[Dshield] Hosting Provider Refuses to Share Server Logs - How to Proceed?

Mrcorp mrcorp at yahoo.com
Tue Aug 2 13:16:48 GMT 2005

I would even take this a step up from Johannes.  What would you do if they gave you the logs? 
Would you prosecute?  Would you retaliate?  Is it just to serve a common interest on who is
attacking?  Sometimes the conversations on this forum side with people taking actions into their
own hands.  You should avoid this if in the US.  If outside the US, do as your laws describe.

>From a company perspective, is your stance to pursue and prosecute?  If so, then you need to
involve your legal representation immediatly.  No hosting company , ISP or any other has ever
given provided me with logs without a subpeona.  In order for you to get one, and you must be able
to prove a law was broken.  Then provide the evidence for your legal group to take action.

Also, keep in mind when dealing with the Comcasts and others, they often times do not keep logs
for more than a week.  This is due to the sheer volume of logs and not wanting to prosecute every
one of their customers.  ;)

I worked on a FAQ for SANS entitled Interfacing with Law Enforcement.  Take a read of that, it may
also provide some pointers.


--- "Johannes B. Ullrich" <jullrich at euclidian.com> wrote:

> > I have some questions about the procedures to follow in the aftermath of
> > a phishing attack on a website.  The situation is complicated by the
> > fact the site that the intrusion occurred on is hosted by a website
> > hosting company, and we are their customers.
> To me it looks like:
> - your web server got hacked.
> - the intruder used your web server to setup a phishing site.
> I think you should involve law enforcement in this. It *may* be to late
> (evidence got likely modified too much by now to be useful in court).
> But law enforcement should be able to issue subpoenas for the logs. The
> earlier they can get it out the better.
> Is this a shared server? If it is, the provider may be concerned that
> full access to logs would be a privacy problem for other users of the
> same hardware. If it is a dedicated server: Offer to buy it from the
> hosting provider. In many cases, they will sell you the hard disk for
> the price of a new one (so they can replace it).
> Overall: Switch hosting providers ;-). For business critical systems I
> would always use a dedicated server.
> > 
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list

More information about the list mailing list