Phishing Folders

  #1  
Old 02-11-2012, 07:54 AM
reddexuk reddexuk is offline
Junior Guru Wannabe
 
Join Date: Jan 2011
Location: Plymouth, UK
Posts: 98
*

Phishing Folders


Hi,

Recently we've had a few clients report to us that a few folders have mysteriously been appearing under their public_html directories. These folders contain phishing files.

How could this have happened, and how can we prevent it in the future? We've secured everything we can, yet a couple are still getting through.

Has anybody else had this happen? Is it just weak passwords or something much more serious?

James

__________________
Reddex UK | Affordable, Low-Cost, Reliable & Secure Shared Hosting
99.95% Uptime, cPanel Included, Over 200 Apps, Backup Utility, WordPress,
CloudFlare, 24/7/365 Support, 30 Day Money Back, Social Media Support
Shared Web Hosting | Reseller Hosting



  #2  
Old 02-11-2012, 08:19 AM
HostLeet HostLeet is offline
Elite Webmaster
 
Join Date: Nov 2008
Location: Florida, U.S
Posts: 1,657
All it takes is one outdated script to exploit such as WordPress and hackers can gain access to an account and upload files to it. Are your clients using any scripts in these accounts that have been compromised? And if so.. Are these scripts up-to-date?

Do you not have root access to view the server logs and see exactly how they got in?

__________________
HOSTLEET.COM, LLC - Elite Website Hosting Since 2008!
Fast Reliable Affordable Secure Friendly & Courteous
RISK-FREE Money Back Guarantee PCI-Compliant Checkout
U.S.A Based & Operated Read Through Our Most F.A.Q's!


  #3  
Old 02-11-2012, 08:21 AM
reddexuk reddexuk is offline
Junior Guru Wannabe
 
Join Date: Jan 2011
Location: Plymouth, UK
Posts: 98
All clients affected have WordPress accounts yes.

More importantly, in the last few minutes I have been told by the datacentre that the server is lined up for termination because of breach of their contract. Moreover, there is nobody to speak to at the weekend.

I was given absolutely no notice, they have just suspended my server and given me read-only FTP access and then they said that they will terminate the account.

What are the legalities on this? Are they even permitted to suspend a server full of lots of clients without *any* notice?

James

__________________
Reddex UK | Affordable, Low-Cost, Reliable & Secure Shared Hosting
99.95% Uptime, cPanel Included, Over 200 Apps, Backup Utility, WordPress,
CloudFlare, 24/7/365 Support, 30 Day Money Back, Social Media Support
Shared Web Hosting | Reseller Hosting

  #4  
Old 02-11-2012, 06:40 PM
netfreak netfreak is offline
Web Hosting Master
 
Join Date: Nov 2005
Location: BC, Canada
Posts: 757
Interesting.. I had an AUP case in our datacenter for the same thing. A directory of randomly generated characters was sitting in someone's public_html folder with some JS files. Links to those files were being inserted in spam/phishing mails from various sources. I know it was a cPanel server but I don't know what else the client had installed.

__________________
|| Higher Intellect || Half a million documents and climbing.

  #5  
Old 02-11-2012, 08:10 PM
NoSupportLinuxHostin NoSupportLinuxHostin is offline
Web Hosting Master
 
Join Date: Jan 2010
Location: USA
Posts: 2,109
It could be an outdated web app running in the site with a known vulnerability. Make sure all of the web apps (like WordPress and Joomla) are kept up to date, and don't forget to update the plugins and themes.

The problem could also be caused by stolen FTP account details. Check your FTP logs around the time the phishing folder appeared to see if the user accessed their site via FTP. There is client-side malware out there that will steal FTP login details from the configuration files on a webmaster's computer and email the login details back to a hacker. Ask the webmasters of the affected sites to run a malware scanner (like MalwareBytes Anti-Malware) on their computers to see if there was a client-side malware infection. After that, ask the clients to change their passwords and encourage (or preferably require) them to use very hard to guess passwords.

__________________
No Support Linux Hosting Bargain cPanel Hosting Experts Only
We IGNORE the support questions, and pass the SAVINGS on to YOU!
We also ignore questions about VPS Hosting
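
The FTP-log check suggested in post #5, as an added example that is not part of the original thread: it lists FTP uploads into a suspicious folder around the time the folder appeared and groups them by account and source address. It assumes the FTP daemon writes the xferlog(5) transfer-log layout; the log lines, user names, folder name and addresses are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample in xferlog(5) layout; users, paths and addresses are made up.
SAMPLE_XFERLOG = """\
Sat Feb 11 06:12:40 2012 1 198.51.100.20 5120 /home/alice/public_html/index.php b _ o r alice ftp 0 * c
Sat Feb 11 06:41:02 2012 1 203.0.113.7 4312 /home/alice/public_html/x9f2kq7b/login.php b _ i r alice ftp 0 * c
Sat Feb 11 06:41:05 2012 2 203.0.113.7 18220 /home/alice/public_html/x9f2kq7b/js/form.js b _ i r alice ftp 0 * c
Sat Feb 11 09:30:11 2012 1 198.51.100.20 900 /home/alice/public_html/about.html a _ i r alice ftp 0 * c
Sat Feb 11 06:50:00 2012 1 192.0.2.44 700 /home/bob/public_html/style.css a _ i r bob ftp 0 * c
"""

def parse_xferlog(line):
    """Parse one xferlog line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) < 18:  # 5 date tokens + 3 fields + path + 9 trailing fields
        return None
    try:
        when = datetime.strptime(" ".join(parts[:5]), "%a %b %d %H:%M:%S %Y")
        size = int(parts[7])
    except ValueError:
        return None
    tail = parts[-9:]  # counted from the right so a path containing spaces survives
    return {"time": when, "host": parts[6], "size": size,
            "path": " ".join(parts[8:-9]), "direction": tail[2], "user": tail[4]}

def uploads_into(folder, appeared_at, log_text, window=timedelta(hours=1)):
    """Return uploads into `folder` logged within `window` of `appeared_at`."""
    prefix = folder.rstrip("/") + "/"
    hits = []
    for line in log_text.splitlines():
        rec = parse_xferlog(line)
        if rec is None or rec["direction"] != "i":  # "i" = incoming (upload)
            continue
        if rec["path"].startswith(prefix) and abs(rec["time"] - appeared_at) <= window:
            hits.append(rec)
    return hits

def summarize(hits):
    """Count uploaded files per (FTP user, remote host) pair."""
    summary = {}
    for rec in hits:
        key = (rec["user"], rec["host"])
        summary[key] = summary.get(key, 0) + 1
    return summary

if __name__ == "__main__":
    hits = uploads_into("/home/alice/public_html/x9f2kq7b",
                        datetime(2012, 2, 11, 6, 41), SAMPLE_XFERLOG)
    print(summarize(hits) or "no FTP uploads into this folder")
```

An empty result means the folder was not written over FTP, which points back to the web server logs and the outdated-script route raised earlier in the thread.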

  #6  
Old 02-12-2012, 02:04 AM
JLHC JLHC is offline
James Lee
 
Join Date: Oct 2007
Posts: 3,881
Another possible cause of this is the Symlink exploit on Apache and LiteSpeed which is not patched officially to date. It only takes one hosting account to be hacked to cause all other accounts to be affected.

__________________
Aspiration Hosting Inc | Magento Hosting + Next Generation Global CDN
High CPU Limit SSD LiteSpeed Percona MySQL APC Memcached LiteSpeed Cache

NoFrillsReseller | Reseller Hosting + 24x7 Live Chat Support

  #7  
Old 02-12-2012, 03:03 AM
RaidLogic RaidLogic is offline
Web Hosting Guru
 
Join Date: Sep 2011
Location: USA
Posts: 277
I'd recommend getting a security company to help you in server management.

  #8  
Old 02-12-2012, 04:06 AM
Dr_Michael Dr_Michael is offline
cPanel is your friend
 
Join Date: Jul 2002
Location: World Wide Web
Posts: 1,549
Quote:
Originally Posted by reddexuk View Post
I was given absolutely no notice, they have just suspended my server and given me read-only FTP access and then they said that they will terminate the account.
Maybe it is time to get a fully managed dedicated server from another Host?

__________________
Michael Vlastos
HostWired.com - Innovative Hosting Solutions since 2005 | cPanel, Softaculous
Personalized support | No site suspensions | No overloaded servers | Green Hosting
Multiple Backups | Average Response Time: 20 min | Toll Free: 1-855-ECO-HOST

  #9  
Old 02-12-2012, 06:06 AM
reddexuk reddexuk is offline
Junior Guru Wannabe
 
Join Date: Jan 2011
Location: Plymouth, UK
Posts: 98
I already had a dedicated server with OVH and now I'm moving over to Hetzner because of all the trouble. It's completely unreasonable to suspend a whole server because it got hacked and then to say that it won't be back online ever again.

I will take a look at all your suggestions, thanks!

James

__________________
Reddex UK | Affordable, Low-Cost, Reliable & Secure Shared Hosting
99.95% Uptime, cPanel Included, Over 200 Apps, Backup Utility, WordPress,
CloudFlare, 24/7/365 Support, 30 Day Money Back, Social Media Support
Shared Web Hosting | Reseller Hosting

  #10  
Old 02-12-2012, 05:15 PM
Hetzner_Online Hetzner_Online is offline
Aspiring Evangelist
 
Join Date: Aug 2008
Posts: 373
Quote:
Originally Posted by reddexuk View Post
I already had a dedicated server with OVH and now I'm moving over to Hetzner because of all the trouble. It's completely unreasonable to suspend a whole server because it got hacked and then to say that it won't be back online ever again.
Please take any security issues seriously. Otherwise you will be disappointed with us - sooner or later. Hetzner Online is very strict about outgoing attacks and outgoing spam.

  #11  
Old 02-12-2012, 05:22 PM
reddexuk reddexuk is offline
Junior Guru Wannabe
 
Join Date: Jan 2011
Location: Plymouth, UK
Posts: 98
Quote:
Originally Posted by Hetzner_Online View Post
Please take any security issues seriously. Otherwise you will be disappointed with us - sooner or later. Hetzner Online is very strict about outgoing attacks and outgoing spam.
It's not the fact that we don't take security seriously, it's the fact that you can never 'detect' phishing as such until it has been reported. How can we possibly stop that? Of course, as soon as phishing has been reported to us, we will remove it immediately and take appropriate actions. Other than that, what else do you expect us to do? Are you like OVH? Will you terminate a server for being hacked - something which is most definitely not the server administrator's fault?

I also don't appreciate the response you gave. It's not exactly a welcome statement for switching to your company is it?

__________________
Reddex UK | Affordable, Low-Cost, Reliable & Secure Shared Hosting
99.95% Uptime, cPanel Included, Over 200 Apps, Backup Utility, WordPress,
CloudFlare, 24/7/365 Support, 30 Day Money Back, Social Media Support
Shared Web Hosting | Reseller Hosting

  #12  
Old 02-12-2012, 06:38 PM
Hetzner_Online Hetzner_Online is offline
Aspiring Evangelist
 
Join Date: Aug 2008
Posts: 373
Quote:
Originally Posted by reddexuk View Post
Of course, as soon as phishing has been reported to us, we will remove it immediately and take appropriate actions.
That sounds great, and it should work with us. It is the way most of our clients handle these issues pretty well.

Anyway, in general, we are very strict about spam/outgoing attacks. This helps us to maintain network quality at a decent level. If it doesn't fit into your requirements, it might be a valuable info for you in this early stage.

  #13  
Old 02-13-2012, 03:38 AM
reddexuk reddexuk is offline
Junior Guru Wannabe
 
Join Date: Jan 2011
Location: Plymouth, UK
Posts: 98
Sounds good, we will stick to those rules. You won't suspend the server the second somebody reports us though for having phishing on our servers will you? We want a chance to actually remove the content! OVH didn't let us do this unfortunately...

I also heard that you sometimes suspend servers on a Friday which means that they can't be unsuspended until the following Monday. What if this happens? How are we supposed to get back online over the weekend if this was a false suspension (i.e. if we had already removed the content for example)?

Thanks

__________________
Reddex UK | Affordable, Low-Cost, Reliable & Secure Shared Hosting
99.95% Uptime, cPanel Included, Over 200 Apps, Backup Utility, WordPress,
CloudFlare, 24/7/365 Support, 30 Day Money Back, Social Media Support
Shared Web Hosting | Reseller Hosting


Last edited by reddexuk; 02-13-2012 at 03:45 AM.
  #14  
Old 02-13-2012, 10:08 AM
Hetzner_Online Hetzner_Online is offline
Aspiring Evangelist
 
Join Date: Aug 2008
Posts: 373
Quote:
Originally Posted by reddexuk View Post
Sounds good, we will stick to those rules. You won't suspend the server the second somebody reports us though for having phishing on our servers will you? We want a chance to actually remove the content!
If we receive a complaint about your server, the client normally has 24 hours to respond and solve the issue. If your server is attacking others, it is disconnected immediately. Also, if you host phishing sites from a bank, we are normally enforced by our local authorities to disconnect servers immediately. In some cases, our local authorities do not even allow us to provide the client with any information.

This happens very rarely, but it does happen.

  #15  
Old 02-13-2012, 10:11 AM
reddexuk reddexuk is offline
Junior Guru Wannabe
 
Join Date: Jan 2011
Location: Plymouth, UK
Posts: 98
Sounds fair enough.

Quote:
Also, if you host phishing sites from a bank
This wouldn't be the case as the reason we had the phishing files was because somebody hacked into our server through old WordPress (insecure) plugins. We have tried to prevent this from occurring again though now.

__________________
Reddex UK | Affordable, Low-Cost, Reliable & Secure Shared Hosting
99.95% Uptime, cPanel Included, Over 200 Apps, Backup Utility, WordPress,
CloudFlare, 24/7/365 Support, 30 Day Money Back, Social Media Support
Shared Web Hosting | Reseller Hosting
