[Chapter-delegates] a problem with the Isoc India Chennai blog

Victor NDONNANG ndonnang at isoc-cameroon.org
Sun Feb 19 15:46:39 PST 2012


Thanks Joly,

It will be useful for our Chapter web site too.

Best regards,

Victor

ISOC Cameroon Chapter

 

From: chapter-delegates-bounces at elists.isoc.org
[mailto:chapter-delegates-bounces at elists.isoc.org] On behalf of Joly MacFie
Sent: Thursday, 16 February 2012 10:22
To: Sivasubramanian M
Cc: Chapter Delegates
Subject: Re: [Chapter-delegates] a problem with the Isoc India Chennai blog

Hi Siva,

 

The sad truth is that WordPress sites do sometimes get compromised despite
the best efforts of both users and hosts, and one just has to clean up and
get on with life.

 

At ISOC-NY we use all number of prophylactic plugins including Bad Behavior,
Exploit Scanner, SABRE, Wordpress Firewall 2, and WP Security Scan, and also
DBC Backup for cron backups.

 

Wordpress Firewall 2 in particular defeats apparent SQL injection attempts
on an almost daily basis.
WP Security Scan has recently upgraded their product and it is now really
remarkable, immediately reporting any changes to one's entire installation.

See http://www.websitedefender.com/ - I recommend it. Free for a single
non-commercial site.

j

On Wed, Feb 15, 2012 at 9:36 AM, Sivasubramanian M <isolatedn at gmail.com>
wrote:

Hello


For the third time we are experiencing some problem with our Chapter Blog:

1. isocindiachennai.in site was under attack in 2009, and the hosting
service provider was unsupportive and unreasonable.

2. The same URL, after three years, was found listed in Spamhaus, and
communication to Spamhaus to remove the domain did not elicit a response.
Any email sent with the URL in the message was blocked by Spamhaus; this was
not known for 3 years.

3. Isocindiachennai.org is now infected, while being hosted at another
hosting service provider.

(on a possibly related note, the isocchennai twitter account is not on the
hashtag stream)

All these instances could be normal, non-specific malicious attacks, or
perhaps not.


This is the communication received from the hosting service, when I noticed
and raised a query on why the site was down this afternoon:

> Please note that the above domain is suspended due to the malicious
files uploaded. Our system found the below files under the public_html of
the domain, which are malicious root exploit files.
>
> {HEX}php.injector.genol.444 :
/home/isocic/public_html/wp-content/themes/thedawn/lib/scripts/cache/756dfa9b1ec0d8000e1ed6abd22ec632.php
> {HEX}php.injector.genol.444 :
/home/isocic/public_html/wp-content/themes/thedawn/lib/scripts/cache/dc73ae75cc2426896738e4f1efd7fe64.php
> Kindly check on this; you need to terminate the domain and have to
reupload all the contents after you have secured the site. This will prevent
the other sites hosted under your reseller account from getting defaced.
Kindly update us with the time during which you need us to unsuspend the site
to take the backup.



I have responded by saying this:

This is NOT due to any work we did. We did NOT alter anything from the
cPanel or from wp-admin during the last few days and we are surprised at
this problem.
However, as suggested, we can delete and reupload the site, but AFTER TAKING A
BACK UP ...

At least in this instance the hosting provider is supportive. A backup may
be possible, and a solution is in sight. We are working on it :)

 

-------------

The following is the communication on the previous incident regarding the
isocindiachennai.in domain:


---------- Forwarded message ----------
From: Rajnesh D. Singh <
Date: Wed, Apr 1, 2009 at 10:48 AM
Subject: RE: Require help in pursuing an issue with CERT
To: Sivasubramanian Muthusamy <


Hello Shiva,

Your hosting provider’s actual hosting is in the USA rather than India, and
it’s quite possible that the account was actually suspended by their provider
(i.e. whoever Squarebrothers buys their services from).
Squarebrothers appears to me as just a reseller of hosting and domain name
services. In case you didn’t know, your site is actually hosted in Dallas,
Texas.

In this instance, I am not sure what CERT-IN can do. The site is physically
in the US, and as such outside of their “jurisdiction”. I assume you have
access to your website (e.g. cPanel or Plesk, etc.) so you can manage things
like email addresses, databases, etc. that run on it. If you do, then you
should also have access to some of the log files. You will need to look for
this and see if you can get some information that way.

Other than that, have you filed an incident report with CERT-IN as per the
form they provide on http://www.cert-in.org.in/incidentreporting.htm ?
Link to the file is http://www.cert-in.org.in/documents/certinirform.pdf
If you haven’t filed this form with them, I suggest you do. Once you have
done this, call their helpdesk, refer to the incident report form you filed,
explain the issue, including the fact that your site is hosted in the US,
and ask what assistance they can provide or what they suggest you do. The
only “Indian” aspect I see here is that you have registered a “.IN” domain
name, but this is open for anyone to register (and as such does not mean
much).

You can also always change your hosting service provider (and advise them
you are doing so because of the issues you have had).

HTH.
Regards,
R.

________________________________

From: Sivasubramanian Muthusamy [mailto:isolatedn at g...]
Sent: Wednesday, 1 April 2009 12:06 AM
To: Rajnesh D. Singh; chapter-support at isoc.org
Subject: Require help in pursuing an issue with CERT


Hello Rajnesh,


I have already copied you on a message sent to a local web-hosting service,
a small, single-owner outfit, www.squarebrothers.com, which hosted
isocindiachennai.in, a static website with one email account,
chennni at isocindiachennai.in, which was more of an unused account. The site
was noticed to be down, and when contacted, the webhost sent a reply without
explanation that the site was suspended for sending bulk mails; when we
asked for log files to be sent to CERT, the reaction was adverse and rude. We
received a communication that the site is shut down and the support ticket
closed.

This is likely to be due to the vulnerability of their hosting
infrastructure, and if the chapter address had been used for sending bulk
mails, it is necessary to understand the origin of this incident, and to
understand the type and volume of messages sent and the type of addresses to
which the messages were sent. It is necessary to get to the bottom of it.

I need some help on this. Is there a way by which you could help us get CERT
to pay closer attention and carry out a thorough investigation?

Sivasubramanian Muthusamy

---------- Forwarded message ----------
From: Sivasubramanian Muthusamy <isolatedn at gmail.com>
Date: Tue, Mar 31, 2009 at 5:26 PM
Subject: Re: [SUPPORT #IIT-225158]: Domain not working.
To: "Support, Square Brothers." <support at squarebrothers.com>,
incident at cert-in.org.in
Cc: Tamil <tamilmalaravan at bharatplanet.com>,
Chandramohan <chandramohan at bharatplanet.com>,
"Chandramohan, BharatPlanet - Chennai" <tcmohan at gmail.com>

hello

In response to the following mail, you have chosen not to give us further
details or log files, as your response indicates. We suggest that you do not
delete the log files or suppress details until this issue is looked into by
CERT.

This message is copied to CERT with a request to note that you have been
notified of the full importance of an investigation into this incident.

Thank you.

On Tue, Mar 31, 2009 at 3:02 PM, Support : Square Brothers
<support at squarebrothers.com> wrote:

Hi,
Sending bulk/spam mails & resource abuse is against our AUP & terms of
service.
If the hosting account violated AUP or the terms of service, your account
will be stopped without any notice or mail.

~ Support Team ~

 

(the above message appears to be a retaliation to the suggestion of taking
this up with CERT)


Sivasubramanian Muthusamy

On Tue, Mar 31, 2009 at 12:54 PM, Sivasubramanian Muthusamy
<isolatedn at gmail.com> wrote:

Hello,

You have not sent us any communication to inform us about this serious
security lapse, which is possibly due to a vulnerability in your
hosting infrastructure. We would like to have the details and log files now
as we prefer a complaint to the CERT.

ISOC India Chennai is part of ISOC ( http://www.isoc.org ) and we need to
take this issue seriously. Please let us have the complete details of this
incident.

Sivasubramanian Muthusamy


On Tue, Mar 31, 2009 at 12:21 PM, Chandramohan
<chandramohan at bharatplanet.com> wrote:

Hi,
With reference to the mail below, we have not sent any bulk mail whatsoever
from the account.
May I have any references regarding the same?
Regards,
Chandramohan


-----Original Message-----
From: Support : Square Brothers [mailto:support at squarebrothers.com]
Sent: 30 ?????? 2009 20:24
To: tamilmalaravan at bharatplanet.com
Cc: chandramohan at bharatplanet.com
Subject: [SUPPORT #IIT-225158]: Domain not working.


Hi,
This account was suspended for sending bulk mails.
Make sure that there will be any bulk/spam mails from this hosting account.
regards

R.Ilangovan
Member - Support
Square Brothers Information Technologies (P) Ltd.,
AA-9, Second Avenue, Annanagar,
Chennai, Tamilnadu, India. PIN : 600040
Tel : +91.44.26205355 / 26205356
e-Mail : support at squarebrothers.com
url : www.squarebrothers.com



Ticket Details
===================
Ticket ID: IIT-225158
Department: Support
Priority: Medium
Status: Closed







 

-- 
---------------------------------------------------------------
Joly MacFie  218 565 9365 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
 http://pinstand.com - http://punkcast.com
 VP (Admin) - ISOC-NY - http://isoc-ny.org
---------------------------------------------------------------
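Joly's point about WP Security Scan reporting any change to the whole installation, and the hosting notice earlier in the thread that found hash-named PHP files in a theme's cache directory, both come down to file-integrity baselining. The Python below is an added example for this thread, not code from any of the plugins or from the participants; the set of "suspect" directories, the hash-name pattern and the sample files are constructed assumptions.

```python
import hashlib
import re
from pathlib import Path, PurePosixPath

# Assumed: directories where a WordPress install should never gain new PHP files.
SUSPECT_DIRS = {"cache", "uploads", "tmp"}
# The files in the hosting notice were named <32 hex chars>.php.
HEX_NAME = re.compile(r"^[0-9a-f]{32}\.php$")

def snapshot(files):
    """Hash an in-memory {path: bytes} map into {path: sha256 hex}."""
    return {p: hashlib.sha256(b).hexdigest() for p, b in files.items()}

def snapshot_dir(root):
    """Same map, built by walking a real install on disk (paths relative to root)."""
    base = Path(root)
    return snapshot({p.relative_to(base).as_posix(): p.read_bytes()
                     for p in base.rglob("*") if p.is_file()})

def compare(baseline, current):
    """List files added, removed, or modified since the stored baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def suspicious_php(paths):
    """Flag PHP files living in writable dirs or carrying hash-like names."""
    flagged = []
    for p in paths:
        pp = PurePosixPath(p)
        if pp.suffix.lower() == ".php" and (
                SUSPECT_DIRS.intersection(pp.parts[:-1]) or HEX_NAME.match(pp.name)):
            flagged.append(p)
    return flagged

def scan_report(baseline, current):
    """Diff plus the subset of added/changed files that deserve a manual look."""
    report = compare(baseline, current)
    report["review"] = suspicious_php(report["added"] + report["changed"])
    return report

# Constructed sample: a tiny install before and after the incident in the thread.
DROPPED = "wp-content/themes/thedawn/lib/scripts/cache/756dfa9b1ec0d8000e1ed6abd22ec632.php"
BASELINE = snapshot({"index.php": b"<?php require 'wp-blog-header.php';",
                     "wp-content/themes/thedawn/functions.php": b"<?php // theme"})
CURRENT = snapshot({"index.php": b"<?php // unexpected edit\nrequire 'wp-blog-header.php';",
                    "wp-content/themes/thedawn/functions.php": b"<?php // theme",
                    DROPPED: b"<?php // unexpected new file"})
```

Store the output of snapshot_dir taken from a known-clean install, rerun it after each cron backup, and treat everything under "review" as a file to inspect before the host suspends the account.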
