web application security lab

Just Another Day at ha.ckers.org

I don’t think I need to introduce this email, I think it speaks for itself:

Valued Road Runner Business Class Customer,

This email is in regards to the Time Warner (Road Runner) account for the following location

–snip–

The Road Runner Abuse Control Department has received a complaint of network abuse originating from a computer connected to your cable modem. We recognize that most Internet abuse complaints are the result of computers infected with viruses/worms or compromised by a trojan horse (a.k.a. “trojan” for short). Trojans allow malicious third parties to gain access to your system(s) for the purpose of using your Internet connection to intentionally commit the abuse in question. The abuse commonly comes in the form of either unsolicited email (a.k.a. “spam”) or port scanning (connection attempts to other systems across the Internet for the purpose of finding vulnerable systems to infect or exploit). However, if not addressed in a timely manner, your machine(s) potentially may be used for other more illegal activities.

A portion of the complaint we have received is copied below for your review:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|date                     |id     |virusname        |ip           |domain    |Url                        |
+-------------------------+-------+-----------------+-------------+----------+---------------------------+
|2010-04-14 02:20:04 CEST |514019 |unknown_html_RFI |71.41.152.29 |ckers.org |http://ha.ckers.org/xss.js |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you recognize this activity and it was intentionally sent, you may be in violation of our Acceptable Use Policy (AUP) and it’s important that you contact us immediately to discuss. If you do not recognize this, you likely have a compromised or infected system connected to your cable modem and will need to take action to clean and secure all Internet-connected computers as soon as possible. We take these complaints very seriously and further substantiated complaints could, at some point, require us to disable your cable modem in an effort to protect the integrity of our network. We obviously have no desire to interfere with your ability to conduct business and would prefer to not take such action, so please pursue whatever measures are necessary (up to and including the formatting of hard drives and/or assistance from a third party IT professional) to correct the problem with due urgency.

If it would be helpful, Road Runner does offer free anti-virus and firewall software for commercial use. You will need your Road Runner account information to register the software, so you may need to contact your local Time Warner office for assistance. For more information, please visit the following link:

http://www.rr.com/pss

Additionally, we have a suggested course of action on our Website, but please be aware that it is intended for use by residential customers to clean a single computer and may not be feasible for use in a commercial environment. Moreover, some of the suggested software is licensed for personal use only. We cannot accept responsibility for compliance with software licenses, so please be aware of rules and restrictions related to the installation and use of any applications suggested. If interested in this course of action, please visit the following link:

http://www.rrsecurity-abuse.com

If you have a network connected via a router, you may be able to view the router logs, looking for either a large amount of email activity or the port scanning activity specified above. This may indicate which computer is the offending system and thus help you simplify the solution.

The corrective action taken is entirely your responsibility. We are merely making contact to alert you to the problem in an effort to both protect our network and enforce our policies. But we ask that you do take corrective action as soon as possible and contact us to advise, preferably by simply replying to this email. Also feel free to contact us with any questions you have regarding this issue.

Thank You,
Time Warner Cable (Road Runner) Abuse Control, Regional Office
twcsecurity-abuse@texas.rr.com
1-877-588-8508

I didn’t realize 2 lines of completely benign JavaScript that can be included on websites are now considered abusive. I can’t wait until someone adds Google Adsense as unknown_html_RFI. If you know who submitted this, please smack them upside the head for me and then sit them down and help them find a job that doesn’t require a keyboard. kthanksbye.

12 Responses to “Just Another Day at ha.ckers.org”

  1. id Says:

    Some quick clarification, this was the letter they sent me after someone from the TW security team called me to warn us that our network was compromised and probably had a trojan. Maybe I shouldn’t have laughed as she was talking…she was polite, but clearly didn’t understand what she was talking about.

    She kept telling me I could scan it, and that would probably tell me what was wrong with it, or she could get me free anti-virus software…

  2. Lysogen Says:

    If I were you, I’d take the xss.js file down for a day or two. While it’s down, call TW’s security team and tell them you installed SEVERAL anti-virus softwares, purged your network of all the trojan condoms, and installed a few walls of fire for added protection. Wait two days as someone from the TW security team checks off your IP from a list, then put the xss.js file back up. NOTE: when on the phone, act as if whoever you are talking to are elite gods of IT security and you’re not even worthy of talking to their greatness. That should do it =)~

    If they keep bothering you, just tell them you got into an argument with someone in China while playing World of Warcraft. Tell them you think the Chinese are trying to steal your gaming account. Then make sure they are doing everything in their power as an ISP to keep your WoW account safe.

  3. RSnake Says:

    @Lysogen - hahah! You have obviously talked with customer service before, I see.

  4. skyphire Says:

    ISPs are getting more dictatorial by the day, thanks to the new Cyber security bill. Be prepared to give up even more rights, because that is the road we’re on. Look at Microsoft, who shut down http://cryptome.org/ for a couple of days because cryptome released an internal document provided by an M$ employee. The ISP listened to Microsoft, giving companies far more power than the right to host stuff. In the new “net” you will have no rights.

  5. skyphire Says:

    I forgot to add: Microsoft didn’t even have a subpoena nor a court order; the ISP in question shut cryptome down just because M$ thought it was a good idea. And that just for a simple document exposing M$ for spying practices in Windows 7 & their MSN network, which obviously they tried to censor. So we must entertain our rights, and simply not give way to those who try to censor one without a court order. But sadly, I think this will be common practice more often.

  6. thrill Says:

    I would ask them to explain exactly what this ‘virus’ does... and I would record that phone call for posterity’s sake and a good laugh when gathered with friends and family...

  7. zdaleka Says:

    @skyphire: M$ used a credible DMCA takedown notice in that case.

  8. Tom T. Says:

    RSnake’s been pwned? Oh, the irony!!! :-)

    @ RSnake: Just out of curiosity, what *were* the lines of js? Can you post them?

    I’d look myself, but I guess you’ve removed them. View Page Source shows no js. JSView shows no scripts, only the one css, and NoScript isn’t showing any either. There’s a NS menu option to allow ha.ckers.org, but the balloon tip shows none blocked. I allowed it, but still nothing in JSView or in the NoScript balloon of scripts running.

    Hint: When you put it back up, rename it to Skins.js or something else innocuous. It could be something as trivial as the “xss.js” in the page source that triggered their alarms as it passed over the wire.

    Oh, and, uh, no offense intended by default-blocking your site in NoScript. It’s just my default practice for *any* site, unless I need that functionality. Nothing personal! ;)

    @ Lysogen: What’s even funnier about your suggestion is that while it’s usually not possible to run more than one AV at a time (there could be exceptions of which I’m unaware), the person on the other end probably doesn’t know even that much, and will be very pleased. More laughs!

  9. RSnake Says:

    @Tom T - No, ha.ckers.org wasn’t compromised. It was just some idiot who doesn’t understand what our xss.js script is: http://ha.ckers.org/xss.js

  10. Tom T. Says:

    @ RSnake: I was being facetious in the first line. The joke was not at your expense, but at the expense of your ISP warning you of the “dangers”. Sorry if that wasn’t clear.

  11. Vince Says:

    This is some funny shit; you’re not the only one that got something like this...

  12. Mephisto Says:

    I’d call TW every time I saw one of their trucks in your neighborhood to confirm it was a valid technician and not someone attempting to hack into your computer and social engineer you… ’cause I know it’s possible, I saw it on Dateline one night!

    Or maybe call the police every time you see a person walk into a bank with a hat and sunglasses on!!!