  1. #1
    Join Date
    Sep 2007
    Posts
    195

    PHISHING in my server

    Hello Guys,

    I received an alert that one website hosted on my server
    is practicing phishing, and I see the problem myself. So I suspended the site and contacted the client who owns this site.

    The customer said he was not the author of the phishing. So I had a look in /var/log/messages and I could not find any FTP login of my client that could have sent the phishing files to the server. I only found this log message:

    ===
    Sep 26 06:26:24 server01 suhosin[29591]: ALERT - Include filename ('http://sky-trading.com/board/data/news/id.txt??') is an URL that is not allowed (attacker '220.125.237.35', file '/home/levarte/public_html/components/com_moofaq/includes/file_includer.php', line 11)
    ===

    The phishing website is in this directory: "/home/levarte/public_html/components/com_moofaq/" and I have some log messages like the one above.

    My doubt is: How did the attacker put the files on the server if there was not any FTP login??? Can this be done through a JOOMLA vulnerability??? What must I do to avoid these problems???

    Regards

  2. #2
    Join Date
    Dec 2006
    Location
    Tampa, Florida
    Posts
    387
    This might be a good post to put on the Joomla forums as well. I am not sure what version of Joomla you are running, but the older versions could have been exploited. You may also want to check the com_moofaq component, to see if that is where the vulnerability is located.
    - Donovan K


  3. #3
    Join Date
    Jul 2009
    Posts
    178
    Make sure you give 755 permissions to directories and 644 to files.

    Keep passwords secure using alphanumeric characters.

    This can stop phishing attempts.

    Phishing is normally done via a compromised network.

  4. #4
    Along with securing the permissions of your files and folders, also get a csf/apf firewall installed on your server.

  5. #5
    Join Date
    Oct 2009
    Location
    UK - London
    Posts
    73
    This is most likely to have been done through an exploit somewhere on the website. Make sure the Joomla version installed is the latest version of Joomla, and as has also been said, make sure you CHMOD directories under the hosting account to 755 and files to 644. The entire web hosting account should be searched for shells/uploader scripts/bots.

    From knowledge of website virus scanners, if a URL ends in "id.txt??" it often contains coding for some sort of shell/uploader script/bot. It uses this name to try and not be picked up by scanners/searches just by filename.

    Make sure the components directory has 755 permissions, and remove the directory inside it (com_moofaq) and all sub-directories and files. Monitor carefully in case it comes back and check logs if it does.
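
Added example, not part of any post in this thread: the suhosin alert quoted in post #1 names the PHP file and line that tried to include a remote URL, which is what points at com_moofaq as the entry point. This Python script parses such alerts from /var/log/messages and groups them by script so the targeted include point stands out. The function names are hypothetical, the log format is assumed from the single alert in post #1, and only the first sample line comes from the thread; the other two are constructed.

```python
import re
from collections import defaultdict

# Suhosin remote-include alert as written to syslog (/var/log/messages).
# Pattern is assumed from the one alert quoted in post #1.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssuhosin\[\d+\]:\sALERT - "
    r"Include filename \('(?P<url>[^']*)'\) is an URL that is not allowed "
    r"\(attacker '(?P<ip>[^']+)', file '(?P<file>[^']+)', line (?P<line>\d+)\)"
)

def parse_alert(line):
    """Return the fields of a suhosin URL-include alert, or None for other lines."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["line"] = int(rec["line"])
    return rec

def summarize(lines):
    """Group alerts by the (PHP file, line) that attempted the remote include."""
    targets = defaultdict(lambda: {"count": 0, "attackers": set(), "urls": set()})
    for raw in lines:
        rec = parse_alert(raw)
        if rec is None:
            continue  # unrelated syslog entry
        entry = targets[(rec["file"], rec["line"])]
        entry["count"] += 1
        entry["attackers"].add(rec["ip"])
        entry["urls"].add(rec["url"])
    return dict(targets)

# Line 1 is the alert from post #1; lines 2 and 3 are constructed samples.
SAMPLE_LOG = [
    "Sep 26 06:26:24 server01 suhosin[29591]: ALERT - Include filename ('http://sky-trading.com/board/data/news/id.txt??') is an URL that is not allowed (attacker '220.125.237.35', file '/home/levarte/public_html/components/com_moofaq/includes/file_includer.php', line 11)",
    "Sep 26 06:31:02 server01 suhosin[29604]: ALERT - Include filename ('http://example.invalid/x.txt?') is an URL that is not allowed (attacker '192.0.2.10', file '/home/levarte/public_html/components/com_moofaq/includes/file_includer.php', line 11)",
    "Sep 26 06:40:00 server01 sshd[1200]: Accepted password for root from 192.0.2.20 port 2222 ssh2",
]

if __name__ == "__main__":
    for (path, lineno), info in summarize(SAMPLE_LOG).items():
        print(f"{path}:{lineno} attempts={info['count']} "
              f"attackers={sorted(info['attackers'])}")
```

Each alert of this kind is an include that suhosin refused, so the summary shows which script is being probed; it does not by itself show how files already on the account were written.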

  6. #6
    Join Date
    Jun 2008
    Location
    India
    Posts
    129
    Yes, secure your server with a firewall first, then you should check for permissions:


    find /home/user/public_html -type d -perm 777
    find /home/user/public_html -type d -perm 755

    In case you are finding more phishing activity on the server, then you should do a security audit of it,

    including clamscan, rkhunter, and resetting all cPanel passwords to new ones.

  7. #7
    Join Date
    Feb 2005
    Location
    Australia
    Posts
    5,842
    Originally posted by Formas:
    "Can this be done through a JOOMLA vulnerability???"
    Much more likely a vulnerability in that specific Joomla component, particularly when you see the results of a quick Google search. Components are contributed modules - often not written to the same quality or subject to the same scrutiny as the main Joomla program. I'd start by removing / disabling that particular component. A clean re-install of Joomla and all other components (the latest versions) might also be a good move.
    Chris

    "Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter

  8. #8
    Join Date
    Feb 2007
    Location
    Florida
    Posts
    1,930
    Don't focus on the software aspect of this compromise, focus on what YOU can control, which in this case is your server. Secure your server from vulnerable scripts, don't expect 3rd party script developers to keep your server secure. From the sounds of your first post you need to hire somebody to help you out since you're under the impression that users can only upload files via FTP.
    -Joe @ Secure Dragon LLC.