[Intrusions] Hosting Provider Refuses to Share Server Logs - How to Proceed?

opiesan opiesan at opiesan.com
Tue Aug 2 08:48:28 GMT 2005


Hey GM. 

That's a tough situation. As the customer, I would demand more flexibility from the provider. If that doesn't work, I suggest talking to your legal department, if for no other reason than to begin the CYA process. If you take the offensive, you may be able to apply pressure on the provider to prove your company is in the wrong (which, theoretically, would require logs as evidence).

I've never been in your shoes so take this for what it's worth. As a customer, keep in mind the provider works for you and is beholden to you per the TOS you both agreed to. It may take a lawyer to 'splain that to them. At this point they've shut you down and possibly caused your company an undue outage based on little more than an outside report of your site being tainted. However, it's the server that's been compromised (which is not under your management or control). Your site just happens to be the symptom of that problem. Unless the server has been cleansed, a qualified audit should prove the point. Hope this helps.

Scott H. 

---- GeeEm <youreallythoughtiwouldgiveyoumy-dshield at yahoo.com> wrote:
>
> Hi Everyone,
> 
> I have some questions about the procedures to follow in the aftermath of
> a phishing attack on a website.  The situation is complicated by the
> fact the site that the intrusion occurred on is hosted by a website
> hosting company, and we are their customers.
> 
> Earlier this week, an entity reported to us (via email) that our
> webspace was hosting a phishing site and had demanded that we remove the
> offending content (no problem here, I completely understand their
> concern, and had I had a chance, I would have been happy to
> comply ;-) ). Unfortunately, I did not receive the email until after our
> hosting provider was contacted by their upstream ISP and asked to remove
> the offending content (the hosting company has not shared any of the
> emails they received in this incident with us, even after they made
> promises to do so).  Our hosting company complied with their ISP's
> request (unfortunately without contacting us first), and closed our
> account with them, effectively shutting down our website, email service,
> and of course, the phishing pages.
> 
> Now, up till this point, I do not really have a problem with the hosting
> company's actions, or the actions of any of the other parties involved.
> From what I understand, the course of action that was taken is
> understandable as per provider etiquette/the hosting company's TOS. My
> issues are with what followed in the aftermath.
> 
> I contacted our hosting company as quickly as I could after I received
> the email alerting me to the activities on our website, and was given a
> direct number to an employee at the hosting company. The hosting
> company's employee and I have had a few conversations up to this point,
> but they (the hosting company) have been unwilling to release any
> information pertaining to the intrusion/phishing site to us (their
> clients).  They refuse to let us view the logs of the attack, or even
> tell us how the attack began in the first place.  We still do not know
> how the attacker gained access to our site in the first place (which was
> hosted on a shared server, with other clients of the hosting company --
> we did not have a webserver dedicated just to us).  The possibilities
> abound:  the server could have been rooted, a software exploit might
> have been used, an intrusion through their internal network, a
> misconfiguration, or a brute-force attack was run against our logins,
> who can say without hard facts and evidence (logs)?  What makes this
> situation even more stressful is the hosting company's attitude toward
> the whole affair -- they claim that since the intrusion/phishing
> occurred on our webspace, we are to blame, and of course they would
> never contact us to tell us to shut down the phishing site, because we
> must have been the individuals who set it up, since the account that was
> fraudulating [/sic/] was ours (alright, I can understand their logic,
> but I do not agree with it. Their refusal to consider other
> possibilities in this situation is mind-boggling, and doesn't seem
> kosher. Before this whole thing occurred, I would have assumed a hosting
> company would want to work along with their client to resolve any
> disputes or issues. I guess I shouldn't assume :-) ).
> 
> I've never dealt with an intrusion before, but I am the tech for the
> website. I've been doing research on suggested company policy for
> phishing attacks (using the SANS Reading Room, and CERT.org), and
> gathering information on forensic practices pertaining to this type
> intrusion, but nothing I have read yet really covers this. I have gone
> over the TOS we agreed to with our hosting provider, and this
> eventuality does not seem to be covered by it. Does anyone have any
> suggestions as to what our rights are (if any exist), or any suggestions
> as to a course of action or resources to check into? Our main concern is
> less on how it happened, and more proving the intrusion was not caused
> by us (and hopefully limiting our liability in this situation). Mainly,
> we want to see the raw logs (if they even exist), and any other
> information pertaining to the phishing attack.  In any case, US law
> should apply, as well as any Connecticut or California State Laws (the
> hosting providers are in CT, we are in CA). If further clarification is
> needed please either post to the list or reply to me privately. Thanks
> in advance, any suggestions are greatly appreciated.
> 
> 
> 
> GM
> 
> 