Update: Sustained Infections at ThePlanet

Last week I wrote about the infections that seem to plague the web host ThePlanet. A lot of information has come in since then that explains a bit of what is going on. First, I have not received any official communication from ThePlanet regarding the infections. If someone at this company would like to talk to us about how to incorporate this data into their abuse-fighting efforts, we’d love to help. I am sure there are others in this field who would offer the same.

Secondly, we are not the only ones who found this problem percolating at ThePlanet. Intrepid reporter Brian Krebs pointed to research at FIRE that shows ThePlanet at the top of their most-infected list. He goes on to say that a majority of the other badware trackers out there report the same thing.

Lastly, I was tipped off to ThePlanet’s RWhois server, which allows a finer grain of resolution on the infections: where the registry whois record stops at the allocation to ThePlanet, RWhois returns the customer each address block has been reassigned to. I ran the top infected IPs through it and the results are eye-opening. Two clients stand out as the source of the majority of the issues.

IP address      Infected  RWhois org name
174.120.120.151     2360  Skenzo FZE
74.54.82.209         704  Skenzo FZE
174.123.118.242      701  WebsiteWelcome
209.85.84.167        501  Skenzo FZE
74.54.82.151         294  Skenzo FZE
209.85.51.171        187  Skenzo FZE
70.85.203.98         154  Bahram Boutorabi
66.98.226.63         107  unknown
174.132.114.66       104  WebsiteWelcome
209.62.72.250        102  Skenzo FZE
74.54.82.223          90  Skenzo FZE
66.98.145.18          82  unknown
70.84.243.130         72  WebsiteWelcome
174.133.93.58         72  server sea
74.55.113.68          63  Payam Torkian
74.55.100.8           60  Skenzo FZE
75.125.230.50         59  007express.com
74.55.26.91           57  Fakhreddin
174.132.194.9         56  WebsiteWelcome
74.54.62.162          53  Xieno
74.53.162.242         52  xpower.net
74.52.114.250         52  brian bennett
74.52.105.66          48  WebsiteWelcome
67.19.92.170          48  PQC Service, LLC
67.19.140.10          44  NV Avid Corp.
209.85.51.176         44  Skenzo FZE
74.52.111.226         42  Websouls
70.86.72.202          40  hub4host
209.62.105.19         39  Skenzo FZE
75.125.148.76         36  4.CN
209.62.55.197         34  Payam Torkian
67.15.126.22          33  unknown
174.123.249.210       33  WebsiteWelcome
209.85.84.165         32  Skenzo FZE
75.125.198.122        31  i4serv
74.54.131.210         31  WebsiteWelcome
74.53.241.66          31  WebsiteWelcome
74.52.142.66          30  WebsiteWelcome

I’m told, but have not confirmed, that Skenzo is a domain parking service and that WebsiteWelcome is somehow associated with HostGator. If anyone from these two organizations would like to talk, I’m here to help. I plan to use some of our historical data to chart how the infections grew in these two organizations and see whether they correlate with any other security events. I’m hoping to see something like a spike around the time of a PHP bug or similar.
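The method behind the table above (flagged domains resolved to IPs, grouped by IP, then attributed to a customer through RWhois) as an added example; this is not code from the original post. It also keeps the IP a domain was on when it was flagged next to the IP it resolves to now, because, as the Skenzo reply in the comments below points out, an expired domain re-pointed at a parking service drags its old listing with it; such domains land in the "moved" column instead of inflating "confirmed". The RWhois server name, the bare-IP query on port 4321 and the `network:Org-Name:` attribute are assumptions about rwhoisd-style servers, so confirm them against one live response before trusting the org column.

```python
"""Attribute flagged malware domains to the hosting customer behind each IP via
RWhois, and separate domains that were seen serving malware *on that IP* from
domains that merely resolve there today.  Added example, not code from the
original post; the RWhois query syntax and the Org-Name attribute are
assumptions about rwhoisd-style servers, so check one live response first."""
import re
import socket
from collections import defaultdict

# rwhoisd-style responses are lines of the form  class:attribute:value.
# Assumption: the customer is in a "network:Org-Name:" line.
_ORG_RE = re.compile(r"^network:Org-Name:(.+?)\s*$", re.MULTILINE | re.IGNORECASE)


def parse_org_name(response: str) -> str:
    """Return the Org-Name value from a raw RWhois response, or 'unknown'."""
    m = _ORG_RE.search(response)
    return m.group(1).strip() if m else "unknown"


def query_rwhois(ip: str, server: str = "rwhois.theplanet.com", port: int = 4321,
                 timeout: float = 10.0) -> str:
    """Send one query and return the raw response.  Assumption: the server
    answers a bare IP on port 4321, like `whois -h SERVER -p 4321 IP`.
    Network call; the offline demo below does not use it."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(f"{ip}\r\n".encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def aggregate(sightings, org_lookup):
    """sightings: iterable of (domain, ip_when_flagged, ip_now).
    org_lookup: callable mapping an IP to its RWhois org name.

    Returns {(ip_now, org): {"total", "confirmed", "moved"}} where
      confirmed = flagged while resolving to ip_now (this host really served it)
      moved     = flagged on another IP and only re-pointed here since, which is
                  what an expired domain landing on a parking service looks like.
    'total' is what you get if you group by current IP alone."""
    rows = defaultdict(lambda: {"total": 0, "confirmed": 0, "moved": 0})
    org_cache = {}
    for _domain, ip_then, ip_now in sightings:
        if ip_now not in org_cache:
            org_cache[ip_now] = org_lookup(ip_now)
        row = rows[(ip_now, org_cache[ip_now])]
        row["total"] += 1
        row["confirmed" if ip_then == ip_now else "moved"] += 1
    return dict(rows)


def ranked(rows):
    """(ip, org, total, confirmed, moved) tuples, busiest IP first."""
    flat = [(ip, org, r["total"], r["confirmed"], r["moved"]) for (ip, org), r in rows.items()]
    return sorted(flat, key=lambda t: (-t[2], t[0]))


# Constructed sample data: two IPs from the table above, invented domain names
# (.invalid), and 198.51.100.7 (a documentation address) as the former host of
# the expired domains.
SAMPLE_SIGHTINGS = [
    ("driveby-a.invalid", "74.54.82.209", "74.54.82.209"),
    ("driveby-b.invalid", "74.54.82.209", "74.54.82.209"),
    ("expired-c.invalid", "198.51.100.7", "74.54.82.209"),
    ("expired-d.invalid", "198.51.100.7", "74.54.82.209"),
    ("expired-e.invalid", "198.51.100.7", "74.54.82.209"),
    ("shared-f.invalid", "174.123.118.242", "174.123.118.242"),
]
SAMPLE_RWHOIS = {  # constructed responses in the assumed rwhoisd layout
    "74.54.82.209": "%rwhois V-1.5:00ffff:00 example (constructed)\r\n"
                    "network:Class-Name:network\r\n"
                    "network:IP-Network:74.54.82.208/29\r\n"
                    "network:Org-Name:Skenzo FZE\r\n%ok\r\n",
    "174.123.118.242": "network:Class-Name:network\r\n"
                       "network:Org-Name:WebsiteWelcome\r\n%ok\r\n",
}


def demo():
    """Run the aggregation over the constructed sample, offline."""
    return ranked(aggregate(SAMPLE_SIGHTINGS,
                            lambda ip: parse_org_name(SAMPLE_RWHOIS.get(ip, ""))))


if __name__ == "__main__":
    print(f"{'IP address':<16}{'total':>6}{'confirmed':>10}{'moved':>6}  org")
    for ip, org, total, confirmed, moved in demo():
        print(f"{ip:<16}{total:>6}{confirmed:>10}{moved:>6}  {org}")
```

To run it against live data, replace the lambda in `demo()` with `query_rwhois` and feed it records that carry the IP observed at detection time; if your feed only stores the domain, the "moved" column cannot be computed and the totals should be read with the parking caveat in mind.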

I’ve also thought long and hard about how I would advise hosting firms like ThePlanet if I were in a position to do so. My current opinion, always subject to change, is that a graduated response should be used. For extreme infections, notify the client first and wait a week. If there is no contact in a week, pull the sites offline (unplug the network connection only, not the power, so the state on the box survives for the cleanup) until the client makes contact. Then allow only IP addresses they designate through, so they can clean up the server while it is unable to infect anyone else in the meantime. If there is no contact at all within some maximum amount of time, keep the box offline until there is.

This is not something I’m ready to defend yet, so if there are suggestions or comments I’m totally open to hearing them. But it reflects a mixture of the best ideas I’ve heard from friends and colleagues about the situation.
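The "designated IPs only" step of that graduated response, rendered as an nftables ruleset for a Linux gateway that forwards the infected server's traffic; this is an added example, not something from the post or from ThePlanet. It assumes a gateway in the forwarding path with nftables and connection tracking, and adds one guard the policy does not spell out: an allowlist entry broader than a /24 (the cap is an assumed knob) is refused, because a "designated range" of 0.0.0.0/0 would silently re-expose the box.

```python
"""Render the quarantine step of the graduated response above (only the IPs the
customer designates may reach the box, and the box reaches nothing) as an
nftables ruleset for a Linux gateway that forwards the server's traffic.
Added example, not from the post.  Assumed: the gateway sits in the forwarding
path, nftables with conntrack is available, and allowlist entries are capped at /24."""
import ipaddress

# Assumed policy knob: refuse allowlist entries broader than this, because a
# "designated range" of 0.0.0.0/0 or a whole /8 would silently re-expose the box.
NARROWEST_ALLOWED_PREFIX = 24


def render_quarantine_ruleset(server_ip, cleanup_sources, admin_ports=(22, 443)):
    """Return nftables text.  cleanup_sources: IPv4 addresses or CIDRs the
    customer designated for the cleanup; admin_ports: what they may reach."""
    server = ipaddress.IPv4Address(server_ip)
    nets = [ipaddress.IPv4Network(s, strict=False) for s in cleanup_sources]
    if not nets:
        raise ValueError("empty allowlist: nobody could reach the box to clean it")
    for net in nets:
        if net.prefixlen < NARROWEST_ALLOWED_PREFIX:
            raise ValueError(f"{net} is broader than /{NARROWEST_ALLOWED_PREFIX}; "
                             "that is not a cleanup allowlist, it is re-exposure")
    elements = ", ".join(str(n.network_address) if n.prefixlen == 32 else str(n) for n in nets)
    ports = ", ".join(str(p) for p in admin_ports)
    return f"""table inet quarantine {{
    set cleanup_hosts {{
        type ipv4_addr
        flags interval
        elements = {{ {elements} }}
    }}
    chain forward {{
        type filter hook forward priority 0; policy accept;
        # policy accept: other customers behind this gateway are unaffected;
        # every rule below is scoped to the quarantined server
        ip saddr {server} ct state established,related accept
        ip daddr {server} ct state established,related accept
        # only the designated sources may open connections, and only to admin ports
        ip daddr {server} ip saddr @cleanup_hosts tcp dport {{ {ports} }} accept
        # everything else to or from the box is logged and dropped: the public
        # cannot fetch anything from it and it cannot reach out to infect anyone
        ip daddr {server} counter log prefix "quarantine-in: " drop
        ip saddr {server} counter log prefix "quarantine-out: " drop
    }}
}}
"""


if __name__ == "__main__":
    # Constructed example: a server IP from the table above and two
    # documentation-range sources standing in for the customer's office and VPN.
    print(render_quarantine_ruleset("74.54.82.209", ["203.0.113.10", "198.51.100.0/28"]))
```

Load the output with `nft -f` and lift the quarantine with `nft delete table inet quarantine` once the customer reports the box clean; the `counter` and `log` statements give you a record of who kept knocking while it was fenced off, which is useful when deciding whether the cleanup actually worked.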

EDIT: added line breaks to data section to make it readable


3 Responses to Update: Sustained Infections at ThePlanet

  1. Cometcom1 says:

    Those are some good points Oliver.

    The idea of building a security zone around boxes that have been compromised is nice. But the administration of such a thing would have to rely on some equipment that was capable of “mostly” automating, or at least assisting in, condemning an area of servers or IP addresses.

    The problem for a hosting company would likely be the wide variety of connections that had to go through a set of access lists, and it would not be a workable solution for a lot of places.

    If it was possible to build a small gateway which could be put between the compromised hosts, or even stuck on the entire rack that had been compromised, then we’d be talking something that may be usable.

    I would think a stand-alone unit could do the trick; I’m thinking of a bridge-type unit with access filtering ability. It has to be small, quick to install, and most of all have remote capability so as to allow the supporters to enable access to the network/server/rack when contacted by the customer.

    Since speed would not be the problem – the network is sort of taken offline anyway, I’d expect a small “pizza box” linux could theoretically do the trick.

    Would be interesting to know how many pizza boxes one would need for a reasonably large hosting facility … (add a few with real pizza to the guys installing the boxes though).

  2. Solstice says:

    I am a reseller with HostGator and I can verify that WebsiteWelcome is indeed the DNS servers used for the shared reseller boxes. I have brought this matter to the attention of HostGator’s Network Admins and am currently awaiting a reply; it looks like I may be moving here very shortly.

    In the past 3 months:

    1) My site was offline a total of 3 weeks due to DDoS attacks, that weren’t even directed at any of my IPs. It took them 5 days to figure out to simply block the offending IPs, it took another 2 MONTHS to talk ThePlanet into putting a hardware firewall on the box.

    2) I use Catch-All Email with my domains and the email used ONLY in the HostGator billing system (hostgator@example.com) is severely flooded with Indian Pharmacy Spam. When brought to HostGator’s attention, they tried to blame it on a dictionary attack; out of literally millions of possible combinations the spammers just happened to choose HostGator@ to spam? Yes, they actually expected me to believe that.

    Now this. Thankfully none of my own IPs are on that list but to say what little faith I had left in HostGator has been rattled would be an overt understatement. The security of my client’s information, CC #s, etc. is extremely paramount to me & I’m saddened to see that one of the biggest datacenters on the face of the internet (ThePlanet) obviously doesn’t take it nearly as seriously as I do.

    The truly disturbing part is that I found this blog after getting blocked from a site by Google which leads me to assume that this site is a main contributor to Google’s new(ish) site-blocking policies. If my sites were to end up blocked by Google due to the crap going on at ThePlanet, my small e-firm would be dead. Thank you for the article, as well as pointing me toward Brian’s blog & FIRE. It’s been a very enlightening read.

  3. Skenzo Representative: Vishal Manjalani says:

    Hi Oliver

    I have been informed about this blog post on infections on the Skenzo infrastructure.

    Skenzo’s IPs ARE NOT DISTRIBUTING MALWARE and are only showing up as A FALSE POSITIVE because of the way you are assigning IP addresses to malware domains. There are no infections actually present on our infrastructure, nor are there any drive-by downloads.

    In your research you have taken all identified malware domains and done a reverse lookup on their IP addresses and then grouped them together by IP. While in theory this provides you with a starting point, you would need to add more filters to make your report accurate. It is currently subject to false positives, like in our case — if a domain was being used for malware in the past, expires and starts pointing to Skenzo due to the DNS change made by the domain registrar — you will get the current Skenzo IP address as the IP for the domain that had malware in the past. However, the original infecting IP would have been the previous IP hosting this domain and NOT the Skenzo IP. Moreover, it seems that the list that you’re using maintains domains as infected if malware was discovered anytime in the last 90 days (or more?).

    EVERY domain that expires with almost all domain registrars globally points to our infrastructure post expiry as almost all of them use the Skenzo service. This would be THOUSANDS of new domains on a daily basis. At any point of time, we have MILLIONS of domains pointing to our infrastructure.

    Skenzo has a 24 x 7 compliance team that proactively blocks domains. Also, in case of any complaint – malware, spyware, spam, 419 scam, hate etc – we block the domain immediately. At Skenzo, this is the case even if the issue no longer exists on the domain. In your method, even if a URL is blocked by us you will continue to show that ‘x’ infected sites are on our infrastructure as the DNS of these domains would continue pointing to us. In most cases Skenzo does not have DNS control of the domains, this is retained by the domain registrar.

    We are of course happy to put into place a process whereby you can share a list of domains with us in some automated manner that our compliance team would process immediately. As of right now, we do not even have the list of domains/URLs from you. We can block these as soon as you send them to us, i.e. if they are not already blocked.

    On a separate note, I would appreciate it if you can post an update to your blog post above with this new information. As of right now, your blog post gives a wrong impression that Skenzo is involved in the distribution of malware. This is untrue. Directi (Skenzo’s Parent Company) and Skenzo are both large service providers that have a history of taking significant & continuous action for making the internet safer and better. It is only fair that our actions are reflected correctly.

    Thanks.

    Warm Regards,

    Vishal Manjalani
    Director, Business Development
    http://www.skenzo.com
    vishal.ma (at) skenzo.com