fasmide / remotemoe

tunnels to localhost and other ssh plumbing
MIT License

Abuse #12

Open fasmide opened 1 year ago

fasmide commented 1 year ago

Today I received the following message from the remote.moe service hosting provider:

Dear Mr Kristian Mide,

We have received a notification regarding phishing from [soc@phishlabs.com](mailto:soc@phishlabs.com).

Please check the notification for the details of the problem, and then resolve this issue as soon as possible.

We also request that you send a statement within 24 hours to us and to the complainant. This statement should make it clear how the issue occurred, and what you have done to prevent it from happening again.

How to proceed:
- Solve the issue
- Send us a statement by using the following link: <removed>
- Send a response by email to the complainant

The statement you send us will be checked by a staff member, who will then coordinate any further proceedings. If you fail to comply within the stated deadline, the IP may be locked.

Important note:
When replying to us, please leave the abuse ID [AbuseID:<removed>] unchanged in the subject line.

Kind regards

Abuse department

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen / Germany
Tel: +49 9831 505-0
Fax: +49 9831 505-3
[abuse@hetzner.com](mailto:abuse@hetzner.com)
[www.hetzner.com](http://www.hetzner.com/)

Register Court: Registergericht Ansbach, HRB 6089
CEO: Martin Hetzner, Stephan Konvickova, Günther Müller

For the purposes of this communication, we may save some
of your personal data. For information on our data privacy
policy, please see: [www.hetzner.com/datenschutzhinweis](http://www.hetzner.com/datenschutzhinweis)

> During an investigation of fraud, we discovered a compromised website (iu...2a.remote.moe) that is being used to attack our client and their customers.
>
> In addition to the website owner, we have addressed this report to the responsible authoritative providers who have the ability to disable the malicious content in question. Based on your relationship to the content in question, please see our specific request below.
>
> This threat has been active for at least 0.1 hours.
>
> hXXps://iuf..52a.remote.moe/
>
> First detection of malicious activity: 11-21-2022 12:12:44 UTC
> Most recent observation of malicious activity: 11-21-2022 12:15:54 UTC
> Associated IP Addresses:
> 159.69.126.209
>
> ===   HOSTING  PROVIDER   ===
> If you agree that this is malicious, we kindly request that you take steps to have the content removed as soon as possible.  It is highly likely that the intruder who set up this phishing content has also left additional fraudulent material on this server such as illegitimate access points.
>
> ===     WEBSITE OWNER     ===
> We recommend taking the following actions to secure the web site and prevent the attackers from returning:
>     - Update your web applications including CMS, blog, ecommerce, and other applications (and all add-on modules/components/plugins).
>     - Search all of your web directories for suspicious files as attackers commonly leave backdoors.
>     - Scan the computer from which you login to your web hosting control panel or ftp server with anti-virus software.
>     - Change your web hosting provider if this is an ongoing issue.
>
> If your provider has disabled your account because of this incident, you must coordinate a resolution with them directly as PhishLabs has no control over this aspect.
>
> If we have contacted you in error, or if there is a better way for us to report this incident, please let us know so that we may continue our investigation.
>
> We are grateful for your assistance. 
>
>
> Kind regards, 
> SOC Team
> PhishLabs Security Operations
> 12023866001
> Available 24/7
>
>
> [PL-3342487]
>

I will try to explain to these guys what remotemoe is all about, but it might very well be the end of "remote.moe the service" (of course, not the software). But we will see how this plays out.

Around that same time, it seems to be impossible to resolve the remote.moe domain - I have no idea if this is somehow related - maybe the PhishLabs guys also contacted one.com and made them deactivate the domain.

To be continued...

r3a1d3a1 commented 1 year ago

Is it possible to use remote.moe using its IP address in the absence of DNS? (You could kindly keep us posted of any IP changes, if not static.)

fasmide commented 1 year ago

> Is it possible to use remote.moe using its IP address in the absence of DNS? (You could kindly keep us posted of any IP changes, if not static.)

That should indeed be possible - you won't be able to verify certificates, but it should be reachable.

btw, it's at 159.69.126.209

r3a1d3a1 commented 1 year ago

Awesome. Thank you!

fasmide commented 1 year ago

A possible future solution for this is discussed in #14