How Shared Hosting Can Affect Your Reputation?

A quick blog post about the risks associated with shared hosting solutions. Today it’s very easy to rent some space on the intertubes. They are tons of companies which give you some gibabytes of storage and bandwidth for a few bucks per month. It’s easy as 1-2-3, even Granny is able to open a website! Today, a web presense is a business requirement for most of companies. This is often the first contact that your customers or partners will have with you.

My home network is protected by common best practices, amongst them, an IDS. I don’t have a classic home network and I’m running some nasty stuffs from time to time and I’ve to keep an eye on my packets. Yesterday I received the following alert:

10/16/2013-06:57:41.365442 [**] [1:2404111:3224] \
ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server (group 12) \
[**] [Classification: A Network Trojan was detected] [Priority: 1] \
{TCP} 192.168.254.202:51189 -> 213.186.33.19:80

First reaction: “WTF!“. All my known devices receive a fixed IP address via DHCP at home. This is more convenient to track such incidents. The source IP address was my iPhone!? This looked even more suspicious. Let’s log on the IDS box and inspect the corresponding PCAP file. Some HTTP requests were indeed sent to this IP address. My iPhone tried to reach the virtual host “www.dcode.fr“. This website is clean and was accessed again when I closed a lot of tabs in my mobile Safari (I visited it a few days before). But why I did not get alerts when I accessed this URL for the first time? I checked my IDS daily updates and the rule which was fired was updated the 15th of October:

alert ip $HOME_NET any -> [213.186.33.19,213.5.182.124,213.57.77.220,216.172.154.37,216.176.100.240,216.215.112.149,216.240.163.147,216.55.177.238,217.12.199.60,217.12.219.148,217.23.152.116,218.61.10.188,221.132.39.132,23.22.33.59,31.148.219.85,31.170.179.179,31.186.3.99] any (msg:"ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server (group 12)"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; reference:url,palevotracker.abuse.ch;reference:url,spyeyetracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404111; rev:3221;)

Within a shared hosting solution, all websites on a server have the same IP. Communications between some IP addresses can be a good IoC (“Indicator of Compromize“). The IP address mentioned above delivered malicious content as reported by virustotal.com! It’s was a false positive in my case but some organizations might decide to block communications to malicious (reported as) IP and make your website unreachable. What to conclude?

• Keep your IDS rules updated! Rules change almost daily and botnets are using new C&C all the time!
• Shared hosting can have an impact on your online reputation!
• If a vhost has been compromized to install a new C&C, your website can be at risk too!