[Chapter-delegates] a problem with the Isoc India Chennai blog
Joly MacFie
joly at punkcast.com
Thu Feb 16 01:22:26 PST 2012
Hi Siva,
The sad truth is that WordPress sites do sometimes get compromised despite
the best efforts of both users and hosts, and one just has to clean up and
get on with life.
At ISOC-NY we use any number of prophylactic plugins including Bad Behavior,
Exploit Scanner, SABRE, Wordpress Firewall 2, and WP Security Scan, and also
DBC Backup for cron backups.

Wordpress Firewall 2 in particular defeats apparent SQL injection attempts
on an almost daily basis.

WP Security Scan have recently upgraded their product and it is now
really remarkable, immediately reporting any changes to one's entire
installation.
See http://www.websitedefender.com/ - I recommend it. Free for a single
non commercial site.
j
On Wed, Feb 15, 2012 at 9:36 AM, Sivasubramanian M <isolatedn at gmail.com> wrote:
> Hello
>
>
> For the third time we are experiencing some problem with our Chapter Blog:
>
> 1. isocindiachennai.in site was under attack in 2009, and the hosting
> service provider was unsupportive and unreasonable.
>
> 2. The same URL, after three years, was found listed in spamhaus, and
> communication to spamhause to remove the domain did not elicit a response.
> Any email sent with the URL on the message was blocked by spamhaus, this
> was not known for 3 years.
>
> 3. Isocindiachennai.org is now infected, while being hosted at another
> hosting service provider
>
> (on a possibly related note, isocchennai twitter account is not on hashtag
> stream)
>
> All these instances could be normal, non-specific malicious attacks, or
> perhaps not.
>
> This is the communication received from the hosting service, when I
> noticed and raised a query on why the site was down this afternoon:
>
>> Please note that the above domain is suspended due to the malicious
>> files uploaded. Our system found the below files under the public_html of
>> the domain which are malicious root exploit files.
>>
>> {HEX}php.injector.genol.444 :
>> /home/isocic/public_html/wp-content/themes/thedawn/lib/scripts/cache/756dfa9b1ec0d8000e1ed6abd22ec632.php
>> {HEX}php.injector.genol.444 :
>> /home/isocic/public_html/wp-content/themes/thedawn/lib/scripts/cache/dc73ae75cc2426896738e4f1efd7fe64.php
>>
>> Kindly check on this and you need to terminate the domain and have to
>> reupload all the contents after you have secured the site. This will
>> prevent the other sites hosted under your reseller account from getting
>> defaced. Kindly update us the time during which you need us to unsuspend the
>> site to take the backup.
>
>
>
> I have responded by saying this:
>
>> This is NOT due to any work we did. We did NOT alter anything from the
>> cpanel or from wp-admin during the last few days and we are surprised at
>> this problem.
>> However as suggested we can delete and reupload the site, but AFTER
>> TAKING A BACK UP ...
>
> On least on this instance the hosting provider is supportive. A back up
> may be possible, and a solution is in sight. We are working on it :)
>
> -------------
>
> The following is the communication on the previous incidence wrt to the
> isocindiachennai.in domain:
>
>
> ---------- Forwarded message ----------
> From: Rajnesh D. Singh <
> Date: Wed, Apr 1, 2009 at 10:48 AM
> Subject: RE: Require help in pursuing an issue with CERT
> To: Sivasubramanian Muthusamy <
>
>
>> Hello Shiva,
>>
>> Your hosting provider’s actual hosting is in the USA rather than India,
>> and its quite possible that the account was actually suspended by their
>> provider (i.e. whoever Squarebrothers buys their services from).
>> Squarebrothers appears to me as just a reseller of hosting and domain
>> name services. In case you didn’t know, your site is actually hosted in
>> Dallas, Texas.
>> In this instance, I am not sure what CERT-IN can do. The site is
>> physically in the US, and as such outside of their “jurisdiction”. I assume
>> you have access to your website (e.g. CPanel or Plesk, etc.) so you can
>> manage things like email addresses, databases, etc. that run on it. If you
>> do, then you should also have access to some of the log files. You will
>> need to look for this and see if you can get some information that way.
>> Other than that, have you filed an incident report with CERT-IN as per
>> the form they provide on http://www.cert-in.org.in/incidentreporting.htm?
>> Link to the file is http://www.cert-in.org.in/documents/certinirform.pdf
>> If you haven’t filed this form with them, I suggest you do. Once you have
>> done this, call their helpdesk, refer to the incident report form you
>> filed, explain the issue, including the fact that your site is hosted in
>> the US, and what assistance they can provide or what do they suggest you
>> do. The only “Indian” aspect I see here is that you have registered a “.IN”
>> domain name, but this is open for anyone to register (and as such does not
>> mean much).
>> You can also always change your hosting service provider (and advise them
>> you are doing so because of the issues you have had).
>> HTH.
>> Regards,
>> R.
>
> ________________________________
>
> From: Sivasubramanian Muthusamy [mailto:isolatedn at g...]
> Sent: Wednesday, 1 April 2009 12:06 AM
> To: Rajnesh D. Singh; chapter-support <chapter-support at isoc.org>
> Subject: Require help in pursuing an issue with CERT
>
>
> Hello Rajnesh,
>
>
> I have already copied you on a message sent to a local web-hosting service
> - a small, single owner outfit www.squarebrothers.com which hosted
> isocindiachennai.in, a static website with one email account
> chennni at isocindiachennai.in which was more of an unused account. The site
> was noticed down and when contacted the webhost sent a reply without
> explanation that the site was suspended for sending bulk mails, and when
> asked for log files to be sent to CERT, the reaction was adverse and rude -
> received a communication that the site is shut down and the support ticket
> closed.
>
> This is likely to be due to the vulnerability of their hosting
> infrastructure and if the chapter address had been used for sending bulk
> mails, it is necessary to understand the origin of this incident,
> understand the type and volume of messages sent, to the type of addresses
> to which the message was sent. It is necessary to get down to the bottom of
> it.
>
> I need some help on this. Is there a way by which you could help us get
> CERT to pay a closer attention and a thorough investigation ?
>
> Sivasubramanian Muthusamy
>
> ---------- Forwarded message ----------
> From: Sivasubramanian Muthusamy <isolatedn at gmail.com>
> Date: Tue, Mar 31, 2009 at 5:26 PM
> Subject: Re: [SUPPORT #IIT-225158]: Domain not working.
> To: "Support, Square Brothers." <support at squarebrothers.com>,
> <incident at cert-in.org.in>
> Cc: Tamil <tamilmalaravan at bharatplanet.com>,
> Chandramohan <chandramohan at bharatplanet.com>,
> "Chandramohan, BharatPlanet - Chennai" <tcmohan at gmail.com>
>
> hello
>
> In response to the following mail, you have chosen not to give us further
> details or log files as your response indicates, we suggest that you do not
> delete the log files or suppress details until this issue is looked into by
> CERT.
>
> This message is copied to CERT with a request to note that you have been
> notified of the importance of the full importance for an investigation into
> this incident.
>
> Thank you.
>
> On Tue, Mar 31, 2009 at 3:02 PM, Support : Square Brothers
> <support at squarebrothers.com> wrote:
>>
>> Hi,
>> Sending bulk/spam mails & resource abuse is against our AUP & terms of
>> service.
>> If the hosting account violated AUP or the terms of service, your account
>> will be stopped without any notice or mail.
>>
>> ~ Support Team ~
>>
>
>
> (the above message appears to be a retaliation to the suggestion of
> taking this up with CERT)
>
>
> Sivasubramanian Muthusamy
>
> On Tue, Mar 31, 2009 at 12:54 PM, Sivasubramanian Muthusamy
> <isolatedn at gmail.com> wrote:
>
> Hello,
>
> You have not sent us any communication to inform us about this serious
> security lapse which is a possibility due to a vulnerability in your
> hosting infrastructure. We would like to have the details and log files now
> as we prefer a complaint to the CERT.
>
> ISOC India Chennai is part of ISOC ( http://www.isoc.org ) and we need to
> take this issue seriously. Please let us have the complete details of this
> incident.
>
> Sivasubramanian Muthusamy
>
>
> On Tue, Mar 31, 2009 at 12:21 PM, Chandramohan <chandramohan at bharatplanet.com>
> wrote:
>
> Hi,
>> With reference to the mail below, we have not sent any bulkmail or
>> whatsoever from the account.
>> May I have any references regarding the same.
>> Regards,
>> Chandramohan
>
>
> -----Original Message-----
> From: Support : Square Brothers [mailto:support at squarebrothers.com]
> Sent: 30 ?????? 2009 20:24
> To: <tamilmalaravan at bharatplanet.com>
> Cc: <chandramohan at bharatplanet.com>
> Subject: [SUPPORT #IIT-225158]: Domain not working.
>
>
>> Hi,
>> This account was suspended for sending bulk mails.
>> Make sure that there will be any bulk/spam mails from this hosting
>> account.
>> regards
>>
>> R.Ilangovan
>> Member - Support
>> Square Brothers Information Technologies (P) Ltd.,
>> AA-9, Second Avenue, Annanagar,
>> Chennai, Tamilnadu, India. PIN : 600040
>> Tel : +91.44.26205355 / 26205356
>> e-Mail : support at squarebrothers.com
>> url : www.squarebrothers.com
>
>
>
> Ticket Details
> ===================
> Ticket ID: IIT-225158
> Department: Support
> Priority: Medium
> Status: Closed
--
---------------------------------------------------------------
Joly MacFie 218 565 9365 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
http://pinstand.com - http://punkcast.com
VP (Admin) - ISOC-NY - http://isoc-ny.org
---------------------------------------------------------------
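A minimal file-integrity check of the kind Joly describes (snapshot the installation, then report anything that appears or changes), added here as an example rather than code from any of the plugins named in the thread; the directory layout and the hash-named cache file in the demo are constructed to mirror the hosting provider's report.

```python
import hashlib
import tempfile
from pathlib import Path

# Directories in which a WordPress install should never gain new PHP files.
# "lib/scripts/cache" mirrors the theme cache path named in the host's report.
SUSPECT_DIRS = ("wp-content/uploads", "wp-content/cache", "lib/scripts/cache")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> sha256 for every regular file below root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Classify changes since the baseline snapshot was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    # A new .php file appearing under a cache/upload directory is the
    # pattern the hosting provider flagged; surface it separately.
    suspicious = [p for p in added
                  if p.endswith(".php") and any(d in p for d in SUSPECT_DIRS)]
    return {"added": added, "removed": removed,
            "modified": modified, "suspicious": suspicious}


def demo() -> dict:
    """Constructed scenario: snapshot a tiny install, then inject one file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        cache = root / "wp-content/themes/thedawn/lib/scripts/cache"
        cache.mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php // constructed\n")
        (cache / "index.html").write_text("")
        baseline = build_manifest(root)
        # Simulate the drop from the report: a hash-named PHP file in the cache
        (cache / "756dfa9b1ec0d8000e1ed6abd22ec632.php").write_text("<?php // stand-in\n")
        (root / "wp-config.php").write_text("<?php // constructed, edited\n")
        return compare(baseline, build_manifest(root))
```

Run `build_manifest` against a known-clean copy, store the result, and diff the live tree against it on a schedule; anything in `suspicious` deserves a look before the host does it for you.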