tata13

Active Member
Feb 8, 2006
Jakarta
Are there any security tools that can detect a user who hosts a phishing site on our server?

-= thanks =-
 

thehostinghut

Well-Known Member
Jan 5, 2005
You could try adding this to your /etc/antivirus.exim file

First do this:

touch /var/log/filter.log
chmod 0644 /var/log/filter.log

######################################################
# START
# Filters all incoming and outgoing mail
# Note: $message_body only holds the first message_body_visible bytes of the
# body (Exim default 500), so the body tests only see the start of a message.
logfile /var/log/filter.log 0644
## Common Spam
if
# Header Spam
$header_subject: contains "Pharmaceutical"
or $header_subject: contains "Viagra"
or $header_subject: contains "Cialis"
or $header_subject: is "The Ultimate Online Pharmaceutical"
or $header_subject: contains "***SPAM***"
or $header_subject: contains "[SPAM]"
# Body Spam
or $message_body contains "Cialis"
or $message_body contains "Viagra"
or $message_body contains "Leavitra"
or $message_body contains "St0ck"
or $message_body contains "Viaagrra"
or $message_body contains "Cia1iis"
or $message_body contains "URGENT BUSINESS PROPOSAL"
# (net|com|...) is an alternation; the original [net|com|...] was a character
# class, which matched any single one of those letters rather than a TLD
or $message_body matches "angka[^s]+(net|com|org|biz|info|us|name)"
or $message_body matches "v(i|1)agra|vag(i|1)n(a|4)|pen(i|1)s|asu|seks|l(o|0)l(i|1)ta|dewacolok"
then
# Log Message - SENDS RESPONSE BACK TO SENDER
# SUGGESTED TO LEAVE OFF to prevent fail loops
# and more work for the mail system
#fail text "Message has been rejected because it has \
#  triggered our central filter."
logwrite "$tod_log $message_id from $sender_address contained spam keywords"
# "seen finish" ends filter processing for this message; in a system filter it
# does not stop delivery, so with "fail" commented out these rules only log
seen finish
endif
# END
# Filters all incoming and outgoing mail
# START
# All outgoing mail on the server only - what is sent out
# Checks $received_protocol so forwarded mail doesn't get blocked
# Forwarders still work =)
# "local"  = injected on this box via sendmail/exim (PHP scripts, cron, etc.)
# "esmtpa" = submitted over SMTP with authentication
## FINANCIAL FAKE SENDERS
## Log all outgoing mail from server that matches rules
if (
$received_protocol is "local" or
$received_protocol is "esmtpa"
) and (
$header_from contains "@citibank.com" or
$header_from contains "@bankofamerica.com" or
$header_from contains "@wamu.com" or
$header_from contains "@ebay.com" or
$header_from contains "@chase.com" or
$header_from contains "@paypal.com" or
$header_from contains "@wellsfargo.com" or
$header_from contains "@bankunited.com" or
$header_from contains "@bankerstrust.com" or
$header_from contains "@bankfirst.com" or
$header_from contains "@capitalone.com" or
$header_from contains "@citizensbank.com" or
$header_from contains "@jpmorgan.com" or
$header_from contains "@wachovia.com" or
$header_from contains "@bankone.com" or
$header_from contains "@suntrust.com" or
$header_from contains "@amazon.com" or
$header_from contains "@banksecurity.com" or
$header_from contains "@visa.com" or
$header_from contains "@mastercard.com" or
$header_from contains "@mbna.com"
)
then
logwrite "$tod_log $message_id from $sender_address is fraud"
seen finish
endif
## OTHER FAKE SENDERS SPAM
## Enable this to prevent users using @domain from addresses
## Not recommended since users do use from addresses not on the server
## Log all outgoing mail from server that matches rules
if (
$received_protocol is "local" or
$received_protocol is "esmtpa"
) and (
$header_from contains "@hotmail.com" or
$header_from contains "@yahoo.com" or
$header_from contains "@aol.com"
)
then
logwrite "$tod_log $message_id from $sender_address is forged fake"
seen finish
endif
## KNOWN FAKE PHISHING
### Log all outgoing mail from server that matches rules
if (
$received_protocol is "local" or
$received_protocol is "esmtpa"
) and (
#Paypal
$message_body contains "Dear valued PayPal member" or
$message_body contains "Dear valued PayPal customer" or
$message_body contains "Dear Paypal" or
$message_body contains "The PayPal Team" or
$message_body contains "Dear Paypal Customer" or
$message_body contains "Paypal Account Review Department" or
#Ebay
$message_body contains "Dear eBay member" or
$message_body contains "Dear eBay User" or
$message_body contains "The eBay team" or
$message_body contains "Dear eBay Community Member" or
#Banks
$message_body contains "Dear Charter One Customer" or
$message_body contains "Dear wamu.com customer" or
$message_body contains "Dear valued Citizens Bank member" or
$message_body contains "Dear Visa" or
$message_body contains "Dear Citibank" or
$message_body contains "Citibank Email" or
$message_body contains "Dear customer of Chase Bank" or
$message_body contains "Dear Bank of America customer" or
#ISPs
$message_body contains "Dear AOL Member" or
$message_body contains "Dear AOL Customer"
)
then
logwrite "$tod_log $message_id from $sender_address is phishing"
seen finish
endif
# END
# All outgoing mail on the server only - what is sent out


You may want to enable advanced logging in your exim config file. You can do that via the WHM. Add this to the first box.

log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn


This may not work, as someone here will most likely tell you. But it may be worth a shot. I think this is from http://www.webhostgear.com so I take no credit for this.

If you need the urls to these I am sure I can get them or you can go there and look them up.

Well good luck.

Tracy
 

tata13

Active Member
Feb 8, 2006
Jakarta
Maybe I didn't explain very well.

Is a phishing site = phishing email?

Or website phishing like egold.com?

Are there any security tools that can detect a phishing website on our server?

thanks for the answer
 

ramprage

Well-Known Member
Jul 21, 2002
Canada
Yes those rules for antivirus.exim were written by me (the webhostgear.com guy) ;)

As far as detecting phishing sites, that is extremely difficult. The only thing you could do is search all the pages on the server with a script, but it would consume a massive amount of resources when it's run, since most servers have thousands, hundreds of thousands or more pages.

I am thinking of another way however, which might be something to think about, at least for PHP.

PHP.ini has the ability to include a pre page. You could at least sort of filter the PHP pages for any PHISHY looking content and log, allow, deny access etc.

You could also write a custom Apache module that checks the page contents, i.e. mod_security.

It would be hard, nearly impossible to detect any type of database phishing. You'd need to get it from a phishing site's HTML pages. Written rules for this would be very difficult IMO. You could add some flags to check for things like Paypal.com but keep in mind many businesses put this kind of URL on their pages.. lots of false positives.
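One way to run the kind of page search ramprage describes, as an added example that is not from the thread or from webhostgear.com: instead of flagging every page that mentions Paypal.com, it scores a page on three things a credential-harvesting page needs at the same time (a targeted brand name, a form that collects secrets, and a form action that posts somewhere other than that brand's own domain), so a merchant's "Pay with PayPal" button scores low. The brand table, the credential field names and the threshold are assumptions; the sample pages are constructed.

```python
"""Heuristic scan of hosted HTML/PHP pages for credential-harvesting forms.

Added example for this thread, not code from the original posts or from
webhostgear.com. A page is scored on a targeted brand name (+1), a form that
collects secrets (+2) and that form posting off the brand's domain (+2).
The brand table, token list and threshold are assumptions; extend them to
whatever your users are impersonating.
"""
from __future__ import annotations

import os
import re
import sys
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brand keyword -> the brand's legitimate domain (assumed table built from
# names used in this thread; e-gold is the one the original poster mentions).
BRANDS = {
    "paypal": "paypal.com", "ebay": "ebay.com", "citibank": "citibank.com",
    "bank of america": "bankofamerica.com", "wamu": "wamu.com",
    "chase": "chase.com", "e-gold": "e-gold.com", "egold": "e-gold.com",
}
SECRET_TOKENS = {"pass", "passwd", "password", "pin", "ssn", "card", "cardnumber",
                 "ccnum", "cvv", "cvv2", "cvc", "account", "acct"}
PHISH_THRESHOLD = 4


class FormCollector(HTMLParser):
    """Record each <form>'s action and the (name, type) of its <input>s."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: list[dict] = []
        self._cur: dict | None = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._cur = {"action": a.get("action", "").strip(), "inputs": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["inputs"].append((a.get("name", ""), a.get("type", "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def find_brand(html: str) -> str | None:
    """Whole-word brand match, so 'purchase' does not count as 'chase'."""
    lowered = html.lower()
    for brand in BRANDS:
        if re.search(r"(?<![a-z])" + re.escape(brand) + r"(?![a-z])", lowered):
            return brand
    return None


def collects_secret(inputs: list[tuple[str, str]]) -> bool:
    """True if any input is a password field or is named like a credential."""
    for name, typ in inputs:
        if typ == "password":
            return True
        tokens = re.split(r"[^a-z0-9]+", name.lower())
        if any(t in SECRET_TOKENS or t.startswith("passw") for t in tokens):
            return True
    return False


def posts_off_brand(action: str, brand_domain: str) -> bool:
    """True unless the form action is on the brand's own domain."""
    host = urlsplit(action).hostname or ""
    if host:
        return not (host == brand_domain or host.endswith("." + brand_domain))
    return True  # relative action: a drop script on this server


def score_page(html: str) -> tuple[int, list[str]]:
    """Return (score, reasons); score >= PHISH_THRESHOLD means 'go and look'."""
    parser = FormCollector()
    parser.feed(html)
    score, reasons = 0, []
    brand = find_brand(html)
    if brand:
        score += 1
        reasons.append(f"mentions {brand}")
    for form in parser.forms:
        if not collects_secret(form["inputs"]):
            continue
        score += 2
        reasons.append("form collects password/card/account fields")
        if brand and posts_off_brand(form["action"], BRANDS[brand]):
            score += 2
            reasons.append(f"posts to {form['action'] or '(self)'}, not {BRANDS[brand]}")
        break  # one harvesting form is enough; do not double-count
    return score, reasons


def scan_tree(root: str):
    """Yield (path, score, reasons) for pages under root that cross the threshold."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".html", ".htm", ".php")):
                path = os.path.join(dirpath, name)
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        score, reasons = score_page(fh.read())
                except OSError:
                    continue
                if score >= PHISH_THRESHOLD:
                    yield path, score, reasons


# Constructed sample pages, not captures from a real server.
PHISH = """<html><body><h2>Dear valued PayPal member</h2>
<form method="post" action="login.php">
<input name="email"><input name="password" type="password"></form></body></html>"""
MERCHANT = """<html><body><p>Pay with PayPal</p>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick"><input name="quantity"></form></body></html>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python scan.py /home
        for path, score, reasons in scan_tree(sys.argv[1]):
            print(f"{score}\t{path}\t{'; '.join(reasons)}")
    else:
        for label, page in (("phish", PHISH), ("merchant", MERCHANT)):
            print(label, *score_page(page))
```

Run it against /home from cron at a quiet hour rather than on demand; it reads every HTML and PHP file once, which is the resource cost ramprage warns about. Scanning .php files textually still works because the kit's HTML form is embedded in the script. Anything that crosses the threshold is a lead for a human, not proof: a legitimate login page for a site that happens to mention a bank will score 2, and a kit that builds its form with JavaScript will score lower than it deserves.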
 

ramprage

Well-Known Member
Jul 21, 2002
Canada
PS. I keep a more updated and extensive antivirus.exim and other rulesets available but don't often share them since they get reposted without credit (thank you for remembering me!)
 

thehostinghut

Well-Known Member
Jan 5, 2005
You are welcome!!!

I think when I got that from your site I did not get all the header info. That is why it most likely did not have your name in it (as I see that it really does). I had to re-format the whole thing, as when I did a copy and paste from your site it did not work out very well.

I think you hit a lot of the major problem phishing emails anyhow.

If this user would add this to his server it could be a first step in solving his problem. If he enables extended logging for exim it will at least tell him who is doing it and I think what dir it is coming from.

Oh well. He will have to figure out how to write a script to do a search for it.

Good work Rampage!!

Tracy
 

thehostinghut

Well-Known Member
Jan 5, 2005
I think a good start is to implement this filter. Keep an eye on it. It should tell you who is doing it. Then you can get rid of the offending account. Your main goal would be to stop the email from getting out of the server. I think this may be a good way to help with it.

Like I always say I could be wrong and I am sure someone will correct me on this.

Maybe rampage will share a more up to date file :)

Tracy
 

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
Minneapolis, MN
tata13 said:
Is there any security tools ? that can detect user who host phising site in our server ?
I agree with thehostinghut, WHG, and others in this thread that the best way is to find the culprit and completely remove them from your server. As far as SPAM goes, we have written our own script which detects and pin-points any PHP scripts sending out SPAM. Yet, it is time-consuming to detect phishing scripts, as ramprage said.
 

VirtuaLira

Well-Known Member
Feb 1, 2004
Chile
How do you catch the PHP script running?

I do a tail -f /var/log/exim_mainlog but I don't see anything, but I'm sure some accounts have a script from a spammer

thanks
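An added example, not code from anyone in this thread or from webhostgear.com, of the "who is doing it and from what dir" step that thehostinghut's log_selector post enables and that AndyReed's script and VirtuaLira's question are about. It joins the system filter's /var/log/filter.log with exim_mainlog on the message id. With +arguments on, Exim writes a "cwd=... args: ..." line for each local sendmail call, and that cwd is the directory of the PHP script; the "<=" line carries U= (the Unix user, i.e. the cPanel account) for P=local and A= (the SMTP AUTH login) for P=esmtpa. Nothing ties the cwd line to the "<=" line unless you also log +pid, so pairing them by adjacency within two seconds is an assumption of this example, and the log lines are constructed, not real captures.

```python
"""Tie filter.log hits back to the account and directory that injected them.

Added example, not code from the thread or from webhostgear.com. Joins the
system filter's log with exim_mainlog on the message id; pairs each local
"<=" line with the cwd= line (log_selector +arguments) that preceded it.
The two-second pairing window is an assumption; Exim only links the two
lines reliably if +pid is also logged. Sample logs below are constructed.
"""
from __future__ import annotations

import re
import sys
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
FILTER_RE = re.compile(TS + r" (\S+) from (\S+) (.*)$")
CWD_RE = re.compile(TS + r" cwd=(\S+) \d+ args: (.*)$")
RECV_RE = re.compile(TS + r" (\S+) <= (\S+) (.*)$")
TOKEN_RE = re.compile(r'\b([UPA])=(\S+)|\bT="([^"]*)"')
CWD_WINDOW = timedelta(seconds=2)


@dataclass
class Message:
    msg_id: str
    sender: str
    user: str | None   # U= for local injection, the A= login for SMTP AUTH
    protocol: str
    cwd: str | None    # directory of the injecting script, if paired
    subject: str


@dataclass
class Finding:
    msg_id: str
    verdict: str
    user: str | None
    cwd: str | None
    subject: str


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_mainlog(text: str) -> dict[str, Message]:
    """Index '<=' arrival lines by id, pairing local ones with the last cwd= line."""
    msgs: dict[str, Message] = {}
    last_cwd: tuple[datetime, str] | None = None
    for line in text.splitlines():
        m = CWD_RE.match(line)
        if m:
            last_cwd = (_ts(m.group(1)), m.group(2))
            continue
        m = RECV_RE.match(line)
        if not m:
            continue
        when, msg_id, sender, rest = _ts(m.group(1)), m.group(2), m.group(3), m.group(4)
        fields: dict[str, str] = {}
        for key, val, subj in TOKEN_RE.findall(rest):
            fields[key or "T"] = val if key else subj
        proto = fields.get("P", "")
        cwd = None
        if proto == "local" and last_cwd and when - last_cwd[0] <= CWD_WINDOW:
            cwd, last_cwd = last_cwd[1], None
        user = fields.get("U") if proto == "local" else fields.get("A")
        msgs[msg_id] = Message(msg_id, sender, user, proto, cwd, fields.get("T", ""))
    return msgs


def parse_filter_log(text: str) -> dict[str, str]:
    """Map message id -> verdict text from the filter's logwrite lines."""
    hits: dict[str, str] = {}
    for line in text.splitlines():
        m = FILTER_RE.match(line)
        if m:
            hits[m.group(2)] = m.group(4)
    return hits


def attribute(filter_text: str, mainlog_text: str) -> list[Finding]:
    """One Finding per filter hit; user/cwd are None if the id is not in the main log."""
    msgs = parse_mainlog(mainlog_text)
    out = []
    for msg_id, verdict in parse_filter_log(filter_text).items():
        m = msgs.get(msg_id)
        out.append(Finding(msg_id, verdict, m.user if m else None,
                           m.cwd if m else None, m.subject if m else ""))
    return out


def origins(findings: list[Finding]) -> Counter:
    """Hits per (user, cwd); the top entry is the account to go and look at."""
    return Counter((f.user, f.cwd) for f in findings)


# Constructed sample logs in the shape of Exim's main log with +arguments,
# +subject, +received_sender and +received_recipients enabled.
FILTER_LOG = """\
2006-02-10 14:03:12 1F7Xyz-0004Qa-3b from service@paypal.com is phishing
2006-02-10 14:03:13 1F7Xyz-0004Qb-5c from newsletter@example.net contained spam keywords
2006-02-10 14:03:15 1F7Xyz-0004Qc-7d from service@paypal.com is fraud
"""
MAINLOG = """\
2006-02-10 14:03:12 cwd=/home/shopuser/public_html/images/.pp 3 args: /usr/sbin/sendmail -t -i
2006-02-10 14:03:12 1F7Xyz-0004Qa-3b <= service@paypal.com U=shopuser P=local S=2310 T="PayPal Account Review" from <service@paypal.com> for victim@example.org
2006-02-10 14:03:13 1F7Xyz-0004Qb-5c <= newsletter@example.net H=(mail.example.net) [203.0.113.5] P=esmtpa A=login:newsletter@example.net S=4410 T="Cheap Viagra" for many@example.org
2006-02-10 14:03:14 1F7Xyz-0004Qa-3b => victim@example.org R=lookuphost T=remote_smtp H=mx.example.org [192.0.2.20]
2006-02-10 14:03:15 cwd=/home/shopuser/public_html/images/.pp 3 args: /usr/sbin/sendmail -t -i
2006-02-10 14:03:15 1F7Xyz-0004Qc-7d <= service@paypal.com U=shopuser P=local S=2290 T="Account Suspended" from <service@paypal.com> for other@example.org
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:  # python attrib.py /var/log/filter.log /var/log/exim_mainlog
        flt, main = (open(p, errors="replace").read() for p in sys.argv[1:])
    else:
        flt, main = FILTER_LOG, MAINLOG
    found = attribute(flt, main)
    for f in found:
        print(f"{f.msg_id} {f.verdict}: user={f.user} cwd={f.cwd} subject={f.subject!r}")
    for (user, cwd), n in origins(found).most_common(3):
        print(f"{n} hits from user={user} cwd={cwd}")
```

A plain tail -f of exim_mainlog shows the same "<=" lines, but without +arguments there is no cwd= line, so you get the account (U=) and not the directory; with it, the path in cwd= is usually the hidden directory the kit was uploaded to. For SMTP AUTH senders the A= login is the compromised mailbox rather than a script on disk.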