[Chapter-delegates] a problem with the Isoc India Chennai blog
Sivasubramanian M
isolatedn at gmail.com
Wed Feb 15 06:36:36 PST 2012
Hello
For the third time we are experiencing some problems with our Chapter Blog:
1. isocindiachennai.in site was under attack in 2009, and the hosting
service provider was unsupportive and unreasonable.
2. The same URL, after three years, was found listed in Spamhaus, and
communication to Spamhaus to remove the domain did not elicit a response.
Any email sent with the URL in the message was blocked by Spamhaus; this
was not known for 3 years.
3. Isocindiachennai.org is now infected, while being hosted at another
hosting service provider
(on a possibly related note, isocchennai twitter account is not on hashtag
stream)
*All these instances could be normal, non-specific malicious attacks, or
perhaps not.*
This is the communication received from the hosting service, when I noticed
and raised a query on why the site was down this afternoon:
> Please note that the above domain is suspended due to the malicious
> files uploaded. Our system found the below files under the public_html of
> the domain, which are malicious root exploit files.
>
> {HEX}php.injector.genol.444 :
> /home/isocic/public_html/wp-content/themes/thedawn/lib/scripts/cache/756dfa9b1ec0d8000e1ed6abd22ec632.php
> {HEX}php.injector.genol.444 :
> /home/isocic/public_html/wp-content/themes/thedawn/lib/scripts/cache/dc73ae75cc2426896738e4f1efd7fe64.php
>
> Kindly check on this; you need to terminate the domain and have to
> reupload all the contents after you have secured the site. This will
> prevent the other sites hosted under your reseller account from getting
> defaced. Kindly update us with the time during which you need us to unsuspend the
> site to take the backup.
I have responded by saying this:
> This is NOT due to any work we did. We did NOT alter anything from the
> cpanel or from wp-admin during the last few days and we are surprised at
> this problem.
> However as suggested we can delete and reupload the site, but AFTER TAKING
> A BACKUP ...
At least in this instance the hosting provider is supportive. A backup may
be possible, and a solution is in sight. We are working on it :)
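The provider's report above names two PHP files with 32-character hex names dropped into a theme cache directory. The following is an added detection example, not code from this list, the chapter, or the hosting provider: it walks a WordPress webroot, flags PHP files that sit in data directories (cache, uploads) or carry hash-like names, and records their SHA-256 so the evidence can be preserved before the site is wiped and re-uploaded. The sample tree it builds is constructed; only the suspicious cache path mirrors the report.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Directories inside a WordPress tree that should hold data, not executable code.
DATA_DIRS = {"cache", "uploads"}
# Many plugins drop an empty index.php into data directories to stop listings.
ALLOWED_IN_DATA_DIRS = {"index.php"}
# Randomly named droppers often use an MD5-style name, as in the provider's report.
HASH_NAME = re.compile(r"^[0-9a-f]{32}\.php$")


def scan_webroot(webroot):
    """Return sorted (relative_path, sha256, reasons) for suspicious PHP files."""
    webroot = Path(webroot)
    findings = []
    for path in webroot.rglob("*.php"):
        rel = path.relative_to(webroot)
        reasons = []
        if DATA_DIRS & set(rel.parts[:-1]) and path.name not in ALLOWED_IN_DATA_DIRS:
            reasons.append("php file inside a data directory")
        if HASH_NAME.match(path.name):
            reasons.append("32-hex filename")
        if reasons:
            # Hash the file so the evidence can be referenced after the site is rebuilt.
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            findings.append((rel.as_posix(), digest, reasons))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample webroot; only the cache path mirrors the provider's report."""
    root = Path(tempfile.mkdtemp())
    files = {
        "wp-content/themes/thedawn/functions.php": "<?php // theme code\n",
        "wp-content/uploads/index.php": "<?php // Silence is golden.\n",
        "wp-content/themes/thedawn/lib/scripts/cache/"
        "756dfa9b1ec0d8000e1ed6abd22ec632.php": "<?php // constructed placeholder\n",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


if __name__ == "__main__":
    for rel, digest, reasons in scan_webroot(build_sample_tree()):
        print(rel, digest[:16], ", ".join(reasons))
```

Run it against the real webroot (or a copy of the backup) instead of the constructed tree; the hashes are what you keep alongside the server logs when reporting the incident.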
-------------
The following is the communication on the previous incident regarding the
isocindiachennai.in domain:
---------- Forwarded message ----------
From: Rajnesh D. Singh <
Date: Wed, Apr 1, 2009 at 10:48 AM
Subject: RE: Require help in pursuing an issue with CERT
To: Sivasubramanian Muthusamy <
> Hello Shiva,
>
> Your hosting provider’s actual hosting is in the USA rather than India,
> and it's quite possible that the account was actually suspended by their
> provider (i.e. whoever Squarebrothers buys their services from).
> Squarebrothers appears to me as just a reseller of hosting and domain name
> services. In case you didn’t know, your site is actually hosted in Dallas,
> Texas.
> In this instance, I am not sure what CERT-IN can do. The site is
> physically in the US, and as such outside of their “jurisdiction”. I assume
> you have access to your website (e.g. CPanel or Plesk, etc.) so you can
> manage things like email addresses, databases, etc. that run on it. If you
> do, then you should also have access to some of the log files. You will
> need to look for this and see if you can get some information that way.
> Other than that, have you filed an incident report with CERT-IN as per the
> form they provide on http://www.cert-in.org.in/incidentreporting.htm ?
> Link to the file is http://www.cert-in.org.in/documents/certinirform.pdf
> If you haven’t filed this form with them, I suggest you do. Once you have
> done this, call their helpdesk, refer to the incident report form you
> filed, explain the issue, including the fact that your site is hosted in
> the US, and ask what assistance they can provide or what they suggest you
> do. The only “Indian” aspect I see here is that you have registered a “.IN”
> domain name, but this is open for anyone to register (and as such does not
> mean much).
> You can also always change your hosting service provider (and advise them
> you are doing so because of the issues you have had).
> HTH.
> Regards,
> R.
________________________________
From: Sivasubramanian Muthusamy [mailto:isolatedn at g...]
Sent: Wednesday, 1 April 2009 12:06 AM
To: Rajnesh D. Singh; chapter-support <chapter-support at isoc.org>
Subject: Require help in pursuing an issue with CERT
Hello Rajnesh,
I have already copied you on a message sent to a local web-hosting service
- a small, single owner outfit www.squarebrothers.com which hosted
isocindiachennai.in, a static website with one email account
chennni at isocindiachennai.in which was more of an unused account. The site
was noticed to be down, and when contacted the webhost sent a reply without
explanation that the site was suspended for sending bulk mails; when
asked for log files to be sent to CERT, the reaction was adverse and rude:
we received a communication that the site is shut down and the support ticket
closed.
This is likely to be due to a vulnerability in their hosting
infrastructure, and if the chapter address had been used for sending bulk
mails, it is necessary to understand the origin of this incident, the type
and volume of messages sent, and the type of addresses to which the
messages were sent. It is necessary to get to the bottom of it.
I need some help on this. Is there a way by which you could help us get
CERT to pay closer attention and conduct a thorough investigation?
Sivasubramanian Muthusamy
---------- Forwarded message ----------
From: Sivasubramanian Muthusamy <isolatedn at gmail.com>
Date: Tue, Mar 31, 2009 at 5:26 PM
Subject: Re: [SUPPORT #IIT-225158]: Domain not working.
To: "Support, Square Brothers." <support at squarebrothers.com>,
incident at cert-in.org.in
Cc: Tamil <tamilmalaravan at bharatplanet.com>,
Chandramohan <chandramohan at bharatplanet.com>,
"Chandramohan, BharatPlanet - Chennai" <tcmohan at gmail.com>
Hello
In response to the following mail, in which you have chosen not to give us
further details or log files, we suggest that you do not delete the log
files or suppress details until this issue is looked into by CERT.
This message is copied to CERT with a request to note that you have been
notified of the full importance of an investigation into this incident.
Thank you.
On Tue, Mar 31, 2009 at 3:02 PM, Support : Square Brothers
<support at squarebrothers.com> wrote:
>
> Hi,
> Sending bulk/spam mails & resource abuse is against our AUP & terms of
> service.
> If the hosting account violated the AUP or the terms of service, your account
> will be stopped without any notice or mail.
>
> ~ Support Team ~
(the above message appears to be a retaliation to the suggestion of taking
this up with CERT)
Sivasubramanian Muthusamy
On Tue, Mar 31, 2009 at 12:54 PM, Sivasubramanian Muthusamy
<isolatedn at gmail.com> wrote:
Hello,
You have not sent us any communication to inform us about this serious
security lapse, which is possibly due to a vulnerability in your
hosting infrastructure. We would like to have the details and log files now
as we prefer a complaint to CERT.
ISOC India Chennai is part of ISOC ( http://www.isoc.org ) and we need to
take this issue seriously. Please let us have the complete details of this
incident.
Sivasubramanian Muthusamy
On Tue, Mar 31, 2009 at 12:21 PM, Chandramohan
<chandramohan at bharatplanet.com> wrote:
> Hi,
> With reference to the mail below, we have not sent any bulk mail or
> whatsoever from the account.
> May I have any references regarding the same.
> Regards,
> Chandramohan
-----Original Message-----
From: Support : Square Brothers [mailto:support at squarebrothers.com]
Sent: 30 ?????? 2009 20:24
To: tamilmalaravan at bharatplanet.com
Cc: chandramohan at bharatplanet.com
Subject: [SUPPORT #IIT-225158]: Domain not working.
> Hi,
> This account was suspended for sending bulk mails.
> Make sure that there will not be any bulk/spam mails from this hosting account.
> regards
>
> R.Ilangovan
> Member - Support
> Square Brothers Information Technologies (P) Ltd.,
> AA-9, Second Avenue, Annanagar,
> Chennai, Tamilnadu, India. PIN : 600040
> Tel : +91.44.26205355 / 26205356
> e-Mail : support at squarebrothers.com
> url : www.squarebrothers.com
Ticket Details
===================
Ticket ID: IIT-225158
Department: Support
Priority: Medium
Status: Closed