Full Version: ThePlanet's policy on "scat" porn sites
David08
I would like to know what ThePlanet's policy is on hosting and taking down sites like this, which is currently hosted on a Planet dedicated server:

** Link/IP Removed **
(the link the moderator removed was the IP address of a Planet dedicated server, and the site on it was a scat porn membership site with photos of people urinating and defecating into each other's mouths)

I have attached a "safe" screenshot of the site, in which I used a paint program to cover up the nudity / obscene parts of the page.

That IP address was just caught (by mod_security) trying to run SQL Injection attacks against "normal" sites on my dedicated servers, and to say I'm infuriated would be an understatement.

I have firewalled the IP from my servers and I submitted a ticket to The Planet's abuse department, including mod_security logs showing the attack, and also called ThePlanet support to let them know about it.

But in the meantime, I want to know:

1. What is ThePlanet's policy on hosting such sites?

2. How long after you have been submitted solid proof that a site/server at your data center is running attack scripts does it take for you to shut them down?

The answers are important to me, because I have dedicated servers at The Planet and intend to purchase more, but if sites like these are allowed to stay up even after you've been alerted to them it's not very encouraging and is quite uncomfortable. I don't want to begin investing more money in servers at a data center where scat-porn sites running SQL injection cross-script attacks are allowed to remain up and running even after you are fully aware of them.

I'm not trying to hassle anyone - this is a legitimate question that I could not get an answer to when I called, and IMO this is a genuine concern for anyone with servers at The Planet.

I look forward to your response, thank you,
David
markcausa
Sorry I had to remove the screenshot and IP from your post - Even the "clean screenshot" made me throw up in my mouth. :(

QUOTE (David08 @ Jun 17 2008, 10:20 PM) *
I have firewalled the IP from my servers and I submitted a ticket to The Planet's abuse department, including mod_security logs showing the attack, and also called ThePlanet support to let them know about it.

Firewalling out the IP is a great first step - Contacting the abuse department was a great second. Just make sure to include log excerpts: That seems to help quite a deal.

QUOTE (David08 @ Jun 17 2008, 10:20 PM) *
1. What is ThePlanet's policy on hosting such sites?

I know they allow pornography, and although completely disgusting (judging from the screenshot,) this site still falls under that category.

QUOTE (David08 @ Jun 17 2008, 10:20 PM) *
2. How long after you have been submitted solid proof that a site/server at your data center is running attack scripts does it take for you to shut them down?

The abuse department tends to keep things pretty confidential (as all abuse departments should,) but I've seen results in as little as 48 hours.

I realize the policy of allowing those pornography guys to host at The Planet might take away from the company's integrity - Although I can't say I agree with the content, it's a big industry, and even they need to host somewhere, I guess.

:) Happy hosting and good luck with getting your problem resolved, David08.
PS: Keep in mind I'm just a customer/mod, not a staff member, so this reply is not an official reply.
David08
Since you just completely edited / changed your post, why don't you just go ahead and delete this reply now. Personally I think what you just pulled was kind of shady.
Kevin Hazard
QUOTE (David08 @ Jun 18 2008, 01:00 AM) *
Since you just completely edited / changed your post, why don't you just go ahead and delete this reply now. Personally I think what you just pulled was kind of shady.


I think Mark was doing exactly what a moderator should do. Seeing a screenshot and posting the URL/IP Address are both superfluous in the context of your question. It's unnecessary to subject everyone on the forums to the objectionable content. If it is offensive to you and you are seeking for it to be removed, it would probably be best to not actively share or promote the content.
markcausa
I had written a simple "You have to email abuse@theplanet.com" post but decided to edit it with some more information to help answer each of your questions. :)
James Jhurani
I spoke with one of the guys over in Abuse. He was able to confirm that, while it may be gross, it is not illegal. To be more specific as long as it isn't illegal in the State of Texas or the United States it's allowed. Everyone is entitled to their piece of internet no matter how taste[full|less] it is.

-

As for the attack, I was able to locate the ticket you put into abuse regarding it. They are taking the necessary action. Unfortunately for legal reasons we are not permitted to disclose any further information.
David08
QUOTE (Kevin Hazard @ Jun 18 2008, 10:54 AM) *
I think Mark was doing exactly what a moderator should do. Seeing a screenshot and posting the URL/IP Address are both superfluous in the context of your question. It's unnecessary to subject everyone on the forums to the objectionable content. If it is offensive to you and you are seeking for it to be removed, it would probably be best to not actively share or promote the content.



Hi Kevin,

I had no problem whatsoever with Mark removing the IP address or censored screenshot from my original post, even though they were/are completely relevant by example to two questions I asked. Next to the IP I posted I also placed a note warning that it contained obscene content so that users could choose not to view it while Planet Staff could see an active example of what I was talking about.

What I did have a problem with is that Mark made a response to the post that all but ignored the information I provided in my initial post and had almost nothing to do with the questions that I asked, and then when I replied to it he went back and edited his post which in turn made my reply look stupid and out of context. Therefore, I asked that he go ahead and delete my reply to his original un-edited response. Of course, as you can see, he obviously left my second post - I'll leave it up to you to decide why but after years of watching his techniques on this board it's obvious to me.

While my forum account may appear new here, I've been reading this board for several years and watching Mark's tactics and quite frankly I don't like them. He has often twisted things, ignored valid post content, convoluted threads that should have only been handled by / intervened with by actual Planet staff members, and in my opinion has abused his moderator status here on many occasions.

I could go back and post exactly what he originally posted and my original response, but that would be a waste of more time and I have no desire to argue. The only reason I'm responding to you Kevin, is so that you have some facts to go on about something you did not witness and was manipulated. I have neither the time nor desire to argue the point.
David08
QUOTE (James Jhurani @ Jun 18 2008, 03:16 PM) *
I spoke with one of the guys over in Abuse. He was able to confirm that, while it may be gross, it is not illegal. To be more specific as long as it isn't illegal in the State of Texas or the United States it's allowed. Everyone is entitled to their piece of internet no matter how taste[full|less] it is.

-

As for the attack, I was able to locate the ticket you put into abuse regarding it. They are taking the necessary action. Unfortunately for legal reasons we are not permitted to disclose any further information.


Thank you for your reply, James.

You definitely clarified for me the answer to my first question. However, the second question remains un-answered to some extent since nothing in The Planet AUP or ticket responses gives a direct answer to the question - how long is an abusive scripting site allowed to stay up on a Planet server after it's been reported/proven to be running attacks. It seems the only answer anywhere is the "taking necessary action" one, but at least you posted a response to my questions instead of simply deleting the content and ignoring the text of my post, as Mark did in his original response before he edited it.
markcausa
While I appreciate you considering me an abusive mod, my only mistake was posting my initial post: Editing it to contain more useful information would be considered a good thing, so please don't condemn me for helping you.
James Jhurani
QUOTE (markcausa @ Jun 18 2008, 10:57 PM) *
While I appreciate you considering me an abusive mod, my only mistake was posting my initial post: Editing it to contain more useful information would be considered a good thing, so please don't condemn me for helping you.


Both of you need to stop.
James Jhurani
QUOTE (David08 @ Jun 18 2008, 06:19 PM) *
Thank you for your reply, James.

You definitely clarified for me the answer to my first question. However, the second question remains un-answered to some extent since nothing in The Planet AUP or ticket responses gives a direct answer to the question - how long is an abusive scripting site allowed to stay up on a Planet server after it's been reported/proven to be running attacks. It seems the only answer anywhere is the "taking necessary action" one, but at least you posted a response to my questions instead of simply deleting the content and ignoring the text of my post, as Mark did in his original response before he edited it.


The reason my response was "taking necessary action" is because we can't disclose what was/is/may be done in regards to other customer accounts.

As for the policies, I will speak to someone in Abuse tomorrow, and see if I can find out a few specifics for you.
David08
QUOTE (markcausa @ Jun 18 2008, 11:57 PM) *
While I appreciate you considering me an abusive mod, my only mistake was posting my initial post: Editing it to contain more useful information would be considered a good thing, so please don't condemn me for helping you.


Mark, I really don't want to debate this, but you know as well as I do that your initial post before you edited it indicated that you didn't read the important parts of my initial post, and then when you did edit it you made my response to the initial un-edited version of yours look out of context. What possible reason would you have to not simply delete my second post after pulling such a maneuver? If you'd simply removed mine after finally making yours more relevant to the questions I posted, then Kevin (and anyone else) would not have been left under the mistaken impression that I had some problem with you editing my initial post, which I clearly did not. I can see no reason why you would not have simply deleted my second post at my request, other than to let it be taken out of context and make it look like I was in the wrong and complaining about something other than what was intended.

If you had simply deleted my second post after you conveniently "adjusted" yours after reading my second one, then Kevin wouldn't have been under the impression that I had a problem with you removing any content, and these useless wasteful posts wouldn't be here, nor either of us wasting our time with this.

I've seen you do this type of thing time and time again, and for a "moderator" you sure do seem to have helped contribute to the amount of garbage that gets posted on this board over the years. I'm not interested in pointing out examples or arguing with you - my opinion stands that I'm amazed that after all this time ThePlanet still allows you to remain a moderator here.

I would never condemn someone for trying to help me, but I would definitely take issue with someone ignoring the text of something they're responding to, and then going back and changing their response. To quote your initial response to my initial questions, before you edited it:

QUOTE
Originally posted by markcausa:

Sorry I had to remove the screenshot and IP from your post - Even the "clean screenshot" made me throw up in my mouth. :(

Anyway, the only way to get an issue like this resolved would be to email this information to abuse@theplanet.com - MAKE SURE to include actual log excerpts. The information from mod_security should be sufficient.

:) Happy hosting and good luck with getting your problem resolved, David08.


To which I responded "Mark, not trying to give you a hard time, but did you even read my post?" etc... because my initial post clearly indicated that I had done every step you mentioned. Did I complain about you removing content from my post? No. But after your edit job and then leaving my reply to your real initial post, you left mine there to let it be taken out of context exactly the way Kevin did. My second post was there to point out that you obviously did nothing but ignore the questions I asked, deleted some of the initial post's content, and didn't bother to read what I'd actually written.

So while I'm not here to bicker with you, I would appreciate it if you would let The Planet staff answer questions when I ask them, as I would rather not deal with you or seek help from you. I was not here for support, I was here to have 2 questions answered by ThePlanet and I stated that in my second post before you edited yours. I completely understand that as a moderator you felt it your duty to remove the IP address from my post, and I have no problem with that, but I would prefer not to deal with you when it comes to posting questions intended for ThePlanet staff in the future. It would be nice if we could mutually ignore each other, outside of your actual "moderator" duties of course, especially after some of the things I've witnessed and been subjected to by you here before. Thank you.
markcausa
I'm not going to argue with you, David08. Sorry I've offended you.

EDIT: Also, next time I will add "EDIT: ..." (like I did now) instead of overwriting my post's content.

EDIT EDIT: From my understanding, it went like this:
1) You posted
2) I posted a response
3) I re-read your post and
4) Edited my response with better information

Again, Sorry.
David08
QUOTE (James Jhurani @ Jun 19 2008, 02:44 AM) *
As for the policies, I will speak to someone in Abuse tomorrow, and see if I can find out a few specifics for you.


Thank you once again for the relevant response James. Please don't go too far out of your way if it's a hassle for you. My experience so far regarding that specific question has been this:

- I call and ask support how long they will allow a malicious scripting site to remain up. Support tells me I would need to get that info from the Abuse department.

- I ask the Abuse department the same question, and they tell me that the answer to my question is at http://www.theplanet.com/about-us/legal_do...olicy%20AUP.pdf , and they repeat that they cannot disclose any information but are taking necessary action.

- I read http://www.theplanet.com/about-us/legal_do...olicy%20AUP.pdf word for word, and it does not answer the question, it simply states that sites/servers running a malicious script are prohibited.

Wash, rinse, repeat. In the meantime the offending server/site I reported is still up almost 24 hours after solid proof was submitted that it was script attacking other servers. I'm not offended by the porn, I'm offended by the fact that the server is still up after dishing out attacks against my sites and my customers and other servers, yet 3 years ago when one of my customer's "normal" photo gallery scripts got cross-scripted (not a porn one either, I do not host adult sites), ThePlanet called me and told me that if I didn't delete the offending site within 1 hour they were going to shut down my server. So why is it that when a non-adult site gets hacked at ThePlanet, a small host like myself gets threatened with having an entire server shut down in 60 minutes, yet when an adult site does much worse, they're still up and running a day later? I hate to make assumptions, but from past experience at other data centers, that happens when one customer is spending a lot of money on servers and a smaller company is not.

This is why I would appreciate a clearly defined policy on this. Is it really 60 minutes to shut down an entire box of innocent customers? Or is it days or more, depending on how much money that customer is spending at ThePlanet?

Pardon me if I seem a bit miffed, but something seems a bit out of alignment on this policy. A nature photographer gets 60 minutes to have their site deleted or TP will shut down an entire server, yet a scat site running a malicious script stays up and running apparently as long as it wants to.
David08
QUOTE (markcausa @ Jun 19 2008, 03:02 AM) *
From my understanding, it went like this:
1) You posted
2) I posted a response
3) I re-read your post and
4) Edited my response with better information


5) Ignored my request to have my second post deleted so that we wouldn't end up exactly where we are right now.
Jeff
QUOTE (David08 @ Jun 19 2008, 03:16 AM) *
Wash, rinse, repeat. In the meantime the offending server/site I reported is still up almost 24 hours after solid proof was submitted that it was script attacking other servers.

Questions:
1.) was the "solid proof" you submitted really proof that couldn't be forged by anyone with a text editor such as pico or notepad?
I'm not defending a slow abuse response, but it seems all cases will need to be investigated because there's zero room for error when interrupting all the legitimate customers on the server. I would think you supplied solid evidence, but not solid proof since a snip of logs could be forged by a malicious person.
2.) how serious was the attack (something that will be caught by default mod security rules, or something more advanced) and is it currently ongoing against your firewall or was it a one time attack that subsided (I believe your post above says yes the attack is still going hitting your firewall every x-seconds/minutes, but I just want to be 100% clear on this)? I think abuse must balance giving the server owner time to investigate and respond (so as not to down 299 legitimate sites also on the server) against the severity of the harm being done while the investigation is ongoing. It would be useful to have it clarified on whether the default policy for x-severity of abuse case is to give 60 minutes or 24 hours or 48 hours to remove the threat. Also if the attack is ongoing, do you keep emailing abuse every x-hours? For example what if the server with the compromised account tells abuse that it's taken care of because the attack is a crafty one that subsides, or is non-constant by nature, but the server owner is wrong and it's still ongoing? Possibly you as the party being attacked should keep emailing fresh logs every 6 hours it continues to abuse so they are aware the issue is not resolved.
David08
QUOTE (Jeff @ Jun 19 2008, 03:40 AM) *
Questions:
1.) was the "solid proof" you submitted really proof that couldn't be forged by anyone with a text editor such as pico or notepad?
I'm not defending a slow abuse response, but it seems all cases will need to be investigated because there's zero room for error when interrupting all the legitimate customers on the server. I would think you supplied solid evidence, but not solid proof since a snip of logs could be forged by a malicious person.


The Planet staff have the ability to log in to my server (since it is a dedicated in their data center) and view the logs and mod_security results themselves, or even just log into my WHM > Plugins > Mod Security and see the attack right there (if there was any doubt as to the validity of the ticket I submitted), so I'm not sure how much more solid you can get. A malicious person trying to forge an abuse report wouldn't submit a ticket and then simultaneously call TP support and offer/ask them to log in to their own server to see for themselves what was happening, which is exactly what I did as soon as I saw it happening. Though I try to avoid calling support whenever possible, it's always best to call them and ask them to look at the server so that they can see for themselves exactly what is happening while it's happening.

QUOTE (Jeff @ Jun 19 2008, 03:40 AM) *
2.) how serious was the attack (something that will be caught by default mod security rules, or something more advanced) and is it currently ongoing against your firewall or was it a one time attack that subsided (I believe your post above says yes the attack is still going hitting your firewall every x-seconds/minutes, but I just want to be 100% clear on this)?


I'm not quite sure how you personally define the seriousness of an attack, but this was an SQL Injection attack against the PHP script / database of sites that are powered by PHP scripts and use galleries. This is a typical / common method that porn spammers use to execute their own scripts through the victim's PHP/database-driven site for purposes of everything from utilizing the victim's site to send out spam all the way to using the search results of a legitimate victim site to raise search engine rankings and create spoof links to the offender's porn site. My mod_security alert logs show that the attack was hitting every 1.5 seconds until my security system blocked them off. As far as "ongoing", it likely would have been but I then permanently blocked the IP via my LFD iptables firewall software, since the mod_security blocks are only temporary (so as not to permanently block a false-positive from a legitimate user or script), so it didn't "subside", I subsided it myself, so-to-speak.

Just to give you an idea of the type of attack, here is a small excerpt from the mod_security log (all IPs and site/hostnames and other identifiers replaced with X's so as not to upset anyone):

IP of attacker: xx.xx.xx.x (x.xx.xxxx.static.theplanet.com)
[client xx.xx.xx.x] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:s(?:elect\\\\b(?:.{1,100}?\\\\b(?:(?:length|count|top)\\\\b.{1,100}?\\\\bfrom|from\\\\b.{1,100}?\\\\bwhere)|.*?\\\\b(?:d(?:ump\\\\b.*\\\\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebt ..." at ARGS:gallery_id. [id "950001"] [msg "SQL Injection Attack. Matched signature <union select>"] [severity "CRITICAL"]
[hostname "xxxxxxxxxxxxx.com"] [uri "/gallery2.php?gallery_id=30%20union%20select%20null%2Cnull%2C%27just_a_test_3_%20%3C%3Fphp%20echo%28md5%28%22just_a_test%22%29%29%3B%20echo%28%40unlink%28%22%2Fhome%2Fxxxxxx%2Fpublic_html%2Fjatest.php%22%29%20%3F%20%22un%22.%22linked%22%20%3A%20%22not_un%22.%22linked%22%29%20%3F%3E%27%20into%20outfile%20%27%2Fhome%2Fxxxxxxxx%2Fpublic_html%2Fjatest.php%27"] [unique_id "WtS@xxxxxxxxxxxxxx-xxxxxxx"]

As you can see, the offending server in that instance is running a script that is attempting to execute an SQL command in the gallery portion of the PHP script on the victim's site, attempting to plant a file in the public_html folder of the victim, and testing to see if they could get the uploader portion of the script to accept/execute their own script, for various purposes which you can imagine - everything from using the script to send out spam, to spoofing search links, to defacing / disabling the victim's pages.

To me, any such attack is "serious" and any site/server executing it should be immediately suspended, which can be done without taking down an entire server or affecting other customers on it. As a host yourself, you probably know that all you have to do is log in to your server and suspend that particular site's account and log in / remove the scripting files from their account.
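
Added example, not part of the original post: one way to turn ModSecurity error-log lines of the shape quoted above into a per-source summary (hit count, mean interval between hits, rule IDs, file-write attempts) that can go into an abuse ticket next to the raw excerpt. It assumes the Apache 2.2 error-log prefix `[timestamp] [error] [client IP]`; the sample lines, addresses, hostname and the `999999` rule ID are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Assumed Apache 2.2 error-log prefix: [timestamp] [error] [client IP] ModSecurity: ...
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] ModSecurity: (?P<rest>.*)$')
# ModSecurity metadata fields look like [name "value"]; values may hold escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_line(line):
    """Return one ModSecurity event as a dict, or None for any other log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    if "id" not in fields:
        return None
    return {
        "time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        "client": m.group("client"),
        "rule_id": fields["id"],
        "hostname": fields.get("hostname", ""),
        "uri": unquote(fields.get("uri", "")),  # decoded so a reviewer can read it
    }

def summarize(lines):
    """Group events by source IP: hit count, time span, mean interval, rules hit."""
    by_client = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            by_client[event["client"]].append(event)
    report = {}
    for client, events in by_client.items():
        events.sort(key=lambda e: e["time"])
        span = (events[-1]["time"] - events[0]["time"]).total_seconds()
        report[client] = {
            "hits": len(events),
            "first_seen": events[0]["time"],
            "last_seen": events[-1]["time"],
            "mean_interval_s": span / (len(events) - 1) if len(events) > 1 else None,
            "rule_ids": sorted({e["rule_id"] for e in events}),
            "hostnames": sorted({e["hostname"] for e in events}),
            # Requests whose decoded URI asks the database to write a file.
            "file_write_attempts": sum("into outfile" in e["uri"].lower() for e in events),
        }
    return report

def abuse_summary(report):
    """Render the per-source summary as plain text for an abuse ticket."""
    rows = []
    for client, r in sorted(report.items(), key=lambda kv: -kv[1]["hits"]):
        gap = r["mean_interval_s"]
        rate = "single hit" if gap is None else f"one every {gap:.1f}s"
        rows.append(f"{client}: {r['hits']} blocked requests ({rate}), "
                    f"{r['first_seen']} to {r['last_seen']}, rules {','.join(r['rule_ids'])}, "
                    f"{r['file_write_attempts']} file-write attempts, "
                    f"targets {','.join(r['hostnames'])}")
    return "\n".join(rows)

# Constructed sample input (documentation-range IPs, made-up host and timestamps).
TEMPLATE = ('[Tue Jun 17 21:58:{sec:02d} 2008] [error] [client {ip}] ModSecurity: Access denied '
            'with code 406 (phase 2). Pattern match "..." at ARGS:gallery_id. [id "{rid}"] '
            '[msg "constructed"] [severity "CRITICAL"] [hostname "victim.example"] '
            '[uri "{uri}"] [unique_id "CONSTRUCTED-{sec:02d}"]')
SQLI_URI = ("/gallery2.php?gallery_id=30%20union%20select%20null%2Cnull%2C%27x%27"
            "%20into%20outfile%20%27%2Fhome%2Fxxxxxx%2Fpublic_html%2Fjatest.php%27")
SAMPLE_LINES = [TEMPLATE.format(sec=s, ip="192.0.2.10", rid="950001", uri=SQLI_URI)
                for s in (1, 2, 4, 5, 7)]
SAMPLE_LINES.append(TEMPLATE.format(sec=30, ip="198.51.100.7", rid="999999", uri="/index.php"))
SAMPLE_LINES.append("[Tue Jun 17 21:58:31 2008] [notice] caught SIGTERM, shutting down")

if __name__ == "__main__":
    print(abuse_summary(summarize(SAMPLE_LINES)))
```

Apache 2.2 error-log timestamps have one-second resolution, so the mean interval is an average over the whole burst rather than a measurement of each gap.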
James Jhurani
I just spoke with the Manager of our Abuse department.

They will be addressing this issue via the ticket you opened.

Should you not receive an update in a reasonable amount of time, please PM me and let me know.