Phishing Attack!

September 4th, 2008

My site went down a couple days ago for several hours. :( After submitting a help ticket to my host, I noticed that right before it kaboom'd I had gotten about a hundred 404 notifications for a specific directory. I quickly deleted the directory, with a feeling it may have something to do with the downtime.

I was right. A few hours later, my host informed me that a phishing site had somehow become hosted on that directory. O_o I had just so happened to check the default "catch all" email on my account (my site's email is actually hosted by Google) and saw that there were thousands of emails that had been sent (some even returned because of the phishing) through my own account!

The directory that had been compromised had housed a script called GreyBox, which is a "light box" script that I used to display the images on myFan's page. Apparently there is a vulnerability in the script that allowed the phishing site to insert itself into the script's directory and begin illegally sending those emails.

Apologies to anyone who received an unauthorized email like that from my domain. Also a word of caution to everyone else who has a site: please make 100% sure you are being secure on every little script and page. You may think you are, but if someone like me (who is overly cautious and paranoid about web security already) can get "hacked" like this, then anyone can.

I want to quickly toss this out there, as a personal suggestion, in response to what I've seen a lot of website owners doing lately: please do not put the login links to your site's administration/control panels actually on your site! You're practically inviting sketchy people to "drop in". :P This includes your email, CMS login area, anything. Bookmark them on your browser instead. Those links aren't really content that any visitors need to see and saying "omgz don't click here!!!" around the links isn't going to keep any hacker out. :P

A support tech from my host, the wonderful Site5, was kind enough to send me a long list of advice (a document that I know is given to many people but is still quite informative) about keeping your website (and online life in general) secure:

Most account compromises are initiated by using a remote command inclusion vulnerability within an existing web application. This issue was likely the result of poor or lacking security on the part of one or more user accounts, including shared or weak passwords, insecure permissions on important configuration files (allowing full read access globally), and other factors. Please be sure that the following steps are taken to assist in preventing further intrusions:

  1. Perform a complete audit of your account and applications. Ensure that all content available was made available only by yourself, and that any information, including application login credentials, that doesn't match up is removed.
  2. Any PHP scripts should be chmod 600 at the very least. Any PHP scripts that contain important information, such as MySQL database connection information, should be chmod 400. By default these files are likely permissioned to 644, which will allow global read access to the file by any user on the system.
  3. Any applications that are connecting to a MySQL database should be doing so with their own individual MySQL database login credentials. Never should a set of credentials be recycled or used elsewhere. You should also avoid using your system username and password as an authorization point for these applications.
  4. Passwords should be 16+ characters in length and contain a mixed case of letters and numbers, and should be modified on a regular basis (twice monthly at the very least). A password should never be used for more than one service or provider, ever!
  5. Any 3rd party or custom PHP, Perl and other web applications should be kept up to date at all times. Subscribe to the software vendor's security or update notification mailing list. If an application is no longer required or in use, remove it completely. Disabling the application is not always a surefire means of disallowing intrusion attempts.

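Step 2 of that list is the easiest one to check mechanically, since shared hosts hand out 644 by default and a single forgotten script (a lightbox, an old test install) is enough. The script below is an added example for this post, not something from the original entry or from Site5's document: it walks a directory, reports every PHP file whose mode is looser than the advice allows, and optionally tightens it. It assumes GNU stat (`-c '%a'`), and the grep pattern it uses to recognise files holding database credentials (mysql_connect, db_pass, DB_PASSWORD) is a heuristic chosen for the example; the small sample tree it builds is constructed so the script can be tried offline.

```shell
#!/bin/sh
# Added example, not part of the original post or of Site5's document.
# Audits a web directory against step 2 of the advice: PHP files should be
# mode 600 at most, and PHP files holding database credentials mode 400.
# Assumes GNU stat (-c '%a'); the grep pattern used to spot credential files
# is a heuristic chosen for this example.

audit_php_perms() {
  # $1: directory to scan; $2: optional "--fix" to chmod offenders.
  # Prints "<current mode> <required mode> <path>" for each PHP file that
  # grants more than the advice allows. Returns 1 if anything was flagged.
  dir=$1
  fix=${2:-}
  bad=0
  list=$(mktemp)
  find "$dir" -type f -name '*.php' > "$list"
  while IFS= read -r f; do
    mode=$(stat -c '%a' "$f")
    # Files that look like they hold MySQL connection details get the
    # stricter 400 target; everything else is held to 600.
    if grep -qiE 'mysql_connect|db_pass|DB_PASSWORD' "$f"; then
      want=400
    else
      want=600
    fi
    group_other=$((mode % 100))        # last two octal digits: group/other bits
    owner=$(( (mode / 100) % 10 ))     # owner digit (ignores setuid/setgid/sticky)
    if [ "$group_other" -ne 0 ] || { [ "$want" -eq 400 ] && [ "$owner" -ne 4 ]; }; then
      printf '%s %s %s\n' "$mode" "$want" "$f"
      bad=1
      if [ "$fix" = "--fix" ]; then
        chmod "$want" "$f"
      fi
    fi
  done < "$list"
  rm -f "$list"
  return "$bad"
}

make_sample_site() {
  # Constructed sample document root for trying the audit offline:
  # two files left at the 644 default, one already locked down.
  root=$(mktemp -d)
  mkdir -p "$root/lightbox"
  printf '<?php echo "gallery"; ?>\n' > "$root/lightbox/gallery.php"
  printf '<?php $db = mysql_connect("localhost", "user", "secret"); ?>\n' > "$root/config.php"
  printf '<?php echo "home"; ?>\n' > "$root/index.php"
  chmod 644 "$root/lightbox/gallery.php" "$root/config.php"
  chmod 600 "$root/index.php"
  printf '%s\n' "$root"
}

# Usage: sh audit_perms.sh /path/to/public_html [--fix]
if [ "$#" -ge 1 ]; then
  audit_php_perms "$1" "${2:-}"
fi
```

Run it without `--fix` first and read the report. Whether 600/400 actually works depends on how the host runs PHP: under suexec/phpsuexec the scripts execute as your own user and can still read them, but where PHP runs as the web server's user (a different account) a 600 file owned by you is unreadable and the page breaks, so check the site after tightening and ask the host which setup they use.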
If you have trouble keeping track of your passwords, you may want to look into using a solution such as the following, which I personally find to be quite useful in both generating passwords and securely saving these details: http://keepass.sourceforge.net/

Comments

This is an old post, so both comments and trackbacks are currently closed. If you wish to leave a response, please contact me.

Meggan Sep 04, 2008

Ooo scary! I recently re-discovered a very, very old version of WordPress on my server that I had previously used as a WP test environment. I upgraded ASAP but I couldn’t believe I had entirely forgotten it was up there! I need to clear out a bunch of junk from old versions of my site.

So glad you got it sorted. Site5’s suggestions seem good too; I can’t imagine having and remembering a 16+ character password but I guess it would be more secure.

Kim Sep 04, 2008

Yikes! O_o I’m glad you figured out the problem fairly quickly. Thanks for posting the advice as well.

Melissa Sep 04, 2008

Gawd, I need to clear things out too. X_X

I can’t imagine remembering something like that either, LOL, but I’ve been trying out that KeePass software and it is truly awesome! :D It can generate random passwords for you and you can import/export Firefox saved passwords to it to help keep a database. It also can “auto-type” your login information for you on pages, although I’m having some trouble getting the current stable version to do that in Firefox.

Sarah Sep 04, 2008

Glad you got it sorted out. Hackers FTL.

Noellium Sep 04, 2008

Gah, I’ve been thinking about using random passwords instead of using similar ones for all my logins and pretty much created a random password generator script that resides on my hard-drive. I did try out this software though and it’s niiiice. :D I think I’ll use it from now on.

Anneli Sep 04, 2008

Glad everything ended well. Hackers and such are scary. >.< It’s sometimes disheartening to think about how much work can be lost in the blink of an eye.

Louise Sep 04, 2008

Ack! I don’t understand why people put their log-in links on their pages!? That is flippin’ ridiculous! I mean… a) Can’t people put them in bookmarks/favorites? And b) If not that, then memorise the URL because it’s not that hard to remember “Admin” 8|

Melissa Sep 04, 2008

Exactly. I cringe every time I see those links on a site. I might understand a tiny “login” image or something but not a full on sidebar widget box saying “ADMIN ONLY! GO AWAI” or something like that. Oh please. :P

It’s like saying:

I cordially invite you to every single administrative part of my site.

mendifae Sep 04, 2008

oh wow, that’s scary! I’m glad you caught it quickly! I definitely need to fix some things around my site too!

Lisa Sep 05, 2008

wah… that’s scary! I really think I should be more careful…
I’m glad things worked out for you though!

Caitlin Sep 05, 2008

Wow that sounds scary! It’s a good thing you’re smart enough to realize when something looks wrong in your directories. Many people would just freak out and not know where to start. I’m glad that you were able to catch it quickly and resolve the problem.

By the way, I don’t know if you realized but I changed links. I’ve moved from thatgirlcaitlin.net to caity.nu. Thought I’d tell you in case you wanted to update your link. :)

Hev Sep 05, 2008

Oh great, I have login links on every one of my sites. Boy, Melissa, you sure do know how to give me nightmares. :wah: Guess I will be moving things around, again.

Jess Sep 06, 2008

Those are good suggestions. I’m sure there are a lot of people who own websites who haven’t given this type of security a second thought (I know I haven’t until now). Though some are pretty logical - I never understood the point of Admin links in the sidebar. How exactly is that of any use to visitors?
Glad that you’ve fixed it all now, it sounds pretty scary!

Bubs Sep 06, 2008

Wow, scary!! :O

Jessica Sep 07, 2008

that is what happened to me that time Jem & Jordan helped me out. Somehow though on my site that Jordan hosts I get a bunch of the returned emails. I have cleaned out all I can & still get them.

Vera Sep 09, 2008

… that sounds very very dangerous. And here I was wanting to maybe try releasing a script for the public. True, I wouldn’t be using others’ work, but as I’m not very experienced in PHP I’d probably leave one or two holes… LARGE holes =.=

I hope everything is back up, running smoothly again.

Nanda Sep 11, 2008

It really sucks that that happened. I hope everything is fixed now.

I really don’t understand why people put a link to their login pages up on their website. It’s something that I, as a visitor, wouldn’t even *want* to see. I don’t see what’s the point and I agree with you. People should add the links to their bookmarks instead.

Thanks for sharing the document with us! It contains very helpful information. :)

Christina Sep 12, 2008

Scarily, this is not the first time I’ve heard of this. I know a few people whose sites have been hacked due to having that link to the admin section in their footer. I used to have it, and took it out as soon as I had heard that!

I hope you’re able to fix all the problems with this phishing site! Good luck!

Rhiannon Sep 15, 2008

Argh, that’s awful! I’m glad you got everything sorted though. :ohyeah:

Sandra Sep 22, 2008

A friend of mine had that same sort of thing happening to him. He hosted a guy on his server and that guy got hacked, and they stored images used for phishing on the server, so the provider shut it down. It was all cleared up within 24 hours (my site was affected since I’m hosted there too) so it all worked out in the end.
I don’t know why people can’t just stop with the phishing. I mean, I got email about my Paypal account being suspended and that I needed to log in on this shady website, and I didn’t even have a Paypal account. Many times it’s not even well made. Full of spelling mistakes and stuff like that.