Web Hosting Talk : Web Hosting Main Forums : Specialty Hosting and Markets : HostPhenom.com Violating User Data Privacy

[CafeContinent]

Dear Friends;

I'm owner of irc.cafecontinent.com network, where I have more than 10 other links from different providers. Recently I had a shocking incident from one of the links thats hosted by hostphenom.com -

This incident happened, while the client (irc.syntax-irc.net) of hostphenom.com, who's the owner of the one of the links to my server Joseph Jay Bodman, was offline. A staff named Matt logged in via the link, and accessed (Opered) himself as the owner of the link, and being the network founder when I questioned, he said I had interrupted their monthly audit, and shut down the service of Joseph Jay Bodman, purposely causing him downtime.

Later when questioned about this incident he had told my friend, that they were allowed to access their details, and log in as the owner, and impersonating as my friend. Not only do I consider this impersonation, which is not allowed on IRC networks, he had also Opered himself, being an anonymous person, directly making it a threat to the entired Network.
The company claims this is allowed on their TOS as to find out if there are any botnets on the server.
A high school kid will teach me, that by doing /lusers - /who 0 / who * - you can get an idea of currently connected users on the entire network, let alone your link.
Now being a host, you are telling me you can't monitor traffic on your own ip/machine? Thats a mystery to be solved then.

I've been running IRC Networks for almost 10 years now, and this is the first time in my IRC life, that i've come across a host who could do such a thing. This is invasion of privacy! Invasion of user data! Impersonation of your own client! By using your clients IRC access, you became an unauthorized administrator for the entire network which is not owned by your company!!!!!

[Jbodman]

This happened to me i can't belive they needed got into my stuff that bad using there power and go through my files and obtain my password and login in as me they could have just asked me. The worst thing about i would have never known untill my good bro here caught them. i have then changed to another provider


<<Signature to be set up in your profile>>

[IPv6]

hm; nothing in their tos about it

a network i'm on has opering from one hub; every single server except that hub is quarantined.

[TheChemist]

fbyne,

I suppose you as you don't have a shell on the box, or J0E and his Network didn't read the T.O.S. stated when you log into the shell.

THIS IS A PRIVATE COMPUTER SYSTEM.
This computer system including all related equipment, network devices (specifically including Internet access), are provided only for authorized use. All computer systems may be monitored for all lawful purposes, including to ensure that their use is
authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability and operational security.
Monitoring includes active attacks by authorized personnel and their entities to test or verify the security of the system. During monitoring, information may be examined, recorded, copied and used for authorized purposes. All information including personal information, placed on or sent over this system may be monitored. Uses of this system, authorized or unauthorized, constitutes consent to monitoring of this system.
Unauthorized use may subject you to criminal prosecution. Evidence of any such unauthorized use collected during monitoring may be used for administrative, criminal or
other adverse action. Use of this system constitutes consent to monitoring for these purposes.

we had reports of a botnet being on the server so we performed a security audit and opered to see +s channels. Joseph Bodman had logged into that shell numerous amounts of times and it has seen the Shell T.O.S. numerous times. The T.O.S. for shells is not on the site and will be placed there tonight. But, previously (our older order system) when a shell is sold we do send them the terms of service via e-Mail before we accept payment.

We use WHMCS now and will implement the shell T.O.S. into the website. But Joe Bodman was given the shell. It was a message via IRC he asked for it and I said sure I'll setup the account and give you the login.

And just to make a point to the owner of Cafe Continent. I myself (Matt) didn't access your IRC Network. I was not told of the actions that were being taken by my Administrator in charge of Technical and Security issues but I do not dis agree with them. We now have been informed of a better security device to prevent botnets and are implementing it into our security.

Let us explain our side of the story. We gave Joseph Bodman a shell out of generosity as he had been generous to us previously. We spoke with Joe Bodman today and he apologized to us for not letting the network he linked to (CafeContinent) know about our T.O.S. for obvious reasons. He did not read them.

Bad P.R. is Bad P.R. and this thread has given bad P.R. We did nothing that constitutes a negative thread especially from someone who hasn't experienced our services. CafeContinent. This thread should be deleted.

Regards,
Matt

[Bjørn-Erik Hansen]

In Norway, you need the agreement from the curt to be able to login to someones server with or without their access.

Your ToS said it clearly, Lawful actions, doesn't that mean there has to be any breakings of the law in order for you to take action?

I take side with the OP on this, as the Providers informations was like.... Oo

[TheChemist]

and I did a /lusers on your network and received this information:

There are 50 users and 33 invisible on 9 servers
18 operator(s) online
2 unknown connection(s)
44 channels formed
I have 17 clients and 0 servers
-
Current Local Users: 17 Max: 669
Current Global Users: 83 Max: 1145

you have a current global user count of 83 and a max of 1145. Could this possibly be because we removed the botnet from our server? That is a huge gap.

I then did a /who 0
and got a response of a list of users connected to your network many of which were bots or clones.

I then entered most of the channels, tried to speak with anyone, and not one person would respond. I do note that it is 12:35AM where I am but anyone on IRC know's the IRCers do not sleep. How could a channel with 30+ users in it not respond. My assumption is that there were many clones/bots.

This thread has nothing to do with Dedicated Servers so if not deleted it should be moved. And CafeContinent, J0E was given the shell. He violated our Terms of Service and we gave him the opportunity to clear it up verbally but he (until today) didn't try to contact us. I am not trying to accuse but could this be because there was a botnet? The shell was deactivated several weeks ago.

Regards,

[themedia]

Erm .. let me get this straight. you received a report that there are closes/drones, and you impersonated your customer, played around with his personal data, everything based on ... assumptions. (which are all mostly unfounded IMHO)

You saw 83 users which most of them prolly have bouncers and don't stay online 24/7, and you did indeed think that there are drones and floodbots. I must say that your IRC experience is so limited that you don't even recognize a botnet from a legit network. You obviously have no idea how a botnet looks like.

I speak from the shell hoster admin point of view. I have my own shell company, but kiddies or not, everybody is innocent till proven guilty, and based on that i have always valued their privacy. It's not my job to question your methods, but it seems a horrible way to treat your customers. I feel sad for them. Why am i being so harsh on this matter ? Because i hate when abuse of power happens. If life would work that way, everybody would go out on the street shooting first and asking questions afterwards.

[Bjørn-Erik Hansen]

Quote:

Originally Posted by HostPhenom

I then entered most of the channels, tried to speak with anyone, and not one person would respond. I do note that it is 12:35AM where I am but anyone on IRC know's the IRCers do not sleep. How could a channel with 30+ users in it not respond. My assumption is that there were many clones/bots.
Regards,

That's the most retarded thing I've ever heard, ever thought about those whom are AFK, sleeping, or just simply ignoring you ?

IMHO, you had nothing to do on their network, it has nothing to do with you at all.
I agree with the poster above me, it's called abuse of power.

I would deff. not rent anything from you.

[CafeContinent]

Matt, if you didn't do it, I was told it was someone sent by you.
My point is: By opering on his server, you accessed the entire network, he's only a link, and the network consists of 10 other links. And we do not allow unknown persons to oper up! And I can't think of one network that does.
I hope you understand there is something called Data Protection Law, which you don't seem to regard one bit.
And I have nothing against you personally, or your company, when I did question the person who was doing this from your side, they gave me an attitutde, and shut down JOE's shell, causing him downtime, and trying to blame me, just because I questioned him. You guys really need a traffic monitoring system on your own IPs.

Here are the logs of how the incident took place:
I have added *'s to hide the real IP address.

<|UnDeRcOvEr|> who r u?
_- is nat32@E17A5BC2.8CF3A3EF.B4AEFAA.IP * non applicable
_- is using modes +ixG
_- is connecting from *@24.144.*.* 24.144.*.*
_- on #Cafe
_- using pan.syntax-irc.hub.us.com Syntax Irc
_- End of /WHOIS list.
-pan.syntax-irc.hub.us.com- *** _- (nat32@24.144.*.*) did a /whois on you.
<|UnDeRcOvEr|> please answer, or i'm sorry i'm gonna have to ban you!
<_-> i host one of the servers here just looking around i will be opering in a moment just ignore it its for investigative auditing purposes
-irc.cafecontinent.com- _- (nat32@netadmin.pan.syntax-irc.hub.us.com) [J0E] is now a network administrator (N)
-irc.cafecontinent.com- *** Global -- from OperServ: _- is now an IRC operator.
<|UnDeRcOvEr|> lollll
<|UnDeRcOvEr|> oh u !!!
<|UnDeRcOvEr|> JOE
<|UnDeRcOvEr|> u punk ***
<|UnDeRcOvEr|> where u been?
<_-> no
<_-> im JOEs host
<|UnDeRcOvEr|> ?
<|UnDeRcOvEr|> ok
<|UnDeRcOvEr|> what has Joe done?
<|UnDeRcOvEr|> as JOE's host, u know u cant OPER up?
<_-> nothing im just doing my monthly audit of all accounts on my box
<_-> makin sure theres no hidden botnets etc
-irc.cafecontinent.com- *** Notice -- Client connecting at pan.syntax-irc.hub.us.com: _- (nat32@24.144.*.*)
<|UnDeRcOvEr|> well u know u cant oper up
<|UnDeRcOvEr|> and access details
<|UnDeRcOvEr|> u can monitor connection
<|UnDeRcOvEr|> u dont need oper line to check for botnets
<|UnDeRcOvEr|> i'm gonna report u to JOE
<|UnDeRcOvEr|> and i have removed all oper lines
<|UnDeRcOvEr|> becuz thats a security threat for the entire network
<|UnDeRcOvEr|> joe is only a link here
<_-> you have interfered in the monthly audit this shell will now be closed
-irc.cafecontinent.com- *** Global -- from syntax-irc.hub.us.com: Server pan.syntax-irc.hub.us.com[64.85.*.*] closed the connection
* _- (nat32@E17A5BC2.8CF3A3EF.B4AEFAA.IP) Quit (syntax-irc.hub.us.com pan.syntax-irc.hub.us.com)

[themedia]

so .. let me get this straight. the monthrly audit means snooping through all customers accounts on a monthly basis ? how retarded is that ? oh boy this is one good thread for today.

[CafeContinent]

Matt:

"I then entered most of the channels, tried to speak with anyone, and not one person would respond. I do note that it is 12:35AM where I am but anyone on IRC know's the IRCers do not sleep. How could a channel with 30+ users in it not respond. My assumption is that there were many clones/bots"

<Haqeer> hey Matt
<Matt> Hi
<Matt> it took a whois of you to get your attention
<Haqeer>
<Haqeer> sup
<Haqeer> Matt
<Matt> Who own's this network?
<Haqeer> MaTriX

Matt was Matt@bb-*-*-*-*.*.net * Matt Green
Matt using irc.cafecontinent.com Tue Apr 29 05:12:56 2008
End of WHOWAS

Now you are also lying Matt!

[hostmyserver]

what about contacting him the proper way instead of invading his irc net?

[Bjørn-Erik Hansen]

IMHO, I would contact your lawyer, this is seriously above anything that can be tolerated.

Also, would you be so kind to show the ToS where it states that you have the right to snoop on your users shells ?

[Dictator-of-Death]

This is actually a very clear breach of the Data Protection Law, and this can also extend to state and country wide law on invasion of privacy.

A TOS is a set of rules you can apply to ones business, but it does not bine by law for clear breaches of illegal activity that has been shown of the hosting company.

I would recommend that the host read some strict laws regarding this or risk having a court case launched against you from any other customers you have done this to.

[railto]

this is good, i run a small and upcoming irc net, had been looking at several providers to create a shell with and link, but after looking at this i know to stay clear of hostphenom, if my current host ever opered on to my net i would be closing my account and filing legal action so quick that they would still be connected when the court summons arrives at their door. Its an unlawful invasion of privacy, no matter how you look at it, its illegal.

Also, the ToS that a client has to abide by is the ToS that they signed up with, you can update it on the main ToS, thats fine, but you can not post a seperate ToS on a shell login screen.