09-25-2014, 08:09 AM #1 Junior Guru Wannabe
Google Safe Browsing identifying my new website as phishing site
I have spent the last 2 months setting up 2 VPSs (second server for secondary nameserver and backup storage). I intend to use the setup to run 3 websites (forums). I use vultr.com and they do not disclose hardware specs or RAID specs (I think they don't use any mirroring). I used minimal install CentOS 6.5 64 bit and I have only installed appropriate dependencies for the software programmes I use. I use Virtualmin/Webmin as well as SSH.
Security wise I have -
- Installed CFS
- Changed webmin and SSH ports. Using key authentication with no password login allowed. I am the only user.
- I have secured and mounted /tmp with no nosuid,noexec,nodev and also applied these options to tmpfs
- I have deleted /var/tmp and /home/tmp and created symbolic links
- Installed Clam AV
- Installed Malware Detect
- Installed RK Hunter and Chkrootkit.
- Installed Suhosin.
- SE Linux running in enforced mode.
- Open TCP Ports: 25,53,80,143,443,587,993,5813 as well as new ssh, webmin and usermin ports
- Open UDP Ports: 53,123 and new webmin port
- Countries allowed through firewall while developing and testing: GB,US,NL (1st server in GB, 2nd server in NL)
- I use usermin for emails so have disabled IMAP and POP3 ports (mail server Postfix).
I have been working on my first website for the last 2 weeks which I access via its dedicated IP and a self-signed certificate. I updated the DNS with my domain provider yesterday and created glue records. I also installed an SSL certificate (Bitdefender). When I attempted to access my site using domain rather than IP I was confronted with a Google red phishing warning page.
Domain: manchester-gay.uk Dedicated IP: 108.61.196.39
All logs are showing normal activity. I checked the SSH access log and they are all my IPs (I check my IP address before accessing SSH or Webmin). Webmin password is 30 random characters using upper/lowercase letters, numbers and symbols.
This morning I manually ran -
freshclam
clamscan -ri --exclude-dir=^/sys\|^/proc\|^/dev /
No infected files were found.
I also ran the following commands
maldet --scan-all /
Result 'NOTE: quarantine is disabled!1 hit {HEX}gzbase64.inject.unclassed.15 : /root/maldetect-1.4.2/files/clean/gzbase64.$'
gzbase64 was updated through Webmin 2 days ago.
Daily cron rkhunter and chkrootkit show no infections and I ran them manually this morning as well.
I have checked to see if the IP address is on a spam blacklist (it is not). Can anyone suggest other things I need to check or a remedy?
Thanks Earthblaze
-
09-25-2014, 09:24 AM #2 Web Hosting Master
Checking google safebrowsing directly does not show any issues.
*edit* Check out the Sucuri scanner, it has some potential issues: http://sitecheck.sucuri.net/
John W, CISSP, C|EH
MS Information Security and Assurance
ITEagleEye.com - Server Administration and Security
Yawig.com - Managed VPS and Dedicated Servers with VIP Service
-
09-25-2014, 09:53 AM #3 Junior Guru Wannabe
Hello,
As John mentioned above, the Google safe browsing service is not showing an infection on your site. It is showing infections from other sites on the same network though. I'm not familiar enough with Google to know if that matters or not.
Nobody else appears to have listed your site. It's possible the safebrowsing data feed is simply out of date. If you have Google Webmaster Tools, I would ask for a review of your site.
-
09-25-2014, 02:27 PM #4 Junior Guru Wannabe
Thanks for this. I used the scanner and the network has malicious sites. I have raised the issue with Vultr support. I will add the domain to my Google Webmaster Tools (not done this yet as site still under construction).
Thanks for your help,
Earthblaze
-
09-26-2014, 03:15 AM #5 Web Hosting Master
This could be a false positive, or you got a bad IP/network. Adding the website to Google Webmaster Tools is a good idea to find the root cause.
|| Web Hosting Blog - Web Hosting security & latest web hosting industry Announcements
|| Web Hosting Discussion - A Web Hosting community
-
09-26-2014, 09:50 AM #6 Junior Guru Wannabe
Thanks Kailash12. Vultr support are adamant that malicious sites on my network will not affect my IP. They have checked 12 lists and my IP is clean. Have been unable to verify site on Google Webmaster tools as it says they cannot connect to the server. The site is there beyond the phishing alert and running correctly.
Really frustrating and not sure what to do next.
Regards,
Philip
-
09-26-2014, 10:58 AM #7 Junior Guru Wannabe
I would find out why Google Webmaster Tools cannot connect to the server. That is really unusual. Do you or your host have a firewall blocking connections from Google IPs?
-
09-26-2014, 12:49 PM #8 Junior Guru Wannabe
Hi, My VPS provider Vultr are now saying the problem lies on my laptop. I am not blocking any IP addresses. Vultr do not block IP addresses.
I tried the domain host option for Google verification. Logged into domainmonster ok but could not verify. I have identity protect so going to turn it off and try again.
-
09-26-2014, 01:38 PM #9 Junior Guru Wannabe
I am not able to resolve 'manchester-gay.uk'. It's not coming up at http://www.intodns.com/manchester-gay.uk either. I can reach the site by IP (108.61.196.39).
-
09-26-2014, 03:03 PM #10 Junior Guru Wannabe
Hi, thanks for trying. Intodns is located in Romania and it is blocked in my firewall (I only have GB,US,NL and ES open).
I have set up a second server in NL as a secondary nameserver and storage. When I type the command (on the second server)
dig @108.61.166.90 manchester-gay.uk
I get
; <1 server found>
;; global options +cmd
;; connection timed out ;no servers could be reached
The first server when backing up to the second server states connection timed out, server unreachable.
Would this link in with the problem? I am going to stop bind and use the DNS records at domainmonster to see if this resolves things. Other than that I will have to delete the virtual server in Virtualmin and start again but will do dns first.
Thanks,
Earthblaze
-
09-26-2014, 03:09 PM #11 Junior Guru Wannabe
That sounds like the source of the problem. Properly working DNS is pretty much a requirement for everything else.
It explains why Google Webmaster was not able to find your site.
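
A check for the condition diagnosed in posts #10 and #11, as an added example that is not part of the original posts: it queries each authoritative nameserver directly (recursion off) for the zone's SOA over UDP and TCP port 53 and classifies the reply. The function names and the sample reply are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): ask each authoritative nameserver
# directly for a zone's SOA over UDP and TCP and classify the reply.
# Function names are illustrative.

# Classify the text dig printed for one query.
classify_dig_output() {
    local out="$1" status flags
    case "$out" in
        *"connection timed out"*|*"no servers could be reached"*)
            echo "unreachable"; return 0 ;;
    esac
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    if [ "$status" != "NOERROR" ]; then
        echo "error:${status:-unknown}"
    elif printf ' %s ' "$flags" | grep -q ' aa '; then
        echo "authoritative"          # server answered with the AA flag set
    else
        echo "not-authoritative"      # answered, but is not serving the zone
    fi
}

# check_ns DOMAIN NS_IP...  Returns non-zero if any server/transport fails.
check_ns() {
    local domain="$1" ns proto opt out result rc=0
    shift
    for ns in "$@"; do
        for proto in udp tcp; do
            if [ "$proto" = "tcp" ]; then opt="+tcp"; else opt="+notcp"; fi
            out=$(dig +norecurse +time=3 +tries=1 "$opt" "@$ns" "$domain" SOA 2>&1) || true
            result=$(classify_dig_output "$out")
            printf '%-15s %-4s %s\n' "$ns" "$proto" "$result"
            [ "$result" = "authoritative" ] || rc=1
        done
    done
    return "$rc"
}

# Constructed sample of a healthy reply header, for reference.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Run only when called with arguments, e.g.: check-ns.sh example.test 192.0.2.53
if [ "$#" -ge 2 ]; then
    check_ns "$@"
fi
```

Run it from a host outside the countries the firewall allows, since a check from an allowed network will pass even when resolvers elsewhere time out.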
-
09-29-2014, 03:03 AM #12 Web Hosting Master
|| Web Hosting Blog - Web Hosting security & latest web hosting industry Announcements
|| Web Hosting Discussion - A Web Hosting community