Phishing warning

Hi all,

I recently launched a new site based on Concrete5.4.0 and within a week or so of it being live, the owner received a phishing warning apparently from Google.

I've checked the root directory and can find no evidence of any unusual files. The links that Google supplied in the email don't seem to shed any light.

Anyone have any idea what's going on here? Google mail below.

TIA.



Subject: Phishing notification regarding amazing-it.com

Dear site owner or webmaster of amazing-it.com,

We recently discovered that some pages on your site look like a possible phishing attack, in which users are encouraged to give up sensitive information such as login credentials or banking information. We have removed the suspicious URLs from Google.com search results and have begun showing a warning page to users who visit these URLs in certain browsers that receive anti-phishing data from Google.

Below are one or more example URLs on your site which may be part of a phishing attack:

http://www.amazing-it .com/~l1amedos/picts/gray/feeder_folder/ICICI-personal/BANKAWAY.htm

Here is a link to a sample warning page:
http://www.google.com/interstitial?url=http%3A//www.amazing-it.com/~l1amedos/picts/gray/feeder_folder/ICICI-personal/BANKAWAY.htm

We strongly encourage you to investigate this immediately to protect users who are being directed to a suspected phishing attack being hosted on your web site. Although some sites intentionally host such attacks, in many cases the webmaster is unaware because:

1) the site was compromised
2) the site doesn't monitor for malicious user-contributed content

If your site was compromised, it's important to not only remove the content involved in the phishing attack, but to also identify and fix the vulnerability that enabled such content to be placed on your site. We suggest contacting your hosting provider if you are unsure of how to proceed.

Once you've secured your site, and removed the content involved in the suspected phishing attack, or if you believe we have made an error and this is not actually a phishing attack, you can request that the warning be removed by visiting
http://www.google.com/safebrowsing/report_error/?tpl=emailer
and reporting an "incorrect forgery alert." We will review this request and take the appropriate actions.

Sincerely,
Google Search Quality Team

Gilmore
thephilm replied:

If you have not already, you should set up a Google Webmaster Tools account. Make sure this email actually came from Google and isn't a phishing email itself! The Tools will tell you a little more information as well.

I'd also recommend, if you have ssh access to the site, taking a look at the files through there to make sure nothing is out of the ordinary.

And of course, change all of your passwords, and make sure the computer you are using is free from malware etc. that could log passwords (which would make changing the password useless).
Good luck!
-Phil
Gilmore replied:

Thanks Phil.
tallacman replied:

I've had this happen before, but not with concrete5. It looks like you've been hacked and a new directory created that is loaded with phishing stuff. Try to delete the offending directory via ftp.
AuntieBirdy replied:

For many years I have worked in security, specifically doing phishing investigations and notifying providers of box compromise. I took a quick look around on the box, and I do mean look around. I should not be able to browse around the file structure of the box. I should not be able to pull up other websites. I was able to do both of them. That can be easily fixed through a simple permission adjustment, but that will not fix the problem.

My suggestion is to look at what is installed on your server; there are 319 domains hosted on that box. Quite often webhosts will have a one-click solution, or will have a plethora of apps available (and installed somewhere on the box), and when a vulnerability is found it spreads like wildfire. If the only thing on that server is a single phishing incident I will be extremely surprised; in over 8 years I've never seen a single incident. More than likely there are several backdoors, various kinds of malware, mailers, shells and a number of other things, including more phishing sites.

The majority of the time (unless you have a very good host) the hosts will go in, possibly shut your site off (possibly delete all your files if they are a very bad host), delete the offending files and/or directory(s) and do nothing about the actual problem. Since nothing is done about the problem, you then become a target again. I've seen sites be hacked 10-12 times in a week, and the vulnerability had nothing to do with their site and everything to do with the unpatched apps on the server and the fact that the host didn't check for shells elsewhere. It is unfortunate I didn't see the actual phishing files, because I could have given you (and your host) a list of what I found. If they can compromise the box, they post about it in the underground miscreant forums so others can come and do the same thing (unless they plan to use it as a command and control); that is why crime is so prolific on the internet.

The point is, if you want to have your server secure, you need to make sure the apps are being patched, which means you need to check for vulnerabilities. Bugtraq and Full Disclosure are good places to start. If you find something, let your host know. Obviously if you were on a dedicated box then you can go ahead and apply the patch yourself. Until the other shells and/or backdoors have been removed and the patches are applied, the box is not secure.
I'm not trying to scare you or anything like that; I think you need to know what you are really up against. If your host doesn't want to patch the apps then it is time to find a new host.

If it happens again and you want some help, find the offending directory do not delete it, change the perms to 000 and send me a message and we'll go from there.
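The triage Phil and AuntieBirdy describe (look through the files over ssh, find the planted directory, freeze it with mode 000 rather than deleting it) as an added POSIX shell example; this is not code from the thread, and the web-root path, the media folder names and the evidence-log location are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Triage helpers for a site on a shared
# host: find what changed, find where kits can be dropped, and freeze a planted
# directory for the host to inspect instead of deleting it. Paths are placeholders.

# Files modified in the last N days under a web root. A freshly planted kit
# (a new folder of .htm pages) shows up here even when nothing else changed.
recent_files() {            # recent_files <webroot> <days>
    find "$1" -type f -mtime "-$2" 2>/dev/null | sort
}

# Directories any account on the box can write into: the usual drop points.
world_writable_dirs() {     # world_writable_dirs <webroot>
    find "$1" -type d -perm -0002 2>/dev/null | sort
}

# HTML/PHP sitting below an image or upload folder is a red flag: those folders
# should hold media, not login pages. Folder names are assumed, adjust to the site.
pages_in_media_dirs() {     # pages_in_media_dirs <webroot>
    find "$1" -type f \
        \( -path '*/picts/*' -o -path '*/images/*' -o -path '*/uploads/*' \) \
        \( -iname '*.htm' -o -iname '*.html' -o -iname '*.php' \) 2>/dev/null | sort
}

# Freeze a suspicious directory: record every file's checksum and size first,
# then drop all permissions (mode 000, contents before the directory itself so
# the walk cannot lock itself out). Nothing is deleted, so the host can inspect it.
quarantine_dir() {          # quarantine_dir <dir> <evidence-log>
    [ -d "$1" ] || return 1
    { date; find "$1" -type f -exec cksum {} \; ; } >> "$2"
    find "$1" -depth -exec chmod 000 {} \;
}

# Mode string of a path (e.g. "d---------"): portable check of quarantine state.
mode_of() { ls -ld "$1" | cut -c1-10; }
```

Run the three listing functions against the web root first and compare the output with what the site is supposed to contain; only a directory you are sure is foreign goes through quarantine_dir.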