policies on compromised sites - Debian



Thread: policies on compromised sites

  1. policies on compromised sites


    I'm curious as to how other people handle customers running
    cracked sites.

    Our Terms and Conditions are pretty much:

    "We can cut you off at any time for any reason"

    Our current policy is pretty much,

    1) We'll be absolutely sure there is a problem
    2) If it isn't too ugly, 1-2 days to fix
    3) The site goes offline.

    One of our customers has a compromised Joomla install. It was
    compromised to the extent that it was exploiting IE and winsoze
    holes to do drive-by trojan downloads.

    From the CVE record, it is a version that is trivially
    exploitable. I've moved the installation out of their webspace.
    I've told them I'll be happy to send specific templates, style
    sheets and config files to them. Alternatively, I'm willing to
    change the DNS and give them all the files so they can start
    hosting with somebody else.

    They want access to the original installation in a .htaccess
    protected directory so their "security expert" can find and fix
    problems.

    Their expert is not the original installer of software. He is a
    guy who works for a company that has developed some popular
    joomla modules.

    There are, without exaggeration, more than 11,000 php files to
    review. I am doubtful that this can be done.

    Am I a power mad rules ninny or a stalwart defender of the
    internet here ?


    --
    To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

  2. Re: policies on compromised sites

    On Mon March 24 2008 12:47:01 Dan MacNeil wrote:
    > I'm curious as to how other people handle customers running
    > cracked sites.


    If the cracked site does not share IPs with other sites you
    can add access lists on your router so that the cracked site
    can only be accessed from a small number of prescribed outside
    IP addresses which the site owner will use to fix the problem.

    I don't think it's reasonable to tell the owner HOW to fix the
    problem, but it is reasonable to tell the owner that if the fix
    is ineffective the site will be shut down again, and that the
    shutdown will be permanent on the second or third occurrence.

    In my experience, the end result is almost always that they
    move to some el-cheapo-hosting. You're down a few dollars a
    month but at least you're not RBL'd.

    --Mike Bird
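
The router access list suggested in the reply above, sketched as an added example (not code from the thread). It assumes the router is a Linux machine filtering with iptables; the chain name `QUARANTINE`, the function names and all addresses (documentation ranges) are constructed for illustration, and the block on new outbound connections from the site goes beyond what the reply describes. The script only prints the rules for review and applies nothing.

```shell
#!/bin/sh
# Print (do not apply) iptables rules that quarantine one dedicated site IP.

is_ipv4() {
    # Accept only dotted-quad addresses with every octet in 0..255.
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# usage: quarantine_rules SITE_IP ALLOWED_SRC [ALLOWED_SRC ...]
# SITE_IP must not be shared with other customers' sites.
quarantine_rules() {
    site=$1; shift
    is_ipv4 "$site" || { echo "bad site address: $site" >&2; return 1; }
    # Refuse an empty allowlist: that would be a plain shutdown.
    [ "$#" -ge 1 ] || { echo "need at least one allowed source" >&2; return 1; }
    for src in "$@"; do
        is_ipv4 "$src" || { echo "bad source address: $src" >&2; return 1; }
    done
    echo "iptables -N QUARANTINE"
    for src in "$@"; do
        # Only the addresses the site owner named may reach the site.
        echo "iptables -A QUARANTINE -s $src -d $site -j ACCEPT"
    done
    # Let the site answer connections that were allowed in.
    echo "iptables -A QUARANTINE -s $site -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    echo "iptables -A QUARANTINE -d $site -j DROP"
    # Assumption beyond the reply: the site may not open new outbound connections.
    echo "iptables -A QUARANTINE -s $site -j DROP"
    # Hook the chain in first so earlier ACCEPT rules cannot bypass it.
    echo "iptables -I FORWARD 1 -j QUARANTINE"
}

# Constructed sample: site on 192.0.2.10, owner fixing it from two addresses.
quarantine_rules 192.0.2.10 198.51.100.7 203.0.113.25
```
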



  3. Re: policies on compromised sites

    On 24/03/08 19:47, Dan MacNeil wrote:
    > I'm curious as to how other people handle customers running cracked
    > sites.
    >
    > One of our customers has a compromised Joomla install. It was
    > compromised to the extent that it was exploiting IE and winsoze holes
    > to do drive-by trojan downloads.
    >
    > I've moved the installation out of their webspace. I've told
    > them I'll be happy to send specific templates, style sheets and config
    > files to them. Alternatively, I'm willing to change the DNS and give
    > them all the files so they can start hosting with somebody else.


    This seems a fair and responsible action on your part to me.

    > They want access to the original installation in a .htaccess protected
    > directory so their "security expert" can find and fix problems.
    >
    > Their expert is not the original installer of software. He is a guy
    > who works for a company that has developed some popular joomla modules.
    >
    > There are, without exaggeration, more than 11,000 php files to review.
    > I am doubtful that this can be done.
    >
    > Am I a power mad rules ninny or a stalwart defender of the internet here ?


    I think their request is reasonable, and they should be allowed the
    opportunity to rectify the issue by whatever means they choose - whether
    or not their proposed method of solving it is practical is not
    your responsibility. I would say that, provided you specify that you
    will not allow public access to their site until you have confirmed that
    the changes they have made have resolved the vulnerability, you have
    done your part and the ball is in their court.

    Gavin

    --

    Gavin Westwood
    Solutium

    http://www.solutium.net - Going the extra mile to provide a fast,
    helpful, reliable Web Hosting service.


