
What Can You Do to Identify or Know if Your Site is Being Used for Phishing?



JulieV
07-20-2009, 09:42 PM
Hi guys,

As the title suggests: "What Can You Do to Identify or Know if Your Site is Being Used for Phishing?"
I have been hacked three times recently and now my hosting company is advising me that my site is being used for phishing.

What else can I do? I cannot even see the unwanted content. How can I see that and how can I remove it?

Thanks
JulieV

oracleguy
07-20-2009, 09:58 PM
Well you could ask them how they know, their checks/evidence would help guide you to solve the issue.

VIPStephan
07-20-2009, 09:59 PM
And you could show us your site in question so we may be able to look and see if there’s something obvious in the code.

JulieV
07-20-2009, 10:44 PM
Hi,

Since I have been hacked three times, I am beginning to get scared, especially after I received the email from my host Godaddy.com that my site has been used for phishing.

I do not know how to look for the bad contents on my website, as when I look at it, it seems to be okay. One senior coder here was generous enough to tell me that it has something to do with c99madshell. I just got this now.
My website is Mynoogee.com.

This is the initial website that was used and then they went to my 3 other sites, 2 of which are not even live; I have not published those websites, they were just part of my hosting account.

Thanks
JulieV

_Aerospace_Eng_
07-20-2009, 11:04 PM
That site is just a parked domain. There is no site there. Did you remove the site?

JulieV
07-20-2009, 11:28 PM
I just did, because I am afraid that my AdSense account will be compromised.
And it has gone through 4 of my sites, all in the Godaddy.com account, and I have 10 domains hosted in this one account. So far the rest are still going and not compromised yet, but I don't know if they will stick.

How are you doing Aerospace_Eng?

JulieV

_Aerospace_Eng_
07-20-2009, 11:30 PM
I'm doing fine, thanks.

It's likely that a contact form on your site might be used to send out emails that try to collect personal data, in which case GoDaddy might think your site is being used for phishing.

No one will be able to help you if you don't show anyone your code.

oracleguy
07-20-2009, 11:32 PM
It's likely that a contact form on your site might be used to send out emails that try to collect personal data, in which case GoDaddy might think your site is being used for phishing.

Good idea, I actually had to fix a site 3 or 4 years ago now that was having that problem. I just added some checks to protect the form fields from an email injection attack. I think someone here on CF posted the necessary regular expressions. I'll see if I can find the thread later.

_Aerospace_Eng_
07-20-2009, 11:38 PM
Good idea, I actually had to fix a site 3 or 4 years ago now that was having that problem. I just added some checks to protect the form fields from an email injection attack. I think someone here on CF posted the necessary regular expressions. I'll see if I can find the thread later.

I've always found this article useful in helping prevent email injection.
http://www.phpbuilder.com/columns/ian_gilfillan20060412.php3
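The email injection the two posts above describe works because a contact form drops a visitor-supplied value straight into a mail header line, and a carriage return or line feed inside that value ends the line and starts a new header (for example an extra Bcc: list). The following is an added example, not code from the thread or from the linked article, showing the "before" and "after" of the check that was mentioned; the mailbox addresses and field names are assumptions made for the demonstration, and the two form submissions are constructed.

```python
import re

# A single mail header occupies one line. A CR or LF inside a header value ends
# that line, so whatever follows is parsed as a new header: that is the injection.
_HEADER_BREAK = re.compile(r"[\r\n]")
_ADDRESS = re.compile(r"[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+")

def is_clean_header_value(value: str, max_len: int = 200) -> bool:
    """True only if value can safely occupy one header line."""
    return len(value) <= max_len and not _HEADER_BREAK.search(value)

def build_message_insecure(form: dict) -> str:
    """The 'before': form fields copied into headers unchecked (shown only to contrast)."""
    headers = [
        "To: webmaster@example.com",       # hypothetical site mailbox
        f"From: {form['email']}",
        f"Subject: {form['subject']}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + form["message"]

def build_message_secure(form: dict) -> str:
    """The 'after': every header-bound field is validated; the body may contain newlines."""
    for field in ("email", "subject"):
        if not is_clean_header_value(form.get(field, "")):
            raise ValueError(f"refusing to send: {field} contains a header line break")
    if not _ADDRESS.fullmatch(form["email"]):
        raise ValueError("refusing to send: malformed email address")
    headers = [
        "To: webmaster@example.com",
        "From: contact-form@example.com",  # fixed sender; the visitor goes in Reply-To
        f"Reply-To: {form['email']}",
        f"Subject: {form['subject']}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + form["message"]

def count_recipient_headers(raw_message: str) -> int:
    """How many To/Cc/Bcc lines ended up in the header block; injection makes this grow."""
    header_block = raw_message.split("\r\n\r\n", 1)[0]
    return sum(1 for line in header_block.split("\r\n")
               if re.match(r"(?i)(to|cc|bcc):", line))

# Constructed submissions: an honest one and one smuggling a Bcc: header via CRLF.
HONEST = {"email": "visitor@example.org", "subject": "Question about hours", "message": "Hi"}
ATTACK = {"email": "visitor@example.org",
          "subject": "Hello\r\nBcc: victim1@example.net, victim2@example.net",
          "message": "Hi"}

if __name__ == "__main__":
    print(count_recipient_headers(build_message_insecure(ATTACK)))  # 2: the injected Bcc got in
    print(count_recipient_headers(build_message_secure(HONEST)))    # 1
    try:
        build_message_secure(ATTACK)
    except ValueError as exc:
        print(exc)
```

The same rule applies whatever language the form handler is written in: anything that lands in a header is rejected (not just stripped) when it contains a line break, the From: header stays fixed to an address on your own domain, and only the message body is allowed to span lines.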

JulieV
07-20-2009, 11:50 PM
The Mynoogee site is only a simple HTML site, the same as the other one, and they do not have an email capture or anything like that. Just a plain static website with a lot of directories amounting to about 1600 hundred pages.

Before I deleted the website, someone here sent me a private message and said that it's in one of the pages... that has something to do with this: it's called c99madshell.php
http://forums.theplanet.com/index.php?showtopic=90109 and if I look at the page where he showed me this, it's exactly what's in my website. Kind of an eerie thing; that's why I just pulled down my affected sites.

Thanks
JulieV

_Aerospace_Eng_
07-20-2009, 11:55 PM
It might not be that exact hack/file but it could be something similar. It does come down to a form somewhere on your site, though.

Are you able to put a password on your site through godaddy?

JulieV
07-21-2009, 01:24 AM
Yes. What I don't know is if my computer is compromised or something, but I do have Norton 360 and have already run Malwarebytes Anti-Malware on my computer and it didn't find anything except this. Files Infected:
d:\backup\programdata\{0c067481-4ace-4387-bd53-e083082dc882}\OFFLINE\71747601\2302A1E7\memman.vxd (Rogue.sysCleanerPro) -> Quarantined and deleted successfully.

thanks
JulieV

_Aerospace_Eng_
07-21-2009, 07:01 AM
Download Cure-It and run it.

http://www.freedrweb.com/

I don't think it's your system that is the issue though. I think it's your code somewhere. Do what we've told you to do and contact your host and ask them why they think you are using your site for phishing.

JulieV
07-21-2009, 04:31 PM
Hi,
I downloaded the freedrweb tool but somehow I cannot find it on my computer, so I need to check it later and run it, as I am going for some medical stuff.
I did what you guys have said and I have also contacted Godaddy.com and advised them that I have already deleted them from my hosting account, and they did show me a screenshot of the affected sites.
Here is their letter to me:
Dear Sir or Madam,

It has been brought to our attention that your domain name has been implicated in a phishing scheme. This action is a violation of Go Daddy's Universal Terms of Service and Domain Registration Agreement.

A phishing attack is an attempt to steal Internet users personal identity data and/or financial or ecommerce account information. The term "phishing" arises from the use of increasingly sophisticated lures to "fish" for users' financial information and passwords. Phishing schemes use 'spoofed' e-mail messages to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers.

In short, your website is being used to commit crimes against innocent people.

In your particular case, your site is actively being used to obtain login information from ALLIANCE LEICESTER customers; a screenshot of the offending content has been attached. The offending content can be found at the URL provided in this screenshot.

The content located on your site must be removed immediately.

It is possible that a third party was able to gain access to your website, without your knowledge, in order to upload these files and initiate this abusive action. This does not change the fact that it is your responsibility to ensure that your website is secure from this type of exploitation. Because of this possibility we are giving you this opportunity to stop this abuse.

Thanks for all your input in this matter.

JulieV

VIPStephan
07-21-2009, 05:23 PM
Which software (e. g. CMS) are you using to manage your site(s) if at all? Perhaps the issue is some vulnerability in the software itself?

But really, all we can currently do is guess because we were never able to look at the site(s) and/or their code. A site can’t be hacked if there are just static files without the option of third party manipulation from outside. So either somebody has your hosting/FTP account login info or the server where you’re hosting the site is being exploited.

oracleguy
07-21-2009, 07:29 PM
So either somebody has your hosting/FTP account login info or the server where you’re hosting the site is being exploited.

Which are both real possibilities. FTP is not a secure protocol; your username and password go over the wire in clear text. If GoDaddy supports SFTP, you really should use it.

JulieV
07-21-2009, 11:42 PM
I wish I could have shown you guys so that you could have a look, but I am scared to re-publish it and then the bad code will work again and use my site for phishing.
This was the previous page http://www.mynoogee.com/blogging/ where one of the guys from this forum found the bad code/contents. I don't know if you can get or retrieve a screenshot of the page while it was still live.
What I am afraid of is if it is in my XsitePro web builder, but I have used three different anti-malware cleaners to sanitize my computer and found nothing... that includes Cure-It from freedr.com.

Thanks
JulieV

RabidMango
07-21-2009, 11:42 PM
Just a plain static website with a lot of directories amounting to about 1600 hundred pages.

Make sure you check all the directories' contents with the highest administrative access you can (e.g. if you were on the command line on a Linux server, you would use ls -a to see the invisible files in a particular directory, as well as all the others).

Phishing hackers were to blame for my learning Linux admin in the first place (many years ago), if you take my meaning (I had server hosting, but someone else had set it up for me - after a fake ebay site was run through my server to collect credit cards etc, my ISP got me to take the server down and reinstall it). The first thing I ever had to do with a linux system was rebuild the kernel. I had to rebuild the kernel when up to then the only two commands I knew were netstat and top. Although by then I knew a fair bit of perl, but nothing about servers, not a thing.

What I found was that they hid invisible folders (filenames beginning with a . are invisible unless you have admin privileges higher up than usual basic hosting and FTP privileges, I believe) in the HTML side of my server so they could send people to them through spam, and capture their data like that.

I never got off the commandline after that. Always hunting for invisible files. One part of the new anti-hacker system I'm building for myself is called "Invisible Man Finder", for looking for any invisible files/folders which have been added without my express knowledge (and confirmation, by hand) and indeed monitoring the alteration and addition of any other files - a log of changes, amongst other things.


Postscript: I cannot resist throwing in some invisible man finding Perl code:

#!/usr/bin/perl
use strict;
use warnings;

# Sample names to test against (the originals from the post).
my @names = (".htaccess", ".moo", "baa", "oink.woof");

my @out;
foreach (@names) {
    # Keep any name that starts with a non-word character (a dot, for instance).
    push @out, $_ if /^\W/;
}

print "$_\n" for @out;

(is a good start, although perhaps one can be more explicit... still, I don't see why you'd need to - what other files begin with nonword characters?)
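The post above describes two habits that are worth keeping: looking for dot-files and dot-directories the hosting panel does not show, and keeping a record of which files were added or changed since the site was known to be clean. The block below is an added example (not RabidMango's tool, which is only described) that does both against a directory tree: it records a SHA-256 manifest of a web root, lists every hidden entry, reports additions, removals and modifications since the baseline, and flags files that should not exist on a purely static site (anything server-executable such as .php). The small site it builds in a temporary directory, and the tampering it simulates, are constructed for the demonstration; on real hosting you would point it at a downloaded copy of the account.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every file under root; os.walk does not skip dotfiles."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            manifest[full.relative_to(root).as_posix()] = sha256_of(full)
    return manifest

def find_hidden(root: Path) -> list:
    """Every file or directory that is a dot-entry, or sits inside a dot-directory, under root."""
    hidden = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            rel = (Path(dirpath) / name).relative_to(root)
            if any(part.startswith(".") for part in rel.parts):
                hidden.append(rel.as_posix())
    return sorted(hidden)

def diff_manifest(baseline: dict, current: dict) -> dict:
    """Files added, removed or modified since the baseline was taken."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }

STATIC_SUFFIXES = (".html", ".htm", ".css", ".js", ".jpg", ".jpeg", ".png", ".gif", ".ico", ".txt")

def unexpected_files(current: dict, known_names=(".htaccess",)) -> list:
    """On a site meant to be static HTML, any other file type (a .php file, say) deserves a look."""
    return sorted(
        p for p in current
        if Path(p).name not in known_names and Path(p).suffix.lower() not in STATIC_SUFFIXES
    )

def demo() -> dict:
    """Constructed walkthrough: baseline a tiny static site, simulate tampering, report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "blogging").mkdir()
        (root / "index.html").write_text("<html>home</html>")
        (root / "blogging" / "index.html").write_text("<html>blog</html>")
        (root / ".htaccess").write_text("Options -Indexes\n")
        baseline = build_manifest(root)  # take this while the site is known to be clean
        # Simulated tampering (constructed): a hidden directory holding a PHP file, and an edited page.
        (root / ".cache").mkdir()
        (root / ".cache" / "upload.php").write_text("<?php /* constructed placeholder */ ?>")
        (root / "blogging" / "index.html").write_text("<html>blog<iframe src='#'></iframe></html>")
        current = build_manifest(root)
        return {
            "hidden": find_hidden(root),
            "diff": diff_manifest(baseline, current),
            "unexpected": unexpected_files(current),
        }

if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Keep the baseline manifest somewhere the web server cannot write to; a manifest stored inside the web root can be edited by the same access that planted the files.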

JulieV
07-21-2009, 11:49 PM
When this particular site was hacked, I had to change the hosting passwords three times and then it stopped. But then a week later is when I got this email from my hosting company Godaddy that my site has been used for phishing. That is why I am afraid to touch my XsitePro Web Builder, because I am thinking it might be there. Is that a possibility even after a thorough check and cleaning of my computer?

Thanks,
JulieV

RabidMango
07-22-2009, 12:16 AM
They don't necessarily have to have used your "cms" login or any ftp password to have put a file in your account. All they need to do is find a php script with potential for injecting. Depending on file and directory permissions, as well as what certain fields might do in a php script, people can create a file on someone else's machine without even gaining access in any way. Are any of your pages dynamic? i.e. php or anything similar. Anything interactive at all?

_Aerospace_Eng_
07-22-2009, 04:41 AM
Post the screenshot godaddy gave you. We can't help you without seeing your code, plain and simple.

JulieV
07-22-2009, 06:57 PM
Sorry guys, I don't know how to attach the screenshot from the email that was sent to me. I tried downloading it to my computer and tried to attach it, but it doesn't work. I can forward the email if possible so you can see the screenshot, but the screenshot doesn't show the actual code that was in the webpage. To see the exact configuration and how it looks, go here: http://www.derekfountain.org/security_c99madshell.php. The first picture is exactly what shows on my Mynoogee.com/blog/ webpage.

I hope this would help,

Thanks
JulieV

RabidMango
07-22-2009, 10:13 PM
To see the exact configuration and how it looks, go here: http://www.derekfountain.org/security_c99madshell.php. The first picture is exactly what shows on my Mynoogee.com/blog/ webpage.

So you deleted the page which was showing that, yes?

Now your problem is knowing how it got in...

So, questions which may help me or someone else help you solve it:

1. Do you have any .php scripts in your account?
2. Have you recently had a spyware infection on your home computer?

If the answer to (1) is yes, then I suggest you post some of the code here, so someone can tell you if there are any vulnerabilities in it - you can look up the name of any script or software you are concerned with along with the keyword vulnerabilities (etc) and if it is a known "exploit" you should be able to find that out.

If the answer to (2) is yes...

3. You seem to say you changed the password 3 times and then the attacker was locked out finally - did you also only clean up the possible spyware problem on your machine during the 3rd lockout? If yes, you are probably already safe.
---------------------


4. Do you have any user logs with your account? If so, download a copy ASAP and have a look at the IP address of whoever used those pages. Strictly speaking your host is a bunch of gimps because they could easily have checked that themselves and known fully that you are innocent, and they could no doubt have helped you solve this and saved you sleepless nights.
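Point 4 above is the one a defender can act on without any code from the site: the raw access log shows who requested the offending path, when, and what else they did. The block below is an added example (not part of the thread) that reads lines in the common "combined" log format most shared hosts let you download, summarises every client that touched a flagged area of the site (here /blogging/, the path named earlier in the thread), and separately lists requests that look out of place on a static HTML site: any POST, and any GET for something other than a page or asset. The five log lines are constructed and use documentation-reserved IP addresses.

```python
import re
from collections import defaultdict

# Apache-style "combined" log format; the referer/agent pair is optional so plain "common" lines parse too.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# What a static site is expected to serve; anything else is worth a second look.
STATIC_ENDINGS = (".html", ".htm", ".css", ".js", ".png", ".jpg", ".gif", ".ico", "/")

def parse_line(line: str):
    """One log line -> dict of fields, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def review(lines, flagged_prefix: str):
    """Per-IP activity under flagged_prefix, plus a list of requests that do not fit a static site."""
    by_ip = defaultdict(lambda: {"hits": 0, "first": None, "last": None, "paths": set()})
    oddities = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            oddities.append(("?", "UNPARSED", line.strip(), "-"))
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string for grouping
        if path.startswith(flagged_prefix):
            entry = by_ip[rec["ip"]]
            entry["hits"] += 1
            entry["first"] = entry["first"] or rec["time"]
            entry["last"] = rec["time"]
            entry["paths"].add(path)
        if rec["method"] == "POST" or not path.lower().endswith(STATIC_ENDINGS):
            oddities.append((rec["ip"], rec["method"], path, rec["status"]))
    summary = {ip: {**e, "paths": sorted(e["paths"])} for ip, e in by_ip.items()}
    return summary, oddities

# Constructed sample log (reserved documentation addresses; no real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Jul/2009:10:01:12 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Jul/2009:10:05:44 -0700] "POST /blogging/.cache/upload.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [20/Jul/2009:10:06:02 -0700] "GET /blogging/.cache/upload.php?view=1 HTTP/1.1" 200 9870 "-" "Mozilla/4.0"',
    '203.0.113.25 - - [20/Jul/2009:11:30:55 -0700] "GET /blogging/login.html HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [20/Jul/2009:11:31:10 -0700] "GET /blogging/ HTTP/1.1" 200 2200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    summary, oddities = review(SAMPLE_LOG, "/blogging/")
    for ip, entry in summary.items():
        print(ip, entry["hits"], entry["first"], entry["last"], entry["paths"])
    for item in oddities:
        print("odd:", item)
```

The first address to make a POST to a path you never created, and the earliest timestamp on it, is what you hand to the host along with the question of how that file got there; the later visitors to the same area are most likely the lured victims rather than the intruder.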

VIPStephan
07-22-2009, 11:18 PM
Would it be possible to upload a ZIP file with the contents of your site as it was stored on the server before and give us the link? OK, I understand that there may be privacy or copyright issues. But maybe someone with the appropriate knowledge is willing to run the site on a local testing server to find the vulnerability? I wouldn’t volunteer due to lack of programming skills but that just popped into my mind.


