[tngusers2] Phishing with version 6
Darrin Lythgoe
darrin at lythgoes.net
Sun Feb 1 08:28:51 CST 2009
As Henny said, you must first remove any files and folders that you didn't put there. If any files were updated recently
(look for the same modification date as the ones that were added), check to see if any malicious code was added to the
beginning or end, then delete that code if you find it. You'll recognize it because it's usually a big long string of
obfuscated stuff all on one line that doesn't look at all like the rest of the code.
Once you're done with the cleanup, I highly recommend that you upgrade your TNG to the latest version. A few security
vulnerabilities have been found and fixed in the past. One of those could have left the door open for this hack, and if
that's the case, the same people will come right back if the holes aren't patched.
Darrin
> -----Original Message-----
> From: tngusers2-bounces at lythgoes.net [mailto:tngusers2-bounces at lythgoes.net] On Behalf Of Henny Savenije
> Sent: Sunday, February 01, 2009 1:57 AM
> To: tngusers at spampede.com; TNG Users List
> Subject: Re: [tngusers2] Phishing with version 6
>
> Well, I didn't see the image but I guess you should contact them
> immediately, remove the offending validation.php or maybe the whole
> directory chas-s/ since this IS NOT a part of TNG
>
> It just looks as if the site is hacked through a piece of vulnerable
> software you installed but take action ASAP
>
> At 04:48 PM 2/1/2009, you wrote:
> >While I did not have a phish complaint against my IP address, I have
> >had a SPAM complaint.
> >
> >With one reply to the hosting company my account was immediately re-activated.
> >
> >As Anton Technical Support staff from WebHostingBuzz.com said in the
> >email to you,
> >Awaiting your response.
> >
> >Have you sent an email to the hosting company, explaining there is
> >no phishing activity.
> >
> >Brett
> >
> >
> >Chasonek wrote:
> >>Hello Tnguser2,
> >>
> >>I just received the following saying My TNG site was Phishing?
> >>---------------------------------------------------------------
> >>Dear Reseller,
> >>
> >>Unfortunately we have to block your account 'tng_site' on
> >>rs7.whbdns.com server for fraudulent Web site hosting.
> >>
> >>Please take a look at the attached screenshot.
> >>
> >>Also you can read related complaints below.
> >>--------------------------------------------------------
> >>Employee Response - 2009-Jan-26 16:01 (GMT-0600) [Update 1]
> >>SoftLayer Security has received the following PHISHING complaint in
> >>reference to an IP hosted on your server. A copy of the complaint
> >>is listed below or attached to this ticket for your review. Please
> >>remove this PHISHING content immediately as this violates state and
> >>federal law and is in direct violation of your TOS and AUP. Failure
> >>to resolve this issue in an expeditious manner could lead to
> >>service interruption for this server. Please update this ticket
> >>with resolution to this issue. We thank you in advance for your
> >>quick action and cooperation.
> >>
> >>Regards,
> >>SoftLayer Security Team
> >>
> >>
> >>Employee Response - 2009-Jan-26 16:01 (GMT-0600) [Update 2]
> >>To Whom It May Concern:
> >>
> >>It has come to our attention that you are hosting a fraudulent "phish"
> >>website that is attempting to steal account information from
> >>customers of Desjardins. The URL of the fraudulent site is as follows:
> >>
> >>http://genealogystartswithone.name/chas-s/validation.php
> >>
> >>The IP address hosting this phish is 75.xxx.xxx.12.
> >>
> >>Please investigate and shut down this site immediately.
> >>
> >>If possible, please send us a copy of any fraudulent files or
> >>relevant excerpts of log files regarding this case.
> >>
> >>Should you have any questions, please call us at +1-301-515-0820.
> >>Please include the ticket number, MM# 57061, in all communications
> >>on this issue.
> >>
> >>Thank you,
> >>
> >>Azhar Khan
> >>MM Ops Center
> >>--------------------------------------------------------
> >>Awaiting your response.
> >>---
> >>Regards,
> >>Anton M.,
> >>Technical Support staff
> >>WebHostingBuzz.com
> >>Visit our forums at http://www.webhostingbuzz.com/forum/
> >>
> >>
> >>_______________________________________________
> >>tngusers2 mailing list
> >>tngusers2 at lythgoes.net
> >>http://lythgoes.net/mailman/listinfo/tngusers2_lythgoes.net
> >>
> >>
> >
>
> _ _
> (o) (o)
> oOOO----(_)----OOOo---
> Henny (Lee Hae Kang)
> -----------------------------
> http://www.henny-savenije.pe.kr Portal to all my sites
> http://www.hendrick-hamel.henny-savenije.pe.kr (in English) Feel free
> to discover Korea with Hendrick Hamel (1653-1666)
> http://www.hendrick-hamel.henny-savenije.pe.kr/indexk2.htm In Korean
> http://www.hendrick-hamel.henny-savenije.pe.kr/Dutch In Dutch
> http://www.vos.henny-savenije.pe.kr Frits Vos Article about Witsen
> and Eibokken and his first Korean-Dutch dictionary
> http://www.cartography.henny-savenije.pe.kr (in English) Korea
> through Western Cartographic eyes
> http://www.hwasong.henny-savenije.pe.kr Hwasong the fortress in Suwon
> http://www.oldKorea.henny-savenije.pe.kr Old Korea in pictures
> http://www.british.henny-savenije.pe.kr A British encounter in Pusan (1797)
> http://www.genealogy.henny-savenije.pe.kr/ Genealogy
> http://www.henny-savenije.pe.kr/phorum Bulletin board for Korean studies
>