Thread: Phishing Folders
-
02-11-2012, 07:54 AM #1Junior Guru Wannabe
- Join Date
- Jan 2011
- Location
- Plymouth, UK
- Posts
- 98
Phishing Folders
Hi,
Recently we've had a few clients report to us that a few folders have mysteriously been appearing under their public_html directories. These folders contain phishing files.
How could this have happened, and how can we prevent it in the future? We've secured everything we can, yet a couple are still getting through.
Has anybody else had this happen? Is it just weak passwords or something much more serious?
James
Reddex UK | Affordable, Low-Cost, Reliable & Secure Shared Hosting
99.95% Uptime, cPanel Included, Over 200 Apps, Backup Utility, WordPress,
CloudFlare, 24/7/365 Support, 30 Day Money Back, Social Media Support
Shared Web Hosting | Reseller Hosting
-
02-11-2012, 08:19 AM #2Elite Webmaster
- Join Date
- Nov 2008
- Location
- Florida, U.S
- Posts
- 1,738
All it takes is one outdated script to exploit such as WordPress and hackers can gain access to an account and upload files to it. Are your clients using any scripts in these accounts that have been compromised? And if so.. Are these scripts up-to-date?
Do you not have root access to view the server logs and see exactly how they got in?
HOSTLEET.COM, LLC - Elite Website Hosting Since 2008!
★ Fast ★ Reliable ★ Affordable ★ Secure ★ Friendly & Courteous
★ RISK-FREE Money Back Guarantee ★ U.S.A Based & Operated
★ Read Through Our Most F.A.Q's!
-
02-11-2012, 08:21 AM #3Junior Guru Wannabe
- Join Date
- Jan 2011
- Location
- Plymouth, UK
- Posts
- 98
All clients affected have WordPress accounts yes.
More importantly, in the last few minutes I have been told by the datacentre that the server is lined up for termination because of breach of their contract. Moreover, there is nobody to speak to at the weekend.
I was given absolutely no notice, they have just suspended my server and given me read-only FTP access and then they said that they will terminate the account.
What are the legalities on this? Are they even permitted to suspend a server full of lots of clients without *any* notice?
James
-
02-11-2012, 06:40 PM #4Web Hosting Master
- Join Date
- Nov 2005
- Location
- BC, Canada
- Posts
- 776
Interesting.. I had an AUP case in our datacenter for the same thing. A directory of randomly generated characters was sitting in someone's public_html folder with some JS files. Links to those files were being inserted in spam/phishing mails from various sources. I know it was a cPanel server but I don't know what else the client had installed.
|| Higher Intellect || Half a million documents and climbing.
|| OMGWTFBBQ || Nothing of value here.
-
02-11-2012, 08:10 PM #5Web Hosting Master
- Join Date
- Jan 2010
- Location
- USA
- Posts
- 2,173
It could be an outdated web app running in the site with a known vulnerability. Make sure all of the web apps (like WordPress and Joomla) are kept up to date, and don't forget to update the plugins and themes.
The problem could also be caused by stolen FTP account details. Check your FTP logs around the time the phishing folder appeared to see if the user accessed their site via FTP. There is client-side malware out there that will steal FTP login details from the configuration files on a webmaster's computer and email the login details back to a hacker. Ask the webmasters of the affected sites to run a malware scanner (like MalwareBytes Anti-Malware) on their computers to see if there was a client-side malware infection. After that, ask the clients to change their passwords and encourage (or preferably require) them to use very hard to guess passwords.
█ No Support Linux Hosting ● Bargain cPanel Hosting ● Experts Only
█ We IGNORE the support questions, and pass the SAVINGS on to YOU!
█ We also ignore questions about VPS Hosting
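Added example, not part of any post in this thread: a sketch of the FTP log check suggested above, assuming the server records transfers in the standard xferlog layout. The log lines, account name, folder name and addresses are constructed sample data, and the function names are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample lines in the standard xferlog layout (assumed log format).
SAMPLE_LOG = """\
Mon Feb  6 10:02:11 2012 1 198.51.100.20 5120 /home/client1/public_html/index.php b _ i r client1 ftp 0 * c
Sat Feb 11 03:14:52 2012 1 203.0.113.7 4312 /home/client1/public_html/x7f3kq/login.php b _ i r client1 ftp 0 * c
Sat Feb 11 03:14:55 2012 1 203.0.113.7 880 /home/client1/public_html/x7f3kq/form.js a _ i r client1 ftp 0 * c
Sat Feb 11 09:30:00 2012 1 198.51.100.20 2048 /home/client1/public_html/about.html b _ o r client1 ftp 0 * c
"""

def parse_xferlog(text):
    """Yield one dict per well-formed transfer line."""
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 18:
            continue  # truncated or foreign line
        try:
            when = datetime.strptime(" ".join(tok[:5]), "%a %b %d %H:%M:%S %Y")
        except ValueError:
            continue
        yield {"time": when, "host": tok[6],
               "path": " ".join(tok[8:-9]),  # tolerate spaces in the path
               "direction": tok[-7], "user": tok[-5]}

def uploads_near(text, folder, appeared_at, window=timedelta(hours=6)):
    """Return uploads into `folder` within `window` of its appearance.
    known_host is False when the account never used that source host
    before the window, which points towards stolen FTP credentials."""
    recs = list(parse_xferlog(text))
    start, end = appeared_at - window, appeared_at + window
    prefix = folder.rstrip("/") + "/"
    hits = []
    for rec in recs:
        if rec["direction"] != "i" or not rec["path"].startswith(prefix):
            continue  # "i" marks an incoming transfer (an upload)
        if not start <= rec["time"] <= end:
            continue
        earlier = {r["host"] for r in recs
                   if r["user"] == rec["user"] and r["time"] < start}
        hits.append({**rec, "known_host": rec["host"] in earlier})
    return hits
```

An empty result means the folder was not written over FTP in that window, which shifts attention to the web application and its access logs.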
-
02-12-2012, 02:04 AM #6Cloud & Web Hosting Specialist
- Join Date
- Oct 2007
- Posts
- 4,332
Another possible cause of this is the Symlink exploit on Apache and LiteSpeed which is not patched officially to date. It only takes one hosting account to be hacked to cause all other accounts to be affected.
[ James Lee - Cloud & Web Hosting Specialist • 10+ Years WHT Veteran]
[ Magento Performance Consultation by Magento Master ]
-
02-12-2012, 03:03 AM #7Temporarily Suspended
- Join Date
- Sep 2011
- Location
- USA
- Posts
- 278
I'd recommend getting a security company to help you in server management.
-
02-12-2012, 04:06 AM #8NetDynamics LLC - One-stop Solution for Hosting Needs
We love Backups! Backup storage for your server backups
-
02-12-2012, 06:06 AM #9Junior Guru Wannabe
- Join Date
- Jan 2011
- Location
- Plymouth, UK
- Posts
- 98
I already had a dedicated server with OVH and now I'm moving over to Hetzner because of all the trouble. It's completely unreasonable to suspend a whole server because it got hacked and then to say that it won't be back online ever again.
I will take a look at all your suggestions, thanks!
James
-
02-12-2012, 05:15 PM #10Aspiring Evangelist
- Join Date
- Aug 2008
- Posts
- 376
-
02-12-2012, 05:22 PM #11Junior Guru Wannabe
- Join Date
- Jan 2011
- Location
- Plymouth, UK
- Posts
- 98
It's not the fact that we don't take security seriously, it's the fact that you can never 'detect' phishing as such until it has been reported. How can we possibly stop that? Of course, as soon as phishing has been reported to us, we will remove it immediately and take appropriate actions. Other than that, what else do you expect us to do? Are you like OVH? Will you terminate a server for being hacked - something which is most definitely not the server administrator's fault?
I also don't appreciate the response you gave. It's not exactly a welcome statement for switching to your company is it?
-
02-12-2012, 06:38 PM #12Aspiring Evangelist
- Join Date
- Aug 2008
- Posts
- 376
That sounds great, and it should work with us. It is the way most of our clients handle these issues pretty well.
Anyway, in general, we are very strict about spam/outgoing attacks. This helps us to maintain network quality at a decent level. If it doesn't fit into your requirements, it might be a valuable info for you in this early stage.
-
02-13-2012, 03:38 AM #13Junior Guru Wannabe
- Join Date
- Jan 2011
- Location
- Plymouth, UK
- Posts
- 98
Sounds good, we will stick to those rules. You won't suspend the server the second somebody reports us though for having phishing on our servers will you? We want a chance to actually remove the content! OVH didn't let us do this unfortunately...
I also heard that you sometimes suspend servers on a Friday which means that they can't be unsuspended until the following Monday. What if this happens? How are we supposed to get back online over the weekend if this was a false suspension (i.e. if we had already removed the content for example)?
Thanks
Last edited by reddexuk; 02-13-2012 at 03:45 AM.
-
02-13-2012, 10:08 AM #14Aspiring Evangelist
- Join Date
- Aug 2008
- Posts
- 376
If we receive a complaint about your server, the client normally has 24 hours to respond and solve the issue. If your server is attacking others, it is disconnected immediately. Also, if you host phishing sites from a bank, we are normally enforced by our local authorities to disconnect servers immediately. In some cases, our local authorities do not even allow us to provide the client with any information.
This happens very rarely, but it does happen.
-
02-13-2012, 10:11 AM #15Junior Guru Wannabe
- Join Date
- Jan 2011
- Location
- Plymouth, UK
- Posts
- 98
Sounds fair enough.
Also, if you host phishing sites from a bank