  1. #1
    Join Date
    Apr 2013
    Posts
    74

    Google Safe Browsing identifying my new website as phishing site

    I have spent the last 2 months setting up 2 VPSs (second server for secondary nameserver and backup storage). I intend to use the setup to run 3 websites (forums). I use vultr.com and they do not disclose hardware specs or RAID specs (I think they don't use any mirroring). I used minimal install Centos 6.5 64 bit and I have only installed appropriate dependencies for the software programmes I use. I use Virtualmin/Webmin as well as SSH.

    Security wise I have -

    1. Installed CFS
    2. Changed webmin and SSH ports. Using key authentication with no password login allowed. I am the only user.
    3. I have secured and mounted /tmp with nosuid,noexec,nodev and also applied these options to tmpfs
    4. I have deleted /var/tmp and /home/tmp and created symbolic links
    5. Installed Clam AV
    6. Installed Malware Detect
    7. Installed RK Hunter and Chkrootkit.
    8. Installed Suhosin.
    9. SE Linux running in enforced mode.
    10. Open TCP Ports: 25,53,80,143,443,587,993,5813 as well as new ssh, webmin and usermin ports
    11. Open UDP Ports: 53,123 and new webmin port
    12. Countries allowed through firewall while developing and testing: GB,US,NL (1st server in GB, 2nd server in NL)
    13. I use usermin for emails so have disabled IMAP and POP3 ports (mail server Postfix).

    I have been working on my first website for the last 2 weeks which I access via its dedicated IP and a self-signed certificate. I updated the DNS with my domain provider yesterday and created glue records. I also installed an SSL certificate (Bitdefender). When I attempted to access my site using the domain rather than the IP I was confronted with a Google red phishing warning page.

    Domain: manchester-gay.uk Dedicated IP: 108.61.196.39

    All logs are showing normal activity. I checked the SSH access log and they are all my IPs (I check my IP address before accessing SSH or Webmin). Webmin password is 30 random characters using upper/lowercase letters, numbers and symbols.

    This morning I manually ran -

    freshclam
    clamscan -ri --exclude-dir=^/sys\|^/proc\|^/dev /


    No infected files were found.

    I also ran the following commands

    maldet --scan-all /
    Result 'NOTE: quarantine is disabled!1 hit {HEX}gzbase64.inject.unclassed.15 : /root/maldetect-1.4.2/files/clean/gzbase64.$'

    gzbase64 was updated through Webmin 2 days ago.


    Daily cron rkhunter and chkrootkit show no infections and I ran them manually this morning as well.

    I have checked to see if the IP address is on a spam blacklist (it is not). Can anyone suggest other things I need to check or a remedy?


    Thanks Earthblaze

  2. #2
    Join Date
    Apr 2003
    Location
    NC
    Posts
    3,093
    Checking google safebrowsing directly does not show any issues.

    *edit* Check out the Sucuri scanner, it has some potential issues: http://sitecheck.sucuri.net/
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service

  3. #3
    Join Date
    Jul 2014
    Location
    Florida
    Posts
    75
    Hello,

    As John mentioned above, the Google safe browsing service is not showing an infection on your site. It is showing infections from other sites on the same network though. I'm not familiar enough with Google to know if that matters or not.

    Nobody else appears to have listed your site. It's possible the safebrowsing data feed is simply out of date. If you have Google Webmaster Tools, I would ask for a review of your site.

  4. #4
    Join Date
    Apr 2013
    Posts
    74
    Thanks for this. I used the scanner and the network has malicious sites. I have raised the issue with Vultr support. I will add the domain to my Google Webmaster Tools (not done this yet as site still under construction).

    Thanks for your help,

    Earthblaze

  5. #5
    This could be false-positive or you got bad IP/Network. Adding website to Google Webmaster tools is a good idea to find the root cause.
    || Web Hosting Blog - Web Hosting security & latest web hosting industry Announcements
    || Web Hosting Discussion - A Web Hosting community

  6. #6
    Join Date
    Apr 2013
    Posts
    74
    Thanks Kailash12. Vultr support are adamant that malicious sites on my network will not affect my IP. They have checked 12 lists and my IP is clean. Have been unable to verify site on Google Webmaster tools as it says they cannot connect to the server. The site is there beyond the phishing alert and running correctly.

    Really frustrating and not sure what to do next.

    Regards,

    Philip

  7. #7
    Join Date
    Jul 2014
    Location
    Florida
    Posts
    75
    I would find out why Google Webmaster tools cannot connect to the server. That is really unusual. Do you or your host have a firewall blocking connections from Google IPs?

  8. #8
    Join Date
    Apr 2013
    Posts
    74
    Hi, My VPS provider Vultr are now saying the problem lies on my laptop. I am not blocking any IP addresses. Vultr do not block IP addresses.

    I tried the domain host option for Google verification. Logged into domainmonster ok but could not verify. I have identity protect so going to turn it off and try again.

  9. #9
    Join Date
    Jul 2014
    Location
    Florida
    Posts
    75
    I am not able to resolve 'manchester-gay.uk'. It's not coming up at http://www.intodns.com/manchester-gay.uk either. I can reach the site by IP (108.61.196.39).

  10. #10
    Join Date
    Apr 2013
    Posts
    74
    Hi, thanks for trying. Intodns is located in Romania and it is blocked in my firewall (I only have GB,US,NL and ES open).

    I have set up a second server in NL as a secondary nameserver and storage. When I type the command (on the second server)
    dig @ 108.61.166.90 manchester-gay.uk
    I get
    ; <1 server found>
    ;; global options +cmd
    ;; connection timed out ;no servers could be reached

    The first server when backing up to the second server states connection timed out, server unreachable.

    Would this link in with the problem? I am going to stop bind and use the DNS records at domainmonster to see if this resolves things. Other than that I will have to delete the virtual server in Virtualmin and start again but will do dns first.

    Thanks,

    Earthblaze
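The dig timeout above is the kind of result a firewall that geo-blocks port 53 produces: the authoritative nameserver never answers, so outside resolvers (including Google's) cannot find the zone at all. The script below is an added example, not from this thread or from Vultr/CSF: it classifies dig output so a reachability check can tell a timeout (blocked or down nameserver) apart from a real answer or an NXDOMAIN, and then queries every authoritative nameserver of a zone directly. The sample dig outputs are constructed; check_zone_nameservers needs network access and the dig binary.

```shell
#!/bin/sh
# Added example: classify dig output, then probe each authoritative NS of a zone.

# Classify captured dig output. Prints one of: timeout, nxdomain, answer, other.
classify_dig_output() {
    out="$1"
    case "$out" in
        *"connection timed out"*|*"no servers could be reached"*) echo timeout ;;
        *"status: NXDOMAIN"*) echo nxdomain ;;
        *"status: NOERROR"*) echo answer ;;
        *) echo other ;;
    esac
}

# Ask each nameserver listed for the zone directly (bypassing recursion) and
# report one line per server: "<ns> <classification>". A "timeout" on a server
# you control usually means port 53 (TCP and UDP) is filtered for this source.
check_zone_nameservers() {
    zone="$1"
    for ns in $(dig +short NS "$zone"); do
        reply=$(dig +time=3 +tries=1 @"$ns" "$zone" A 2>&1)
        echo "$ns $(classify_dig_output "$reply")"
    done
}

# Constructed sample outputs (not real captures) used to exercise the classifier.
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'
SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1234'
SAMPLE_ANSWER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4321
example.invalid.  300  IN  A  192.0.2.10'

# Stand-alone run: classify the samples, then probe a zone if one is given.
classify_dig_output "$SAMPLE_TIMEOUT"
classify_dig_output "$SAMPLE_NXDOMAIN"
classify_dig_output "$SAMPLE_ANSWER"
[ -n "$1" ] && check_zone_nameservers "$1"
```

Run it as `sh check_ns.sh example.invalid` from a host outside your firewall's allowed countries; every nameserver should report "answer" before you ask Google for a review.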

  11. #11
    Join Date
    Jul 2014
    Location
    Florida
    Posts
    75
    That sounds like the source of the problem. Properly working DNS is pretty much a requirement for everything else.

    It explains why Google Webmaster was not able to find your site.

  12. #12
    Quote Originally Posted by Earthblaze View Post
    Hi, thanks for trying. Intodns is located in Romania and it is blocked in my firewall (I only have GB,US,NL and ES open).
    This explained why you were unable to verify your domain in Google Webmasters Tools.