The Community Forums


detect Phising site

Discussion in 'Database Discussions' started by tata13, Jun 5, 2006.

  1. tata13

    tata13 Active Member

    Joined:
    Feb 8, 2006
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Jakarta
    Are there any security tools that can detect users who host phishing sites on our server?

    -= thanks =-
     
  2. thehostinghut

    thehostinghut Well-Known Member

    Joined:
    Jan 5, 2005
    Messages:
    232
    Likes Received:
    0
    Trophy Points:
    16
    You could try adding this to your /etc/antivirus.exim file

    First do this:

    touch /var/log/filter.log
    chmod 0644 /var/log/filter.log

    ######################################################
    # START
    # Filters all incoming and outgoing mail
    logfile /var/log/filter.log 0644
    ## Common Spam
    # Note: $message_body only holds the first message_body_visible bytes of the
    # body (Exim default 500), so the body rules only see the start of a message.
    if
    # Header Spam
    $header_subject: contains "Pharmaceutical"
    or $header_subject: contains "Viagra"
    or $header_subject: contains "Cialis"
    or $header_subject: is "The Ultimate Online Pharmaceutical"
    or $header_subject: contains "***SPAM***"
    or $header_subject: contains "[SPAM]"
    # Body Spam
    or $message_body contains "Cialis"
    or $message_body contains "Viagra"
    or $message_body contains "Leavitra"
    or $message_body contains "St0ck"
    or $message_body contains "Viaagrra"
    or $message_body contains "Cia1iis"
    or $message_body contains "URGENT BUSINESS PROPOSAL"
    # "angka" followed by a domain-like string ending in one of the listed TLDs
    or $message_body matches "angka[^ ]+[.](net|com|org|biz|info|us|name)"
    or $message_body matches "v(i|1)agra|vag(i|1)n(a|4)|pen(i|1)s|asu|seks|l(o|0)l(i|1)ta|dewacolok"
    then
    # Log Message - SENDS RESPONSE BACK TO SENDER
    # SUGGESTED TO LEAVE OFF to prevent fail loops
    # and more work for the mail system
    #fail text "Message has been rejected because it has triggered our central filter."
    logwrite "$tod_log $message_id from $sender_address contained spam keywords"
    seen finish
    endif
    # END
    # Filters all incoming and outgoing mail
    # START
    # All outgoing mail on the server only - what is sent out
    # Check forwarders so it doesn't get blocked
    # Forwarders still work =)
    ## FINANCIAL FAKE SENDERS
    ## Log all outgoing mail from server that matches rules
    logfile /var/log/filter.log 0644
    if (
    $received_protocol is "local" or
    $received_protocol is "esmtpa"
    ) and (
    $header_from contains "@citibank.com" or
    $header_from contains "@bankofamerica.com" or
    $header_from contains "@wamu.com" or
    $header_from contains "@ebay.com" or
    $header_from contains "@chase.com" or
    $header_from contains "@paypal.com" or
    $header_from contains "@wellsfargo.com" or
    $header_from contains "@bankunited.com" or
    $header_from contains "@bankerstrust.com" or
    $header_from contains "@bankfirst.com" or
    $header_from contains "@capitalone.com" or
    $header_from contains "@citizensbank.com" or
    $header_from contains "@jpmorgan.com" or
    $header_from contains "@wachovia.com" or
    $header_from contains "@bankone.com" or
    $header_from contains "@suntrust.com" or
    $header_from contains "@amazon.com" or
    $header_from contains "@banksecurity.com" or
    $header_from contains "@visa.com" or
    $header_from contains "@mastercard.com" or
    $header_from contains "@mbna.com"
    )
    then
    logwrite "$tod_log $message_id from $sender_address is fraud"
    seen finish
    endif
    ## OTHER FAKE SENDERS SPAM
    ## Enable this to prevent users using @domain from addresses
    ## Not recommended since users do use from addresses not on the server
    ## Log all outgoing mail from server that matches rules
    logfile /var/log/filter.log 0644
    if (
    $received_protocol is "local" or
    $received_protocol is "esmtpa"
    ) and (
    $header_from contains "@hotmail.com" or
    $header_from contains "@yahoo.com" or
    $header_from contains "@aol.com"
    )
    then
    logwrite "$tod_log $message_id from $sender_address is forged fake"
    seen finish
    endif
    ## KNOWN FAKE PHISHING
    ### Log all outgoing mail from server that matches rules
    logfile /var/log/filter.log 0644
    if (
    $received_protocol is "local" or
    $received_protocol is "esmtpa"
    ) and (
    # Paypal
    $message_body contains "Dear valued PayPal member" or
    $message_body contains "Dear valued PayPal customer" or
    $message_body contains "Dear Paypal" or
    $message_body contains "The PayPal Team" or
    $message_body contains "Dear Paypal Customer" or
    $message_body contains "Paypal Account Review Department" or
    # Ebay
    $message_body contains "Dear eBay member" or
    $message_body contains "Dear eBay User" or
    $message_body contains "The eBay team" or
    $message_body contains "Dear eBay Community Member" or
    # Banks
    $message_body contains "Dear Charter One Customer" or
    $message_body contains "Dear wamu.com customer" or
    $message_body contains "Dear valued Citizens Bank member" or
    $message_body contains "Dear Visa" or
    $message_body contains "Dear Citibank" or
    $message_body contains "Citibank Email" or
    $message_body contains "Dear customer of Chase Bank" or
    $message_body contains "Dear Bank of America customer" or
    # ISPs
    $message_body contains "Dear AOL Member" or
    $message_body contains "Dear AOL Customer"
    )
    then
    logwrite "$tod_log $message_id from $sender_address is phishing"
    seen finish
    endif
    # END
    # All outgoing mail on the server only - what is sent out


    You may want to enable advanced logging in your exim config file. You can do that via the WHM. Add this to the first box.

    log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn


    This may not work as someone here will most likely tell you. But it may be worth a shot. I think this is from http://www.webhostgear.com (I think) so I take no credit for this.

    If you need the urls to these I am sure I can get them or you can go there and look them up.

    Well good luck.

    Tracy
     
  3. thehostinghut

    thehostinghut Well-Known Member

    Joined:
    Jan 5, 2005
    Messages:
    232
    Likes Received:
    0
    Trophy Points:
    16
    If you can catch it while it is happening you may be able to look at the mail queue and see if it shows the account that is sending them out.

    I have caught 2 that way. I may have gotten lucky though.

    Tracy
     
  4. NightStorm

    NightStorm Well-Known Member

    Joined:
    Jul 28, 2003
    Messages:
    286
    Likes Received:
    4
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Another method is to monitor added domains, and check them against the list at www.surbl.org/dns-queries.blocklist.counts.txt
    I'm finding that a LOT of domains from spammers that are trying to add themselves to my server (through purchasing a reseller account) are listed on that link.
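The check NightStorm describes, as an added example that is not part of the original post: hosted domains are read from cPanel's /etc/trueuserdomains (the "domain: user" format and the path are assumptions about the cPanel layout), the SURBL list is assumed to be one domain per line, and a hosted domain counts as listed when it or any parent domain appears on the list. Both input texts below are constructed for the example.

```python
import re

# Constructed sample of cPanel's /etc/trueuserdomains ("domain: user" per line).
# The path and line format are an assumption, not taken from the thread.
TRUEUSERDOMAINS = """\
example-shop.net: shopuser
login.paypa1-secure-update.biz: reseller7
news.example.org: newsuser
"""

# Constructed stand-in for the listed domains fetched from the SURBL URL in the post;
# the list is assumed to be one domain per line, and these entries are made up.
LISTED_DOMAINS_TEXT = """\
paypa1-secure-update.biz
cheap-pharma-deals.info
"""


def parse_trueuserdomains(text):
    """Return {domain: account} from lines of the form 'domain: user'."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain, _, account = line.partition(":")
        result[domain.strip().lower()] = account.strip()
    return result


def parse_listed_domains(text):
    """Return the set of listed domains, lower-cased, ignoring blanks and comments."""
    return {
        line.strip().lower()
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }


def parent_domains(domain):
    """Yield the domain and each parent label set, e.g. a.b.c -> a.b.c, b.c.
    The bare TLD is never yielded. A subdomain of a listed domain is treated as listed."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def find_listed_accounts(domains, listed):
    """Return [(hosted_domain, account, matched_list_entry)] for every hosted domain
    that is on the list directly or via a parent domain."""
    hits = []
    for domain, account in sorted(domains.items()):
        for candidate in parent_domains(domain):
            if candidate in listed:
                hits.append((domain, account, candidate))
                break
    return hits


def check_files(trueuserdomains_path="/etc/trueuserdomains", list_path="surbl.txt"):
    """Run the check against real files; list_path is wherever the downloaded list was saved."""
    with open(trueuserdomains_path, encoding="utf-8", errors="replace") as f:
        domains = parse_trueuserdomains(f.read())
    with open(list_path, encoding="utf-8", errors="replace") as f:
        listed = parse_listed_domains(f.read())
    return find_listed_accounts(domains, listed)


if __name__ == "__main__":
    for domain, account, entry in find_listed_accounts(
        parse_trueuserdomains(TRUEUSERDOMAINS), parse_listed_domains(LISTED_DOMAINS_TEXT)
    ):
        print(f"{domain} (account {account}) matches listed domain {entry}")
```

Running this from cron, or from a hook that fires when a domain is added, turns the manual lookup into an alert per account; the parent-domain walk is what catches a spammer who parks the listed domain one label deeper than the one they registered.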
     
  5. tata13

    tata13 Active Member

    Joined:
    Feb 8, 2006
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Jakarta
    Maybe I don't explain very well.

    Is a phishing site = phishing email?

    Or a website phishing like egold.com?

    Are there any security tools that can detect phishing websites on our server?

    thanks for the answer
     
  6. thehostinghut

    thehostinghut Well-Known Member

    Joined:
    Jan 5, 2005
    Messages:
    232
    Likes Received:
    0
    Trophy Points:
    16
    I guess you could write a script that looks for the most common phishing scams:

    I think they are listed in my first post.

    I am not a programmer or I would post a script that would help you on that. Maybe I can track something down for you.

    Tracy
     
  7. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Yes, those rules for antivirus.exim were written by me (the webhostgear.com guy) ;)

    As far as detecting phishing sites, that is extremely difficult. The only thing you could do is search all the pages on the server with a script, but it would consume a massive amount of resources when it's run, since most servers have thousands, hundreds of thousands or more pages.

    I am thinking of another way however, which might be something to think about, at least for PHP.

    php.ini has the ability to include a pre page. You could at least sort of filter the PHP pages for any PHISHY looking content and log, allow, deny access etc.

    You could also write a custom Apache module that checks the page contents, e.g. mod_security.

    It would be hard, nearly impossible to detect any type of database phishing. You'd need to get it from a phishing site's HTML pages. Written rules for this would be very difficult IMO. You could add some flags to check for things like Paypal.com but keep in mind many businesses put this kind of URL on their pages.. lots of false positives.
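The page-scanning approach ramprage outlines, as an added example that is not his code or the cPanel project's: it walks a document root, scores each HTML/PHP file, and only reports pages where a brand name appears together with a credential or card form, an off-site form target, or a PHP mail() call, so a plain "We accept PayPal" page scores low and is not reported. The brand list is taken from the sender and body rules in the antivirus.exim file above; the regexes, the scores, the threshold and the sample pages are this example's own choices. The same score_content() check is what a php.ini auto_prepend_file hook would apply to page output, which is the other idea in the post.

```python
import os
import re
import tempfile

# Brand names from the sender/body rules in the antivirus.exim posted above.
# Word boundaries avoid matching "chase" inside "purchase"; "visa" will still
# match pages about travel visas, which is the false-positive risk the post warns about.
BRAND_RE = re.compile(
    r"\b(paypal|ebay|citibank|bank of america|wamu|chase|wells fargo|visa|mastercard)\b", re.I
)

# Indicators that a page collects credentials or card data, or sends mail.
# These patterns are this example's own, not taken from the thread.
CRED_FORM = re.compile(r'<input[^>]*type\s*=\s*["\']?password', re.I)
CARD_FIELDS = re.compile(r'<input[^>]*name\s*=\s*["\']?(?:card|cc|cvv|cvc|pin|ssn|account)', re.I)
FORM_POSTS_ELSEWHERE = re.compile(r'<form[^>]*action\s*=\s*["\']?(?:https?:)?//', re.I)
PHP_MAIL = re.compile(r"\bmail\s*\(", re.I)


def score_content(text):
    """Return (score, reasons). A brand name alone scores 1; each credential-collection
    or mail-sending indicator adds to it. Pages with no brand name score 0."""
    brands = sorted({m.lower() for m in BRAND_RE.findall(text)})
    if not brands:
        return 0, []
    score, reasons = 1, ["brand: " + ", ".join(brands)]
    for pattern, weight, label in (
        (CRED_FORM, 3, "password field"),
        (CARD_FIELDS, 3, "card/account field"),
        (FORM_POSTS_ELSEWHERE, 2, "form posts off-site"),
        (PHP_MAIL, 2, "php mail()"),
    ):
        if pattern.search(text):
            score += weight
            reasons.append(label)
    return score, reasons


def scan_tree(root, threshold=4, exts=(".html", ".htm", ".php")):
    """Walk root (symlinks not followed) and return [(path, score, reasons)] for files
    scoring at or above threshold, highest first. Each file read is capped at 256 KiB
    to bound the resource cost the post mentions."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as f:
                    text = f.read(256 * 1024)
            except OSError:
                continue
            score, reasons = score_content(text)
            if score >= threshold:
                findings.append((path, score, reasons))
    findings.sort(key=lambda item: -item[1])
    return findings


def build_demo_tree():
    """Write constructed sample pages into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="phishscan_")
    samples = {
        # legitimate shop page: brand names only, should not be reported
        "shop/checkout.html": '<p>We accept PayPal and Visa.</p><a href="https://www.paypal.com">Pay</a>',
        # constructed credential-harvesting page: brand + password field + off-site form
        "r7/secure/login.php": '<form action="http://collector.example/post.php"><input name="email">'
                               '<input type="password" name="pass"></form><p>The PayPal Team</p>',
        "blog/index.html": "<h1>Welcome</h1>",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    for path, score, reasons in scan_tree(build_demo_tree()):
        print(f"{score:2d} {path}: {'; '.join(reasons)}")
```

Run it against /home at a quiet hour rather than continuously; the threshold is the knob between missed pages and the false positives the post warns about, and every finding still needs a human look before an account is suspended.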
     
  8. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    PS. I keep a more updated and extensive antivirus.exim and other rulesets available but don't often share them since they get reposted without credit (thank you for remembering me!)
     
  9. thehostinghut

    thehostinghut Well-Known Member

    Joined:
    Jan 5, 2005
    Messages:
    232
    Likes Received:
    0
    Trophy Points:
    16
    You are welcome!!!

    I think when I got that from your site I did not get all the header info. That is why it most likely did not have your name in it (as I see that it really does). I had to re-format the whole thing as when I did a copy and paste from your site it did not work out very well.

    I think you hit a lot of the major problem phishing emails anyhow.

    If this user would add this to his server it could be a first step in solving his problem. If he enables extended logging for exim it will at least tell him who is doing it and I think what DIR it is coming from.

    Oh well. He will have to figure out how to write a script to do a search for it.

    Good work Rampage!!

    Tracy
     
  10. thehostinghut

    thehostinghut Well-Known Member

    Joined:
    Jan 5, 2005
    Messages:
    232
    Likes Received:
    0
    Trophy Points:
    16
    I think a good start is to implement this filter. Keep an eye on it. It should tell you who is doing it? Then you can get rid of the offending account. Your main goal would be stop the email from getting out of the server. I think this may be a good way to help it.

    Like I always say I could be wrong and I am sure someone will correct me on this.

    Maybe rampage will share a more up to date file :)

    Tracy
     
  11. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    I agree with thehostinghut, WHG, and others in this thread that the best way is to find the culprit and completely remove them from your server. As far as SPAM goes, we have written our own script which detects and pin-points any PHP scripts sending out SPAM. Yet, it is time-consuming to detect phishing scripts, as ramprage said.
     
  12. VirtuaLira

    VirtuaLira Well-Known Member

    Joined:
    Feb 1, 2004
    Messages:
    148
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chile
    How do you catch the PHP script running?

    I do a tail -f /var/log/exim_mainlog but I don't see anything, but I'm sure some accounts have a script from a spammer

    thanks
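An added example (not code from any poster in this thread) that ties together the filter from thehostinghut's post and VirtuaLira's question about finding the script. The filter's logwrite lines have a fixed shape, "$tod_log $message_id from $sender_address <verdict>", so /var/log/filter.log can be parsed and counted per sender. The log_selector in the same post includes +arguments, which makes Exim write a "cwd=<directory> N args: ..." line to exim_mainlog for each sendmail-style call; that format is assumed here from the Exim documentation, not from the thread. Pairing that line with the "<=" receipt line that follows it gives the directory a flagged message was sent from. All log lines below are constructed, and the pairing is by adjacency, which can mis-attribute on a busy server where submissions interleave.

```python
import re
from collections import Counter

# Constructed lines in the format the filter's logwrite statements produce.
FILTER_LOG = """\
2006-06-05 10:12:01 1FnAbC-0003Xy-Qz from bob@example.org is forged fake
2006-06-05 10:12:40 1FnAbD-0003Yz-Ra from service@paypal.com is phishing
2006-06-05 10:13:05 1FnAbE-0003Za-Sb from service@paypal.com is fraud
2006-06-05 10:14:22 1FnAbF-0003Zb-Tc from alice@example-shop.net contained spam keywords
"""

# Constructed exim_mainlog lines: "cwd=... N args: ..." as written with log_selector
# +arguments (format assumed from the Exim documentation), followed by the "<=" receipt
# line for the same submission. Directory and user names are made up.
MAINLOG = """\
2006-06-05 10:12:39 cwd=/home/reseller7/public_html/secure 3 args: /usr/sbin/sendmail -t -i
2006-06-05 10:12:40 1FnAbD-0003Yz-Ra <= service@paypal.com U=reseller7 P=local S=1834
2006-06-05 10:13:04 cwd=/home/reseller7/public_html/secure 3 args: /usr/sbin/sendmail -t -i
2006-06-05 10:13:05 1FnAbE-0003Za-Sb <= service@paypal.com U=reseller7 P=local S=1911
2006-06-05 10:14:21 cwd=/home/shopuser/public_html 3 args: /usr/sbin/sendmail -t -i
2006-06-05 10:14:22 1FnAbF-0003Zb-Tc <= alice@example-shop.net U=shopuser P=local S=702
"""

FILTER_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) from (?P<sender>\S*) "
    r"(?P<verdict>is phishing|is fraud|is forged fake|contained spam keywords)$"
)
CWD_RE = re.compile(r"^(?P<ts>\S+ \S+) cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$")
RECEIVED_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) <= (?P<sender>\S+)(?P<rest>.*)$")


def parse_filter_log(text):
    """Return one dict (ts, msgid, sender, verdict) per line the filter wrote."""
    return [m.groupdict() for m in map(FILTER_RE.match, text.splitlines()) if m]


def verdicts_by_sender(hits):
    """Counter keyed by (sender, verdict): which From addresses trip which rule, how often."""
    return Counter((h["sender"], h["verdict"]) for h in hits)


def parse_mainlog(text):
    """Pair each cwd= line with the next '<=' receipt line and return
    {msgid: {"cwd", "sender", "user"}}. Adjacency pairing is a heuristic."""
    pending_cwd = None
    result = {}
    for line in text.splitlines():
        m = CWD_RE.match(line)
        if m:
            pending_cwd = m.group("cwd")
            continue
        m = RECEIVED_RE.match(line)
        if m:
            user = re.search(r"\bU=(\S+)", m.group("rest"))
            result[m.group("msgid")] = {
                "cwd": pending_cwd,
                "sender": m.group("sender"),
                "user": user.group(1) if user else None,
            }
            pending_cwd = None
    return result


def directories_for_flagged(filter_text, mainlog_text):
    """Join filter.log verdicts to the cwd of the same message id and count flagged
    messages per directory; the top directory is where to look for the script."""
    by_id = parse_mainlog(mainlog_text)
    counts = Counter()
    for hit in parse_filter_log(filter_text):
        info = by_id.get(hit["msgid"])
        if info and info["cwd"]:
            counts[info["cwd"]] += 1
    return counts


if __name__ == "__main__":
    for (sender, verdict), n in verdicts_by_sender(parse_filter_log(FILTER_LOG)).most_common():
        print(f"{n:3d}  {sender}  {verdict}")
    for cwd, n in directories_for_flagged(FILTER_LOG, MAINLOG).most_common():
        print(f"{n:3d}  {cwd}")
```

On a real server replace the two constants with the contents of /var/log/filter.log and /var/log/exim_mainlog; the directory with the highest count is where a tail -f on exim_mainlog alone would not have pointed, because the "<=" line only names the sender and user, not the script's location.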
     
  13. sumith

    sumith Well-Known Member

    Joined:
    May 9, 2005
    Messages:
    96
    Likes Received:
    2
    Trophy Points:
    8