Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday, 6 July 2011

When is a 24 hour warning not a 24 hour warning? (aka HostNOC/Burst finally suspend Renos server)

was first reported to HostNOC/Burst, on July 2nd, both via e-mail and via telephone. When speaking to them on the phone, I was advised they'd give the customer a 24 hour warning.

Watching the new domains popping up each day, I continued to send them reports, and resorted to a second phone call last week (Sunday if memory serves), to be told yet again, they'd give the customer a 24 hour warning. I further sent them a plethora of data regarding cases related to it, suggesting they're most likely all from a single or single group, of resellers.

Today alas, the server was still active, and still spitting out the Renos trojan. Finally, I called them a third time, and I'm happy to report, they suspended the server whilst I was on the phone to them. The problem however, is the initial 24 hour warning they claimed they'd given the customer - what happened to it? What happened to the followup warnings?

More importantly, why did a 24 hour warning end up being a 4 day and 18 cases later, warning? Especially given I was told today that they had STILL not received a response from their customer to the first warning, let alone any followups.

HostNOC/Burst don't exactly have the best reputation when it comes to responses and actioning as it is, and this kind of behaviour isn't exactly making them look any better. So HostNOC/Burst - what's going on?

The files and domains, in case you're wondering, that were seen on this IP are;



And it's worth noting, the filename isn't static, the various filenames in the list above, would've worked for all of the domains, just as they've done on previous IPs/domains.

/update 15:08

And predictably, they've moved to yet another HostNOC/Burst IP;


