Web Hosting Talk
eBay, spoof, FBI... How bad this story is?


FIAHOST
05-08-2005, 08:15 AM
True story: a good webmaster from Vietnam


Hello there,

I would like to share with you this amazing story that happened to one of our resellers this week. The reseller account was terminated by us, he lost his customers and he may face criminal charges.

The guy lives in Switzerland, but he is from Vietnam. He signed up for a 3Gb/50Gb reseller account with us. He placed a few customers on the account, then he decided to upgrade his website to a new and better version.

He hired a webmaster from Vietnam. Not any webmaster, but a guy who works for an internet firm there.

Two days ago, we received this email from the company that owns the data center where our servers are located:


Subject: [eBay:******] Security Incident - Ebay
Dear ****,

We have just learned that your service is being used to display false or "spoofed": eBay.com pages, apparently in an effort to steal personal and financial information from consumers, and defraud eBay users. Specifically, it appears that a **** user is sending unsolicited messages which misrepresent the sender as eBay, and making false statements that encourage the recipient to go to a page hosted by you at

http://1.2.3.4/vbb/images/editor/.ebay/

is asked to enter personal information. The purloined information is then sent to an email account and, based on our investigation of similar schemes, used to steal accounts and commit other fraudulent acts including international credit card and wire fraud.

This matter is urgent - we believe that consumers have been falsely directed to this page and may be fooled into divulging personal information to a criminal if the page is not immediately disabled. We ask that you immediately disable the site at http://1.2.3.4/vbb/images/editor/.ebay/ as well as any associated email addresses, so that this fraudulent scheme can be stopped. We further request that you provide us with all contact information that you have for this user so that we may provide this information to the proper law enforcement authorities.

While we believe that the above information gives your company more than a sufficient basis for disabling the page immediately, out of caution we note that your user's unauthorized reproduction of eBay's trademark and copyrighted materials violates federal law, and places an independent legal obligation on your company to remove the offending page(s) immediately upon receiving notice from eBay, the owner of the copyrighted materials. Accordingly, the information below serves as eBay's notice of infringement pursuant to the Digital Millennium Copyright Act, 17 U.S.C. Section 512 (c)(3)(A):

I, the undersigned, CERTIFY UNDER PENALTY OF PERJURY that I am the agent authorized to act on behalf of the owner of certain intellectual property rights, said owner being named eBay Inc. I have a good faith belief that the website located at URL http://1.2.3.4/vbb/images/editor/.ebay/ as its copyright in each page of its website and associated source code. Please act expeditiously to remove or disable access to the material or items claimed to be infringing.

We sincerely appreciate your immediate attention to this important matter. We would also appreciate if you would take steps to confirm the accuracy of any contact information that your user may have provided to you in establishing the account. Should you have any accurate information that could assist eBay and law enforcement in tracking this individual, we greatly appreciate your assistance, as we know that you do not condone the use of your services for such criminal purposes.

Finally, please be advised that we have referred this issue to the Federal Bureau of Investigation for their investigation. The F.B.I. has requested that we convey to you in this message their request that you preserve for 90 days all records relating to this web site, including all associated accounts, computer logs, files, IP addresses, telephone numbers, subscriber and user records, communications, and all programs and files on storage media in regard to all Internet connection information, pursuant to 18 U.S.C. Section 2703(f). While we do not act as an agent of the FBI in conveying this request, we do intend to fully cooperate with their investigation, and encourage you to do so as well.

eBay Inc.
Audit and Investigations

I gave the customer address to the data center manager. I don't know how bad this story is...

WindyCity
05-08-2005, 09:38 AM
we do intend to fully cooperate with their investigation, and encourage you to do so as well. With the amount of spoofs that I get personally every day from PayPal and eBay phishing, I think this has to be common these days. Not much you can do about stopping this as long as the client gets past your signup criteria, you just never know what people will try.:)

TheNuke-Alex
05-08-2005, 09:51 AM
I hope this works out for you. Just be as cooperative as possible. The FBI will go to any length to prevent internet fraud and scams, which includes shutting down your business. Post back.

FIAHOST
05-08-2005, 09:58 AM
The client looks like a respectable one. I sent them all the information I have about him including his street address and email address. Also, minutes after I received this email, just the time to read it, I terminated the account and made a copy of all files in it. I am making these files available to the authorities.

TheNuke-Alex
05-08-2005, 10:03 AM
Good. Remember, don't be a lazy host (not that I'm calling you out, just for everyone to know in the future ;)). Check the websites that you're hosting, check the content. You can have 20,000 customers, but unless you have a general idea of what your servers have on them, you don't know if everything you have is up to par. In fact, in the next week I'm going to look into the same thing. This thread is an eye-opener for me too. Before this incident, it was merely a rumor to me that the FBI may one day be putting its foot on your door.

thomas.smith
05-08-2005, 10:57 AM
Happened to me like 5 to 10 times so far... The best you can do is to delete everything immediately. What I don't understand is why the DC (that is what I am understanding) reports something like that to the FBI. It is useless to even investigate against such people.
I already had the police knock on my door once and I had to call the German equivalent to the FBI. They were asking me for an IP address. I told them that I don't have an IP address... Never heard from them again.

Btw... If you have a lot of customers and own the DC don't even waste your time with monitoring your servers because it is not your problem unless you know... However, if you hire your servers in a DC and are a small company you absolutely need to monitor your servers because it will get you into trouble with the DC if you have crap on the servers.

thomas.smith
05-08-2005, 11:05 AM
By the way:
http://1.2.3.4/vbb/images/editor/.ebay/

That sounds like it was not the account owner who was hosting that stuff, but someone used a security hole to hack into the account and placed these pages on it. It has happened to me with long term reliable customers... Suddenly they have that crap on their sites and sometimes they even contact you before you realize it. Then it turns out that the hacker had access to their email account or managed to sniff their account password.

FIAHOST
05-08-2005, 11:07 AM
Thank you for your kind words. eBay sent this email to the data center and they forwarded it to me. I don't know if eBay actually reported this issue to the FBI or if they want to do it.

The customer contacted me but he did not accept to give me the webmaster's name or address. Maybe this webmaster is a friend of his, maybe he doesn't exist...

FIAHOST
05-08-2005, 11:10 AM
The customer asked me for a dedicated IP for an SSL certificate. So, he was granted a dedicated IP and then he was able to have an IP based website.

Any folder under his public_html was accessible via http://IP/foldername

But they managed to install a spam software on our /tmp directory. For some reason, this directory was unprotected. He sent many emails to ask people to visit his spoof page.

thomas.smith
05-08-2005, 11:15 AM
Ah...ok. What I recommend to do is to limit the amount of outgoing mails to 500 or even 200 per hour and user. Then if someone sends such emails everything will end up in the queue and your server will get slow. Then you will realize that something is wrong and will look after it and you will see the illegal mass mailings. This just happened to me and I could stop the guy after he had sent just 500 emails or something. 500 emails aren't much of a problem for you... But 20,000 emails can get you on the spam lists and get you into trouble with your DC and the FBI... Also install the X-PHP header package from http://choon.net/php-mail-header.php This will help you to identify the script that sent the emails and you will be able to shut the guy down without much damage caused.
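The per-user hourly limit suggested above is a rate check over the mail log. The following is an added example, not code from the thread or from any poster: it assumes a simplified, constructed log line format ("YYYY-MM-DD HH:MM:SS user=<unix user> to=<recipient>"; real MTAs such as sendmail or exim log differently), counts accepted messages per sending user per calendar hour, and flags any user above the limit. The X-PHP header package mentioned in the post is not reproduced here.

```python
import re
from collections import Counter

# Constructed log format assumed for this example; adapt LINE_RE to the MTA in use.
LINE_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2} \d{2}):\d{2}:\d{2} user=(?P<user>\S+) to=(?P<rcpt>\S+)$"
)


def count_per_user_hour(lines):
    """Count outgoing messages per (sending user, calendar hour)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # lines in any other format are ignored, not counted
        counts[(m.group("user"), m.group("hour"))] += 1
    return counts


def flag_senders(lines, limit=200):
    """Return (user, hour, count) for every user who sent more than `limit`
    messages within one hour; 200 and 500 are the limits the post suggests."""
    counts = count_per_user_hour(lines)
    return sorted((user, hour, n) for (user, hour), n in counts.items() if n > limit)


def build_sample_log():
    """Constructed sample: one normal user and one account used for a spam run."""
    lines = [
        "2005-05-08 10:01:12 user=alice to=friend@example.org",
        "2005-05-08 10:47:03 user=alice to=family@example.org",
        "May  8 10:05:00 host sendmail[123]: unrelated line in another format",
    ]
    for i in range(350):  # 350 messages from one account inside a single hour
        lines.append(f"2005-05-08 10:{i // 60:02d}:{i % 60:02d} user=bob to=u{i}@example.net")
    return lines


if __name__ == "__main__":
    for user, hour, n in flag_senders(build_sample_log()):
        print(f"{user}: {n} messages in hour {hour} (limit exceeded)")
```

Run from cron against the real log, this only reports after the fact; the post's point is that an MTA-side limit makes the excess queue up on the server instead of leaving it, so the report and the limit complement each other.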

FIAHOST
05-08-2005, 12:06 PM
That sounds good. Tomorrow, first thing in the morning I'll ask my technician to limit the emails and install this script. Thank you for the hint :-)

TheNuke-Alex
05-08-2005, 03:22 PM
Originally posted by thomas.smith
Happened to me like 5 to 10 times so far... The best you can do is to delete everything immediately. What I don't understand is why the DC (that is what I am understanding) reports something like that to the FBI. It is useless to even investigate against such people.
I already had the police knock on my door once and I had to call the German equivalent to the FBI. They were asking me for an IP address. I told them that I don't have an IP address... Never heard from them again.

Btw... If you have a lot of customers and own the DC don't even waste your time with monitoring your servers because it is not your problem unless you know... However, if you hire your servers in a DC and are a small company you absolutely need to monitor your servers because it will get you into trouble with the DC if you have crap on the servers.

Easily the worst piece of advice I've ever seen on here. If the FBI contacts you about something like this, the worst thing you can do is start getting rid of stuff. The door swings both ways. The evidence that can get this person caught is the same evidence that will pull you off the hook (provided you're not involved). The worst thing you can assume is that the law will absolutely recognize your innocence in every case possible. Guess what...your server, your responsibility. Your post leads me to believe that you've never had that happen to you, because after a few incidents like this any police organization would pull the plug on you, at best. Please don't give crap advice.

thomas.smith
05-08-2005, 03:29 PM
No, I meant delete it if you find it... Not delete it if the FBI is asking for it. I was talking about the case where you find something before anyone reports it to you.

iHostKing
05-08-2005, 03:36 PM
The first thing I thought of when I saw the letter you posted was, what if the letter you sent was a spoof to get the guy offline?

Obviously, I would start making phone calls and checking things before I take anybody's account down. This probably could be done real quickly.

Man, the internet is becoming like a cesspool. The good far outweighs the bad, but the crooks, cons, criminals, spammers, hackers, and other scumbags are really trashing it big time.

TheNuke-Alex
05-08-2005, 03:58 PM
Originally posted by thomas.smith
No, I meant delete it if you find it... Not delete it if the FBI is asking for it. I was talking about the case where you find something before anyone reports it to you.

So how do you expect to find users like this if you think it's a waste of time monitoring the accounts?

thomas.smith
05-08-2005, 04:08 PM
Ok, again...

If you have a lot of customers and own the DC don't even waste your time with monitoring your servers because it is not your problem unless you know... However, if you hire your servers in a DC and are a small company you absolutely need to monitor your servers because it will get you into trouble with the DC if you have crap on the servers.

TheNuke-Alex
05-08-2005, 04:52 PM
Yeah, but there is no excuse not to monitor your customers whether you own a datacenter or you rent from one. That's what I'm getting at. Just because you're innocent you're still tied to it.

thomas.smith
05-08-2005, 05:44 PM
If you own the DC then what is the point of monitoring someone's server? You are not legally required to do it and it only causes you trouble because you will have to decide whether it is legal or not.

FIAHOST
05-08-2005, 06:12 PM
I host more than 1000 websites. I can't monitor them all. Add to this, the questionable material is not always on the start page.

In this case, the main web page looks fine. The eBay spoofed page was hidden in a sub-sub-sub-folder. There are millions of folders on our machines. If we hire someone to look into them all, he will need all his life to complete the job. For such things, even if we monitor what we can, we rely on complaints.

Do you know, all, every file on your servers?

TheNuke-Alex
05-09-2005, 06:26 AM
Originally posted by edelweisshosting
I host more than 1000 websites. I can't monitor them all. Add to this, the questionable material is not always on the start page.

In this case, the main web page looks fine. The eBay spoofed page was hidden in a sub-sub-sub-folder. There are millions of folders on our machines. If we hire someone to look into them all, he will need all his life to complete the job. For such things, even if we monitor what we can, we rely on complaints.

Do you know, all, every file on your servers?

No, but at least I have a general idea what I'm hosting. I never said check every file. Yes these things are often hidden, but a little vigilance is still needed. And thomas, you still can't seem to grasp that what is hosted on your servers is your responsibility.

thomas.smith
05-09-2005, 02:33 PM
>And thomas, you still can't seem to grasp that what is hosted
>on your servers is your responsibility.

The thing is I am paying my DC a lot of money so I expect them to contact me and allow me to remove the content. This causes work for them - but that is what I am paying them for: service and a server. So I do not expect to have my server shut down completely after they find MP3s two times. It costs them nothing but work and I am paying them for their work.

TheNuke-Alex
05-09-2005, 05:09 PM
Yeah but if the law finds your MP3s before they do, they may have no choice but to shut you down. And what good does that do? Your company is down, and so are your customers.

thomas.smith
05-09-2005, 06:08 PM
Yes, you can't blame it just on the DCs... It is the stupidity of the whole of mankind. They would rather see one guilty person burn with 599 innocent people burning too, than save the innocent people and let the guilty person get away with it.

page-zone
05-09-2005, 06:19 PM
If you look for some of these filenames you may find the site before it can go live:

agreement.htm
Complete.htm
loginloading.htm
loginsubmit.php
paypal.gif
pp.htm
processing.htm
processing.php

These are the filenames used in one of the latest script kiddie packages.

jn0vara
05-11-2005, 09:38 AM
Originally posted by page-zone
If you look for some of these filenames you may find the site before it can go live:

agreement.htm
Complete.htm
loginloading.htm
loginsubmit.php
paypal.gif
pp.htm
processing.htm
processing.php

These are the filenames used in one of the latest script kiddie packages.

See now I think you are on to something....

Rather than attempt to put up a list of fraudulent users or sites, I think a list should be compiled of offending files used in these scripts.... I wish I were technical enough to build an anti-fraud script program that uses code signatures loaded in by the community and works like Anti-Virus. Can you imagine the power of an app like that where you can set it up to scan your server for code like that and alert you?

Why isn't phishing/scams/etc treated like viruses and trojans? I should be working for Norton....LOL!

Just my $0.025

page-zone
05-11-2005, 09:53 AM
That would work.

jn0vara
05-11-2005, 01:18 PM
/me runs to the patent office... :)

I wonder if that could be written in PHP.....

;)

Azavia
05-11-2005, 01:44 PM
You could very easily set up a PHP script to search for those filenames, using locate. Maybe have a cron run daily and email you any findings.

Azavia
05-11-2005, 02:15 PM
Alright, I hope some find this useful. This will run daily and email you all potential files.



Login as root to the shell
mkdir phishing
cd phishing
pico phishingfiles
Now paste the files mentioned above into the file, press Ctrl+X and save the file
pico phishingfind
Now put the following code into this file, editing the appropriate variables:

#!/usr/bin/php
<?php

// Edit these variables to configure the script
$recip   = 'root@mercury.zapx.net';
$subject = 'Potential phishing files';
$headers = "From: root@mercury.zapx.net\n";
$msg = <<<MSG
========================================
Potential phishing files
========================================
MSG;

// Read the list of filenames from the file next to this script (not from the
// current directory), so it still works when cron runs it from elsewhere.
$files = file(dirname(__FILE__) . '/phishingfiles');

$found = '';
foreach ($files as $file) {
    $file = trim($file);          // file() keeps the trailing newline on each line
    if ($file === '') {
        continue;                 // skip blank lines in the list
    }
    // escapeshellarg() keeps an odd entry in the list from being run as a shell command
    $found .= shell_exec('locate ' . escapeshellarg($file));
}

$found = trim($found);
// explode() on an empty string still yields one element, so report 0 explicitly
$count = ($found === '') ? 0 : count(explode("\n", $found));
$msg  .= "\n\n$count files found\n\n";

mail($recip, $subject, $msg . $found, $headers);

?>

Save the file and exit pico

chmod 700 phishingfind
ln -s /etc/cron.daily/ phishingfind


To test, just type:
./phishingfind

It worked great for me. :)

I hope that is helpful.

page-zone
05-11-2005, 02:42 PM
That's a nice script. Is there a quick way to have it reference a file list on another server.

Azavia
05-11-2005, 03:04 PM
Hi,

Whew, I wasn't able to access wht for a few minutes because of some javascript error that keeps crashing my browser.

Anyway, yes. You can simply replace the filename passed to the file() function to the full URL.

Brandon

FIAHOST
05-11-2005, 04:09 PM
Sounds great! Thank you. I am installing it on all my servers, but there is something wrong:

[root@178630 phishing]# ./phishingfind
-bash: ./phishingfind: /usr/bin/php: bad interpreter: No such file or directory

Azavia
05-11-2005, 04:16 PM
Please type:

whereis php

to find the PHP interpreter. It is generally in /usr/bin, but you may also try /usr/local/bin.

page-zone
05-11-2005, 04:16 PM
Cool, I haven't tried it with putting the full URL of the file list but this is a great tool for at least calling your attention to such things. It produces a lot of false positives, for instance locating pp.htm finds:

/var/www/manual/mod/mod_python/dir-other-pp.html

but that's not a big deal.

Azavia
05-11-2005, 04:26 PM
When I ran it, there were about 16 false positives, mostly in fantastico and in my own user directory.

page-zone
05-11-2005, 04:36 PM
I'd almost rather have them.

WO-Jacob
05-11-2005, 07:33 PM
uhm, make sure you're grepping for public_html... that way you knock out any not in web directories...

Azavia
05-11-2005, 07:49 PM
Yeah that could be done, just change the line that executes the command in php to this:
$found .= `locate $file |grep public_html`;

By the way I think I got the syntax of ln wrong. It should be, I believe:
ln -s phishingfind /etc/cron.daily/

Brandon

Peter Corcoran
05-12-2005, 03:35 AM
Nice scripting. 10000x better than what I could have done!

WO-Jacob
05-12-2005, 10:05 AM
might also want to add a / in front of the file names to kill off partial matches if you're sure that those will be the only files :)

Azavia
05-12-2005, 10:12 AM
You might find this useful too. Someone suggested this to me on another forum. Using this command:
find /home -exec grep -il "ebay\|paypal" {} \;
will search for all files which mention paypal or ebay. But the only thing is that these are much more popular, since if someone uses paypal on their site to have people pay for an item, they most likely mention paypal. But it may be of interest.

Edit: I should note that this uses considerably more system resources and is considerably slower than the other method. :)

WO-Jacob
05-12-2005, 10:15 AM
instead of /home, try /home/*/public_html as there's no point tracking anything not web accessible really
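The posts above converge on one scanner: page-zone's list of kit filenames, Azavia's locate script, WO-Jacob's points about restricting to public_html and killing partial matches, and the find/grep search for "ebay" or "paypal" with its false positives. The block below is an added example written for this thread, not code from any poster: it walks every <home>/<user>/public_html tree (the layout WO-Jacob describes, assumed here), matches the kit filenames on the exact basename so a file like dir-other-pp.html is not a hit, and greps for the brand names only inside directories that already contain kit files, which keeps a legitimate shop page that mentions PayPal out of the report. The sample tree it builds in a temporary directory is constructed for the demonstration; the filenames come from page-zone's post and the hidden-directory path pattern from the eBay letter.

```python
import os
import re
import tempfile

# Filenames from page-zone's post earlier in the thread.
KIT_FILENAMES = frozenset({
    "agreement.htm", "Complete.htm", "loginloading.htm", "loginsubmit.php",
    "paypal.gif", "pp.htm", "processing.htm", "processing.php",
})
# Same terms as the find/grep one-liner in Azavia's post.
BRAND_RE = re.compile(rb"ebay|paypal", re.IGNORECASE)


def mentions_brand(path, limit=1 << 20):
    """True if the first `limit` bytes of the file mention ebay or paypal."""
    try:
        with open(path, "rb") as fh:
            return BRAND_RE.search(fh.read(limit)) is not None
    except OSError:
        return False


def scan_docroots(home_root, min_kit_files=1):
    """Report every directory under <home_root>/<user>/public_html that holds
    at least `min_kit_files` of the known kit filenames (exact basename match).
    Brand-name grepping is only done inside those directories."""
    findings = []
    for user in sorted(os.listdir(home_root)):
        docroot = os.path.join(home_root, user, "public_html")
        if not os.path.isdir(docroot):
            continue  # not web accessible: skipped, as WO-Jacob suggests
        for dirpath, _subdirs, filenames in os.walk(docroot):  # dot-dirs included
            hits = sorted(KIT_FILENAMES.intersection(filenames))
            if not hits or len(hits) < min_kit_files:
                continue
            brand = sorted(f for f in filenames if mentions_brand(os.path.join(dirpath, f)))
            findings.append({"user": user, "dir": dirpath,
                             "kit_files": hits, "brand_files": brand})
    return findings


def build_sample_tree():
    """Constructed sample layout (hypothetical users 'shop' and 'vbb'):
    a legitimate shop that mentions PayPal and has a partial-match filename,
    and a site whose editor image directory hides a kit."""
    root = tempfile.mkdtemp(prefix="phish-scan-")
    shop = os.path.join(root, "shop", "public_html")
    os.makedirs(os.path.join(shop, "docs"))
    with open(os.path.join(shop, "index.html"), "w") as fh:
        fh.write("<p>We accept PayPal.</p>\n")
    with open(os.path.join(shop, "docs", "dir-other-pp.html"), "w") as fh:
        fh.write("<p>manual page</p>\n")  # partial match for pp.htm, must not hit
    kit = os.path.join(root, "vbb", "public_html", "vbb", "images", "editor", ".ebay")
    os.makedirs(kit)
    for name in ("pp.htm", "loginsubmit.php", "processing.php", "paypal.gif"):
        with open(os.path.join(kit, name), "w") as fh:
            fh.write("Sign in to eBay\n" if name.endswith(".htm") else "")
    os.makedirs(os.path.join(root, "apache", "manual"))  # no public_html: ignored
    return root


def report(findings):
    """Plain-text report, one block per directory, suitable for the daily mail."""
    lines = [f"{len(findings)} suspicious directories found"]
    for f in findings:
        lines.append(f"{f['user']}: {f['dir']}")
        lines.append("  kit files:   " + ", ".join(f["kit_files"]))
        lines.append("  brand files: " + (", ".join(f["brand_files"]) or "-"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(scan_docroots(build_sample_tree())))
```

Raising min_kit_files to 2 or 3 drops single stray matches like a lone paypal.gif; the walk reads only the files in flagged directories, so it stays far cheaper than grepping every file under /home.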

Azavia
05-12-2005, 10:17 AM
I wasn't aware that wildcards worked in find. That's a good idea though.

WO-Jacob
05-12-2005, 10:20 AM
it's not that it works in find, it's that the bash shell resolves globs (wildcards and such) before it's sent to the program.

If you have something like ./mycmd * with the files 'hello' and 'hello2' in the directory...

it will be like running ./mycmd hello hello2

neat, huh? :)

Azavia
05-12-2005, 10:23 AM
Oh ok, I didn't know that. Thanks :)