  1. #1

    How to fight Phishing / Fraud sites in Free Hosting Server?

    Hi,

    I run a free web hosting service on my server with the XPanel script installed. It has around 47K accounts in all. Recently I started getting mails from eBay, banks and many other institutions regarding phishing sites operating from my server to cheat their customers / members. Though I removed them, I have to do it manually and after getting mails from them.

    Now that I don't want any more such sites to run from my hosting site, what are the options available to me in order to check all accounts automatically and remove any such site on its own? As there are 47K accounts and 100+ new signups each day, it is not possible to check all accounts manually.

    I want any script / addon which can check all possible phishing / spamming / spurious / fraud sites and intimate me / delete them upon request. Any person using such services? I need your guidance + support.

    Looking for some fast and effective answers from experts here.

    Thanks

  2. #2
    Join Date
    Mar 2007
    Location
    UK
    Posts
    852
    It's very hard to do such a thing completely automatically. However, you could create a file that runs through random files hosted by your clients looking for certain words and then flags them up for you to view.

    Really this is something we can't tell you how to do, this is something you would need to employ a coder to create.

    ,Ashley
    ZXPlay
    Premium Virtual Private Servers | Dedicated Media Streaming Servers
    Dedicated Resources | EU Based
    www.zxplay.co.uk

  3. #3
    Join Date
    Oct 2004
    Location
    Kerala, India
    Posts
    4,771
    webseoindia,

    From a user level, I don't think much can be done here.
    David | www.cliffsupport.com
    Affordable Server Management Solutions sales AT cliffsupport DOT com
    CliffWebManager | Access WHM from iPhone and Android

  4. #4
    Join Date
    Sep 2000
    Location
    Alberta, Canada
    Posts
    3,146
    Make sure no directories have 777 permissions.
    PotentProducts.com - for all your Hosting needs
    Helping people Host, Create and Maintain their Web Site
    ServerAdmin Services also available

  5. #5
    Join Date
    Jun 2006
    Location
    United Kingdom
    Posts
    1,776


    47,000 accounts on one server?

    Wow, what's the server load like?
    -- Adam

  6. #6
    Join Date
    Apr 2002
    Location
    Auckland - New Zealand
    Posts
    1,575
    Well, at minimum you'd want mod_security rules to block access to anything with commonly phished sites' phrases in it, i.e. paypal, ebay, bankofamerica etc.

    If you are allowing PHP scripts to be run and having accounts auto set up, I can see why your freehost would be very popular (especially with the phishing crowd).

    I'd imagine it's a bit of a nightmare to manage..

  7. #7
    Quote, originally posted by Coldmedia - Adam:

    47,000 accounts on one server?

    Wow, what's the server load like?

    Not just the load. One would have to ask:

    What's the spam count like?
    What's the size of the HD?
    How many years does it take to do a backup, if any?

    ...but I find it hard to believe that he has 47k on one box, and if he does, he should be converting them to paid accounts. Let the paupers be peddlers.

  8. #8
    The single way that we know is to create rules in uploadscript.pl and from time to time run the file_killer.pl file, which will parse all users' files and remove all unallowed content.

  9. #9

    Examples of rules in uploadscript.pl:

    my %aLoop;
    # Each key is a regular expression matched against uploaded content;
    # the value is the action taken on a match. Lines starting with # are disabled rules.
    $aLoop{'.'} = {
        'http://\d+\.\d+\.\d+\.\d+\:\d*/wwwroot/?' => '_LOG_',
        # 'Credit\s+Card' => '_LOG_',
        # 'America\s+Online' => '_LOG_',
        # 'http://depoch\.net' => '',

        'RapidLeech' => '_LOG_',
        'RapidGet' => '_LOG_',
        'RapidKill' => '_LOG_',
        'Credits to Pramode & Checkmate' => '_LOG_',

        'MSN Money\. All rights reserved' => '_LOG_',
        'Bank Online' => '_LOG_',
        'AOL account check' => '_SUSPEND_',
        'AOL Billing Center' => '_SUSPEND_',
        'Log in to Citizens Bank Online' => '_SUSPEND_',
        'Citizens Financial Group\. All rights reserved' => '_LOG_',
        'Sign In to Your FirePay Account' => '_SUSPEND_',
        'http://www\.firepay\.com/_privacy/' => '_SUSPEND_',
        'http://www\.firepay\.com/_terms/' => '_SUSPEND_',
        'https?://account\.' => '_LOG_',
        'http://www\.firepay\.com/_help/' => '_LOG_',
        'FireOne Group plc\. All Rights Reserved' => '_LOG_',
        # 'Mailing\s+List' => '_LOG_',
        # 'FastMailer' => '_LOG_',
        # 'Bulk Maileren' => '_LOG_',
        # 'PHP-Mailer' => '_LOG_',
        # 'GuerillaMailer' => '_LOG_',
        # 'Grab\s+e?-?mail' => '_LOG_',

        'https?://[\w\-\.]*wellsfargo\.com/util/signon\.jhtml' => '_SUSPEND_',
        'https?://[\w\-\.]*wellsfargo\.com' => '_LOG_',
        'https?://[\w\-\.]*passport\.com' => '_LOG_',
        # 'https?://[\w\-\.]*[^w]\.aol\.com' => '_LOG_',
        'https?://[\w\-\.]*[^w]\.aim\.com' => '_LOG_',

        'https?://[\w\-\.]*bankofamerica\.com' => '_LOG_',
        'https?://[\w\-\.]*olb2\.nationet\.com' => '_LOG_',
        'https?://[\w\-\.]*rbc\.com' => '_LOG_',
        'https?://[\w\-\.]*rbcfunds\.com' => '_LOG_',
        'https?://[\w\-\.]*rbcinsurance\.com' => '_LOG_',
        'https?://[\w\-\.]*rbcroyalbank\.com' => '_LOG_',
        'https?://[\w\-\.]*actiondirect\.com' => '_LOG_',
        'https?://[\w\-\.]*vozipglobal\.com' => '_LOG_', # they shut the server down, something related to spam
        'https?://[\w\-\.]*vozipglobal\.com/afiliacion\.php' => '_SUSPEND_', # they shut the server down, something related to spam
        'https?://[\w\/\-\.]*bank[\w\/\-\.]+' => '_LOG_',
        # 'https?://[\w\-\.]*2checkout\.com' => '_LOG_',
        # 'https?://[\w\-\.]*secpay\.com' => '_LOG_',
        # 'https?://[\w\-\.]*authorize\.net' => '_LOG_',
        # 'https?://[\w\-\.]*ipayment\.de' => '_LOG_',
        # 'https?://[\w\-\.]*nochex\.com' => '_LOG_',

        'iRcHaTaN Mail Bomber' => '_SUSPEND_', # spam
        'SendTo - by P7rk' => '_SUSPEND_', # spam
        'phpSimpleEMail' => '_SUSPEND_', # spam
        'Email Broadcasting System' => '_SUSPEND_', # spam
    };
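
    A rule table like the one in post #9 can drive a periodic content scan. The sketch below is an added example, not part of the original post and not XPanel's uploadscript.pl or file_killer.pl: it applies a subset of those patterns to file contents, lets the strongest action win per account, and normalizes HTML entities and whitespace before matching. The function names, the LOG/SUSPEND semantics and the sample content are assumptions.

```python
import html
import re

# (pattern, action) pairs copied from the rule table in post #9; a subset.
# Assumed semantics: LOG = queue for manual review, SUSPEND = disable account.
RULES = [
    (r"AOL Billing Center", "SUSPEND"),
    (r"Sign In to Your FirePay Account", "SUSPEND"),
    (r"phpSimpleEMail", "SUSPEND"),
    (r"https?://[\w\-\.]*wellsfargo\.com/util/signon\.jhtml", "SUSPEND"),
    (r"https?://[\w\-\.]*wellsfargo\.com", "LOG"),
    (r"https?://[\w\-\.]*bankofamerica\.com", "LOG"),
    (r"https?://[\w\/\-\.]*bank[\w\/\-\.]+", "LOG"),
]
COMPILED = [(re.compile(p), a) for p, a in RULES]
SEVERITY = {"CLEAN": 0, "LOG": 1, "SUSPEND": 2}

def normalize(text):
    """Decode HTML entities and collapse whitespace so the phrase rules
    still match text written as 'Sign&nbsp;In' or split across lines."""
    return re.sub(r"\s+", " ", html.unescape(text))

def scan_text(text):
    """Return (verdict, matched_patterns); the strongest action wins."""
    text = normalize(text)
    hits = [(rx.pattern, act) for rx, act in COMPILED if rx.search(text)]
    verdict = max((act for _, act in hits), key=SEVERITY.get, default="CLEAN")
    return verdict, [pat for pat, _ in hits]

def scan_accounts(files):
    """files: {account: {path: content}} -> {account: (verdict, evidence)}
    where evidence lists (path, pattern); clean accounts are omitted."""
    report = {}
    for account, tree in files.items():
        worst, evidence = "CLEAN", []
        for path, content in tree.items():
            verdict, patterns = scan_text(content)
            evidence += [(path, pat) for pat in patterns]
            worst = max(worst, verdict, key=SEVERITY.get)
        if worst != "CLEAN":
            report[account] = (worst, evidence)
    return report

# Constructed sample content, not taken from any real account.
SAMPLE_FILES = {
    "user_a": {"links.html": '<a href="https://www.bankofamerica.com/">my bank</a>'},
    "user_b": {"login.html": "<title>Sign&nbsp;In to Your\nFirePay Account</title>"},
    "user_c": {"index.html": "<h1>Holiday photos</h1>"},
}
```

    On the sample data, a page that merely links to a bank is only logged for review, while the cloned sign-in title triggers a suspend even though it is entity-encoded and split across two lines.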

  10. #10
    You can consider setting up some outgoing email blocking for those common phishing keywords, if the mail server supports it, but this might filter out some of the positive emails.
    Tweakservers : Authorised Reseller of SmarterMail | SmarterStats | SmarterStats | Mailenable

  11. #11
    Join Date
    Aug 2006
    Location
    Canada
    Posts
    763
    I run a free host too and I do indeed receive these emails quite often. I only host 30k accounts, but... unlike XPanel, I use LayeredPanel. Tycho made it so that it would find words from your access_log and flag them; you will then have to review them manually.

    "Make sure no directories have 777 permissions."
    How would that help? That's to prevent people from hacking your server, not upload phishing to your account.

    To prevent users from sending out spam, I disabled mail() completely except for those who can scan in a photo ID of some sort. This policy was working well until I found out that some legitimate users have exploitable scripts to send out emails with viruses.

    So if you haven't done it already, I suggest:

    1) Doing what XPanel said to do, kind of obvious.
    2) Disable mail() completely, so that phishing sites are rendered useless - can't send information to the person that made the site.
    3) Looking through the access_log and grep all paypal files?

    Hope that helped,
    Otto
    Otto Yiu
    Rsync Palace ● Providing offsite backups since 2007.
    Backomatic ● Hassle-free Automated cPanel/WHM, DirectAdmin, FTP, and MySQL backups.
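
    The access_log review suggested in post #11 can be scripted so that only served URLs are flagged and accounts are grouped for manual review. This is an added example, not LayeredPanel's or XPanel's code; it assumes Combined Log Format and user sites under /~account/, and the keyword list is the one named in post #6. The log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined Log Format: client IP, request URL, status. Assumption: user sites
# are served under /~account/...; adapt ACCOUNT to the panel's real layout.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')
ACCOUNT = re.compile(r"^/~([\w.-]+)/(.*)")
BRANDS = re.compile(r"paypal|ebay|bankofamerica", re.IGNORECASE)  # from post #6

def review_queue(lines):
    """Return [(account, distinct_clients, paths)] for served URLs whose path
    contains a brand keyword, most-visited account first."""
    paths, clients = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                      # malformed or truncated line
        ip, url, status = m.groups()
        if status[0] not in "23":
            continue                      # 404/403: nothing was served
        # Drop the query string, then decode %xx so encoded names still match.
        hit = ACCOUNT.match(unquote(url.split("?", 1)[0]))
        if hit and BRANDS.search(hit.group(2)):
            paths[hit.group(1)].add(hit.group(2))
            clients[hit.group(1)].add(ip)
    queue = [(a, len(clients[a]), sorted(paths[a])) for a in paths]
    return sorted(queue, key=lambda row: (-row[1], row[0]))

# Constructed log lines (documentation IP ranges), not from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2008:10:00:00 +0000] "GET /~user1/paypal/login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [01/Jan/2008:10:00:05 +0000] "POST /~user1/paypal/login.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2008:10:01:00 +0000] "GET /~user2/webscr/%50ayPal.html?x=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [01/Jan/2008:10:02:00 +0000] "GET /~user3/ebay.html HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2008:10:03:00 +0000] "GET /~user4/photos/cat.jpg HTTP/1.1" 200 90210 "-" "Mozilla/5.0"',
]
```

    The result is a review queue, not a verdict: a keyword in a path is only a hint, so each flagged account still needs the manual look the post describes.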
