  1. #1
    Regular Coder
    Join Date
    Dec 2008
    Location
    Always Roaming Around Burbank Illnois or TO
    Posts
    177
    Thanks
    13
    Thanked 4 Times in 3 Posts

    What Can You Do to Identify or Know if Your Site is Being Used for Phishing?

    Hi guys,

    As the title suggests, "What Can You Do to Identify or Know if Your Site is Being Used for Phishing?"
    I have been hacked three times recently and now my hosting company is advising me that my site is being used for phishing.

    What else can I do? I cannot even see the unwanted content. How can I see that and how can I remove it?

    Thanks
    JulieV

  • #2
    Rockstar Coder
    Join Date
    Jun 2002
    Location
    USA
    Posts
    9,074
    Thanks
    1
    Thanked 328 Times in 324 Posts
    Well, you could ask them how they know; their checks/evidence would help guide you to solve the issue.
    OracleGuy

  • #3
    The fat guy next door VIPStephan's Avatar
    Join Date
    Jan 2006
    Location
    Halle (Saale), Germany
    Posts
    8,702
    Thanks
    6
    Thanked 1,011 Times in 984 Posts
    And you could show us your site in question so we may be able to look and see if there’s something obvious in the code.

  • #4
    Regular Coder
    Join Date
    Dec 2008
    Location
    Always Roaming Around Burbank Illnois or TO
    Posts
    177
    Thanks
    13
    Thanked 4 Times in 3 Posts
    Hi,

    Since I have been hacked three times, I am beginning to get scared, especially after I received the email from my host Godaddy.com that my site has been used for phishing.

    I do not know how to look for the bad content on my website, as when I look at it, it seems to be okay. And one senior coder here was generous enough to tell me that it has something to do with c99madshell. I just got this now.
    My website is Mynoogee.com.

    This is the initial website that was used and then they go to my 3 other sites, 2 of which are not even live or I have not published the website; it was just part of my hosting account.

    Thanks
    JulieV

  • #5
    Supreme Master coder! _Aerospace_Eng_'s Avatar
    Join Date
    Dec 2004
    Location
    In a place far, far away...
    Posts
    19,291
    Thanks
    2
    Thanked 1,043 Times in 1,019 Posts
    That site is just a parked domain. There is no site there. Did you remove the site?
    ||||If you are getting paid to do a job, don't ask for help on it!||||

  • #6
    Regular Coder
    Join Date
    Dec 2008
    Location
    Always Roaming Around Burbank Illnois or TO
    Posts
    177
    Thanks
    13
    Thanked 4 Times in 3 Posts
    I just did because I am afraid that my AdSense account will be compromised.
    And it has through 4 of my sites, all Godaddy.com account and I have 10 domains hosted in this one account. So far the rest are still going and not compromised yet, but I don't know if they will stick.

    How are you doing Aerospace_Eng?

    JulieV
    Last edited by JulieV; 07-20-2009 at 10:28 PM. Reason: grammar

  • #7
    Supreme Master coder! _Aerospace_Eng_'s Avatar
    Join Date
    Dec 2004
    Location
    In a place far, far away...
    Posts
    19,291
    Thanks
    2
    Thanked 1,043 Times in 1,019 Posts
    I'm doing fine, thanks.

    It's likely a contact form on your site might be used to send out emails that try to collect personal data, in which case godaddy might think your site is being used for phishing.

    No one will be able to help you if you don't show anyone your code.
    ||||If you are getting paid to do a job, don't ask for help on it!||||

  • #8
    Rockstar Coder
    Join Date
    Jun 2002
    Location
    USA
    Posts
    9,074
    Thanks
    1
    Thanked 328 Times in 324 Posts
    Quote Originally Posted by _Aerospace_Eng_ View Post
    It's likely a contact form on your site might be used to send out emails that try to collect personal data, in which case godaddy might think your site is being used for phishing.
    Good idea, I actually had to fix a site 3 or 4 years ago now that was having that problem. I just added some checks to protect the form fields from an email injection attack. I think someone here on CF posted the necessary regular expressions. I'll see if I can find the thread later.
    OracleGuy

  • #9
    Supreme Master coder! _Aerospace_Eng_'s Avatar
    Join Date
    Dec 2004
    Location
    In a place far, far away...
    Posts
    19,291
    Thanks
    2
    Thanked 1,043 Times in 1,019 Posts
    Quote Originally Posted by oracleguy View Post
    Good idea, I actually had to fix a site 3 or 4 years ago now that was having that problem. I just added some checks to protect the form fields from an email injection attack. I think someone here on CF posted the necessary regular expressions. I'll see if I can find the thread later.
    I've always found this article useful in helping prevent email injection.
    http://www.phpbuilder.com/columns/ia...n20060412.php3
    ||||If you are getting paid to do a job, don't ask for help on it!||||
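
The form-field checks discussed in the posts above, as an added example that is not code from the thread or from the linked article: it rejects line breaks in any value that is copied into a mail header and builds the message with a fixed sender and recipient. The field names, addresses and sample submissions are assumptions constructed for illustration, and Python is used here although the same checks apply in any language.

```python
import re
from email.message import EmailMessage

# A raw or percent-encoded CR/LF lets a form value start a new header line.
_NEWLINE = re.compile(r"[\r\n]|%0[ad]", re.IGNORECASE)
_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Form fields that are copied into mail headers (hypothetical field names).
HEADER_FIELDS = ("name", "email", "subject")

# Constructed sample submissions.
CLEAN = {"name": "Alice", "email": "alice@example.com",
         "subject": "Opening hours", "message": "Hello,\nare you open on Sunday?"}
INJECTED = dict(CLEAN, email="alice@example.com\r\nBcc: someone@example.net")


def check_contact_form(form):
    """Return (field, reason) problems; an empty list means the values are safe for headers."""
    problems = [(f, "line break in header field")
                for f in HEADER_FIELDS if _NEWLINE.search(form.get(f, ""))]
    if not _EMAIL.fullmatch(form.get("email", "")):
        problems.append(("email", "not a single address"))
    return problems


def build_message(form, site_from="webform@example.com", site_to="owner@example.com"):
    """Build the notification mail; sender and recipient are fixed, never taken from the form."""
    problems = check_contact_form(form)
    if problems:
        raise ValueError(f"rejected submission: {problems}")
    msg = EmailMessage()
    msg["From"] = site_from
    msg["To"] = site_to
    msg["Reply-To"] = form["email"]
    msg["Subject"] = "[contact form] " + form.get("subject", "")
    msg.set_content(f"Name: {form.get('name', '')}\n\n{form.get('message', '')}")
    return msg


if __name__ == "__main__":
    print(check_contact_form(INJECTED))
    print(build_message(CLEAN))
```

The message body may contain line breaks freely; only values that reach the headers need the check.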

  • #10
    Regular Coder
    Join Date
    Dec 2008
    Location
    Always Roaming Around Burbank Illnois or TO
    Posts
    177
    Thanks
    13
    Thanked 4 Times in 3 Posts
    The Mynoogee site is only a simple html site the same as the other one and they do not have the email capture or something like that. Just plain static website with a lot of directories amounting to about 1600 hundred pages.

    Before I deleted the website, someone from here sent me a private message and said that it's in one of the pages... that has something to do with this: it's called c99madshell.php
    http://forums.theplanet.com/index.php?showtopic=90109 and if I look at the page where he showed me this, it's exactly what's in my website. Kinda eerie thing, that's why I just pulled down my affected sites.

    Thanks
    JulieV
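
One way to look for the kind of content described in this post on a downloaded copy of a site that is supposed to be plain HTML, as an added example that is not code from the thread: it flags server-side scripts, packed-PHP markers and login forms. The extension list, the marker patterns and the three-file sample tree in `demo()` are assumptions constructed for illustration, and the content checks are heuristics that can produce false positives.

```python
import os
import re
import tempfile

# Extensions a web server may execute; a plain-HTML site should contain none.
SCRIPT_EXT = {".php", ".php3", ".php5", ".phtml", ".cgi", ".pl", ".asp", ".aspx", ".jsp"}
# Heuristic content markers (assumptions of this example, expect some false positives).
CONTENT_CHECKS = [
    ("packed PHP marker", re.compile(rb"\b(?:eval|base64_decode|gzinflate)\s*\(", re.I)),
    ("password field", re.compile(rb"<input[^>]+type\s*=\s*[\"']?password", re.I)),
    ("form", re.compile(rb"<form\b", re.I)),
]


def scan_webroot(root):
    """Return {relative_path: [reasons]} for files that do not belong in a static site."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if os.path.splitext(name)[1].lower() in SCRIPT_EXT:
                reasons.append("server-side script")
            with open(path, "rb") as fh:
                data = fh.read(2_000_000)  # enough for a heuristic pass
            reasons += [label for label, rx in CONTENT_CHECKS if rx.search(data)]
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = reasons
    return findings


def demo():
    """Scan a constructed three-file tree: one clean page, one script, one login form."""
    samples = {
        "index.html": b"<html><body><h1>Welcome</h1></body></html>",
        "images/thumbs.php": b'<?php eval(gzinflate(base64_decode("AAAA"))); ?>',
        "secure/login.html": b'<form action="post.php"><input type="password" name="p"></form>',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        return scan_webroot(root)


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path, "->", ", ".join(reasons))
```

Every flagged path still needs a manual look; comparing the listing against a known-good backup of the site separates files that were added from files that were always there.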

  • #11
    Supreme Master coder! _Aerospace_Eng_'s Avatar
    Join Date
    Dec 2004
    Location
    In a place far, far away...
    Posts
    19,291
    Thanks
    2
    Thanked 1,043 Times in 1,019 Posts
    It might not be that exact hack/file but it could be something similar. It does come to it though of a form somewhere on your site.

    Are you able to put a password on your site through godaddy?
    ||||If you are getting paid to do a job, don't ask for help on it!||||

  • #12
    Regular Coder
    Join Date
    Dec 2008
    Location
    Always Roaming Around Burbank Illnois or TO
    Posts
    177
    Thanks
    13
    Thanked 4 Times in 3 Posts
    Yes. What I don't know is if my computer is compromised or something, but I do have Norton 360 and have already run Malwarebytes Anti-Malware on my computer and didn't have anything except this Files Infected:
    d:\backup\programdata\{0c067481-4ace-4387-bd53-e083082dc882}\OFFLINE\71747601\2302A1E7\memman.vxd (Rogue.sysCleanerPro) -> Quarantined and deleted successfully.

    thanks
    JulieV

  • #13
    Supreme Master coder! _Aerospace_Eng_'s Avatar
    Join Date
    Dec 2004
    Location
    In a place far, far away...
    Posts
    19,291
    Thanks
    2
    Thanked 1,043 Times in 1,019 Posts
    Download Cure-It and run it.

    http://www.freedrweb.com/

    I don't think it's your system that is the issue though. I think it's your code somewhere. Do what we've told you to do and contact your host and ask them why they think you are using your site for phishing.
    ||||If you are getting paid to do a job, don't ask for help on it!||||

  • Users who have thanked _Aerospace_Eng_ for this post:

    JulieV (07-21-2009)

  • #14
    Regular Coder
    Join Date
    Dec 2008
    Location
    Always Roaming Around Burbank Illnois or TO
    Posts
    177
    Thanks
    13
    Thanked 4 Times in 3 Posts
    Hi,
    I downloaded the freedrweb but somehow I cannot find it on my computer, so I need to check it later and run it, as I am going for some medical stuff.
    I did what you guys have said and I have also contacted Godaddy.com and advised them that I have already deleted them from my hosting account, and they did show me a screenshot of the affected sites.
    Here is their letter to me:
    Dear Sir or Madam,

    It has been brought to our attention that your domain name has been implicated in a phishing scheme. This action is a violation of Go Daddy's Universal Terms of Service and Domain Registration Agreement.

    A phishing attack is an attempt to steal Internet users' personal identity data and/or financial or ecommerce account information. The term "phishing" arises from the use of increasingly sophisticated lures to "fish" for users' financial information and passwords. Phishing schemes use 'spoofed' e-mail messages to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers.

    In short, your website is being used to commit crimes against innocent people.

    In your particular case, your site is actively being used to obtain login information from ALLIANCE LEICESTER customers; a screenshot of the offending content has been attached. The offending content can be found at the URL provided in this screenshot.

    The content located on your site must be removed immediately.

    It is possible that a third party was able to gain access to your website, without your knowledge, in order to upload these files and initiate this abusive action. This does not change the fact that it is your responsibility to ensure that your website is secure from this type of exploitation. Because of this possibility we are giving you this opportunity to stop this abuse.

    Thanks for all your input in this matter.

    JulieV

  • #15
    The fat guy next door VIPStephan's Avatar
    Join Date
    Jan 2006
    Location
    Halle (Saale), Germany
    Posts
    8,702
    Thanks
    6
    Thanked 1,011 Times in 984 Posts
    Which software (e. g. CMS) are you using to manage your site(s) if at all? Perhaps the issue is some vulnerability in the software itself?

    But really, all we can currently do is guess because we were never able to look at the site(s) and/or their code. A site can’t be hacked if there are just static files without the option of third party manipulation from outside. So either somebody has your hosting/FTP account login info or the server where you’re hosting the site is being exploited.

