Tracking Down Phishing Site
Jan 10, 2007
We have received a complaint from PayPal that one of the domains was phishing. How to track it down? How to find out the method by which they uploaded it? I checked the /tmp file and couldn't find anything. I checked the access_log file for wget and couldn't find anything.
View 2 Replies
Jul 31, 2007
Someone's managed to upload a phishing site to my VPS.
How do they normally achieve this? There has been no unauthorised root access, as I get an e-mail each time someone logs in as root.
Is it likely they've just managed to guess my ftp password, or is it going to have something to do with a script running elsewhere?
I've got solarvps looking at it now.
View 14 Replies
Jul 20, 2007
I have Awstats on my server enabled for:
Nokia Browser (PDA/Phone Browser)
UP.Browser (PDA/Phone Browser)
Motorola Browser (PDA/Phone Browser)
My question is, are the visitors a day accurate - which I take to be uniques. It seems these must be pretty far off.
Presently they show an extremely high multiple of that for pages/s (approx 30 -50 times the visitors). I've never heard of visitors clicking this many pages.
I've not come across these kinds of numbers with other non-mobile sites and it makes me wonder if it's right.
A) is tracking handled in the same way on mobile devices as on desktops (cookies or sessions?) And is this reliable for mobile/handheld/cell-phone devices?
B) There really isn't much of a chance of these page views being a result of bookmarks - the page views don't seem to add up to this.
The 'Browser Top 10' hits coming from 'unknown' are > 50% of the total amount.
Are there any quirks with awstats or other tracking software when it comes to mobile devices, even though the activity is taking place on the server? I take it Urchin may be more accurate?
View 0 Replies
Dec 11, 2007
My company is just getting into web hosting. We currently have 10-15 sites that we are hosting. What do you guys use to keep track of all the details for the site (location, company info, etc.)? We're using a homegrown FileMaker database atm, but we don't want to continue using this when we get 50+ sites. It doesn't matter if it's web-based or a standalone program.
View 6 Replies
Nov 1, 2007
With my server I ran into a big issue with phishing sites. I have secured my server with a firewall and many other security things, but I can still sometimes see someone place a phishing site. ServerBeach suspended my server a few times. I know this is not being done by the users themselves, but however it's coming into the server. On the security side, I now only have to go through the sites and check all writable directories.
Is there any way to monitor the phishing activities? Maybe it's some kind of script someone is running inside the server?
View 8 Replies
Jun 15, 2007
I currently run a dedicated server and for the past 2 months or so have been attacked by some hackers or so. Meaning that on my sites every other day there is a folder of a phishing site. It is either a PayPal, eBay, etc. phishing site and I know that I did not upload it there. I have tried almost anything to stop that, but it just keeps happening. My server company suggested doing an OS reload, but I am not sure, as that will cost me $100. Has anyone faced a problem like this who can give a few suggestions? I use a cPanel server.
View 8 Replies
Jun 1, 2008
I'm not that techy. I'd like to ask why this person downloaded the file below before uploading some phishing webpages on my account? I've changed my password numerous times from different computers and even from a mobile phone just to check if the person can still get in. But again it is no use; the person was able to upload phishing pages.
logs:
May 25 21:50:42 server100 pure-ftpd: (weblogin100@62.56.133.36) [NOTICE] /home/weblogin100//.htpasswds/update/Login.php downloaded (21251 bytes, 755.78KB/sec)
Right now I have deleted all other scripts on the account, and some HTML files remain. Folders were also set to 644, not 777. While waiting to see if the person can still upload his phishing pages, please help me understand why he downloaded the file above. I've checked the files on my account and I cannot see Login.php. By the way, I have a root login and only two accounts were constant phishing victims.
View 1 Replies
Jun 9, 2009
I spotted a user on my site with the hostname: gator832.hostgator.com
This particular visitor identified themselves as a "visitor", with the user agent: Mozilla/4.8 [en] (Windows NT 6.0; U)
Upon typing the user's IP into Google, a boatload of "phishing" / "bad bots" logs come up.
My question: Can I identify visitors like this via automation?
i.e.: fake users. People who masquerade themselves as a human, while they're really a bot.
(I only noticed this potentially 'bad' user because I was viewing my visitor log in real-time. -I was on at the very moment they were-)
In previous experience, not every user with the "host" phrase in their hostname is a bad user, so sniffing those bits wouldn't do anything useful.
View 0 Replies
Apr 26, 2008
Gmail has a feature to detect email phishing, and it marks them with a red header alert saying "Warning: This message may not be from whom......". I believe this red alert has nothing to do with the SPF record of that email, so how does it detect it as a phishing email?
We have an SPF record and I sent an email from another server. When I received that email the SPF record was "softfail" but it does not have that red alert.
View 0 Replies
Feb 18, 2007
I am running a hosting service. Recently a user put a phishing site on the server, pretending to be an eBay signup page and soliciting passwords. I had all kinds of trouble with this, because eBay complained to my server company.
I would like to ask if you know any solution that would block such sites automatically?
It could search for some predefined texts on the page (such as "sign in to eBay") and block the page if they are found. I wasn't able to find anything in Apache documentation.
View 6 Replies
May 28, 2008
I've lots of:
[warn] RewriteCond: NoCase option for non-regex pattern '-f' is not supported and will be ignored.
[warn] RewriteCond: NoCase option for non-regex pattern '-d' is not supported and will be ignored.
Any ideas how to track them?
View 5 Replies
May 18, 2009
How can I track and follow a process ID?
For example, I need to know what the following process is:
14764 root 39 15 11712 9.8m 1668 R 20 0.1 0:14.22 perl
I need to know which/where file used perl with process ID 14764.
View 6 Replies
May 13, 2008
I have a CentOS box here that is causing some strange load. Brand new X3230 (4*2.66Ghz), 2GB ram and 2*500GB SATA2 in raid-1 on a LSI MegaIDE controller.
Basically the server is continuously at a load of 1. However, I don't see why. No CPU load, and no IO as far as I can see. Does anybody have a tip where to look for the problem?
Quote:
top - 05:01:56 up 1:53, 2 users, load average: 1.00, 1.02, 1.20
Tasks: 81 total, 1 running, 80 sleeping, 0 stopped, 0 zombie
Cpu0 : 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Cpu1 : 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Cpu2 : 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Cpu3 : 0.3%us, 0.0%sy, 0.0%ni, 99.7%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 2072132k total, 591072k used, 1481060k free, 65652k buffers
Swap: 2048276k total, 0k used, 2048276k free, 461532k cached
Quote:
# iostat
Linux 2.6.18-53.el5 (xxxx.xandrios.net) 05/14/2008
avg-cpu: %user %nice %system %iowait %steal %idle
2.65 0.56 5.56 0.97 0.00 90.26
Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn
sda 6.44 99.67 255.89 686581 1762792
Quote:
# hdparm -tT /dev/sda
/dev/sda:
Timing cached reads: 16092 MB in 2.00 seconds = 8057.39 MB/sec
Timing buffered disk reads: 88 MB in 3.04 seconds = 28.92 MB/sec
With the WHT benchmark test the machine scores about 520 points, seems not bad either.
Only thing I could think of is that it has something to do with the raidcard. The data transfer rate is quite low. Could it be that the card is rebuilding the array? Can I check that without rebooting?
View 8 Replies
Mar 22, 2007
A user is running something that eats up all the server memory very quickly. Looking at the access logs this is all I get:
XX.XX.XX.XX - - [22/Mar/2007:12:58:06 -0400] "GET /index2.php?option=com_rss&feed=RSS1.0&no_html=1 HTTP/1.1" 403 -
XX.XX.XX.XX- - [22/Mar/2007:12:58:47 -0400] "GET /index2.php?option=com_rss&feed=RSS1.0&no_html=1 HTTP/1.1" 403 -
XX.XX.XX.XX - - [22/Mar/2007:12:58:58 -0400] "GET /index2.php?option=com_rss&feed=RSS1.0&no_html=1 HTTP/1.1" 403 -
Now there are quite a few index2.php's located on my server so I can not figure out who is running this. When I run ps ax -o pid,user,rss,command|grep httpd
I get about 20-30 of these:
13808 nobody 17360 /usr/local/apache/bin/httpd -DSSL
How can I figure out where this script is being run from?
View 2 Replies
Sep 18, 2008
I want to post here about RapidVPS hosting,
they host all scam and phishy sites like Hyip.
What is Hyip? Here-> [url]
My proof:
and so on too many hyip scams, very big list.
All provided IP addresses are registered with
OrgName: Infinitum Technologies Inc. (RapidVPS)
OrgID: INFIN-27
Address: 873 Grand Regency Pte.
Address: Suite 201
City: Altamonte Springs
StateProv: FL
PostalCode: 32714
Country: US
All IP addresses are provided for
network: Organization-Org-Name:NVHSERVER Inc
network: Organization-Name:Ha Nguyen
network: Description-Usage:Internet Service Provider
I have contacted the RapidVPS admin and this guy (name is Rick) never answers my reports,
just ignores me, bans me, I'm sure he is the owner of all this scam.
I have created account on the RapidVPS forum,
and Rick ban me for my first post about hyip scam on their servers,
here is proof: [url]
If you wanna ask about this issue, contact Rick directly: rickb@rapidvps.c0m
Guys, what do you think about this issue, or maybe it's normal for all US hosters?
Your comments, please.
Thanks for reading this post and for your time.
Here is more info about hyip scam:
fbi.gov/majcases/fraud/fraudschemes.htm#ponzi
sec.gov/answers/ponzi.htm
View 14 Replies
Dec 17, 2007
I don't know about security on servers much, and we're setting up our new server. I have the techs doing the install stuff, but I would love to know what to install security wise. My current list:
Firewall - good free one?
Antivirus - good free one?
rootkit, some way of stopping it (anti-rootkit?)
Also, is there some sort of script which searches all cPanel accounts/files for phishing sites or spam sites etc? I swear I've seen one before, in firewall form?
Oh the server setup is going to be:
php5-CGI, fCGI, mySQL 5, apache 2.2.x, centOS, ruby on rails, django, ioncube, other php libraries, mod_rewrite, I think that's everything. (cPanel).
View 4 Replies
Jan 9, 2009
Does anyone know if Ubercart has embedded affiliate tracking capabilities? Do you know if any other open source e-shop has this feature? Could you suggest something you know from experience or heard of?
View 0 Replies
Jan 13, 2009
software for tracking the bandwidth usage on servers? It would be nice if there is one that has a web interface and the ability to add multiple different servers for tracking. Looking for something that runs on Linux (CentOS in particular).
View 6 Replies
May 24, 2008
I have a few questions about emails. I have root access to the server in question.
1.) I have a spammer on my server and I'm having trouble tracking him down. Anyone have any suggestions?
2.) I'm using cPanel and WHM. Is there any way to track by account how many emails they're sending?
View 2 Replies
Mar 26, 2007
I just finished an information website and my corporation is now asking if there's a way to track the most popular pages on the site. Is there a way to do this with a pre-built function in MySQL or will we need to build a module? I have no experience working with MySQL or ASP.NET; as a purely client-side designer I want to be able to help but I'm at my limit.
View 1 Replies
Jun 2, 2009
I know Brent from HostGator reads here so thought I'd share this. If you are an Australian you are more than likely getting phishing emails supposedly from Commonwealth Bank (Australia's largest bank). I get about 20 a day to all my email addresses; here's one I got today:
We recorded a payment request from "HostGator -www.hostgator.com- Reseller Web Hosting"
to enable the charge of $74.95 on your account.
Because the order was made from an African internet address, we put an Exception Payment on
transaction id #POS PAYM7284 motivated by our Geographical Tracking System.
THE PAYMENT IS PENDING FOR THE MOMENT.
If you made this transaction or if you just authorize this payment, please ignore or remove this email
message. The transaction will be shown on your monthly statement as "HostGator - Reseller Web Hosting".
If you didn't make this payment and would like to decline the $74.95 billing to your card, please follow
the link below to cancel the payment :
Cancel this payment (transaction id #POS PAYM7284)
NOTE: Because email is not a secure form of communication, please do not reply to this email.
© Commonwealth Bank of Australia 2009 ABN 48 123 123 124
Of course I'm not a customer of this bank nor am I with HostGator, but these emails are getting more sophisticated by the day.. please also see [url]
View 6 Replies
Nov 3, 2009
Recently, there have been a lot of "apache" processes hogging my cPanel server with the default owner "nobody". How could I track the apache process back to which user is using it?
View 8 Replies
Apr 9, 2007
I am using Yahoo Webservice API.
[url]
Recently I found out that I often hit the 5000 search per day limit.
I think I found a way to track usage of my Application ID with it. I want to know which IP has been using my APPID, for example.
However, I forget how.
Is this possible?
View 4 Replies
Jul 12, 2007
Is there a good service for tracking server uptime (and therefore, downtime)?
View 4 Replies
Apr 23, 2009
One day, you noticed that someone remotely connected to your computer and an application sends spam/phishing emails by using your IP. What do you do?
Of course, I stopped the program and blocked remote connection for a while and changed my password... Anyway, I have to connect to my computer remotely... What do you advise?
By the way, i have more than 1000 email accounts on my computer. Hacker left me a gift, but I don't need them))
View 9 Replies
Aug 30, 2007
I run a free web hosting service on my server with the XPanel script installed. It has around 47K accounts in all. Recently I started getting mails from eBay, banks and many other institutions regarding the phishing sites operating from my server for cheating their customers / members. Though I removed them, I have to do it manually and after getting mails from them.
Now that I don't want any more such sites to run from my hosting site, what are the options available for me in order to check all accounts automatically and remove any such site on its own? As there are 47K accounts and 100+ new signups each day, it is not possible to check all accounts manually.
I want any script / addon which can check all possible phishing / spamming / spurious / fraud sites and intimate me / delete them upon request. Is any person using such services? I need your guidance + support.
Looking for some fast and effective answers from experts here.
View 10 Replies
May 22, 2014
I am running Plesk 11.5 on an Ubuntu 12.04 machine. For days I have had problems where I see scripts of phishing sites and mailer scripts installed in the httpdocs directory of various domains.
How can I prevent outsiders from installing these scripts on the server? Where is the bug that allows this?
View 4 Replies
Dec 11, 2014
We need to add visitor tracking code to the control panel so we know who's using it and we can prompt inline chat etc. for support, but where to start?
The code is a mixture of div tags and JavaScript.
How can we add this, as there is no common footer file to drop the code into?
View 2 Replies
Mar 29, 2009
Attached is a (badly) drawn diagram of two sites, connected by a vpn.
The site to the left is network 10.0.0.0/24, which runs a Linux server as the router for the network.
The site to the right is network 10.1.0.0/24, which runs a Windows 2003 server as the router for the network.
Now, my problem is, the clients behind the Windows 2003 server can ping any machine on the first network because I set up a static route to route all traffic to 10.0.0.0/24 over the VPN interface.
Now, my problem is, only the Linux server can ping any machine on the Windows 2003 network; any client behind the Linux server can't seem to route over the interface.
I have the following route on the Linux server: .....
View 0 Replies
Apr 14, 2015
Starting point: a working site using a shared IPv4, dedicated IPv6, and SSL. HTTP and HTTPS work, the latter only using SNI of course.
The good news: If I simply allocate an IP resource of 1 to a subscription it is pulled from the pool, assigned to the service node, assigned to the web site, DNS is updated, and the site is automatically changed to using a Dedicated IPv4 and Dedicated IPv6.
The bad news: visitors land on the default web site of the service node, with the default SSL certificate.
Other info: I can't ping the new IP, even though it shows in "ip a l" and /etc/sysconfig/network-scripts/ifcfg-eth0:0. [edited]
After the IP assignment, it is still installed, and /etc/httpd/conf/plesk.conf.d/ip_default/domainname.conf shows the new certificate is being used.
However, a second set of VirtualHost entries is created in server.conf for this IP for ports 80 and 443, with NameVirtualHost enabled on the new IP. The port 443 entry uses the default certificate. Apache's setup this default VirtualHost entry will override the web site configuration because Apache is listening on port 443 with the wrong cert.
If I go to "Change webspace settings" and toggle to Shared IPv4, Dedicated IPv6 the site works again via HTTPS, and Dedicated IPv4 and Dedicated IPv6 breaks it again. Setting the SSL cert to None and back again does not work.
Setting the SSL cert to None, changing to a dedicated IP, and enabling SSL results in the server being inexplicably inaccessible... browsers no longer connect to either the default site or the correct site, and I don't see any entries in the vhost's logs.
View 6 Replies