Full Disclosure mailing list archives

Hosting Provider Refuses to Share Server Logs - How to Proceed?


From: GeeEm <youreallythoughtiwouldgiveyoumy-dshield () yahoo com>
Date: Tue, 02 Aug 2005 05:23:06 -0700

Hi Everyone,

I have some questions about the procedures to follow in the aftermath of
a phishing attack on a website.  The situation is complicated by the
fact the site that the intrusion occurred on is hosted by a website
hosting company, and we are their customers.

Early last week, an entity reported to us (via email) that our
webspace was hosting a phishing site and demanded that we remove the
offending content (no problem here, I completely understand their
concern, and had I had a chance, I would have been happy to
comply ;-) Unfortunately, I did not receive the email until after our
hosting provider was contacted by their upstream ISP and asked to remove
the offending content (the hosting company has not shared any of the
emails they received in this incident with us, even after they made
promises to do so).  Our hosting company complied with their ISP's
request (unfortunately without contacting us first), and closed our
account with them, effectively shutting down our website, email service,
and of course, the phishing pages.

Now, up till this point, I do not really have a problem with the hosting
company's actions, or the actions of any of the other parties involved.
From what I understand, the course of action that was taken is
understandable as per provider etiquette/the hosting company's TOS. My
issues are with what followed in the aftermath.

I contacted our hosting company as quickly as I could after I received
the email alerting me to the activities on our website, and was given a
direct number to an employee at the hosting company. The hosting
company's employee and I have had a few conversations up to this point,
but they (the hosting company) have been unwilling to release any
information pertaining to the intrusion/phishing site to us (their
clients).  They refuse to let us view the logs of the attack, or even
tell us how the attack began in the first place.  We still do not know
how the attacker gained access to our site in the first place (which was
hosted on a shared server, with other clients of the hosting company --
we did not have a webserver dedicated just to us).  The possibilities
abound:  the server could have been rooted, a software exploit might
have been used, an intrusion through their internal network, a
misconfiguration, or a brute-force attack was run against our logins,
who can say without hard facts and evidence (logs)?  What makes this
situation even more stressful is the hosting company's attitude toward
the whole affair -- they claim that since the intrusion/phishing
occurred on our webspace, we are to blame, and of course they would
never contact us to tell us to shut down the phishing site, because we
must have been the individuals who set it up, since the account that was
fraudulating [sic] was ours (alright, I can understand their logic,
but I do not agree with it. Their refusal to consider other
possibilities in this situation is mind-boggling, and doesn't seem
kosher. Before this whole thing occurred, I would have assumed a hosting
company would want to work along with their client to resolve any
disputes or issues. I guess I shouldn't assume :-).

I've never dealt with an intrusion before, but I am the tech for the
website. I've been doing research on suggested company policy for
phishing attacks (using the SANS Reading Room, and CERT.org), and
gathering information on forensic practices pertaining to this type of
intrusion, but nothing I have read yet really covers this. I have gone
over the TOS we agreed to with our hosting provider, and this
eventuality does not seem to be covered by it. Does anyone have any
suggestions as to what our rights are (if any exist), or any suggestions
as to a course of action or resources to check into? Our main concern is
less about how it happened and more about proving the intrusion was not
caused by us (and hopefully limiting our liability in this situation). Mainly,
we want to see the raw logs (if they even exist), and any other
information pertaining to the phishing attack.  In any case, US law
should apply, as well as any Connecticut or California State Laws (the
hosting providers are in CT, we are in CA). If further clarification is
needed please either post to the list or reply to me privately. Thanks
in advance, any suggestions are greatly appreciated.



GM


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/