
Phishing#3143

Discussion in 'Security' started by ltchat, Oct 16, 2013.

  1. ltchat

    ltchat Member

    Hello,


    I'm the owner of WHM and cPanel, where my website is located. A few days ago, my website was hacked. I turned on all safety modules, safe modes, but today I got a message from the administrator I rent my server from that my server has been disabled because of PHISHING#3143. I contacted him and he told me that there is a file in my website which redirects to the -Removed- and it's scamming or spamming all emails or something like that. That's the reason I have been closed down for a few hours. Now I deleted that file from my website, but I want to know: how can I stop this from happening in the future?

    More info from the server:

    Code:
    ** This is an automated e-mail to inform you of an abuse complaint **
    
    ABUSE TYPE: PHISHING
    MAXIMUM RESPONSE TIME: 1 hours
    IP: 192.96.xxx.xx
    
    
    Dear customer,
    
    This message is to inform you we received a complaint regarding
    an IP assigned to you. Please see the complaint at the bottom
    of this e-mail. We urge you to take appropriate action to prevent
    future complaints.
    
    Please note: the complaint has been processed by an automated system.
    If you feel the complaint is invalid, please contact the complainant.
    
    PLEASE NOTIFY US WITHIN THE MENTIONED RESPONSE TIME WITH TAKEN ACTIONS.
    FAILURE TO DO SO WILL RESULT IN AN IP BLOCK OF THE MENTIONED IP.
    
    Kind regards,
    
    LeaseWeb USA, Inc. - Abuse Desk
    
    
    ***** ADDITIONAL INFORMATION BY SIRT *****
    ******************************************
    ORIGINAL COMPLAINT BELOW
    ******************************************
    
    Hello,
    
    We have just identified a phishing website under your administration.
    
    As a result, we ask you to proceed with its takedown as soon as possible.
    
    
    The phishing website is located at the following domain: ltchat.com
    
    and at the following URL: -Removed-
    
    This URL leads to a fraudulent page containing a counterfeiting site of BANQUE POSTALE. So far, we have detected several phishing mail scams referring to this URL.
    
    The site responds to the following IP address(es): 192.96.xxx.xx
    
    
    We have verified that none of these IP addresses belong to BANQUE POSTALE -Removed-
    
    Please consider reporting any data in your possession which may be related to the reported incident (such as connection logs, suspicious accounts in relation to this fraud...)
    
    Thank you to confirm the reception of our request by responding to this email.
    
    Thanks for your cooperation.
    
    
    CERT-LEXSI - Cybercrime department
    
    
    
    CERT-LEXSI is a CSIRT team recognized by Enisa that conducts cybercrime monitoring and investigation and works with other CSIRTs and law enforcement agencies.
    Our mission is to correlate information on phishers and cybercrime gangs to assist legal procedures and lead to arrests.
    You may be in possession of critical information for investigations:
    - server files you can send us (we research to find out identities and fraud evidence;
    - IP addresses used for server administration;
    - information related to billing (rejected credit card, card owner name, full or partial cc number).

    Any suggestions on how I can stop third parties from connecting to my files and doing what they want?

    I have changed the password since the last time I was hacked, and I changed it to a really hard one, and it's long (35 characters) with different symbols, numbers, and lower and capital letters.


    Thanks
    Regards
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    If you're unsure of the way forward, you should hire someone to assist you. There are listings for this sort of thing on the cPanel AppCat located here:
    cPanel App Catalog
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    One of the best ways to avoid this type of exploitation of your scripts is to ensure they always use the most up-to-date versions and permissions are not configured to insecure values.

    Thank you.
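
An added example, not part of the original reply and not cPanel's own tooling: a shell audit of one account's document root for the insecure permissions mentioned above, plus recently changed web files and files owned by another user. The `/home/USER/public_html` path, the function names and the 7-day default are assumptions.

```shell
#!/bin/sh
# Added example: audit one account's document root (path is an assumption).

# Files and directories writable by every local user (mode o+w: 666, 777, ...).
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print 2>/dev/null | sort
}

# Web-served scripts and .htaccess files changed in the last N days (default 7).
recently_changed() {
    find "$1" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.html' -o -name '.htaccess' \) \
        -mtime "-${2:-7}" -print 2>/dev/null | sort
}

# Anything not owned by the account user (name or numeric uid).
foreign_owned() {
    find "$1" ! -user "$2" -print 2>/dev/null | sort
}

# Print a report of all three checks; return 1 when anything was flagged.
audit_docroot() {
    status=0
    for check in world_writable recently_changed foreign_owned; do
        case $check in
            recently_changed) out=$("$check" "$1" "${3:-7}") ;;
            foreign_owned)    out=$("$check" "$1" "$2") ;;
            *)                out=$("$check" "$1") ;;
        esac
        if [ -n "$out" ]; then
            printf '== %s ==\n%s\n' "$check" "$out"
            status=1
        fi
    done
    return "$status"
}

# Usage: sh audit.sh /home/USER/public_html USER [DAYS]
if [ "$#" -ge 2 ]; then
    audit_docroot "$@"
fi
```

Recently changed files are leads for review rather than proof of compromise; compare them against your own deployments before deleting anything.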
     
  4. ltchat

    ltchat Member

    Hi,

    I have received some help from other forums and I found out that my Apache and PHP versions were way out of date, so I studied and found out how to update my server through WHM. Now my system is running the newest Apache and PHP versions. I hope it will now be harder for hackers to access my files.
     
