[Dshield] Hosting Provider Refuses to Share Server Logs - How to Proceed?

Johannes B. Ullrich jullrich at euclidian.com
Tue Aug 2 12:09:06 GMT 2005

> I have some questions about the procedures to follow in the aftermath of
> a phishing attack on a website.  The situation is complicated by the
> fact the site that the intrusion occurred on is hosted by a website
> hosting company, and we are their customers.

To me it looks like:

- your web server got hacked.
- the intruder used your web server to setup a phishing site.

I think you should involve law enforcement in this. It *may* be to late
(evidence got likely modified too much by now to be useful in court).
But law enforcement should be able to issue subpoenas for the logs. The
earlier they can get it out the better.

Is this a shared server? If it is, the provider may be concerned that
full access to logs would be a privacy problem for other users of the
same hardware. If it is a dedicated server: Offer to buy it from the
hosting provider. In many cases, they will sell you the hard disk for
the price of a new one (so they can replace it).

Overall: Switch hosting providers ;-). For business critical systems I
would always use a dedicated server.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 256 bytes
Desc: OpenPGP digital signature
Url : http://www.dshield.org/pipermail/list/attachments/20050802/65b1df9a/signature.bin

More information about the list mailing list