[Chapter-delegates] a problem with the Isoc India Chennai blog

Joly MacFie joly at punkcast.com
Sun Feb 19 17:24:33 PST 2012

there's not much to add to what I already wrote. Those plugins do a
good job of changing mysql prefixes, getting rid of the admin user, etc.
They are easy to find via "add new"

I, like everyone else, am waiting for the new chapters WP theme to be
handed down from on high. Then maybe we can look to a WordPress for
Chapters tutorial and best practices project.


On Sun, Feb 19, 2012 at 6:46 PM, Victor NDONNANG
<ndonnang at isoc-cameroon.org> wrote:
> Thanks Joly,
> It will be useful for our Chapter web site too.
> Best regards,
> Victor
> ISOC Cameroon Chapter
> From: chapter-delegates-bounces at elists.isoc.org
> [mailto:chapter-delegates-bounces at elists.isoc.org] On behalf of Joly MacFie
> Sent: Thursday, 16 February 2012 10:22
> To: Sivasubramanian M
> Cc: Chapter Delegates
> Subject: Re: [Chapter-delegates] a problem with the Isoc India Chennai blog
> Hi Siva,
> The sad truth is that WordPress sites do sometimes get compromised despite
> the best efforts of both users and hosts, and one just has to clean up and
> get on with life.
> At ISOC-NY we use all number of prophylactic plugins including Bad
> Behavior, Exploit Scanner, SABRE, Wordpress Firewall 2, and WP Security
> Scan, and also DBC Backup for chron backups.
> Wordpress Firewall 2 in particular defeats apparent SQL injection attempts
> on an almost daily basis.
> WP Security Scan have recently upgraded their product and it is now really
> remarkable, immediately reporting any changes to one's entire installation.
> See  http://www.websitedefender.com/  - I recommend it. Free for a single
> non commercial site.
> j
> On Wed, Feb 15, 2012 at 9:36 AM, Sivasubramanian M <isolatedn at gmail.com>
> wrote:
> Hello
> For the third time we are experiencing some problem with our Chapter Blog:
> 1. isocindiachennai.in site was under attack in 2009, and the hosting
> service provider was unsupportive and unreasonable.
> 2. The same URL, after three years, was found listed in spamhaus, and
> communication to spamhause to remove the domain did not elicit a response.
> Any email sent with the URL on the message was blocked by spamhaus, this was
> not known for 3 years.
> 3. Isocindiachennai.org is now infected, while being hosted at another
> hosting service provider
> (on a possibly related note, isocchennai twitter account is not on hashtag
> stream)
> All these instances could be normal, non-specific malicious attacks, or
> perhaps not.
> This is the communication received from the hosting service, when I noticed
> and raised a query on why the site was down this afternoon:
>> Please note that the above domain is suspended due to the malicious
>> files uploaded. Our system found the below files under the public_html of
>> the domain, which are malicious root exploit files.
>> {HEX}php.injector.genol.444 :
>> /home/isocic/public_html/wp-content/themes/thedawn/lib/scripts/cache/756dfa9b1ec0d8000e1ed6abd22ec632.php
>> {HEX}php.injector.genol.444 :
>> /home/isocic/public_html/wp-content/themes/thedawn/lib/scripts/cache/dc73ae75cc2426896738e4f1efd7fe64.php
>> Kindly check on this; you need to terminate the domain and have to
>> reupload all the contents after you have secured the site. This will prevent
>> the other sites hosted under your reseller account from getting defaced.
>> Kindly update us on the time during which you need us to unsuspend the site to
>> take the backup.
> I have responded by saying this:
> This is NOT due to any work we did. We did NOT alter anything from the
> cpanel or from wp-admin during the last few days and we are surprised at
> this problem.
> However as suggested we can delete and reupload the site, but AFTER TAKING A
> BACK UP ...
> At least in this instance the hosting provider is supportive. A back up may
> be possible, and a solution is in sight. We are working on it :)
> -------------
> The following is the communication on the previous incidence wrt to the
> isocindiachennai.in domain:
> ---------- Forwarded message ----------
> From: Rajnesh D. Singh <
> Date: Wed, Apr 1, 2009 at 10:48 AM
> Subject: RE: Require help in pursuing an issue with CERT
> To: Sivasubramanian Muthusamy <
> Hello Shiva,
> Your hosting provider's actual hosting is in the USA rather than India, and
> it's quite possible that the account was actually suspended by their provider
> (i.e. whoever Squarebrothers buys their services from).
> Squarebrothers appears to me as just a reseller of hosting and domain name
> services. In case you didn’t know, your site is actually hosted in Dallas,
> Texas.
> In this instance, I am not sure what CERT-IN can do. The site is physically
> in the US, and as such outside of their “jurisdiction”. I assume you have
> access to your website (e.g. CPanel or Plesk, etc.) so you can manage things
> like email addresses, databases, etc. that run on it. If you do, then you
> should also have access to some of the log files. You will need to look for
> this and see if you can get some information that way.
> Other than that, have you filed an incident report with CERT-IN as per the
> form they provide on http://www.cert-in.org.in/incidentreporting.htm ?
> Link to the file is http://www.cert-in.org.in/documents/certinirform.pdf
> If you haven’t filed this form with them, I suggest you do. Once you have
> done this, call their helpdesk, refer to the incident report form you filed,
> explain the issue, including the fact that your site is hosted in the US,
> and what assistance they can provide or what do they suggest you do. The
> only “Indian” aspect I see here is that you have registered a “.IN” domain
> name, but this is open for anyone to register (and as such does not mean
> much).
> You can also always change your hosting service provider (and advise them
> you are doing so because of the issues you have had).
> HTH.
> Regards,
> R.
> ________________________________
> From: Sivasubramanian Muthusamy [mailto:isolatedn at g...]
> Sent: Wednesday, 1 April 2009 12:06 AM
> To: Rajnesh D. Singh; chapter-support
> Subject: Require help in pursuing an issue with CERT
> Hello Rajnesh,
> I have already copied you on a message sent to a local web-hosting service -
> a small, single owner outfit www.squarebrothers.com which hosted
> isocindiachennai.in,  a static website with one email account
> chennni at isocindiachennai.in which was more of an unused account. The site
> was noticed down and when contacted the webhost sent a reply without
> explanation that the site was suspended for sending bulk mails, and when
> asked for log files to be sent to CERT, the reaction was adverse and rude -
> received a communication that the site is shut down and the support ticket
> closed.
> This is likely to be due to the vulnerability of their hosting
> infrastructure and if the chapter address had been used for sending bulk
> mails, it is necessary to understand the origin of this incident, understand
> the type and volume of messages sent, to the type of addresses to which the
> message was sent. It is necessary to get down to the bottom of it.
> I need some help on this. Is there a way by which you could help us get CERT
> to pay a closer attention and a thorough investigation ?
> Sivasubramanian Muthusamy
> ---------- Forwarded message ----------
> From: Sivasubramanian Muthusamy <isolatedn
> Date: Tue, Mar 31, 2009 at 5:26 PM
> Subject: Re: [SUPPORT #IIT-225158]: Domain not working.
> To: "Support, Square Brothers." <support at squarebrothers.com>, incident at cert
> Cc: Tamil <tamilmalaravan at bhara>, Chandramohan <chandramohan at bhar>,
> "Chandramohan, BharatPlanet - Chennai" <tcmohan at gm>
> hello
> In response to the following mail, you have chosen not to give us further
> details or log files as your response indicates, we suggest that you do not
> delete the log files or suppress details until this issue is looked into by
> This message is copied to CERT with a request to note that you have been
> notified of the importance of the full importance for an investigation into
> this incident.
> Thank you.
> On Tue, Mar 31, 2009 at 3:02 PM, Support : Square
> Brothers <support at squarebrothers> wrote:
> Hi,
> Sending bulk/spam mails & resource abuse is against our AUP & terms of
> service.
> If the hosting account violated AUP or the terms of service, your account
> will be stopped without any notice or mail.
> ~ Support Team ~
> (the above message appears to be a retaliation to the suggestion of taking
> this up with CERT)
> Sivasubramanian Muthusamy
> On Tue, Mar 31, 2009 at 12:54 PM, Sivasubramanian Muthusamy
> <isolatedn at gmail> wrote:
> Hello,
> You have not sent us any communication to inform us about this serious
> security lapse, which is possibly due to a vulnerability in your
> hosting infrastructure. We would like to have the details and log files now
> as we prefer a complaint to the CERT.
> ISOC India Chennai is part of ISOC ( http://www.isoc.org ) and we need to
> take this issue seriously. Please let us have the complete details of this
> incident.
> Sivasubramanian Muthusamy
> On Tue, Mar 31, 2009 at 12:21 PM, Chandramohan <chandramohan at bharatplanet>
> wrote:
> Hi,
> With reference to the mail below, we have not sent any bulkmail or
> whatsoever from the account.
> May I have any references regarding the same.
> Regards,
> Chandramohan
> -----Original Message-----
> From: Support : Square Brothers [mailto:support at squarebrothers
> Sent: 30 ?????? 2009 20:24
> To: tamilmalaravan at bharatplanet
> Cc: chandramohan at bharatplanet
> Subject: [SUPPORT #IIT-225158]: Domain not working.
> Hi,
> This account was suspended for sending bulk mails.
> Make sure that there will be any bulk/spam mails from this hosting account.
> regards
> R.Ilangovan
> Member - Support
> Square Brothers Information Technologies (P) Ltd.,
> AA-9, Second Avenue, Annanagar,
> Chennai, Tamilnadu, India. PIN : 600040
> Tel : +91.44.26205355 / 26205356
> e-Mail : support at squarebrothers
> url : www.squarebrothers.com
> Ticket Details
> ===================
> Ticket ID: IIT-225158
> Department: Support
> Priority: Medium
> Status: Closed
> --
> ---------------------------------------------------------------
> Joly MacFie  218 565 9365 Skype:punkcast
> WWWhatsup NYC - http://wwwhatsup.com
>  http://pinstand.com - http://punkcast.com
>  VP (Admin) - ISOC-NY - http://isoc-ny.org
> --------------------------------------------------------------
> -

Joly MacFie  218 565 9365 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
 http://pinstand.com - http://punkcast.com
 VP (Admin) - ISOC-NY - http://isoc-ny.org
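The thread turns on two things a defender wants from a WordPress host: knowing the moment a file under the install changes (what Joly credits WP Security Scan with doing), and noticing PHP dropped where only static output belongs (the injected files the host found under a theme's scripts/cache/ directory). The script below is an added example written for this page, not code from any plugin or from the authors: it takes a hash baseline of a constructed WordPress-like tree, diffs a later snapshot, and flags .php files under cache/upload directories; the file names and contents are constructed samples.

```python
import hashlib
import os
import tempfile

# Directories under a WordPress tree where a .php file is unexpected (the
# injected files reported in the thread sat under a theme's scripts/cache/).
SUSPECT_DIRS = ("cache", "uploads")

def file_hashes(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    hashes = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                hashes[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def diff_baseline(baseline, current):
    """Return sorted (added, modified, removed) paths between two snapshots."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed

def suspicious_php(paths):
    """Flag .php files whose parent directories include a cache/upload dir."""
    return [p for p in paths
            if p.endswith(".php") and any(d in SUSPECT_DIRS for d in p.split(os.sep)[:-1])]

def demo():
    """Constructed WordPress-like tree: take a baseline, tamper, then diff it."""
    root = tempfile.mkdtemp()
    def write(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(data)
    write("wp-config.php", "<?php // constructed sample, not a real config")
    write("wp-content/themes/thedawn/functions.php", "<?php // theme code")
    baseline = file_hashes(root)
    # Simulated post-compromise state: theme file edited, PHP dropped into cache/.
    write("wp-content/themes/thedawn/functions.php", "<?php // theme code, tampered")
    write("wp-content/themes/thedawn/lib/scripts/cache/ab12cd34.php", "<?php // constructed")
    added, modified, removed = diff_baseline(baseline, file_hashes(root))
    return {"added": added, "modified": modified, "removed": removed,
            "flagged": suspicious_php(added + modified)}

if __name__ == "__main__":
    print(demo())
```

In practice the baseline is stored off-host (or signed) right after a clean install or update and the diff is run from cron, since a baseline kept on the same account can be rewritten by whatever dropped the files.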
