[members at lugog] OT - but need advice - my web site has had phishing pages added

MJ Ray mjr at phonecoop.coop
Wed Aug 18 10:00:11 UTC 2010


Graham Smith wrote:
> I have been trying that, but (possibly because there is no specific 
> contract other than the price including 24hr support) there doesn't seem 
> to be any mechanism to escalate it. I can't find a telephone number, but 
> have now emailed other purplepaw email addresses.

Hrm.  Their co.uk WHOIS listing doesn't give a phone number (which
might be usual for co.uk if I recall correctly) and their dotCom one
lists a US phone number.  Their co.uk WHOIS gives a PO Box number in
Southampton, while their Companies House registered office is in
London.  Does anyone know who purplepaw really are?

http://www.purplepaw.co.uk/contact/ says: "Please note that we do not
deal with Customer Service, Sales, or Technical Support enquiries by
telephone or fax."  What do people think of that approach?

Searching the web for purplepaw hosting finds negative reviews like
http://www.ukbusinessforums.co.uk/forums/showthread.php?t=11357
easily, although I don't agree with that page about 1&1 ;-)

> > Your aim should be to find out as many as possible of the 6 Ws of the
> > attack: who, when, how, what, where and why.  Then make sure they
> > can't do it again.
> 
> I have no idea how to do this, but assumed purplepaw would have done this.

Assumption is the mother of all screwups.  I'd hope they would take
an interest in a phishing break-in, but I have encountered hosting
providers who simply wipe and reload the server and just assume that
it was user error (such as weak passwords or not applying security
updates).

> Should I be telling "someone" about it?  It's obviously criminal 
> behaviour, defrauding people by pretending to be ebay.

As far as I know, Avon and Somerset Police do not have a high-tech
crimes unit that accepts such reports.  You can tell CPNI and ebay
but they listen more than they talk.  It's a disappointing situation.

I'd report it to http://www.actionfraud.org.uk/ - they're linked from
http://www.getsafeonline.org/ who I generally trust on such things.

> > I think that's good - the referer logs should tell you what other
> > sites might have been attacked.  I'd contact their tech support and
> > let them know.  They might even help you solve your problem.
> 
> The referer field is empty in every entry

Every entry?  I'd expect some to contain links from webmail sites,
which would suggest it was used in email-based phishing.  Does any
LUGger more familiar with webmail know whether they blank the referer
on links somehow?

Or is referer empty for *every* entry, including legitimate ones?
If so, then the hosting provider may be misconfigured. :-/

> >> I have also changed the password to one that was generated by my log-in
> >> page and has a good Strength rating.

Ask yourself: was the old password weak?  For example, can you find it
in a web search?  If so, that might well be how they got in - I'd
check the access logs for logins from networks you don't use.

Elsewhere, it's written that the site was only three pages, so unless
they were badly-written PHP or similar, I'd be surprised if they were
the break-in route.  But I'm often surprised :-)

Hope that helps,
-- 
MJ Ray (slef) Webmaster and developer for hire at | software
www.software.coop http://mjr.towers.org.uk        |  .... co
IMO only: see http://mjr.towers.org.uk/email.html |  .... op
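The log checks suggested in the message above (whether referers are blank
on every entry or only on the phishing hits, which webmail or other sites
the lure was linked from, and whether anyone logged in from a network the
owner doesn't use) as an added worked example, not code from the thread or
from either correspondent.  The log lines are constructed in Apache
"combined" format using documentation address ranges; the paths /ebay/ and
/admin/login, the trusted network 10.0.0.0/8, and the rule that a POST to
the login page answered with a 302 counts as a successful login are all
assumptions for the example and should be adjusted to the real site:

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" log format; these are NOT
# from the site discussed in the thread.  Addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Aug/2010:22:14:03 +0100] "GET /ebay/signin.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [17/Aug/2010:22:15:41 +0100] "GET /ebay/signin.php HTTP/1.1" 200 5120 "http://mail.example.net/cgi-bin/message?id=42" "Mozilla/4.0"
192.0.2.55 - - [17/Aug/2010:22:16:02 +0100] "POST /ebay/signin.php HTTP/1.1" 302 0 "http://www.victim-site.example/ebay/signin.php" "Mozilla/5.0"
203.0.113.7 - - [17/Aug/2010:23:01:10 +0100] "POST /admin/login HTTP/1.1" 302 0 "-" "curl/7.19"
10.1.2.3 - - [18/Aug/2010:08:00:00 +0100] "POST /admin/login HTTP/1.1" 302 0 "http://www.victim-site.example/admin/" "Mozilla/5.0"
10.1.2.3 - - [18/Aug/2010:08:00:05 +0100] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def referer_check(entries):
    """Return (all_empty, Counter of referer hosts).

    Apache logs '-' when no Referer header was sent.  If *every* entry is '-',
    including ordinary page views, suspect the logging config rather than
    the visitors.
    """
    hosts = Counter()
    for e in entries:
        if e["referer"] != "-":
            hosts[urlsplit(e["referer"]).hostname or e["referer"]] += 1
    all_empty = all(e["referer"] == "-" for e in entries)
    return all_empty, hosts


def phishing_traffic(entries, path_prefix):
    """Who fetched the planted pages, and from where were they linked?

    Returns (Counter of client IPs, set of referer hosts).  Webmail hosts in
    the referers show the lure went out by e-mail; other hosts may be further
    compromised sites whose owners are worth telling.
    """
    ips = Counter()
    ref_hosts = set()
    for e in entries:
        if e["path"].startswith(path_prefix):
            ips[e["ip"]] += 1
            if e["referer"] != "-":
                ref_hosts.add(urlsplit(e["referer"]).hostname)
    return ips, ref_hosts


def unknown_logins(entries, login_path, trusted_nets):
    """IPs outside trusted_nets that appear to have logged in.

    Assumption for this example: a POST to login_path answered with 302 is a
    successful login (many apps redirect on success); adjust to your app.
    """
    nets = [ip_network(n) for n in trusted_nets]
    suspects = set()
    for e in entries:
        if e["method"] == "POST" and e["path"] == login_path and e["status"] == "302":
            addr = ip_address(e["ip"])
            if not any(addr in n for n in nets):
                suspects.add(e["ip"])
    return sorted(suspects)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    all_empty, hosts = referer_check(entries)
    print("every referer empty:", all_empty, "| referer hosts:", dict(hosts))
    ips, ref_hosts = phishing_traffic(entries, "/ebay/")
    print("phish page hits by IP:", dict(ips), "| linked from:", sorted(ref_hosts))
    print("logins from untrusted networks:",
          unknown_logins(entries, "/admin/login", ["10.0.0.0/8"]))
```

Run it against the real access log (read the file instead of SAMPLE_LOG) with
the actual phishing directory as path_prefix and your own ISP's ranges as
trusted_nets.  If referer_check reports all_empty on the whole log, the
provider's LogFormat is not recording the Referer header and the "empty
referer" observation tells you nothing about the attack.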




More information about the Glastonbury mailing list