05-01-2011 #1, Just Joined! (Join Date: Jan 2010, Posts: 5)
Phishing...help...
Hello,
I have been experiencing a phishing attack for a few days on my server (CentOS); subdomains were created by themselves, and I found "areaservizi.monetaonline.it/servizi" folders in my domain's public_html. Can anyone tell me if he/she has experienced such things? Can you please let me know the resolution to get rid of these attacks.
Thank you in advance.
_______
Regards,
Ali
05-04-2011 #2, Just Joined! (Join Date: Aug 2009, Posts: 79)
Malicious activity these days is often caused by a lack of hardening (root allowed to log in over SSH, allowing brute forcing of the account), running unnecessary or ill-configured services (like running VNC or Vino without authentication), but most of all running ill-configured, stale, deprecated and vulnerable versions of software (for instance forum, shopping cart, web log, statistics, webmail or web-based management panels) as part of the web stack.
How they got in is your second priority. Best first save process information (saving in /dev/shm may be a substitute for "/path/to/"):
Code:
( /bin/ps axfwwwe 2>&1;                  # full process tree with environment
  /usr/sbin/lsof -Pwln 2>&1;             # open files and listening/connected sockets
  /bin/ls -al /var/spool/cron 2>&1;      # per-user crontabs (common persistence spot)
  /bin/netstat -anpe 2>&1;               # sockets with owning PID and user
  /usr/bin/lastlog 2>&1;                 # last login per account
  /usr/bin/last 2>&1;                    # login history from wtmp
  /usr/bin/who -a 2>&1 ) > /path/to/data.txt   # who is logged in right now
then stop serving any content by shutting down services like web server, database, FTP and cron and denying non-critical regular users and customers access via SSH while you investigate.
Next investigate all your logs using Logwatch, as that's the most efficient way to find anomalies, and verify RPM packages:
Code:
( /bin/rpm -Vva 2>&1 | /bin/grep -v '^\.\{8,9\} ' 2>&1;   # drop unchanged files (8- or 9-column status), keep only files that fail verification
  /usr/share/logwatch/scripts/logwatch.pl --numeric --detail 5 --service all --range All --archives --print 2>&1 ) > /path/to/log.txt
It *might* help if you post:
- which services the machine provides (HTTP, SSH, FTP, etc),
- which exact software versions (especially forum, shopping cart, web log, statistics, web mail or any web-based management panel software versions) and if the software was kept up to date,
- if there have been earlier breaches or anomalies,
- which logging and access restrictions are in place and what hardening was performed.
Please reply verbosely and if you are unable to post here at least pastebin all output.
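Added example, not from the thread or any of its posters: a POSIX sh helper that turns the status column of the `rpm -Vva` output mentioned above into readable triage lines, so a responder can tell a config edit from a replaced system binary at a glance. It assumes rpm's standard 8- or 9-character status column and builds its own constructed sample input.

```shell
# Added example, not from the thread: decode the status column of `rpm -Vva`
# so a responder sees which package-owned files changed and how.
# Assumed format: an 8- or 9-character status column ("S.5....T." style) or
# the word "missing", an optional attribute letter such as "c" (config file),
# then the path. Paths containing spaces are not handled.

# Expand rpm's single-letter change flags into words.
decode_flags() {
  st=$1; out=""
  while [ -n "$st" ]; do
    c=${st%"${st#?}"}; st=${st#?}                 # peel off the first character
    case $c in
      S) out="$out size";;   M) out="$out mode";;    5) out="$out digest";;
      D) out="$out device";; L) out="$out symlink";; U) out="$out owner";;
      G) out="$out group";;  T) out="$out mtime";;   P) out="$out caps";;
      *) ;;                                         # "." unchanged, "?" unreadable
    esac
  done
  printf '%s' "${out# }"
}

# Read rpm -V lines on stdin and print one triage line per altered file:
#   ALERT   non-config file whose content, mode or size changed (trojaned-binary pattern)
#   NOTE    config edits or timestamp/ownership-only drift, often benign but worth a look
#   MISSING a package file that no longer exists on disk
decode_rpm_verify() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    status=${line%% *}; path=${line##* }
    cfg=0; case $line in *" c "*) cfg=1;; esac
    hot=0; case $status in *[SM5]*) hot=1;; esac
    case $status in
      missing) printf 'MISSING %s\n' "$path";;
      *[SMDLUGTP5]*)
        flags=$(decode_flags "$status")
        if [ "$cfg" -eq 0 ] && [ "$hot" -eq 1 ]; then printf 'ALERT %s: %s\n' "$path" "$flags"
        elif [ "$cfg" -eq 1 ]; then printf 'NOTE %s (config): %s\n' "$path" "$flags"
        else printf 'NOTE %s: %s\n' "$path" "$flags"
        fi;;
    esac
  done
}

# Constructed sample of rpm -Vva output (not taken from any real host).
sample_rpm_verify_output() {
  printf '%s\n' 'S.5....T.  c /etc/ssh/sshd_config' '.M.......    /usr/bin/passwd' \
                'S.5....T.    /bin/ps' '.........    /bin/ls' 'missing     /usr/sbin/sshd'
}
sample_rpm_verify_output | decode_rpm_verify
```

On a live host, feed it the real output with `rpm -Vva | decode_rpm_verify`. Keep in mind that `rpm -V` is only as trustworthy as the rpm binary, its libraries and the RPM database on the compromised machine, so treat a clean result as a hint rather than proof.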