Fraudulent Activity-Phishing Sites On My Sites

Discussion in 'Linux VPS/Dedicated - cPanel' started by WRMercier, Apr 28, 2010.

  1. WRMercier

    WRMercier Member

    Panic Time ! ! !
    I have received 3 notices from KnownHost Abuse concerning Fraudulent Activity with 3 of my hosted websites. I have responded to the KH Abuse and suspended each of these sites but since they are for customers, I understandably need to get them back on line asap. In reading the emails I received from KH it appears that somehow these websites have been breached/compromised and Phishing sites set up on them. I am pretty new to this and desperately need some help and/or advice as to how to first, get these sites cleared so I can activate them for my customers again. I also need to know what I need to do to prevent this from happening in the future. I am very happy with the hosting service I receive and don’t want to lose or jeopardize it. I am at a loss as to how these sites were accessed and want to plug any holes to safeguard all of the websites I currently have and host.

    Thanking you in advance for any and all help you might provide.
    Wayne Mercier
     
  2. KH-Paul

    KH-Paul CTO Staff Member

    Hi Wayne,

    Various system logs need to be checked for entries logged at around the time when possible unauthorized activity happened. We're always ready to help with investigations like this one and I already replied to your abuse ticket a couple of hours ago. Please feel free to PM me or update the ticket if any assistance is required.
     
  3. WRMercier

    WRMercier Member

    KH-Paul
    Many thanks for your help. Per your response I changed the root password as well as each of the 3 affected websites. I followed the path to where the Phishing files were noted and deleted what was not supposed to be there. I notice in each instance there is a related directory that comes back when deleted. How can I permanently delete this directory from each website and should I shut each site back down until I am able to rid each of this directory? Thanks again for your assistance.
    WR
     
  4. KH-Paul

    KH-Paul CTO Staff Member

    Wayne,

    Please either PM me or update your ticket with the directory name(s) that you're having trouble with so I can take a look at this for you. Unfortunately there isn't much more that can be said without looking at the actual situation.
     
  5. Dan

    Dan Moderator

    Damn that sucks! I am sure KH support will help you chase it down and fix it though :)

    Make sure you use good passwords; a random password generator might be the ticket. Then use something like LastPass (will also generate passwords).
     
  6. WRMercier

    WRMercier Member

    Dan;
    At the risk of blowing a little too much smoke, I want to publicly thank KH-Paul for rescuing me on this one. He pointed me in the right direction and I was able to clear everything up in record time with his assistance. I believe the problem was with my less than strong (spelled weak) passwords which were easy for me to recall but possibly easy for a hacker to breach as well. I am now in the process of curbing that slip on my part and will definitely use a generator to create passwords that will afford the maximum protection. I also now know exactly how to find and where to go to clear out any offending files should this bug bite me again. Thanks to Paul, yourself and others in this Forum I am learning and becoming more self-sufficient. Mucho Thanks to you all ! ! !
    WR
     
