Solved

Phishing problem

Posted on 2006-07-03
24
1,111 Views
Last Modified: 2010-04-11
Hi guys,

My server has constantly been used for phishing against eBay and PayPal. I am using Fedora Core 4. How did they do it and what can I do to prevent it?

Thanks
Question by:pajiao

24 Comments
LVL 1

Expert Comment

by:duckax
There are many ways this could have happened and I just do not have enough details to go into specifics.

The best way to secure your server would be to hire experts to do it. PlatinumServerManagement can manage your server for $29 a month. You can hire them for one month just for the server hardening part

http://www.platinumservermanagement.com/

You can also use the free Nessus Vulnerability Scanner to do a scan of your system and find security holes.

http://www.tenablesecurity.com/products/nessus.shtml

I hope this helps you.
LVL 30

Expert Comment

by:ded9
Check out this awesome software and article

TraceAssure Toolbar

http://www.windowsitpro.com/mobile/pda/Article.cfm?ArticleID=50019&News=1

Reps
LVL 51

Expert Comment

by:ahoffmann
> .. has constantly being used as phishing for ebay ..
could you please explain how they did that, and how you identified that it is your server
LVL 32

Assisted Solution

by:jhance
jhance earned 50 total points
First of all, take your server OFFLINE immediately!  If it's compromised you don't want to leave it exposed to the public internet.  If you have legitimate customers using it you are doing them a disservice by continuing to use it while you know it's been compromised.

Secondly, you need to determine HOW the compromise is happening and FIX IT!  Of course at this point I would strongly recommend that you wipe this system and re-install a fresh copy of the OS and secure it before putting it back online.  But find out WHY first, so that you don't end up in the same place.

If you don't know how to diagnose this situation by examining the log files, the system startup files, etc. get some help.  Running a secure public internet server takes a fair degree of knowledge.  While it's certainly possible to secure a Fedora-based server, just installing and putting it online is probably not adequate.

Author Comment

by:pajiao
I have been informed that my server has been used for phishing and saw the .cgi-bin folders commonly used. I do not know how it took place, likely through some web forms as I suspected, as I did receive some emails spawned by my web forms without any user input.

What logs do I start with? What are the things that I should be looking for?
LVL 51

Expert Comment

by:ahoffmann
> What logs do i start with?
your application logs, if any
You need to disable *all* and *every* application dealing with input data from the browser (other than the path in the URL itself) until you have identified the malicious application.
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 100 total points
Make sure that your server is also the one in question... if you don't see anything out of the ordinary, can't find the html/php code that doesn't belong on your server, then perhaps you're misinformed and not compromised.
Professional help is good, but most savvy users can remedy this themselves. You'll want to start fresh, make backups of only what you need, reformat and install the OS from scratch. Enable the IPTables firewall during setup, as well as SELinux security. Read the Apache manual for best practices and security settings; the httpd.conf file is well commented and gives you some good settings to enable there.  vi /etc/httpd/conf/httpd.conf
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.2/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
# for a discussion of each configuration directive.
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.

There are lots of well documented settings in the httpd.conf file to use. You should also keep up with patches, like PHP, PHPbb etc... even Wikis have patches and updates that need to be applied very quickly. FC4 also gives you the ability to use "yum" to help keep your system up2date
yum -y update
That will gather all rpm updates that are available from redhat, and automatically download and apply them (the "-y" means answer yes)
http://httpd.apache.org/docs/1.3/misc/security_tips.html
http://apache.slashdot.org/apache/04/08/26/1352207.shtml?tid=192&tid=6&tid=2

You can also employ an IDS system like Snort to help you detect scan's and attempts on your server.
-rich
LVL 12

Expert Comment

by:GinEric
When PayPal is informed by responsible users and admins that some box on some network is sending phishing scams, PayPal investigates.  If the ISP does nothing, PayPal blocks the ISP until they do something about it.  The next step is for the giant PayPal to file suit to stop the ISP because the ISP has showed negligence and is participatory in the phishing scam.  This brings in the U.S. Treasury Department and the Secret Service.  If the ISP doesn't attend to it at this point, the next step is federal court and the subpoena of the ISP's records.

This mostly happens because most outfits now think that software is enough, that is, until they're called into court and finally recognise that software solutions are not enough and they need to hire some human beings to actually track down the culprits and bring them to justice.

You can get infected by merely clicking on a website.  The problem was large at Google about a year ago because Google was not checking the validity of their search engine's results.  Links would often say one thing and point to some phishing mastermind's box.  Thus, both Yahoo and Google wound up in court with a request for all of their records and the feds got them, even if only in limited amounts.

Your best defense is to find out why PayPal named you as the source for phishing scams.  And that's intensive.  Looking for files in temp folders, with any execute permissions, .pl .php or otherwise, looking for a.bat, or vudo.c files, checking to see what IRC SpyKidz are all about, and the seemingly innocent links of search engines.  When you find the guilty files, you must then document it and keep it as evidence.

It would also help if you tracked down these events by using the extensive log files of Linux, Apache, and especially coordinating times and occurrences by using the log options of Bind.  Every access and query to your machine can be logged by Bind and it will reveal patterns of who is hammering away at your machine.

A few months ago php and forum software were compromised and quite a few sites were forced to shut down because no one was monitoring them using that old reliable, the human being.

Those who were using human beings to monitor caught the guys and were not infected or shut down.

Sometimes software is not the answer, and sometimes you just have to do it by hand.

Author Comment

by:pajiao
Sigh... I updated all the packages and still I got the phishing. I checked Apache logs, nothing suspicious; I checked secure logs, found loads of failed ssh root attempts... How can I prevent all these attempted root logins?

What other logs can I check and what should I look out for?

How do all these phishing guys hack into Linux? Through what kind of vulnerabilities?
LVL 38

Expert Comment

by:Rich Rumble
Could be a rootkit now... did you format, and then reinstall the OS? You may consider paying a hosting service or finding one for free on the net until you can get your server and or source code inspected. *nix can be hacked/root'd just like win32.
-rich
LVL 12

Accepted Solution

by:
GinEric earned 300 total points
How they can get in:  usually Apache 1.3

But don't discount any versions of MySQL, PHP, even javascript, even cookies!  I get a big laugh out of having said that javascript was an infection waiting to happen years ago.  It came to pass within only a few years.

You can visit a site and get infected these days, if your permissions are not locked down correctly.  I've had attempts by numerous sites to do just that.  These fishing guys hack into all systems because places like New York City are handing out lame 4 year sentences for a guy, a kid, who is stealing hundreds of thousands of dollars from hard working people, that's how they hack into systems, because in New York City 4 years jail time, probably serving only one, is worth it to them if they can steal a million dollars to have when they get out.

And the advertisers help them because they want email addresses, even if they get them by some sleazy connection in some sleazy nightclub in Manhattan.

The ssh root attempts sound like you're still running Apache 1.3, or, someone knows your box is weak.  Mostly these are still username harvesting, but some may be hacker groups; you should publish the logs, that's the first step in getting them caught.

Normally you configure ssh and other programs to cut off login attempts after maybe three tries.  Apache 2.0 can limit the scripts attempts and the hammering, the sheer brute force of an attempted Denial of Service attack.  SSH should be configurable as well for logging and limiting repeated attempts.  I know they're aware of it because I've talked to the developers about this very problem within the last year.

The best log is the Bind log.  I have samples of the Options that go into the named.conf file here: http://www.Musics.com/manhtml/DNS/010.options.named.conf.zoneo

These are included in the named.conf file like this: http://www.Musics.com/manhtml/DNS/011.named.ext.conf.zonec

If you coordinate these logs with the secure logs, the apache logs, and whatever else logs, you can identify "exactly" what IP they came from; they can't spoof the DNS Bind and Named server.  That is hard evidence and it has caught more than one of the SpyKidz.  Those SpyKidz, by the way, are usually headed by an old spy in the 30 to 50 year old range.

These are real criminals wanted by countries around the world; they are not just some high school kid, although most stupid high school kids get caught up in it and take the fall for it, stupid as they are thinking they can outthink the engineers who built the system they're just learning.

With iptraf command, you can watch them as they attempt it, while tracing them out, and often reverse the process and log directly into their system.  A sure indication that someone is trying to hack in is continuous blinking of your connection lights for prolonged periods.  Usually the attacks are timed to last one hour.  The first hit will occur, generally, about 20 minutes before the onslaught attack occurs.  They have a pattern, and they leave a big trail back to themselves.  This they cannot avoid; it's how the Internet works.  Even if they infect some box and script from there, they are still traceable back to their source IP because they will have either DNS queried you about 20 minutes prior, or, the box they're remoting is entirely infected.  By contacting the owner of that box, usually by finding out if they have a website and you can get to it, asking them if they have any funny directories all of a sudden on their server, like /0/ and such, you inform them also that they are infected and bring in an ally in tracking down the culprit.

It's a concerted effort type of thing.  Most people who run a website have no idea when they've been hacked until it's too late because they are not monitoring their boxes.  And if it's a webhost, probably no one is monitoring it.  Most takeovers occur when a website first comes up and some admin just turns it on for the person getting the webhosted site.

These guys that hack in do a lot of thinking and because all the security guys either ignore things once they have a database and software to ignore such things don't do anything after the fact, and, because they depend entirely too much on software to do their job for them.

Fortunately, some people don't depend on machines and software, but, uh, they work for the top government agencies in the world and their job is to catch hackers, not to ignore them.
LVL 51

Expert Comment

by:ahoffmann
> How can i prevent all these attempted root logins?
you cannot (except disabling ssh)

> Thru what kinda vulnerabilities?
as I already said: most likely using a vulnerability in one of your web applications
Did you check all your applications?

Author Comment

by:pajiao
>as I already said: most likely using a vulnerability in one of your web applications
Did you check all your applications?

I didn't know what to check for in my applications, seriously. Anyway, I am using Apache 2.
LVL 51

Expert Comment

by:ahoffmann
Apache is the web server, applications are your script run by apache. perl, php whatever ...
You need to check all those scripts which accept and process input from the client.

Author Comment

by:pajiao
Yes, I know the scripts and know the places where input from clients is handled, but what is there to check for in those? How can they be a risk and how are these web forms exploited by phishers?
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 50 total points
> How can they be of risk and how are these web forms exploited by phishers?
in different ways, you still did not explain what exactly you mean by "constantly being used as phishing for ebay and paypal". Please give an example (URL, web page, whatever).
You also said "likely through some web forms as i suspected as i did receive some emails spawn by my web forms without any user inputs". You should see the requests for these forms in your web server logs. Hopefully your CGI performing these forms log some data too. Check it.
If you feel that these forms are guilty, disable the corresponding scripts. Then check how they process input data.
Do they check for malicious characters? Do they pass input to a sub system (shell, other script, database)?
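The log check ahoffmann describes above, as an added example that is not part of this thread and not any poster's code: a POSIX shell script that scans Apache combined-format access log lines for requests to form-handling scripts, counts hits per script, and flags requests whose query string carries encoded line breaks, mail header keywords, or shell metacharacters, the kind of input a mail- or shell-backed form must reject. The log lines are constructed samples; the script names (contact.pl, form.php) and the IP addresses are assumptions. One caveat a practitioner needs: Apache's default access log records only the request line, so POST bodies never appear in it; for POST forms the CGI's own log is the only place the submitted fields show up, which is why the post says to check it too.

```shell
#!/bin/sh
# Added example: triage of Apache access logs for abused form scripts.
# SAMPLE_LOG is constructed sample data, not real traffic.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [03/Jul/2006:10:01:12 +0800] "POST /cgi-bin/contact.pl HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [03/Jul/2006:10:01:13 +0800] "GET /cgi-bin/contact.pl?email=a%40b.com%0ABcc%3Avictim%40example.net HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [03/Jul/2006:10:02:40 +0800] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Jul/2006:10:03:01 +0800] "GET /form.php?name=bob%3Bid HTTP/1.1" 500 0 "-" "libwww-perl/5.8"
EOF
)

# Count requests per form-handling script (.pl/.php/.cgi), query string stripped.
# Reads log lines on stdin; prints "<count> <script>", busiest script first.
# In the combined format $7 is the request path, $1 the client IP.
form_request_counts() {
    awk '$7 ~ /\.(pl|php|cgi)(\?|$)/ { split($7, p, "?"); c[p[1]]++ }
         END { for (s in c) print c[s], s }' | sort -rn
}

# Flag requests to scripts whose query string carries input that an unchecked
# form handler would pass straight into a mail header or a shell.
# Reads stdin; prints "<ip> <request> <reason>" per hit.
flag_form_requests() {
    awk '
    $7 ~ /\.(pl|php|cgi)(\?|$)/ {
        r = tolower($7); reason = ""
        if (r ~ /%0a|%0d/)
            reason = "encoded CR/LF: mail header injection attempt"
        else if (r ~ /(bcc|cc|content-type)(%3a|:)/)
            reason = "mail header keyword in form input"
        else if (r ~ /%3b|%7c|%60|%24%28/)
            reason = "shell metacharacter in form input"
        if (reason != "") print $1, $7, reason
    }'
}

# Helpers that run the checks over the constructed sample.
sample_form_counts() { printf '%s\n' "$SAMPLE_LOG" | form_request_counts; }
sample_flags()       { printf '%s\n' "$SAMPLE_LOG" | flag_form_requests; }

# Stand-alone usage on a real host (paths assumed for a Fedora Apache install):
#   form_request_counts < /var/log/httpd/access_log
#   flag_form_requests  < /var/log/httpd/access_log
sample_form_counts
sample_flags
```

The first function answers "which forms are being hit at all", the second narrows that to requests carrying characters the form handler should have refused. A flagged line is only a lead: the next step is the one ahoffmann names, reading the script to see whether it filters those characters before handing input to sendmail, a shell, or a database.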
LVL 12

Expert Comment

by:GinEric
Apache 2 should block those login attempts, in fact, I believe this was solved in Apache 1.3.31 or something like that, definitely after any Apache 2.  There was a long string of attempts before Apache was upgraded past the old stable Apache 1.3 version.

The hacker gang then switched to attacking php.  Which they did quite effectively this year, shutting down numerous boards running phpBB2.  And yes, it is through the forms that they break in.  There's a patch for that though, I believe.  I think it was something like guitarworld or one of them that got shut down, along with quite a few others, a few months back.  The snupigood guy was also involved in, or at least his site was fully infected with, redirected google and yahoo links to porn sites and pedophile sites; you may recall herr deputy director homeland security getting caught?  That was the ring.  And myspace was in the center of it.  Surely you've heard about that exploit?

The phishing scam is sophisticated enough to zombie your box; that's where it starts probing other sites using your server as the authority, this starts with some probes, but winds up sending emails and other stuff that the zombie controller logs into your zombied box with.  He can also cover his tracks, but he cannot cover the Bind and DNS logs tracks and certain secure logs, etc..

Go get rkhunter and run it.  http://www.rootkit.nl/projects/rootkit_hunter.html

I believe that's the correct link.

I believe what I did to stop such attempts was to change the permissions to no execute in the temp folders, all of them.  Like I said, KDE was vulnerable and as far as I know still is.  Which means, one visit to the wrong page and you're hit.  At snupigood, we allowed the dumb site to try its infection and watched and gathered all the files it installed.  One site even installed the source code and tried to compile it!  It was that sophisticated.  It then had a section to recompile the kernel itself.  Which would have meant that our box would have belonged to the Night of the Walking Dead as it ate us alive.  Fortunately, we were ahead of the game and kept all the files for evidence.

Interesting bunch of files; hackers are stupid enough and publicity oriented enough to start signing their software.  They were proud of this high level programming, until I guess Interpol and the FBI caught them.  The Secret Service has to be involved here too because phishing comes under their jurisdiction.

You just have to tediously check everything and start a watch, an around the clock monitor of who is attacking your system.  Try to figure out who they are, where they are at, and do what every good agent does, investigate the hell out of them.

Your box should not allow remote root login, there's a setting for that.  Then, it should be set to log and stop any attempted logins over three occurring within some time frame, say 5 within 5 seconds or 5 within a minute.  If you look at your logs and it shows an attempt every second, or more than one per second, figure it out, no one can type or click and point that fast, it's a script.

Good Luck again!
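The two controls named in the post above (no remote root login, cut off repeated attempts) together with the author's earlier question about the flood of failed root logins in the secure log, as an added example that is not code from this thread or from any poster: a POSIX shell script working over constructed /var/log/secure-style lines and constructed sshd_config fragments. It tallies failed root logins per source IP, measures the peak attempts within one second (more than one per second is a script, as the post says), and audits PermitRootLogin and MaxAuthTries. The hostname and IP addresses are assumptions. Caveat: MaxAuthTries caps tries within a single connection; a per-source-IP limit across connections needs a firewall rule or a log-watching tool, which this script does not set up.

```shell
#!/bin/sh
# Added example: summarise ssh brute-force noise and audit sshd_config.
# SECURE_LOG is a constructed sample in /var/log/secure format, not a real log.
SECURE_LOG=$(cat <<'EOF'
Jul  3 02:14:05 www sshd[2101]: Failed password for root from 203.0.113.77 port 4321 ssh2
Jul  3 02:14:05 www sshd[2103]: Failed password for root from 203.0.113.77 port 4322 ssh2
Jul  3 02:14:05 www sshd[2105]: Failed password for root from 203.0.113.77 port 4323 ssh2
Jul  3 02:14:06 www sshd[2107]: Failed password for root from 203.0.113.77 port 4324 ssh2
Jul  3 02:20:31 www sshd[2150]: Failed password for illegal user admin from 198.51.100.4 port 1188 ssh2
Jul  3 02:20:33 www sshd[2152]: Failed password for root from 198.51.100.4 port 1190 ssh2
Jul  3 03:02:10 www sshd[2301]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2
EOF
)

# Failed root password attempts per source IP, most active first. Reads stdin.
failed_root_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for root from / {
             for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++
         }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Peak number of failed root attempts seen within a single second
# ($1 $2 $3 = month, day, hh:mm:ss). Nobody types a password twice a second.
max_root_attempts_per_second() {
    awk '/Failed password for root from / { c[$1 " " $2 " " $3]++ }
         END { m = 0; for (k in c) if (c[k] > m) m = c[k]; print m }'
}

# Audit an sshd_config read from stdin: root login must be off and the
# per-connection retry budget small. Commented-out directives do not count.
audit_sshd_config() {
    awk 'BEGIN { root = "unset"; tries = "unset" }
         /^[ \t]*PermitRootLogin[ \t]/ { root = tolower($2) }
         /^[ \t]*MaxAuthTries[ \t]/    { tries = $2 }
         END {
             print "PermitRootLogin", (root == "no" ? "OK" : "WEAK (" root ")")
             print "MaxAuthTries", ((tries != "unset" && tries + 0 <= 3) ? "OK" : "WEAK (" tries ")")
         }'
}

# Constructed config fragments: the weak default and a hardened version.
SSHD_WEAK='#PermitRootLogin yes
Protocol 2
PermitRootLogin yes'
SSHD_HARD='Protocol 2
PermitRootLogin no
MaxAuthTries 3'

sample_root_by_ip() { printf '%s\n' "$SECURE_LOG" | failed_root_by_ip; }
sample_peak_rate()  { printf '%s\n' "$SECURE_LOG" | max_root_attempts_per_second; }
audit_weak()        { printf '%s\n' "$SSHD_WEAK" | audit_sshd_config; }
audit_hard()        { printf '%s\n' "$SSHD_HARD" | audit_sshd_config; }

# Stand-alone usage on a real host:
#   failed_root_by_ip < /var/log/secure
#   audit_sshd_config < /etc/ssh/sshd_config
sample_root_by_ip; sample_peak_rate; audit_weak; audit_hard
```

Setting PermitRootLogin to no answers the author's question directly: the attempts keep arriving, but none of them can ever succeed as root, and the per-IP tally gives the list of sources to block at the firewall.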

Author Comment

by:pajiao
The attempted root login is definitely a script.

How I know phishing was done is that they had .update, .ebay or .confirm folders in my home www directory, and within them were all those php files that fish for user details. I have already disabled all my php scripts that do form submission, but they are still around.

GinEric, what you did sounds deep and I confess I didn't know how to do that!
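The directory check behind the observation in the post above, as an added example that is not code from this thread or from any poster: a POSIX shell script that walks a document root and reports hidden (dot) directories, script files inside them, world-writable directories that a compromised web application could drop files into, and recently modified files. It builds a small constructed tree in a temporary directory, reusing the .ebay name from the post; the /var/www/html layout and the file names are assumptions. On a real host, call the functions with the actual document root.

```shell
#!/bin/sh
# Added example: filesystem triage of a web document root for planted
# phishing kits. The tree built by make_demo_docroot is constructed sample data.

# Hidden directories (names starting with a dot) anywhere under $1.
find_hidden_dirs() {
    find "$1" -type d -name '.*' -print | sort
}

# Script files (.php/.pl/.cgi) that live inside a hidden directory under $1.
find_scripts_in_hidden_dirs() {
    find "$1" -path '*/.*' -type f \( -name '*.php' -o -name '*.pl' -o -name '*.cgi' \) -print | sort
}

# World-writable directories under $1: any local process, including a
# compromised web app running as the apache user, can write there.
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 -print | sort
}

# Files under $1 modified within the last $2 days.
find_recently_modified() {
    find "$1" -type f -mtime "-$2" -print | sort
}

# Build a constructed document root that mimics the situation in the thread:
# a legitimate site plus a planted .ebay directory holding script files.
# Prints the document root path; the caller removes it with cleanup_demo_docroot.
make_demo_docroot() {
    base=$(mktemp -d) || exit 1
    root="$base/var/www/html"
    mkdir -p "$root/images" "$root/.ebay/cgi-bin"
    chmod -R 0755 "$base"                 # fixed modes so umask does not matter
    printf '<html>home</html>\n' > "$root/index.html"
    printf '<?php /* constructed placeholder, not a real kit */ ?>\n' > "$root/.ebay/login.php"
    printf '#!/usr/bin/perl\n' > "$root/.ebay/cgi-bin/post.pl"
    chmod 0777 "$root/images"             # the kind of upload dir that gets abused
    touch -t 200601010000 "$root/index.html"   # old, legitimate content
    printf '%s\n' "$root"
}

# Remove the temporary tree created by make_demo_docroot ($1 = its docroot).
cleanup_demo_docroot() {
    rm -rf "${1%/var/www/html}"
}

# Run all four checks over the constructed tree and print counts.
demo_summary() {
    root=$(make_demo_docroot)
    printf 'hidden dirs: %s\n'             "$(find_hidden_dirs "$root" | wc -l | tr -d ' ')"
    printf 'scripts in hidden dirs: %s\n'  "$(find_scripts_in_hidden_dirs "$root" | wc -l | tr -d ' ')"
    printf 'world-writable dirs: %s\n'     "$(find_world_writable_dirs "$root" | wc -l | tr -d ' ')"
    printf 'modified in last 7 days: %s\n' "$(find_recently_modified "$root" 7 | wc -l | tr -d ' ')"
    cleanup_demo_docroot "$root"
}

# Stand-alone usage on a real host (document root path assumed):
#   find_hidden_dirs /var/www/html; find_recently_modified /var/www/html 7
demo_summary
```

The recently-modified listing is the one to run first after cleaning up: if the same files keep reappearing, the entry point is still open and the reinstall and form audit discussed earlier in the thread are still needed.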
LVL 12

Expert Comment

by:GinEric
Did somebody click on one of those phishing scam emails?  That is how they zombie your site, by storing their scripts in folders that shouldn't even be on your server.

The law is this: if someone accesses my site, they have given me full permission to access any information they put on my site, particularly if they start altering the operation of my site.  And if that information leads back to their site and a surreptitious activity there of programming and scripts that automatically invade my site for the purposes of infringing my copyrights, then I have the absolute legal authority to gather evidence, even if I have to then access their site and inspect, or copy, files, which they are using to harvest my copyrighted materials and original creations.

So, if someone breaks in and this results in a detriment to my site, I have the right to go right back and get the proof from their site that they did this.

In any case, I'm not going to roll over and pee for any hacker, I'm going to strike back with legal force and prosecute. bad dog that I am, or, rather, cougar or black panther that I am.

An act of aggression is a strike which demands a counterstrike.

These phishers are real criminals.  I personally feel that too many software security outfits have chosen to ignore them for too long using software patches to do so.  The guys in the New York Times, last week, who got only four years did not get enough time for the crime of identity theft, which is grand larceny, stealing from hard working people; New York should have given one unrepentant guy whose excuse is "I can't help it," 20 years, not 4.  He's been in jail before for this, they know him, and yet New York City will probably let him out to do the same thing again in about a year.  It's ridiculous.  As ridiculous as giving an armed robber of a bank one year; it's not going to deter any criminal from going right back out and doing it again.  They figure, one year is worth a million dollars.  20 won't be.

The old Linux server is sitting behind me.  When I fire it back up for copying of files on it, I'll recopy the entire set of evidence that shows just how one of them breaks into and installs even source code and then compiles it on an unsuspecting server.  I won't release any of this code because it is too sensitive.  But I will name the files and explain how anyone can get remoted and zombied by the mere click on a malicious web site.

In the end, you have to have a human being monitoring the network and computer systems; there is no other way.
LVL 12

Expert Comment

by:GinEric
P.S.:  You can send an email to spoof@eBay.com or spoof@PayPal.com and I believe they will respond.  Perhaps even go to PayPal and find the security guys there and tell them your story.  This may help you to get off all phishing lists and straighten things out for you.
LVL 12

Expert Comment

by:GinEric
LVL 51

Expert Comment

by:ahoffmann
> The law is this:
somewhere, and in other places it's another law.

> So, if someone breaks in and this results in a detriment to my site, I have the right to go right back and get the proof from their site that they did this.
NO

> These phishers are real criminals.
agreed, but those web site owners running their website with tons of vulnerable scripts which allow frauds to users are criminals too. That's at least legal law in some european countries, and that's not that bad 'cause this way you get someone to be responsible for your damage (as user ;-)

GinEric, no offence meant, but you have to look on other countries practice, sometimes, somehow :-)
LVL 12

Expert Comment

by:GinEric
Sounds like New York City, and just the kind of thinking that protects muggers on the subway, to me.

However, Copyright Law is a Federal Law, National Security applies since phishing is under the jurisdiction of the Secret Service, and Copyright Law is under the Jurisdiction of the Federal Bureau of Investigation, the combination clearly supports protection of property, a Constitutional Right, and self defence, a human right.

No offense taken, but I'm not under any other country's laws than the United States of America, therefore, I don't care much about other world laws, since they've been pretty much self-serving for the elite few for what, 7,000 years now(?)

The irony is this: most of the phishing and other hacking gangs are led by at least one international spy retiree, nearly all from these "other countries," and a lot of these countries protect them, even encourage them, as long as they report back on their progress at breaking into American computers.  Why?  Money.  It's always money that drives the protection of criminal activity.  And it doesn't matter whose defense department it's at, even our own, breaking and entering is still burglary, and Internet cat burglars should not be protected by such foreign laws and agreements.

Let the foreign dignitaries argue with our representatives; no American is going to support subjugation to foreign law on American soil, and rightfully so.

The so-called free world should stop and consider that until we arrived, human beings had no inalienable rights.  Yes, the idea originated at Edinburgh, but we put it into law.  I know of nothing more distasteful to foreign governments than American law and especially our Bill of Rights, and that cantankerous definition that makes We The People the government.   This might give their people the idea that they are somehow free too, and that alone would topple any self-serving government and the criminals that run them.

I've looked on all other countries' practices, for all of their histories, and at best I'm disappointed with every one of them.  The worst I've been accused of is telling the truth and that pretty much day in and day out because they tend to mislead my friends at home about their rights here in favor of those ideas that have spewed from the old world's self serving tyrants for all of those 7,000 years.

They can speak and I can disagree, the first right nearly all other country's government detest, the right of every American to say whatever they want, which may, in some cases, expose the old thinkology that makes their imposition of censorship succeed.  In the end you have to decide for yourself: freedom of thought or mind police.

And when it comes to a foreign national breaking into any American computer, every American has the God given right to fight back without reservation against what amounts to an attack on the U.S.  Here, at least, we hold that an attack against one of us is an attack against all of us.

I think with the Pentagon, Treasury, and Justice behind me, and every American, the only sure National Security is one that recognises each individual has the duty [not just the responsibility] to defend this soil and this people, even if it means the best defense is a good offense.  Simply because even the common thief will flee when his or her victim turns and fights.

The idea is too fundamental to be subjugated to law, which is what makes it inalienable, and phishers from overseas invading Americans' computers and gathering data, especially personal and banking data about any American, is a threat to our National Security, therefore, it comes under the National Security laws which are designed to protect only one thing, Americans against foreign invasion.  And since these attacks can be devastating to individuals, and we hold individuals to be of more value than collectives and committees, such an attack on the one is still an attack on all of us.

I don't want to engage the scapegoated websites who were unwittingly used, the battle goes directly to the attacker, I want the hacker and phisher who started the debacle.  I pretty much know that innocent websites can and are used by hackers and phishers as their scapegoat, even if their governments try to protect them; let their officials argue it with our officials, but our officials must stand behind us, not them, in all cases.

Perhaps the worst case scenario is that these foreign governments are aiding and abetting the collection of data on Americans, building databases so that they can use them as a weapon against America.  It's not so far fetched as it seems.  Treasury certainly recognises it, and the Pentagon recognised it long ago when they commissioned the invention of the Internet for the sole purpose of American National Security because they knew the best defenders were the people themselves, each and every American, that does have the right to defend against such invasions.

The strategy of economic attack has always been the purview of illegitimate governments and institutions.  And economic attack at the personal level is where it all starts.  Which makes the counterattack a necessity, the duty, of every American.

Notwithstanding the whinings of foreign governments, our stance, in general, is "live with it!"
LVL 51

Expert Comment

by:ahoffmann
> ..  I'm not under any other country's laws than the United States of America, ..
well, that's just one out of roughly 190 others, and still a minority (except in business;-)
so there may be roughly 189 which ignore this one ...