Hi Guys, I just received the following email from google. saying that my site is hosting phishing files. i checked the url provided by them and visited my site, then it redirected me to a fake banking site. However i tried to locate the file/folder from root dir, but seems its not available Any help will be highly appreciated Email from google: (Domain name changed) ----------------------------------------------------------- Dear site owner or webmaster of http://mywebsite.com/, We recently discovered that some pages on your site look like a possible phishing attack, in which users are encouraged to give up sensitive information such as login credentials or banking information. We have removed the suspicious URLs from Google.com search results and have begun showing a warning page to users who visit these URLs in certain browsers that receive anti-phishing data from Google. Below are one or more example URLs on your site which may be part of a phishing attack: http://www.mywebsite.com/~legend/webscr/ Here is a link to a sample warning page: http://www.google.com/interstitial?url=http://www.mywebsite.com/~legend/webscr/ We strongly encourage you to investigate this immediately to protect users who are being directed to a suspected phishing attack being hosted on your web site. Although some sites intentionally host such attacks, in many cases the webmaster is unaware because: 1) the site was compromised 2) the site doesn't monitor for malicious user-contributed content If your site was compromised, it's important to not only remove the content involved in the phishing attack, but to also identify and fix the vulnerability that enabled such content to be placed on your site. We suggest contacting your hosting provider if you are unsure of how to proceed. Once you've secured your site, and removed the content involved in the suspected phishing attack, or if you believe we have made an error and this is not actually a phishing attack, you can request that the warning be removed by visiting this page, and reporting an "incorrect forgery alert." We will review this request and take the appropriate actions. Sincerely, Google Search Quality Team ------------------------------------
Is your webhosting account username legend? If not, then this is referring to someone else's website on that server. They are just routing their request through your website. You need to contact your webhost about this. If it is a cPanel webhost, then they need to disable the mod_userdir module in the Security Center of root's WHM. If it is not a cPanel host, then this option is likely called something slightly different but amounts to the same thing, but I don't know how to tell you how to disable it. You should contact your webhost at any rate, even if legend is your webhosting account username, your webhost should be able to help you with this. But if legend is not your webhosting account username, then there is nothing you can do (I suppose you could switch webhosts, about the only thing you can do if your webhost isn't going to help) as the phishing site is not being hosted on your account.
Did you check your .htaccess file in the root of the website? They put redirects in there. If you find it in there, your FTP account is most likely hacked (or an PHP app on your site is vulnerable). Most often in our experience it is caused by a Worm/Trojan on the client computer that reads out the FTP username/password and sends it to the master. If that is the case, I would suggest to change control panel/email/FTP passwords.