Someones managed to upload a phishing site to my VPS.
How do they normally achieve this, there has been no unauthorised root access as I get e-mail each time someone log in as root.
Is it likely they've just managed to guess my ftp password, or is it going to have something to do with a script running elsewhere?
I've got solarvps looking at it now.
We have received the complain from paypal that one of the domains were phishing. How to track it down? How to find out the method that how they uploaded? I checked /tmp file and couldn't find anything. I check access_log file for wget and couldnt find anyting.
View 2 Replies View RelatedShell uploaded - Site hacked - How to trace?
Many of my customers let me know that their websites had been hacked. I think it comes from local hacker ....
with my server i ran in to big issue with phishing sites. i have secured my server with firewall, and many other security things. but still i can see some times some one place phishing site. serverbeach suspend my server few times. i know this is not doing by users by there selfs. but however its coming in to the server. in secure side now i have to only go thorugh sites and check all writable directories.
is there any way to monitor the phishing activities? may be its some kind of scripts some one running inside the server?
I currently run a dedicated server and for the past 2 month or so have been attacked by some hackers or so. Meaning that on my sites every other day there is a folder of a phishing site. It is either paypal, ebay, exc phishing site and I know that I did not upload it there. I have tried almost anything to stop that, but it just keeps happening, my server company suggested to do os reload, but I am not sure as that will cost me $100. Was anyone faced with a problem like this that can give few suggestions? I use cpanel server.
View 8 Replies View RelatedI'm not that techy I'd like to ask why this person downloaded the file below before uploading some phishing webpages on my account ? I've changed my password numerious times from different computers and even from mobile phone just to check if the person can still get in. But again it is no use the person were able to upload phishing pages.
logs:
May 25 21:50:42 server100 pure-ftpd: (weblogin100@62.56.133.36) [NOTICE] /home/weblogin100//.htpasswds/update/Login.php downloaded (21251 bytes, 755.78KB/sec)
Right now I deleted all other scripts on the account and remain some htmls. Folder were also set to 644 no 777, while waiting if the person can still upload his phishing pages please help me why he downloaded the file above. I've check the file on my account and I cannot see Login.php. By the way I have a root login and only two accounts were a constant phishing victims.
I spotted a user on my site with the hostname: gator832.hostgator.com
This particular visitor identified themselves as a "visitor", with the user agent: Mozilla/4.8 [en] (Windows NT 6.0; U)
Upon typing the user's IP into google, a boatload of "phishing" / "bad bots" logs come up.
My question: Can I identify visitors like this via automation?
i.e.: fake users. People who masquerade themselves as a human, while they're really a bot.
(I only noticed this potentially 'bad' user because I was viewing my visitor log in real-time. -I was on at the very moment they were-)
In previous experience, not every user with the "host" phrase in their hostname are bad users, so sniffing those bits wouldn't do anything useful.
Gmail has a feature to detect email phishing and it marks them with a red header alert saying "Warning" This message may not be from whom......", I believe this red alert has nothing to do with spf record of that email, so how does it detect it as phishing email?
We have spf record and I sent an email from another server, when I received that emai the spf record was "softfail" but it does not have that red alert.
I am running a hosting service. Recently a user put a phishing site on the server, pretending to be an eBay signup page and soliciting passwords. I had all kind of truble with this, because eBay complained to my server company.
I would like to ask if you know any solution what would block such sites automatically?
It could search for some predefined texts on the page (such as "sign in to eBay") and block the page if they are found. I wasn't able to find anything in Apache documentation.
I want post here about RapidVPS hosting,
they host all scam and phishy sites like Hyip.
What is Hyip? Here-> [url]
My proof:
ablehyip. com/hyip/ (IP:208.84.144.131)
globalmarketsol. org (IP:66.35.79.68)
forexco. us/index.php?a=home (IP:66.35.79.37)
xlinvestment. us (IP:66.35.79.29)
topprofitworld. net (IP:66.35.79.94)
real-onlineforex. com (IP:66.35.79.118)
fx-88. com (IP:208.84.150.149)
marvelpartners. us (IP:66.35.79.68)
and so on too many hyip scams, very big list.
All provided IP addresses are rigistered with
OrgName: Infinitum Technologies Inc. (RapidVPS)
OrgID: INFIN-27
Address: 873 Grand Regency Pte.
Address: Suite 201
City: Altamonte Springs
StateProv: FL
PostalCode: 32714
Country: US
All IP addresses are provided for
network: Organization-Org-Name:NVHSERVER Inc
network: Organization-Name:Ha Nguyen
network: Description-Usage:Internet Service Provider
I have contacted with RapidVPS admin and this guy (name is Rick) never answer my reports,
just ignore me, ban me, I'm sure he is owner of all this scam.
I have created account on the RapidVPS forum,
and Rick ban me for my first post about hyip scam on their servers,
here is proof: [url]
If you wanna ask about this issue, contact Rick directly: rickb@rapidvps.c0m
Guys what you think about this issue or maybe it's normal for all US hosters?
Please your comments.
Thanks for this post reading and your time.
Here is more info about hyip scam:
fbi.gov/majcases/fraud/fraudschemes.htm#ponzi
sec.gov/answers/ponzi.htm
I don't know about security on servers much, and we're setting up our new server. I have the techs doing the install stuff, but I would love to know what to install security wise. My current list:
Firewall - good free one?
Antivirus - good free one?
rootkit, some way of stopping it (anti-rootkit?)
Also, is there some sort of script which searches all cPanel accounts/files for phishing sites or spam sites etc? I swear I've seen one before, in firewall form?
Oh the server setup is going to be:
php5-CGI, fCGI, mySQL 5, apache 2.2.x, centOS, ruby on rails, django, ioncube, other php libraries, mod_rewrite, I think thats everything. (cPanel).
I know Brent from HostGator reads here so thought I share this, If you are an Australian you are more than likely getting phishing emails supposedly from Commonwealth Bank (Australia's largest bank). I get about 20 a day to all my email addresses, here's one I got today:
We recorded a payment request from "HostGator -www.hostgator.com- Reseller Web Hosting"
to enable the charge of $74.95 on your account.
Because the order was made from an African internet address, we put an Exception Payment on
transaction id #POS PAYM7284 motivated by our Geographical Tracking System.
THE PAYMENT IS PENDING FOR THE MOMENT.
If you made this transaction or if you just authorize this payment, please ignore or remove this email
message. The transaction will be shown on your monthly statement as "HostGator - Reseller Web Hosting".
If you didn't make this payment and would like to decline the $74.95 billing to your card, please follow
the link below to cancel the payment :
Cancel this payment (transaction id #POS PAYM7284)
NOTE: Because email is not a secure form of communication, please do not reply to this email.
© Commonwealth Bank of Australia 2009 ABN 48 123 123 124
Of course I'm not a customer of this bank nor am I with HostGator, but these emails are getting more sophisticated by the day.. please also see [url]
Does anybody understand what is going on here?
Here is the problem:
I log in to FTP and I try and upload an updated file (the file already exists on server). It prompts me to overwrite and I say yes but when I refresh/check the site the page hasnt changed - I then tried uploading the file again and it still says the existing file size (so I know it hasnt been replace).
Any idea why it it not overwriting?
The files are CHOWNed my the owner (FTP user) which is myself.
I want to filter any files uploaded and i have put this line at php.ini
suhosin.upload.verification_script = /my path
But my problem till now i can not make this script. (Disable upload php files)
I uploaded my file to web server(html, image file and css file), but strangely after uploaded it to server all file that I uploaded size 0 KB. I uploaded it using WS FTP.
Is there something wrong the way I uploaded it.
One day, you noticed that someone remotely connectted your computer and an application sends spam/phishing emails bu using your IP. What do you do?
Of course, I stopped the program and blocked remote connection for a while and changed my password... I any way, i have to connect my computer remotely... What do you advice?
By the way, i have more than 1000 email accounts on my computer. Hacker left me a gift, but I don't need them))
I run a Free web hosting service on my server with XPanel script installed. It has around 47K accounts in all. Recently i started getting mails from e-bay, banks and many other institutions regarding the Phishing sites operating from my server for cheating their customers / members. Though i removed them but i have to do it manually and after getting mails from them.
Now that i dont want any more such site to run from my hosting site, What are the options available for me in order to check all accounts automatically and remove any such site on its own? As there are 47K accounts and 100+ new signups each day, it is not possible to check all accounts manually.
I want any script / addon which can check all possible Phishing / Spamming / Spurious / Fraud sites and intimate me/ delete them upon request. Any person using such services? I need your guidance + support.
Looking for some fast and effective answers from experts here.
I are running an Plesk 11.5 on a Ubuntu 12.04 machine. Since days i have problems where i see scripts of phishing sites and mailer scripts installed in the httpdocs directory of various domain.
How I can prevent that people outsiders install this scripts on the server? Where is the bug that allows this?
I used to have my apache 1.3.37 with PHP compiled as a CGI. Whenever i have a php script (say vbulletin forum software) that allow file uploads, files will be uploaded with the correct userid and groupid on the server. However, once i compiled PHP as ISAPI module, the files will be uploaded but will be owned by 'nobody'. Of course i can log in as root and chown it back to the right user, but it's a hassle if there are multiple user accounts on the server and they're using php software on their end. If someone is using an ftp program and tries to overwrite that uploaded file that's owned by nobody, it will not let them do so. Is there a way to fix this, or change the config files that would fix it?
View 3 Replies View RelatedI have a dedicated server, the server itself is secure (as far as I know) and I run lots of my sites from it. I offered a friend hosting for his flash based chat application he built.
Today I was contacted by someone; "Are you the owner of xxxx.net?" so I informed that yes, it was my server and they then showed me an email they'd received from my server. I did a search and apparently someone uploaded mail.php and a couple of files it was using to send out spam based upon a variety of conditions that the other files met. The files contained forenames and surnames, it'd use a forename and a surname then send it to popular free mail services. The email contained ramblings about new world order and promoted a website.
How can I find out how they got the files uploaded to the account and what action can I take? I checked the whois for the domain and have their contact information, however it's a large site so I'm doubtful that the owner did it. I don't want my servers IPs being blacklisted for spam :|
I am wanting to know if there is a way to stop files being uploaded to my vps, via ftp cpanel etc that are malicious..
I have been told there is a way to do this but i havent been told how..
Basicaly i want to know if there is something where i can add a list of keywords that are in the malicious files and what ever it is will stop them from being uploaded or if they manage to get uploaded onto my vps will it make them not work?
I am looking into this as i had an issue before where someone uploaded a shell onto my server :@ luckily it didnt cause no damage or he didnt get anywhere but i still want to be safe.
How many websites can be uploaded to one single webspace account
View 9 Replies View RelatedI have a RHEL 4 plain server, and im using vsftpd server, i can not find an option to specify the max size for uploading files... does anybody know something about this?
View 1 Replies View RelatedI've recently started experiencing some issues where files uploaded through Joomla or some other scripts (mostly PHP) inherit a permission of 600. Prior to updates being done on the server I'm hosted on, uploaded files received 644 permissions and all things worked great.
I've checked the umask that assigned to the shell (022) and have ruled out that as a problem.
I am using a upload script for my files. After upload i cant see them on ftp but can see on panel file manager.
View 9 Replies View RelatedWhenever someone uploads or re-uploads to my server a file relating to a CGI script that sends mail, I get an email with something like:
Quote:
Note: If this is the first time you received this mail, it contains the history for the entire month so far.
Below are the recently upload scripts that contain code to send email. You may wish to inspect them to ensure they are not sending out SPAM.
/home/xxxxxxx/public_html/followup/send2.php:106: if($sc == "buchanan") {
/home/xxxxxxx/public_html/followup/send2.php:107: mail($email, $subject, $creative, $headers);
/home/xxxxxxx/public_html/followup/send2.php:108: }
---
/home/xxxxxxx/public_html/followup/send.php:100: if($sc == "buchanan") {
/home/xxxxxxx/public_html/followup/send.php:101: mail($email, $subject, $creative, $headers);
/home/xxxxxxx/public_html/followup/send.php:102: }
---
What steps can I take to actually inspect them to ensure they are not sending out SPAM?
I created a FTP account with vsftp and files uploaded are not readable via www-data
View 1 Replies View Related