Urgent help needed....! Need to remove a phishing site...

I'll see if I can help you, add me on Skype: gladosdan

really? i dont mean to be rude.. but really?

youve been compromised in some way that your hosting phishing websites, and now your just gonna let someone from a forum log into your node?

@Internat:

really? i dont mean to be rude.. but really?

youve been compromised in some way that your hosting phishing websites, and now your just gonna let someone from a forum log into your node?

This guy is criminally negligent. Linode have been very nice to him by just powering down his Linode. As he is clearly not able to manage a virtual machine he should consider something safer like simple web hosting from hostgator.

That seems a bit harsh. To me it sounds like the OP believed he had a technical resource to support him, until the lack of response for this particular issue. Regardless, it's certainly not the only time the forums have been used to find consulting or other assistance, which I'd assume would include some references.

To the OP, it's possible this won't qualify since Linode didn't mention it in their own communication (and they said they wouldn't necessarily take all requests) but you might try opening a ticket to see if they would assist you as part of their trial of managed services (http://forum.linode.com/viewtopic.php?t=8349)

– David

> That seems a bit harsh. To me it sounds like the OP believed he had a technical resource to support him, until the lack of response for this particular issue. Regardless, it's certainly not the only time the forums have been used to find consulting or other assistance, which I'd assume would include some references.

im all for the forums being used for advise, and help, thats what they are for. But he does say ill give you the log in details for it.. Thats what i have an issue with.

@Internat:

im all for the forums being used for advise, and help, thats what they are for. But he does say ill give you the log in details for it.. Thats what i have an issue with.
What issue? It's not like he was posting the information right in the forum. How would you expect a consultant/contractor to work on his node without that information?

– David

@db3l:

That seems a bit harsh.

Yes, indeed. I was absolutely harsh but I was also fair.

If you let organized crime run a gambling club in your living room and the police come around, turn the lights off, then leave, I think you would have got off rather lightly. Not knowing you are breaking the law is never an excuse.

Professionally I'd be rather interested in what the phishers did to his Linode though. I'm guessing they got in with a guessable or reused password but maybe it was an exploit in some CGI script or suchlike.

No I do not believe that some of the reactions to this is too harsh. If the linode has been truly compromised by someone that is able to place their own files on the OS level, the only really correct action is to

1- back up the device (for later analasys or data retrieval)

2- shut it down

3- reinstall the linode from scratch taking into account current security guidelines.

Once a system has been compromised, there is really no way to %100 be sure that there is no other "backdoor" that has been installed that would reopen the system for another breakin once the phishing pages have been removed.

What we do not know here is if the original "consultant" here was running the phishing sites without the linode owner knowing or if the machine was compromised due to weak passwords/ etc.

I too have run into too many "owners" willing to essentially turn over the "keys to the kingdom" with very little background checks on whom they are willing to trust with what is essentially their reputations, and in the long run, linode.com's reputation…

That is ONE of the many reasons we have so many botnets out there….

@TeddyR42:

No I do not believe that some of the reactions to this is too harsh. If the linode has been truly compromised by someone that is able to place their own files on the OS level, the only really correct action is to

1- back up the device (for later analasys or data retrieval)

2- shut it down

3- reinstall the linode from scratch taking into account current security guidelines.
And hopefully most contractors would end up following a similar path.

It just seems unfortunate to me that following what was essentially a plea for help, the trend seemed to be to blame the OP for creating the scenario rather than offering suggestions on what to do.

I suppose this is veering off topic further, but if the OP is not expert enough to do this, how would you suggest a resource be located? It seems to me this forum should be a legitimate means to at least ask for assistance, and if anything might garner folks who are familiar with Linode. As I noted earlier, it's not the first time there have been requests here to help with management tasks. The inital post was pretty up front with the state of affairs, and the lack of an expected resource.

It would be nice if other responses offered other avenues of finding such support if in fact the belief is that doing so here is wrong or exhibits bad judgement. Just declaring the OP to be a bad operator, sans other suggestions, and knowing very few details about the situation, still seems a harsh response, or at least less than helpful.

> Once a system has been compromised, there is really no way to %100 be sure that there is no other "backdoor" that has been installed that would reopen the system for another breakin once the phishing pages have been removed.

What we do not know here is if the original "consultant" here was running the phishing sites without the linode owner knowing or if the machine was compromised due to weak passwords/ etc.
I don't really disagree with this, but again, it seems to me the OP was simply trying to get assistance to, in fact, repair the damage. The damage itself is already done, his Linode is already shut down, so the question at hand is how to proceed, and lacking the necessary expertise himself, how to find it.

> I too have run into too many "owners" willing to essentially turn over the "keys to the kingdom" with very little background checks on whom they are willing to trust with what is essentially their reputations, and in the long run, linode.com's reputation…
The implication being that the OP falls into this category? Any concrete suggestions (to go along with the rant) on how to determine who he should be willing to trust?

– David

PS: I can totally sympathize with the concern over poorly managed machines being potential vectors for spam and other abuse. I just think the goal should be to assist the OP in resolving the issue at hand.

Besides fixing your sites (hopefully you had good backups - like all the other advice - you really need to scrub the old site and start fresh), don't forget to "clear" your reputation.

Netcraft reports "This phishing site has been blocked by the Netcraft Toolbar. " for your site.