Results 1 to 15 of 15
  1. #1
    Join Date
    Jan 2011
    Location
    Plymouth, UK
    Posts
    98

    * Phishing Folders

    Hi,

    Recently we've had a few clients report to us that a few folder have mysteriously been appearing under their public_html directories. These folders contain phishing files.

    How could this have happened and how to prevent it in the future. We've secured everything we can yet a couple are still getting through?

    Has anybody else had this happen? Is it just weak passwords or something much more serious?

    James
    Reddex UK | Affordable, Low-Cost, Reliable & Secure Shared Hosting
    99.95% Uptime, cPanel Included, Over 200 Apps, Backup Utility, WordPress,
    CloudFlare, 24/7/365 Support, 30 Day Money Back, Social Media Support
    Shared Web Hosting | Reseller Hosting

  2. #2
    Join Date
    Nov 2008
    Location
    Florida, U.S
    Posts
    1,738
    All it takes is one outdated script to exploit such as WordPress and hackers can gain access to an account and upload files to it. Are your clients using any scripts in these accounts that have been compromised? And if so.. Are these scripts up-to-date?

    Do you not have root access to view the server logs and see exactly how they got in?
    HOSTLEET.COM, LLC - Elite Website Hosting Since 2008!
    Fast Reliable Affordable Secure Friendly & Courteous
    RISK-FREE Money Back Guarantee U.S.A Based & Operated
    Read Through Our Most F.A.Q's!

  3. #3
    Join Date
    Jan 2011
    Location
    Plymouth, UK
    Posts
    98
    All clients affected have WordPress accounts yes.

    More importantly, in the last few minutes I have been told by the datacentre that the server is lined up for termination because of breech of their contract. Moreover, there is nobody to speak to at the weekend.

    I was given absolutely no notice, they have just suspended my server and given me read-only FTP access and then they said that they will terminate the account.

    What are the legalities on this? Are they even permitted to suspend a server full of lots of clients without *any* notice?

    James
    Reddex UK | Affordable, Low-Cost, Reliable & Secure Shared Hosting
    99.95% Uptime, cPanel Included, Over 200 Apps, Backup Utility, WordPress,
    CloudFlare, 24/7/365 Support, 30 Day Money Back, Social Media Support
    Shared Web Hosting | Reseller Hosting

  4. #4
    Join Date
    Nov 2005
    Location
    BC, Canada
    Posts
    776
    Interesting.. I had an AUP case in our datacenter for the same thing. A directory of randomly generated characters was sitting in someone's public_html folder with some JS files. Links to those files were being inserted in spam/phishing mails from various sources. I know it was a cPanel server but I don't know what else the client had installed.
    || Higher Intellect || Half a million documents and climbing.
    || OMGWTFBBQ || Nothing of value here.

  5. #5
    Join Date
    Jan 2010
    Location
    USA
    Posts
    2,173
    It could an outdate web app running in the site with a known vulnerability. Make sure all of the web apps (like WordPress and Joomla) are kept up to date, and don't forget to update the pluggins and themes.

    The problem could also be caused by stolen FTP account details. Check your FTP logs around the time the phishing folder appeared to see if the user access their site via FTP. There are client side malware out there that will steal FTP login details from the configuration files on a webmaster's computer and email the login details back to a hacker. Ask the webmasters of the affected sites to run a malware scanner (like MalwareBytes Anti-Malware) on their computers to see if there was a client side malware infection. After that, ask the clients to change their passwords and encourage (or preferably require) them to use very hard to guess passwords.
    No Support Linux Hosting Bargain cPanel Hosting Experts Only
    We IGNORE the support questions, and pass the SAVINGS on to YOU!
    We also ignore questions about VPS Hosting

  6. #6
    Join Date
    Oct 2007
    Posts
    4,332
    Another possible cause of this is the Symlink exploit on Apache and LiteSpeed which is not patched officially to date. It only takes one hosting account to be hacked to cause all other accounts to be affected.
    [ James Lee - Cloud & Web Hosting Specialist 10+ Years WHT Veteran]

    [ Magento Performance Consultation by Magento Master ]

  7. #7
    Join Date
    Sep 2011
    Location
    USA
    Posts
    278
    Id recommend getting a security company to help you in server management.

  8. #8
    Join Date
    Jul 2002
    Location
    World Wide Web
    Posts
    2,347
    Quote Originally Posted by reddexuk View Post
    I was given absolutely no notice, they have just suspended my server and given me read-only FTP access and then they said that they will terminate the account.
    Maybe it is time to get a fully managed dedicated server from another Host?
    NetDynamics LLC - One-stop Solution for Hosting Needs
    We love Backups! Backup storage for your server backups

  9. #9
    Join Date
    Jan 2011
    Location
    Plymouth, UK
    Posts
    98
    I already had a dedicated server with OVH and now I'm moving over to Hetzner because of all the trouble. It's completely unreasonable to suspend a whole server because it got hacked and then to say that it won't be back online ever again.

    I will take a look at all your suggestions, thanks!

    James
    Reddex UK | Affordable, Low-Cost, Reliable & Secure Shared Hosting
    99.95% Uptime, cPanel Included, Over 200 Apps, Backup Utility, WordPress,
    CloudFlare, 24/7/365 Support, 30 Day Money Back, Social Media Support
    Shared Web Hosting | Reseller Hosting

  10. #10
    Quote Originally Posted by reddexuk View Post
    I already had a dedicated server with OVH and now I'm moving over to Hetzner because of all the trouble. It's completely unreasonable to suspend a whole server because it got hacked and then to say that it won't be back online ever again.
    please take any security issues serious. Otherwise you will be disappointed with us - sooner or later. Hetzner Online is very strict about outgoing attacks and outgoing spam.

  11. #11
    Join Date
    Jan 2011
    Location
    Plymouth, UK
    Posts
    98
    Quote Originally Posted by Hetzner_Online View Post
    please take any security issues serious. Otherwise you will be disappointed with us - sooner or later. Hetzner Online is very strict about outgoing attacks and outgoing spam.
    It's not the fact that we don't take security seriously, it's the fact that you can never 'detect' phishing as such until it has been reported. How can we possibly stop that? Of course, as soon as phishing has been reported to us, we will remove it immediately and take appropriate actions. Other than that, what else do you expect us to do? Are you like OVH? Will you terminate a server for being hacked - something which is most definitely not the server administrators fault?

    I also don't appreciate the response you gave. It's not exactly a welcome statement for switching to your company is it?
    Reddex UK | Affordable, Low-Cost, Reliable & Secure Shared Hosting
    99.95% Uptime, cPanel Included, Over 200 Apps, Backup Utility, WordPress,
    CloudFlare, 24/7/365 Support, 30 Day Money Back, Social Media Support
    Shared Web Hosting | Reseller Hosting

  12. #12
    Quote Originally Posted by reddexuk View Post
    Of course, as soon as phishing has been reported to us, we will remove it immediately and take appropriate actions.
    That sounds great, and it should work with us. It is the way most of our clients handle these issues pretty well.

    Anyway, in general, we are very strict about spam/outgoing attacks. This help us to maintain network quality at a decent level. If it doesn't fit into your requirements, it might be a valuable info for you in this early stage.

  13. #13
    Join Date
    Jan 2011
    Location
    Plymouth, UK
    Posts
    98
    Sounds good, we will stick to those rules. You won't suspend the server the second somebody reports us though for having phishing on our servers will you? We want a chance to actually remove the content! OVH didn't let us do this unfortunately...

    I also heard that you sometimes suspend servers on a Friday which means that they can't be unsuspended until the following Monday. What if this happens? How are we supposed to get back online over the weekend if this was a false suspension (i.e. if we had already removed the content for example)?

    Thanks
    Last edited by reddexuk; 02-13-2012 at 03:45 AM.
    Reddex UK | Affordable, Low-Cost, Reliable & Secure Shared Hosting
    99.95% Uptime, cPanel Included, Over 200 Apps, Backup Utility, WordPress,
    CloudFlare, 24/7/365 Support, 30 Day Money Back, Social Media Support
    Shared Web Hosting | Reseller Hosting

  14. #14
    Quote Originally Posted by reddexuk View Post
    Sounds good, we will stick to those rules. You won't suspend the server the second somebody reports us though for having phishing on our servers will you? We want a chance to actually remove the content!
    If we receive a complaint about your server, the client normally has 24 hours to respond and solve the issue. If your server is attacking others, it is disconnected immediately. Also, if you host phishing sites from a bank, we are normally enforced by our local authorities to disconnect servers immediately. In some cases, our local authorities do not even allow us to provide the client with any information.

    This happens very rarely, but it does happen.

  15. #15
    Join Date
    Jan 2011
    Location
    Plymouth, UK
    Posts
    98
    Sounds fair enough.

    Also, if you host phishing sites from a bank
    This wouldn't be the case as the reason we had the phishing files was because somebody hacked into our server through old WordPress (in-secure) plugins. We have tried to prevent this from occurring again though now.
    Reddex UK | Affordable, Low-Cost, Reliable & Secure Shared Hosting
    99.95% Uptime, cPanel Included, Over 200 Apps, Backup Utility, WordPress,
    CloudFlare, 24/7/365 Support, 30 Day Money Back, Social Media Support
    Shared Web Hosting | Reseller Hosting

Similar Threads

  1. phishing
    By 1809 in forum Hosting Security and Technology
    Replies: 6
    Last Post: 04-20-2010, 10:30 AM
  2. How's the phishing?
    By bear in forum Web Hosting Lounge
    Replies: 11
    Last Post: 06-19-2008, 09:10 AM
  3. Replies: 3
    Last Post: 03-06-2008, 11:35 PM
  4. Phishing: how'd they get in exactly?
    By bear in forum Hosting Security and Technology
    Replies: 14
    Last Post: 03-31-2007, 02:59 AM
  5. Phishing
    By ankushdawar in forum Dedicated Server
    Replies: 2
    Last Post: 11-23-2005, 02:20 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •