Phishing scams and server security

Discussion in 'Security' started by esiason14, Dec 28, 2005.

  1. #1
    Well, I woke up this morning and found this email waiting for me in my inbox (forwarded from my host):
    ---------------------------------------------------------------
    [XXXX] AOL Reporting Abuse - Password Solicitation
    Date: Tue Dec 27 23:15:41 2005
    From: AOL OpsSec Countermeasures <antiphishing@aol.net>
    To: , ,

    Hello,

    The URL stated in this report has been investigated and found to
    contain a Phishing site. Please inspect this url and take the
    required action to disable this site at your earliest convenience.
    http://XXXX.com/files/aolcard/?JbQq...TDrferHCURstHbsYaNyApAisNRFD&login_access=109

    Thank you for giving this matter your attention.
    AOL Operations Security
    Investigations & Countermeasures
    Ticket: [XXXXXX]
    ________________________________________________________________

    It turns out someone had created a mock AOL page on my site asking for credit card info, passwords, etc. Anyway, we got the files deleted and hopefully straightened out.

    I have shared hosting with a big hosting company. My question is: should I be worried about this? Now that these people know that they can access the server, will they be back?

    Has anyone else had this happen to them? How do you go about ensuring that this doesn't happen again... or at least lessen the chance?
     
    esiason14, Dec 28, 2005 IP
  2. Corey Bryant
    #2
    You need to change your password immediately. And contact your hosting company to find out what IP accessed your site. They might not be able to give it out but at least they can confirm it is not your IP.

    If it keeps happening, get another hosting company. I actually ran into a guy here in Denver, the same thing was happening to him. His website had been hacked at least twenty times.
     
    Corey Bryant, Dec 30, 2005 IP
  3. esiason14
    #3
    I changed all of my passwords to my control panel, DBs, FTP, etc... and these guys were still getting in. It happened at least 15 times. I would delete the files and an hour later they would pop back up, all of them set with root permissions. So, I contacted my host and they absolutely refused to help me... other than to delete the files. So... I spent literally 24 hrs straight monitoring my logs and I finally figured out how these guys were getting in.

    On all my sites, I noticed these files were being called:
    /drupal/xmlrpc.php
    /phpgroupware/xmlrpc.php
    /wordpress/xmlrpc.php
    /blogs/xmlsrv/xmlrpc.php
    /blog/xmlsrv/xmlrpc.php
    /blog/xmlrpc.php
    /xmlrpc/xmlrpc.php
    /xmlrpc.php

    Well, on 9 of my 10 sites, these files were never present. Anyway, they were using this as a way to gain access. There's more to it, but I don't want to post it here. ;)
    So I just took down my one site that had this vulnerable file until I could update... and changed all folders that were chmod 777. These URLs are still being called almost hourly, but they haven't been able to get back in.

    http://vil.nai.com/vil/content/v_136821.htm#MethodOfInfection
     
    esiason14, Dec 31, 2005 IP
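As an added example (not posted by anyone in this thread), a small Python log scanner that does what esiason14 did by hand: it reads Apache combined-format access log lines, groups requests for the xmlrpc.php paths listed above by client IP, and separates paths that actually exist on the host (2xx) from guessed paths that do not (404). The log lines, addresses and threshold are constructed for the example.

```python
import re
from collections import defaultdict

# The xmlrpc.php locations esiason14 saw being requested on every site.
XMLRPC_PATHS = {
    "/drupal/xmlrpc.php", "/phpgroupware/xmlrpc.php", "/wordpress/xmlrpc.php",
    "/blogs/xmlsrv/xmlrpc.php", "/blog/xmlsrv/xmlrpc.php", "/blog/xmlrpc.php",
    "/xmlrpc/xmlrpc.php", "/xmlrpc.php",
}

# Apache combined format: client ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Return (ip, path-without-query, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path").split("?", 1)[0], int(m.group("status"))

def find_xmlrpc_probes(lines, min_hits=3):
    """Per client IP with >= min_hits requests to known xmlrpc.php paths, report the
    count, which paths exist on this host (2xx) and which were merely guessed (404).
    Walking several of these paths on a host serving at most one is a sweep, not a blog client."""
    by_ip = defaultdict(lambda: {"hits": 0, "found": set(), "missing": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] not in XMLRPC_PATHS:
            continue
        ip, path, status = parsed
        by_ip[ip]["hits"] += 1
        if 200 <= status < 300:
            by_ip[ip]["found"].add(path)
        elif status == 404:
            by_ip[ip]["missing"].add(path)
    return {ip: {"hits": r["hits"], "found": sorted(r["found"]),
                 "missing": sorted(r["missing"])}
            for ip, r in by_ip.items() if r["hits"] >= min_hits}

# Constructed sample log lines (not from the thread); RFC 5737 test addresses.
SAMPLE_LOG = """\
198.51.100.7 - - [31/Dec/2005:09:00:01 -0500] "POST /xmlrpc.php HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [31/Dec/2005:09:00:02 -0500] "POST /blog/xmlrpc.php HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [31/Dec/2005:09:00:02 -0500] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 512 "-" "-"
203.0.113.5 - - [31/Dec/2005:09:05:10 -0500] "GET /index.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Dec/2005:09:05:12 -0500] "GET /wordpress/xmlrpc.php HTTP/1.1" 200 42 "-" "Mozilla/5.0"
"""

PROBES = find_xmlrpc_probes(SAMPLE_LOG.splitlines())  # only 198.51.100.7 is flagged
```

A client that is flagged with several entries under "missing" is guessing at install locations; the single hit to an existing file from 203.0.113.5 stays below the threshold and is not reported.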