

Dear Mr. Johannes Ullrich,

Thank you for getting back to us and the measures you have undertaken.
You contributed considerably to re-establishing the security of your account - thanks a lot!
In case we should receive further alerts, you will promptly be notified. Please stay attentive to the security of your account.

Best regards

Abuse Team
--
Abuse Department
1&1 Internet Inc.

It's most likely another form letter, so we'll skip over the content itself, but are they really closing the issue and happy to let us host malware, even though we have not removed it? Was simply saying it was intentional and not the result of being hacked enough?

Just to clarify: we probably should have password-protected the sample to prevent accidents and/or misunderstandings, and we are changing that as we write this.

We often end up being the ones reporting abuse, and, well, it's frustrating to see well-below-par responses to our reports; but if this is how easily they let the bad guys get away with hosting malware, then that's no wonder at all.

While I was running abuse departments at ISPs, I always defended the principle that abuse and sales/support are opposing forces within the company. Abuse chases away bad or unwanted customers and/or cripples their service until they comply with the relevant policies. Of course you end up with customers who are victims themselves, and those customers deserve all possible attention and help, but the abuse department only works well if it's independent from support and can be the proverbial stick without having to wield carrots all the time.

UPDATE:

After we published this diary, Johannes received another email:

Your customer number: [censored]
Your contract number: [censored]
Our reference: [censored]

Dear Mr. Johannes Ullrich,

We have just noticed that the file is still reachable from every host, without any restrictions.
Please have a look at the results of the current virus total scan test:
http://www.virustotal.com/file-scan/report.html?id=2e08663dd7b09a12af9e87a774ff2e0bfe9ddb44c94019812103f746b4db14da-1312901619
I kindly request you to remove this malicious file within *12 hours* (from now on). If I don't receive any clarification why you guys host a malicious file that is known as a trojan on your server for "a reverse engineering quiz" in the wild, I will close your server instantly, and keep the lock in place till the rest of the contractual period!
If you should require further information, please reply to this e-mail, leaving our reference [censored] in your message.
Thank you for your attention to this matter. We appreciate your cooperation and look forward to continuing to improve the security of your 1&1 account.

Best regards,

[name censored]
--
Abuse Department
1&1 Internet Inc.

That's more like it!

--
Swa Frantzen -- Section 66

Keywords: abuse