[Chapter-delegates] a problem with the Isoc India Chennai blog
Eduard Tric
eduard.tric at isoc.ro
Thu Feb 16 02:00:43 PST 2012
Thank you Joly.
It would be useful to create a document for chapters about "(survival) tools for publishing on the Internet" with a hosting and security part. People are more likely to use fully featured, engineered solutions.
----- Original Message -----
From: "Elena Zvarici" <elena.zvarici at isoc.ro>
To: joly at punkcast.com
Cc: "Chapter Delegates" <chapter-delegates at elists.isoc.org>
Sent: Thursday, February 16, 2012 11:43:01 AM
Subject: Re: [Chapter-delegates] a problem with the Isoc India Chennai blog
Thank you Joly,
Very useful plugins, I installed them too. I hope they will be enough to guard against attacks.
Elena Zvarici
Communication manager
Internet Society Romania
+40726128728
http://www.isoc.ro
www.twitter.com/isocro
https://www.facebook.com/pages/Internet-Society-Romania/188191997871404?ref=tn_tnmn
From: "Joly MacFie" <joly at punkcast.com>
To: "Sivasubramanian M" <isolatedn at gmail.com>
Cc: "Chapter Delegates" <chapter-delegates at elists.isoc.org>
Sent: Thursday, February 16, 2012 11:22:26 AM
Subject: Re: [Chapter-delegates] a problem with the Isoc India Chennai blog
Hi Siva,
The sad truth is that WordPress sites do sometimes get compromised despite the best efforts of both users and hosts, and one just has to clean up and get on with life.
At ISOC-NY we use any number of prophylactic plugins including Bad Behavior, Exploit Scanner, SABRE, Wordpress Firewall 2, and WP Security Scan, and also DBC Backup for cron backups.
Wordpress Firewall 2 in particular defeats apparent SQL injection attempts on an almost daily basis.
WP Security Scan has recently upgraded its product and it is now really remarkable, immediately reporting any changes to one's entire installation.
See http://www.websitedefender.com/ - I recommend it. Free for a single non commercial site.
j
On Wed, Feb 15, 2012 at 9:36 AM, Sivasubramanian M < isolatedn at gmail.com > wrote:
Hello
For the third time we are experiencing some problem with our Chapter Blog:
1. isocindiachennai.in site was under attack in 2009, and the hosting service provider was unsupportive and unreasonable.
2. The same URL, after three years, was found listed in Spamhaus, and communication to Spamhaus to remove the domain did not elicit a response. Any email sent with the URL in the message was blocked by Spamhaus; this was not known for 3 years.
3. Isocindiachennai.org is now infected, while being hosted at another hosting service provider
(on a possibly related note, isocchennai twitter account is not on hashtag stream)
All these instances could be normal, non-specific malicious attacks, or perhaps not.
This is the communication received from the hosting service, when I noticed and raised a query on why the site was down this afternoon:
> Please note that the above domain is suspended due to the malicious files uploaded. Our system found the below files under the public_html of the domain, which are malicious root exploit files.
>
> {HEX}php.injector.genol.444 : /home/isocic/public_html/wp-content/themes/thedawn/lib/scripts/cache/756dfa9b1ec0d8000e1ed6abd22ec632.php
> {HEX}php.injector.genol.444 : /home/isocic/public_html/wp-content/themes/thedawn/lib/scripts/cache/dc73ae75cc2426896738e4f1efd7fe64.php
> Kindly check on this; you need to terminate the domain and reupload all the contents after you have secured the site. This will prevent the other sites hosted under your reseller account from getting defaced. Kindly update us with the time during which you need us to unsuspend the site to take the backup.
I have responded by saying this:
This is NOT due to any work we did. We did NOT alter anything from the cpanel or from wp-admin during the last few days and we are surprised at this problem.
However as suggested we can delete and reupload the site, but AFTER TAKING A BACK UP ...
At least in this instance the hosting provider is supportive. A backup may be possible, and a solution is in sight. We are working on it :)
-------------
The following is the communication on the previous incident with regard to the isocindiachennai.in domain:
---------- Forwarded message ----------
From: Rajnesh D. Singh <
Date: Wed, Apr 1, 2009 at 10:48 AM
Subject: RE: Require help in pursuing an issue with CERT
To: Sivasubramanian Muthusamy <
Hello Shiva,
Your hosting provider's actual hosting is in the USA rather than India, and it's quite possible that the account was actually suspended by their provider (i.e. whoever Squarebrothers buys their services from).
Squarebrothers appears to me as just a reseller of hosting and domain name services. In case you didn’t know, your site is actually hosted in Dallas, Texas.
In this instance, I am not sure what CERT-IN can do. The site is physically in the US, and as such outside of their “jurisdiction”. I assume you have access to your website (e.g. CPanel or Plesk, etc.) so you can manage things like email addresses, databases, etc. that run on it. If you do, then you should also have access to some of the log files. You will need to look for this and see if you can get some information that way.
Other than that, have you filed an incident report with CERT-IN as per the form they provide on http://www.cert-in.org.in/incidentreporting.htm ?
Link to the file is http://www.cert-in.org.in/documents/certinirform.pdf
If you haven’t filed this form with them, I suggest you do. Once you have done this, call their helpdesk, refer to the incident report form you filed, explain the issue, including the fact that your site is hosted in the US, and what assistance they can provide or what do they suggest you do. The only “Indian” aspect I see here is that you have registered a “.IN” domain name, but this is open for anyone to register (and as such does not mean much).
You can also always change your hosting service provider (and advise them you are doing so because of the issues you have had).
HTH.
Regards,
R.
________________________________
From: Sivasubramanian Muthusamy [mailto: isolatedn at g. ..]
Sent: Wednesday, 1 April 2009 12:06 AM
To: Rajnesh D. Singh; chapter-support
Subject: Require help in pursuing an issue with CERT
Hello Rajnesh,
I have already copied you on a message sent to a local web-hosting service - a small, single owner outfit www.squarebrothers.com which hosted isocindiachennai.in , a static website with one email account chennni at isocindiachennai.in which was more of an unused account. The site was noticed down and when contacted the webhost sent a reply without explanation that the site was suspended for sending bulk mails, and when asked for log files to be sent to CERT, the reaction was adverse and rude - received a communication that the site is shut down and the support ticket closed.
This is likely to be due to the vulnerability of their hosting infrastructure and if the chapter address had been used for sending bulk mails, it is necessary to understand the origin of this incident, understand the type and volume of messages sent, to the type of addresses to which the message was sent. It is necessary to get down to the bottom of it.
I need some help on this. Is there a way by which you could help us get CERT to pay a closer attention and a thorough investigation ?
Sivasubramanian Muthusamy
---------- Forwarded message ----------
From: Sivasubramanian Muthusamy < isolatedn
Date: Tue, Mar 31, 2009 at 5:26 PM
Subject: Re: [SUPPORT #IIT-225158]: Domain not working.
To: "Support, Square Brothers." < support at squarebrothers.com >, incident at cert
Cc: Tamil < tamilmalaravan at bhara >, Chandramohan < chandramohan at bhar >, "Chandramohan, BharatPlanet - Chennai" < tcmohan at gm >
hello
In response to the following mail, you have chosen not to give us further details or log files, as your response indicates; we suggest that you do not delete the log files or suppress details until this issue is looked into by CERT.
This message is copied to CERT with a request to note that you have been notified of the full importance of an investigation into this incident.
Thank you.
On Tue, Mar 31, 2009 at 3:02 PM, Support : Square Brothers < support at squarebrothers > wrote:
Hi,
Sending bulk/spam mails & resource abuse is against our AUP & terms of service.
If the hosting account violated AUP or the terms of service, your account will be stopped without any notice or mail.
~ Support Team ~
(the above message appears to be a retaliation to the suggestion of taking this up with CERT)
Sivasubramanian Muthusamy
On Tue, Mar 31, 2009 at 12:54 PM, Sivasubramanian Muthusamy < isolatedn at gmail > wrote:
Hello,
You have not sent us any communication to inform us about this serious security lapse which is a possibility due to a vulnerability in your hosting infrastructure. We would like to have the details and log files now as we prefer a complaint to the CERT.
ISOC India Chennai is part of ISOC ( http://www.isoc.org ) and we need to take this issue seriously. Please let us have the complete details of this incident.
Sivasubramanian Muthusamy
On Tue, Mar 31, 2009 at 12:21 PM, Chandramohan < chandramohan at bharatplanet > wrote:
Hi,
With reference to the mail below, we have not sent any bulk mail or whatsoever from the account.
May I have any references regarding the same.
Regards,
Chandramohan
-----Original Message-----
From: Support : Square Brothers [mailto: support at squarebrothers
Sent: 30 ?????? 2009 20:24
To: tamilmalaravan at bharatplane t
Cc: chandramohan at bharatplanet
Subject: [SUPPORT #IIT-225158]: Domain not working.
Hi,
This account was suspended for sending bulk mails.
Make sure that there will be any bulk/spam mails from this hosting account.
regards
R.Ilangovan
Member - Support
Square Brothers Information Technologies (P) Ltd.,
AA-9, Second Avenue, Annanagar,
Chennai, Tamilnadu, India. PIN : 600040
Tel : +91.44.26205355 / 26205356
e-Mail : support at squarebrothers
url : www.squarebrothers.com
Ticket Details
===================
Ticket ID: IIT-225158
Department: Support
Priority: Medium
Status: Closed
--
---------------------------------------------------------------
Joly MacFie 218 565 9365 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
http://pinstand.com - http://punkcast.com
VP (Admin) - ISOC-NY - http://isoc-ny.org
--------------------------------------------------------------
_______________________________________________
Chapter-delegates mailing list
Chapter-delegates at elists.isoc.org
https://elists.isoc.org/mailman/listinfo/chapter-delegates
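The compromise Siva describes (two PHP files with 32-hex-character names dropped into a theme's cache directory, found by the host's malware scanner) and the plugin Joly recommends for "immediately reporting any changes to one's entire installation" both come down to file-integrity monitoring. The script below is an added example written for this page; it is not code from the thread, from WP Security Scan, or from any other plugin named here. It records a SHA-256 baseline of a WordPress docroot after a clean deploy, re-hashes the tree later, reports added, removed and changed files, and applies a heuristic (an assumption, not a vendor signature) that flags PHP under `/cache/` or `wp-content/uploads/` directories or with a 32-hex-character name. The demo tree, the dropped file's contents and the baseline location are constructed; only the theme cache path and filename are taken from the host's report in the thread.

```python
# Added example (not code from the thread or from any plugin it names):
# a minimal file-integrity baseline and audit for a WordPress docroot.
import hashlib
import json
import os
import re
import tempfile

# Assumption: PHP should never appear under these paths. "/cache/" covers the
# theme cache directory from the host's report; uploads/ and wp-content/cache/
# are common drop locations. Adjust for your own theme and plugin layout.
PHP_FORBIDDEN_DIRS = ("wp-content/uploads/", "wp-content/cache/", "/cache/")
# Heuristic: the two files the host found were named <32 hex chars>.php.
HEX32_NAME = re.compile(r"^[0-9a-f]{32}\.php$")


def sha256_file(path):
    """SHA-256 of one file, streamed so large uploads do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map every regular file under root to its SHA-256, keyed by '/'-separated relative path."""
    table = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow symlinks out of the docroot
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            table[rel] = sha256_file(full)
    return table


def save_baseline(table, path):
    with open(path, "w") as f:
        json.dump(table, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def suspicious_php(rel_path):
    """PHP in a directory that should hold only static or cache data, or with a 32-hex-char name."""
    if not rel_path.endswith(".php"):
        return False
    if any(marker in rel_path for marker in PHP_FORBIDDEN_DIRS):
        return True
    return HEX32_NAME.match(os.path.basename(rel_path)) is not None


def audit(root, baseline):
    """Compare the live tree against the baseline; return (added, removed, changed, suspicious)."""
    current = hash_tree(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    suspicious = sorted(p for p in added + changed if suspicious_php(p))
    return added, removed, changed, suspicious


def demo():
    """Constructed scenario: clean install, baseline, then a theme-cache PHP drop and a modified index.php."""
    root = tempfile.mkdtemp(prefix="wp-docroot-")
    clean_files = {  # constructed stand-ins, not real WordPress contents
        "index.php": b"<?php require 'wp-blog-header.php';",
        "wp-config.php": b"<?php define('DB_NAME', 'wp');",
        "wp-content/themes/thedawn/style.css": b"/* theme */",
        "wp-content/themes/thedawn/lib/scripts/cache/index.html": b"",
    }
    for rel, data in clean_files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    # Keep the baseline outside the docroot: an attacker who can write there could rewrite it.
    baseline_path = os.path.join(tempfile.mkdtemp(prefix="wp-baseline-"), "baseline.json")
    save_baseline(hash_tree(root), baseline_path)

    # Simulated compromise: the cache path and filename are from the host's report in the thread;
    # the file body is a constructed placeholder.
    dropped = "wp-content/themes/thedawn/lib/scripts/cache/756dfa9b1ec0d8000e1ed6abd22ec632.php"
    with open(os.path.join(root, *dropped.split("/")), "wb") as f:
        f.write(b"<?php /* constructed stand-in for a dropped file */")
    with open(os.path.join(root, "index.php"), "ab") as f:
        f.write(b"\n<?php /* constructed modification of a core file */")
    return audit(root, load_baseline(baseline_path))


if __name__ == "__main__":
    added, removed, changed, suspicious = demo()
    print("added:", added)
    print("removed:", removed)
    print("changed:", changed)
    print("suspicious:", suspicious)
```

Two caveats a practitioner would add. A hash mismatch says a file changed, not that it is malicious; for WordPress core and plugin files, compare against the checksums of the pristine release rather than against a baseline that may itself have been taken after the compromise, which is the situation Siva was in when the host found the files. And the baseline must live where the web server's user cannot write it (off the host, or at least outside public_html), otherwise the same foothold that drops the PHP can rewrite the record that would have exposed it.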