[members at lugog] OT - but need advice - my web site has had phishing pages added

MJ Ray mjr at phonecoop.coop
Tue Aug 17 19:57:11 UTC 2010


Graham Smith wrote:
> Sorry about this off topic question, but I am not at all sure where to 
> get help.

Your IT support service.  This is an example of a situation when
a support contract is useful.

> However, not really knowing what to do I passed the google warnings to 
> my ISP tech support several days ago and the email from 
> downie at spamtrackers.eu at 6am this morning, as soon as I picked it up.
> 
> However, I have had no response from tech support (about the google 
> warning or todays email) and I'm not sure what I should do.

I'd escalate that tech support request fairly quickly.  The co-op
tells our customers:

1. initially, send it by email to the relevant worker or your contact;

If the communication needs to be escalated, resend it:

   2. by XMPP or other synchronous method to the relevant worker;

   3. by email to info@ (sent to all workers);

   4. by telephone (if no answer, voicemails are sent to all workers);

   5. for customers with support options only: by paging the
   on-call worker's mobile.

If your suppliers don't let you do something like that, I'd move.  Our
software.coop hosting charge is similar to purplepaw's Power Hosting
and we offer support contracts too, which I didn't see on purplepaw.

Your aim should be to find out as many as possible of the 6 Ws of the
attack: who, when, how, what, where and why.  Then make sure they
can't do it again.

> I'm afraid my small web site was created with "idiot user" software 
> which also uploaded it for me, so I have little idea what is happening 
> at the server end.

Actually, last month I saw some "idiot user" software that added spam
links to every file it uploaded.  It had been used on the website of a
major hotel chain!

> What I have done, is this time I went into cpanel and managed to find 
> the phishing pages. I haven't deleted them but renamed them, as the 
> email asked that I forward the pages to them for inspection (but then 
> I'm not sure of the validity of the email)

Yes, I'd be wary of sending them to anyone you don't have a prior
agreement with, unless it's www.CPNI.gov.uk or law enforcement.

> Checking the logs for today since about 6am when I renamed the pages all 
> the attempts at accessing the phishing pages are now getting a code 404 
> response, where before they were getting a code 200 response.

I think that's good - the referer logs should tell you what other
sites might have been attacked.  I'd contact their tech support and
let them know.  They might even help you solve your problem.

> I have also changed the password to one that was generated by my log-in 
> page and has a good Strength rating.

Always a good move, but can you trust your log-in page?  I use pwgen
on my workstation.  It's packaged for debian and probably others.

> I would appreciate any advice, as to what my next step should be. Other 
> than continuing to chase purplepaw tech support.

Why not continue to chase purplepaw tech support?  It sounds like
they're dropping the ball and it's your online reputation at risk.

Other than that, I'd fix the hole and make sure it can't repeat.

Hope that helps,
-- 
MJ Ray (slef) Webmaster and developer for hire at | software
www.software.coop http://mjr.towers.org.uk        |  .... co
IMO only: see http://mjr.towers.org.uk/email.html |  .... op
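The advice above boils down to reading the access log for the 6 Ws: when the planted pages were first and last requested, who fetched them, where the visitors were sent from (the referer hosts MJ suggests contacting), whether anybody actually submitted details, and whether the log shows how the files got there. The script below is an added example and is not code from the mailing-list post or from purplepaw; it assumes the server writes Apache/nginx "combined" format logs, that the kit lived under a hypothetical /images/bank/ path on a hypothetical www.example.com, and the sample log lines are constructed for illustration rather than real traffic.

```python
"""Triage an access log after phishing pages were found on a web host.

Added example, not code from the original mailing-list post.  Assumptions
(none come from the post): "combined" log format; the planted pages lived
under /images/bank/ on www.example.com; the SAMPLE_LOG lines are constructed.
"""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Apache/nginx "combined" format: ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WRITE_METHODS = {"POST", "PUT"}

PHISH_PREFIX = "/images/bank/"   # hypothetical location of the planted kit
OWN_HOST = "www.example.com"     # hypothetical victim host (own referers ignored)

# Constructed sample, not real traffic.  The pages were renamed at 06:00 on
# 17 Aug, so the last request gets a 404, as in the post.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Aug/2010:21:14:02 +0000] "POST /upload.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Aug/2010:21:14:30 +0000] "GET /images/bank/login.htm HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [17/Aug/2010:03:02:11 +0000] "GET /images/bank/login.htm HTTP/1.1" 200 5123 "http://webmail.example.net/inbox" "Mozilla/4.0"
198.51.100.45 - - [17/Aug/2010:04:10:55 +0000] "GET /images/bank/login.htm HTTP/1.1" 200 5123 "http://redirect.example.org/go?x=1" "Mozilla/4.0"
198.51.100.45 - - [17/Aug/2010:04:11:09 +0000] "POST /images/bank/verify.php HTTP/1.1" 302 0 "http://www.example.com/images/bank/login.htm" "Mozilla/4.0"
192.0.2.8 - - [17/Aug/2010:05:30:00 +0000] "GET /index.html HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped rather than crash the parser
198.51.100.77 - - [17/Aug/2010:07:45:13 +0000] "GET /images/bank/login.htm HTTP/1.1" 404 290 "http://redirect.example.org/go?x=2" "Mozilla/4.0"
""".splitlines()


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def referer_host(rec):
    """Hostname from the Referer header, or None when it is absent ('-')."""
    if rec["referer"] in ("", "-"):
        return None
    return urlsplit(rec["referer"]).hostname


def triage(lines, phish_prefix=PHISH_PREFIX, own_host=OWN_HOST):
    """Answer who / when / what / where / how from the log for the planted pages."""
    records = [r for r in map(parse_line, lines) if r]
    hits = [r for r in records if r["path"].startswith(phish_prefix)]
    if not hits:
        return {"hits": 0}
    first = min(r["ts"] for r in hits)
    hit_ips = {r["ip"] for r in hits}
    return {
        "hits": len(hits),
        # what: which planted files were requested and how the server answered
        "paths": dict(Counter(r["path"] for r in hits)),
        "status": dict(Counter(r["status"] for r in hits)),
        # when: the window in which the pages were being requested
        "first_seen": first.isoformat(),
        "last_seen": max(r["ts"] for r in hits).isoformat(),
        # who: clients that fetched the pages (attacker's own checks included)
        "client_ips": dict(Counter(r["ip"] for r in hits)),
        # where: third-party sites that sent visitors here, worth notifying
        "referer_hosts": dict(Counter(
            h for h in map(referer_host, hits) if h and h != own_host)),
        # victims who actually submitted data to the kit (the impersonated
        # organisation will want to know)
        "victim_submissions": dict(Counter(
            r["ip"] for r in hits
            if r["method"] in WRITE_METHODS and r["status"] != 404)),
        # how (heuristic only): write requests outside the kit, before its first
        # hit, from an IP that then fetched the kit.  An upload over FTP or
        # cPanel never appears in the web log, so check those logs as well.
        "upload_candidates": [
            (r["ip"], r["ts"].isoformat(), r["method"], r["path"])
            for r in records
            if r["method"] in WRITE_METHODS
            and not r["path"].startswith(phish_prefix)
            and r["ts"] <= first and r["ip"] in hit_ips
        ],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against the real log by replacing SAMPLE_LOG with the file's lines and PHISH_PREFIX with the directory the pages were actually found in. A 200 before the rename and a 404 after confirms the rename worked; the referer hosts are the "other sites" to contact; and if upload_candidates is empty, the files most likely arrived through FTP or the control panel using the old password, which is exactly the hole to close.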



More information about the Glastonbury mailing list