abuse handling - SANS Internet Storm Center

abuse handling
A number of years ago fellow handler Pedro Bueno created a number of malware challenges. They contained malware that could be analyzed as part of the challenge. This was hosted for years on our "handlers server" at handlers.dshield.org and as those of you who know how to use tools like whois can figure out easily, this server is currently hosted at 1and1, a well known hosting company. Yesterday, Johannes Ullrich, received following email from the abuse department at 1and1: Your contract number: [censored] Your customer ID: [censored] Our reference: [censored] Note: Your personal 1&1 contract number and your name certify that this e-mail was sent by 1&1 Internet Inc. Dear Mr. Johannes Ullrich, We received an external complaint stating that your 1&1 Server hosts a phishing or malware site. The site is to be found at: http://handlers.dshield.org/pbueno/malwares-quiz/malware-quiz.exe This certainly results from a hacking attack to your server. Please proceed as follows to reestablish the security of your 1&1 Server: 1. Immediately delete all content on your 1&1 Server related to the phishing or malware site. 2. Run an exhaustive search for any further foreign content. Hackers will mostly have stored files to grant them future access to your 1&1 Server. Delete those files as well. 3. Secure the leak that permitted the attack. You will find the intrusion point through an analysis of your log files. 4. Please get back to us with a short report on the measures you will have undertaken. Simply reply to this e-mail leaving our reference [censored] in your message. The following general information on hacking attacks may serve you: I. Attacks of this sort often occur through insecure PHP-files or outdated modules of popular CMS like Joomla!, Contenido or phpBB. Up-dating your software will considerably increase it's security level. II. Further intrusion points are compromised passwords, often spied out by a virus installed on your local drive. TIP: Passwords to the administration section of CMS are also often manipulated during hacking attacks. III. In most cases hackers upload malicious files to grant them future access to your Server. It therefore is of particular importance to scan your Server for malicious content. If you should require further information, please simply reply to this e-mail, preserving our reference [censored] in your message. We appreciate your cooperation and look forward continuing to provide you with safe and secure hosting. Kind regards, Abuse Team -- Abuse Department 1&1 Internet Inc. Some censoring and some reformatting to increase readability have been done Well there's not much wrong with that form letter except that it's not a result of getting hacked, but that we placed the stuff there intentionally, without any malicious intent obviously. So our reply: Dear Abuse Department: the sample referenced below is intentionally placed on the site as part of a reverse engineering quiz. It is not the result of an attack. thx. was replied to our amazement with: Your customer number: [censored] Your contract number: [censored] Our reference: [censored] Dear Mr. Johannes Ullrich, Thank you for getting back to us and the measures you have undertaken. You contributed considerably to re-establishing the security of your account - thanks a lot! In case we should receive further alerts, you will promptly be notified. Please stay attentive to the security of your account. Best regards Abuse Team -- Abuse Department 1&1 Internet Inc. It's most likely another form letter so we'll skip over the content itself, but are they really closing the issue and happy to let us host malware? Even if we have not even removed it? Just because we said it was intentional and not a result of being hacked was enough? Just to clarify: we probably should have password protected the sample to prevent accidents and/or misunderstandings, and are changing that as we write this. We often end up being those that report abuse and -well- it's frustrating to see well below par responses to our reports, but if this is how easy they let the bad guys get away with hosting malware, then that's no wonder at all. While I was running abuse departments at ISPs I've always defended the concept that abuse and sales/support are opposing forces in the company. Abuse chases away bad/unwanted customers and/or cripples the service till they do comply with the relevant policies. Surely you end up with those customers that are victims themselves and those customers deserve all possible attention and help, but the abuse department only works well if it's independent from that support and can be the proverbial stick without having to wield carrots all the time. -- Swa Frantzen -- Section 66	Swa 760 Posts Aug 9th 2011
Thread locked Subscribe	Aug 9th 2011 1 decade ago
Sounds like their abuse handler doesn't know who you guys are...	Anonymous
Quote	Aug 9th 2011 1 decade ago
This is very amusing. I have a 1&1 server and their support is usually clueless. Reading this exchange has been very entertaining. Did you know that their phone agents actually ask you for your account password before you can order anything or make account changes over the phone? I have to change it to something as I talk to them and change it back every time.	oleksiy 34 Posts
Quote	Aug 9th 2011 1 decade ago
Speaking of reporting incidents: when our WAF rules are triggered (i.e. PHP vulnerability scans), I'm usually sending out two emails: one to the company hosting the payload and one to the host running the already compromised server. Generally speaking, the cheaper the hosting offer, the worse the defenses and response time / actual response. There are of course exceptions and some small hosters are fast to react, while other large hosters take several days to remove files or disconnect a server, if they act at all. Most of the time, compromised websites are lacking contact useful information (either not present at all or outdated). Just as no care is taken to provide accurate content, the software isn't updated either and the site ends up being defaced or entirely compromised.	oleksiy 5 Posts
Quote	Aug 9th 2011 1 decade ago
Actually, it is funny to see that 50% of the AVs detect it when actually is it not a malware :) I explained what it does here, back in 2006: handlers.sans.org/pbueno/… :)	Pedro 155 Posts ISC Handler
Quote	Aug 9th 2011 1 decade ago
Well, we are hardly a big company, but when they finally get tired of sending form letters instead of using actual intelligence to realize what you are doing (and instead just block your account), we would be happy to donate/barter some space/bandwidth to host it for you. We don't have a single form letter in our organization. :) I imagine there are a few other providers on here that would be happy to do the same if you need mirror capabilities.	Anonymous
Quote	Aug 9th 2011 1 decade ago
Bwhahahaha. That fits my personal 1&1 experience perfectly! Those guys are like from the past and have no clue at all! Have you tried pointing them to your site? Or ask him to run the malicious file, so that he can see, that it is no trojan! I'll bet there is a 50-60% chance, that they will do it!	Anonymous
Quote	Aug 10th 2011 1 decade ago

A number of years ago fellow handler Pedro Bueno created a number of malware challenges. They contained malware that could be analyzed as part of the challenge. This was hosted for years on our "handlers server" at handlers.dshield.org and as those of you who know how to use tools like whois can figure out easily, this server is currently hosted at 1and1, a well known hosting company.

Yesterday, Johannes Ullrich, received following email from the abuse department at 1and1:

Your contract number: [censored]
Your customer ID: [censored]
Our reference: [censored]
Note: Your personal 1&1 contract number and your name certify that this e-mail was sent by 1&1 Internet Inc.

Dear Mr. Johannes Ullrich,

We received an external complaint stating that your 1&1 Server hosts a phishing or malware site. The site is to be found at:

http://handlers.dshield.org/pbueno/malwares-quiz/malware-quiz.exe

This certainly results from a hacking attack to your server. Please proceed as follows to reestablish the security of your 1&1 Server:

1. Immediately delete all content on your 1&1 Server related to the phishing or malware site.
2. Run an exhaustive search for any further foreign content. Hackers will mostly have stored files to grant them future access to your 1&1 Server. Delete those files as well.
3. Secure the leak that permitted the attack. You will find the intrusion point through an analysis of your log files.
4. Please get back to us with a short report on the measures you will have undertaken. Simply reply to this e-mail leaving our reference [censored] in your message.

The following general information on hacking attacks may serve you:

I. Attacks of this sort often occur through insecure PHP-files or outdated modules of popular CMS like Joomla!, Contenido or phpBB. Up-dating your software will considerably increase it's security level.
II. Further intrusion points are compromised passwords, often spied out by a virus installed on your local drive.
TIP: Passwords to the administration section of CMS are also often manipulated during hacking attacks.
III. In most cases hackers upload malicious files to grant them future access to your Server. It therefore is of particular importance to scan your Server for malicious content.
If you should require further information, please simply reply to this e-mail, preserving our reference [censored] in your message.
We appreciate your cooperation and look forward continuing to provide you with safe and secure hosting.

Kind regards,

Abuse Team
--
Abuse Department
1&1 Internet Inc.

Some censoring and some reformatting to increase readability have been done

Well there's not much wrong with that form letter except that it's not a result of getting hacked, but that we placed the stuff there intentionally, without any malicious intent obviously.

So our reply:

Dear Abuse Department:

the sample referenced below is intentionally placed on the site as part of a reverse engineering quiz. It is not the result of an attack.

thx.

was replied to our amazement with:

Your customer number: [censored]
Your contract number: [censored]
Our reference: [censored]

Dear Mr. Johannes Ullrich,

Thank you for getting back to us and the measures you have undertaken.
You contributed considerably to re-establishing the security of your account - thanks a lot!
In case we should receive further alerts, you will promptly be notified. Please stay attentive to the security of your account.

Best regards

Abuse Team
--
Abuse Department
1&1 Internet Inc.

It's most likely another form letter so we'll skip over the content itself, but are they really closing the issue and happy to let us host malware? Even if we have not even removed it? Just because we said it was intentional and not a result of being hacked was enough?

Just to clarify: we probably should have password protected the sample to prevent accidents and/or misunderstandings, and are changing that as we write this.

We often end up being those that report abuse and -well- it's frustrating to see well below par responses to our reports, but if this is how easy they let the bad guys get away with hosting malware, then that's no wonder at all.

While I was running abuse departments at ISPs I've always defended the concept that abuse and sales/support are opposing forces in the company. Abuse chases away bad/unwanted customers and/or cripples the service till they do comply with the relevant policies. Surely you end up with those customers that are victims themselves and those customers deserve all possible attention and help, but the abuse department only works well if it's independent from that support and can be the proverbial stick without having to wield carrots all the time.

--
Swa Frantzen -- Section 66

Swa

760 Posts

Aug 9th 2011

Sounds like their abuse handler doesn't know who you guys are...

Anonymous

This is very amusing. I have a 1&1 server and their support is usually clueless. Reading this exchange has been very entertaining. Did you know that their phone agents actually ask you for your account password before you can order anything or make account changes over the phone? I have to change it to something as I talk to them and change it back every time.

oleksiy

34 Posts

Speaking of reporting incidents: when our WAF rules are triggered (i.e. PHP vulnerability scans), I'm usually sending out two emails: one to the company hosting the payload and one to the host running the already compromised server.

Generally speaking, the cheaper the hosting offer, the worse the defenses and response time / actual response. There are of course exceptions and some small hosters are fast to react, while other large hosters take several days to remove files or disconnect a server, if they act at all.

Most of the time, compromised websites are lacking contact useful information (either not present at all or outdated). Just as no care is taken to provide accurate content, the software isn't updated either and the site ends up being defaced or entirely compromised.

oleksiy
5 Posts

Actually, it is funny to see that 50% of the AVs detect it when actually is it not a malware :) I explained what it does here, back in 2006: handlers.sans.org/pbueno/… :)

Pedro

155 Posts
ISC Handler

Well, we are hardly a big company, but when they finally get tired of sending form letters instead of using actual intelligence to realize what you are doing (and instead just block your account), we would be happy to donate/barter some space/bandwidth to host it for you. We don't have a single form letter in our organization. :) I imagine there are a few other providers on here that would be happy to do the same if you need mirror capabilities.

Anonymous

Bwhahahaha. That fits my personal 1&1 experience perfectly! Those guys are like from the past and have no clue at all!

Have you tried pointing them to your site? Or ask him to run the malicious file, so that he can see, that it is no trojan! I'll bet there is a 50-60% chance, that they will do it! :-D

Anonymous