Site hacked with phishing sites

Discussion in 'Security' started by mediait, Oct 6, 2007.

  1. #1
    I got an email from someone called the RSA Anti-Fraud Command Center saying I was hosting a phishing site on my domain and to get it off. When I looked at my FTP there were 3 subdomains with folders and files that shouldn't be there.

    How does this happen, and what can I do to prevent it happening again?

    How can someone create sub domains and then populate them with files and folders? If they had my login details wouldn't they have changed them so I couldn't get in?

    I use a hosting plan, so does that mean the host server is not secure?

    I have had lots of different hosts over the years and never had this happen before.

    I'd appreciate any help.

    Thanks.
     
    mediait, Oct 6, 2007 IP
  2. chickens

    #2
    It could be various things; most commonly it would be a remote exploit on your site somewhere. If someone can run a PHP shell script from your site via a cross-site scripting (XSS) problem then they can get access to anything on your site. They can then create anything they want on your site.

    Another attack could be the entire server. Since you are running a shared server (I believe that is what you meant) then I would think the entire server would be compromised. If I was attacking a server I would create my own account on the server and you would not see anything.

    If you have a good host I would contact them and let them know what's going on. They can then look at the logs and see what's going on. If your host is not great they might not do anything.
     
    chickens, Oct 6, 2007 IP
  3. dnahosting

    #3
    There were probably some writable folders on the server somewhere. Did you have a blog or something where you had installed some plugins or other themes? There are vulnerabilities if there are some writable folders that someone can exploit via an XSS to upload a malicious script that gives them access to basically everything on the server.
     
    dnahosting, Oct 6, 2007 IP
  4. Fedorpheux

    #4
    My guess is that somebody found an easy exploit somewhere and decided to take advantage of it while it lasted.
    The only solution is to just be careful with what scripts you run on your site(s).
     
    Fedorpheux, Oct 7, 2007 IP
  5. jkrish41

    #5
    Just make sure you always check for the latest upgrades of the software, and also check exploit sites once a day to make sure none of your scripts are on there. Even though there are 0-days, they won't USUALLY be used on you unless you are a big company/site.
     
    jkrish41, Oct 7, 2007 IP
  6. inworx

    #6
    It simply means your account or possibly the server is compromised.

    Ask your host to check the logs and they may be able to help.
     
    inworx, Oct 20, 2007 IP
  7. toby

    #7
    Probably that dude has access to your cPanel account, i.e. your username and password are easy to guess.

    It happened to me once.
     
    toby, Oct 25, 2007 IP
  8. jkjazz

    #8
    OK, I have been fighting the phishers for a while.

    Look over all of your folders and change the setting from 777 to 755.

    My server was also running an old version of php. My web host upgraded to a newer version. I lost my chatroom in the process, but at least my sites are still up.

    Look for tar files that you don't recognize. I don't know what they are, but somehow the phishers upload them and they unzip into directories that contain the phishing pages.

    Good luck!

    O crap, I just saw that this thread is 3 weeks old. Maybe this advice will help someone else.
     
    jkjazz, Oct 25, 2007 IP
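
The checks from post #8 (777 folders and unrecognized tar files) as an added shell example; it is not part of any post in this thread. The function names and the web-root argument are assumptions, and the tar check is extended to catch uncompressed archives that were renamed to hide their extension.

```bash
#!/usr/bin/env bash
# Constructed audit helper for a hosted web root; all names here are illustrative.

# Directories writable by every account on the host (o+w set, as in mode 777).
list_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 -print
}

# Reset those directories to 755 (owner rwx, group/other r-x), printing each change.
tighten_world_writable_dirs() {
    list_world_writable_dirs "$1" | while IFS= read -r dir; do
        chmod 755 "$dir" && printf 'chmod 755 %s\n' "$dir"
    done
}

# True if the file has the tar magic "ustar" at byte offset 257.
# Compressed archives do not show this magic; those are matched by extension below.
has_tar_magic() {
    [ "$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null | tr -d '\0')" = "ustar" ]
}

# Archives by extension, plus any other regular file that carries the tar magic.
list_tar_archives() {
    find "$1" -xdev -type f -print | while IFS= read -r f; do
        case "$f" in
            *.tar|*.tar.gz|*.tgz|*.tar.bz2) printf '%s\n' "$f" ;;
            *) if has_tar_magic "$f"; then printf '%s\n' "$f"; fi ;;
        esac
    done
}

# Report both findings when a web root is passed as the first argument.
if [ -n "${1:-}" ]; then
    echo "World-writable directories:"; list_world_writable_dirs "$1"
    echo "Tar archives:"; list_tar_archives "$1"
fi
```

Review the report before running `tighten_world_writable_dirs`, since an upload or cache folder that the web server writes to under a different user will stop accepting writes at 755.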