A number of years ago fellow handler Pedro Bueno created a number of malware challenges. They contained malware that could be analyzed as part of the challenge. This was hosted for years on our "handlers server" at handlers.dshield.org and, as those of you who know how to use tools like whois can figure out easily, this server is currently hosted at 1and1, a well known hosting company.

Yesterday, Johannes Ullrich received the following email from the abuse department at 1and1:

Your contract number: [censored]

(Some censoring and some reformatting to increase readability have been done.)

Well, there's not much wrong with that form letter, except that it's not a result of getting hacked: we placed the stuff there intentionally, without any malicious intent obviously. So our reply:

Dear Abuse Department:

was answered, to our amazement, with:

Your customer number: [censored]

It's most likely another form letter so we'll skip over the content itself, but are they really closing the issue and happy to let us host malware? Even if we have not even removed it? Was it enough that we said it was intentional and not a result of being hacked?

Just to clarify: we probably should have password protected the sample to prevent accidents and/or misunderstandings, and are changing that as we write this.

We often end up being those that report abuse and, well, it's frustrating to see well below par responses to our reports, but if this is how easily they let the bad guys get away with hosting malware, then that's no wonder at all.

While I was running abuse departments at ISPs I've always defended the concept that abuse and sales/support are opposing forces in the company. Abuse chases away bad/unwanted customers and/or cripples the service till they do comply with the relevant policies.
Surely you end up with those customers that are victims themselves, and those customers deserve all possible attention and help, but the abuse department only works well if it's independent from that support and can be the proverbial stick without having to wield carrots all the time.

-- Swa, 760 Posts, Aug 9th 2011
Sounds like their abuse handler doesn't know who you guys are...
-- Anonymous, Aug 9th 2011
This is very amusing. I have a 1&1 server and their support is usually clueless. Reading this exchange has been very entertaining. Did you know that their phone agents actually ask you for your account password before you can order anything or make account changes over the phone? I have to change it to something as I talk to them and change it back every time.
-- oleksiy, 34 Posts, Aug 9th 2011
Speaking of reporting incidents: when our WAF rules are triggered (i.e. PHP vulnerability scans), I'm usually sending out two emails: one to the company hosting the payload and one to the host running the already compromised server.
Generally speaking, the cheaper the hosting offer, the worse the defenses and response time / actual response. There are of course exceptions, and some small hosters are fast to react, while other large hosters take several days to remove files or disconnect a server, if they act at all. Most of the time, compromised websites lack useful contact information (either not present at all or outdated). Just as no care is taken to provide accurate content, the software isn't updated either and the site ends up being defaced or entirely compromised.
-- oleksiy, 5 Posts, Aug 9th 2011
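The two-report workflow oleksiy describes above (one notice to the host serving the payload, one to the host running the compromised server), as an added example that is not from the original page or from any commenter: a Python script that takes a constructed WAF alert line in a hypothetical key=value layout, pulls out the attacking source address and any remote URL passed in the request's query string (the typical PHP remote-file-inclusion pattern), and maps each to an abuse mailbox through a constructed lookup table standing in for a whois or abuse.net query.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlparse
# Constructed sample WAF alerts (not from the page) in a hypothetical key=value
# layout, not the log format of any real WAF product.
WAF_ALERTS = [
    'src=198.51.100.23 host=www.example.org uri="/index.php?page=http://203.0.113.7/x/bot.txt?" rule=php-rfi',
    'src=203.0.113.9 host=www.example.org uri="/wp-login.php" rule=login-bruteforce',
]
# Constructed stand-in for a whois / abuse.net lookup: network -> abuse mailbox.
ABUSE_CONTACTS = {
    ipaddress.ip_network("198.51.100.0/24"): "abuse@hoster-a.example",
    ipaddress.ip_network("203.0.113.0/24"): "abuse@hoster-b.example",
}
ALERT_RE = re.compile(r'src=(\S+) host=(\S+) uri="([^"]*)" rule=(\S+)')

def parse_alert(line):
    """Split one alert line into its fields; None if the line does not match."""
    m = ALERT_RE.search(line)
    return dict(zip(("src", "host", "uri", "rule"), m.groups())) if m else None

def payload_hosts(uri):
    """Hosts of http(s) URLs passed as query values (the classic RFI include target)."""
    hosts = []
    for values in parse_qs(urlparse(uri).query).values():
        for value in values:
            parsed = urlparse(value)
            if parsed.scheme in ("http", "https") and parsed.hostname:
                hosts.append(parsed.hostname)
    return hosts

def abuse_contact(ip):
    """Abuse mailbox for an IP literal; None if unknown or a hostname (needs DNS first)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return next((mbox for net, mbox in ABUSE_CONTACTS.items() if addr in net), None)

def build_reports(line):
    """Report for the attacking host, then one per payload host; to=None: look it up by hand."""
    alert = parse_alert(line)
    if alert is None:
        return []
    reports = [{"to": abuse_contact(alert["src"]), "about": alert["src"],
                "role": "source of the %s requests" % alert["rule"]}]
    for host in payload_hosts(alert["uri"]):
        reports.append({"to": abuse_contact(host), "about": host,
                        "role": "hosting the payload fetched by the request"})
    return reports
```

A payload referenced by hostname rather than IP literal comes back with no contact, since resolving it (and then doing the whois lookup) needs the network this offline example deliberately avoids.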
Actually, it is funny to see that 50% of the AVs detect it when actually it is not malware :) I explained what it does here, back in 2006: handlers.sans.org/pbueno/… :)
-- Pedro, 155 Posts, ISC Handler, Aug 9th 2011
Well, we are hardly a big company, but when they finally get tired of sending form letters instead of using actual intelligence to realize what you are doing (and instead just block your account), we would be happy to donate/barter some space/bandwidth to host it for you. We don't have a single form letter in our organization. :) I imagine there are a few other providers on here that would be happy to do the same if you need mirror capabilities.
-- Anonymous, Aug 9th 2011
Bwhahahaha. That fits my personal 1&1 experience perfectly! Those guys are like from the past and have no clue at all!
Have you tried pointing them to your site? Or ask him to run the malicious file, so that he can see that it is no trojan! I'll bet there is a 50-60% chance that they will do it!
-- Anonymous, Aug 10th 2011