
Phishing notification in Google Webmaster Central

Started by Samker, June 25, 2015, 04:15:32 PM


Samker

Hi All,

A few hours ago I got this message in Google Webmaster Central:

Quote
Dear site owner or webmaster of XXX
We recently discovered that some pages on your site look like a possible phishing attack, in which users are encouraged to give up sensitive information such as login credentials or banking information. We have removed the suspicious URLs from Google.com search results and have begun showing a warning page to users who visit these URLs in certain browsers that receive anti-phishing data from Google.


Below are one or more example URLs on your site which may be part of a phishing attack:

http://XXX/~darkhant/westpac.com.au/

...

I checked the files on the server and everything seems fine. I suspect that the SQL database was hacked through injection or something like that... but I don't know how to perform that check.

There is some chance that this is a false positive detection by Google... but I want to be sure about that.

Thanks in advance!

S.
Samker's Computer Forum - SCforum.info

Kindred

try a search in phpmyadmin

search the smf_messages table, in the body field for LIKE %darkhant%

or check all your files - since the links may have been added to the php files instead of just a link in a message
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."
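
The file check suggested above, as an added example that is not part of the original thread: it walks a directory tree and reports file or directory names, and file contents, that contain the strings from the reported URL. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

# Indicators taken from the URL Google reported in this thread.
INDICATORS = (b"darkhant", b"westpac.com.au")
MAX_BYTES = 5 * 1024 * 1024  # read at most 5 MiB of each file


def scan_tree(root, indicators=INDICATORS):
    """Return sorted (relative_path, indicator, where) hits under root; where is
    "name" (file or directory name matches) or "content" (file bytes match)."""
    hits = set()
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            lowered = os.fsencode(name).lower()
            hits.update((rel, i.decode(), "name") for i in indicators if i in lowered)
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if not os.path.isfile(path):
                    continue  # skip sockets, FIFOs and broken symlinks
                with open(path, "rb") as fh:
                    data = fh.read(MAX_BYTES).lower()
            except OSError:
                continue  # unreadable file
            rel = os.path.relpath(path, root)
            hits.update((rel, i.decode(), "content") for i in indicators if i in data)
    return sorted(hits)


def build_sample(root):
    """Write a small constructed webroot used only for this demonstration."""
    files = {
        "index.php": b"<?php echo 'forum'; ?>",
        "Sources/Load.php": b"<?php // <a href='/~DarkHant/'>x</a> ?>",
        "tmp/westpac.com.au/readme.txt": b"constructed placeholder",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*scan_tree(tmp), sep="\n")
```

To check a real site, call `scan_tree` with the path of the account's web root instead of the sample tree.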

Samker

Hi Kindred and thanks for the quick reply.

I tried to look for the words "darkhant" & "westpac.com.au" in phpMyAdmin but everything is clear.  :-\

Do you have any more suggestions where to check for a possible "hacking-hole"?

Regards,

S.

Samker

One more thing, I just found a lot of error logs related to the database (two types):

Quote
Database Error: Got error 28 from storage engine

SELECT DISTINCT value1, value2, value3, subtype2
FROM smf_tp_variables
WHERE type = 'globaltag_item' AND (subtype = '')
ORDER BY value1 ASC
File: /home1/scforum/public_html/Sources/TPSubs.php
Line: 1104

&

Quote
2: mysql_num_rows(): supplied argument is not a valid MySQL result resource
File: /home1/scforum/public_html/Sources/TPSubs.php
Line: 1106

Maybe it's related to this problem?

Kindred

no... those are just a badly installed mod
Looks like a tinyPortal issue


as for your other issue
well, specifically what pages were flagged by google?

Samker

Quote from: Kindred on June 25, 2015, 06:05:05 PM
...

as for your other issue
well, specifically what pages were flagged by google?

Ok, only this one:



http://www.scforum.info/~darkhant/westpac.com.au/



Thanks!

Kindred


Illori

well given that the op has that domain in their sig... it does look like someone has uploaded files to your server trying to look like a bank website.

you need to contact your host and ask them to look into it. i would also recommend uploading clean files for your forum and changing all your passwords including the admin, ftp and the database.

Samker

Quote from: Kindred on June 26, 2015, 03:36:22 AM
is that YOUR forum URL?

Yes, it is, and that is the only infected "page".


Quote from: Illori on June 26, 2015, 05:34:10 AM
well given that the op has that domain in their sig... it does look like someone has uploaded files to your server trying to look like a bank website.

you need to contact your host and ask them to look into it. i would also recommend uploading clean files for your forum and changing all your passwords including the admin, ftp and the database.

Hi I. and also thanks for the reply/help.

You're partially right... a few hours ago I received an email from Westpac Bank with an explanation that the problem is related to the server (not only to my site), so I'm "collateral damage". :(

Quote

Hello,

I work for the Westpac Bank in Australia.

We noticed your post -> hXXp://www.simplemachines.org/community/index.php?topic=537658.0

The issue isn't with your website specifically but with your Hosting Provider "Hostgator".
It seems their shared hosting platform which your website "scforum.info" uses got hacked.

(We have already raised the issue with Hostgator directly).

ie. This is a bigger issue than just your website "scforum.info"
- it affects every other website resolving to the same IP 198.57.247.217

See
- hXXps://whois.domaintools.com/198.57.247.217
- hXXp://198.57.247.217/~darkhant/westpac.com.au/

As the owner of scforum.info you may want to ring Hostgator in order to get this issue escalated if you are worried about your Google Search Ranking being affected.

You can reach us directly via XXX @ cdar.westpac.com.au if necessary

Regards

XXX



I have already contacted HG... I hope they will resolve this problem, ASAP. :-\

I do not know if there is anything more I can do to protect my site?

Best Regards,

S.

Kindred

if the server got hacked and they have not notified their users?  The best thing you can do is find another host ASAP.

☠ DeadMan ☠

Quote from: Kindred on June 26, 2015, 08:44:20 PM
if the server got hacked and they have not notified their users?  The best thing you can do is find another host ASAP.



Not only that, but a good host would have had it fixed as soon as they heard about it.

Samker

Quote from: ☠ DeadMan ☠ on June 26, 2015, 09:07:54 PM
Quote from: Kindred on June 26, 2015, 08:44:20 PM
if the server got hacked and they have not notified their users?  The best thing you can do is find another host ASAP.



Not only that, but a good host would have had it fixed as soon as they heard about it.

Believe it or not, after 24h... the problem is still here and, till now, no replies from HostGator's support. >:(

Samker

I finally got a response from my hosting:

Quote
"It appears that this is a false-positive warning for your domain, and the security issue is actually on another account for another customer. You were sent this email because of your domain name, but in this instance it's acting as a "redirect" to the actual malicious content. This is a feature of your account known as "mod userdir" and allows you to view your website without needing a domain name "~username". Since it appears you already have a domain name that is active, we can disable this feature on your account for you to prevent false-positives in the future. Please let us know how you would like to proceed."

??

a10

2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

Illori

even if your host fixes this issue, i would still jump ship and find a new host. you don't know what may happen next time they get hacked.

Samker

Quote from: a10 on June 28, 2015, 06:27:37 AM
http://www.scforum.info/~darkhant/ ...


You're right about this, the problem is still present. >:(


Quote from: Illori on June 28, 2015, 06:44:36 AM
even if your host fixes this issue, i would still jump ship and find a new host. you don't know what may happen next time they get hacked.

That's also true... however, as you see above, the problem isn't solved.


---

By the way, what is "mod userdir"... is that something important for my site?

Quote
"This is a feature of your account known as "mod userdir" and allows you to view your website without needing a domain name "~username"."


Thanks guys!

Illori

it is not important for your site unless your host has your site setup based on that mod. IMO they should not ask you if you need it they should know and enable/disable it based on their setup.
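
An added example, not part of the original thread, of how to see the effect of "mod userdir" in your own logs: it counts requests for `/~username` paths in an Apache access log and separates those that were actually served. It assumes the common or combined log format and that requests made under your host name are written to your site's access log; the function name and the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache common/combined log format: host ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# mod_userdir maps a path that starts with /~name to that account's directory.
USERDIR_RE = re.compile(r'^/~([^/?#]+)')

# Constructed sample lines (documentation IP addresses, made-up timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [26/Jun/2015:03:40:01 +0000] "GET /index.php?topic=1.0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [26/Jun/2015:03:41:12 +0000] "GET /~darkhant/westpac.com.au/ HTTP/1.1" 200 8342 "-" "Mozilla/5.0"
198.51.100.23 - - [26/Jun/2015:03:41:15 +0000] "POST /%7Edarkhant/westpac.com.au/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Jun/2015:03:45:30 +0000] "GET /~nosuchuser/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
not a log line
"""


def userdir_requests(log_text, own_account=None):
    """Summarise requests that used a /~username path.

    Returns {username: {"served": n, "other": n}}. "served" counts 2xx/3xx
    responses, meaning that account's content was reachable under this
    site's host name. Requests for own_account (your own user) are ignored.
    """
    summary = defaultdict(lambda: {"served": 0, "other": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-request line
        u = USERDIR_RE.match(unquote(m.group("path")))  # %7E is an encoded ~
        if not u or u.group(1) == own_account:
            continue
        key = "served" if m.group("status")[0] in "23" else "other"
        summary[u.group(1)][key] += 1
    return dict(summary)


if __name__ == "__main__":
    print(userdir_requests(SAMPLE_LOG))
```

Once the host has disabled the feature for the account, new requests for another user's `/~username` path should show up only under "other".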

Samker

Quote from: Illori on June 28, 2015, 07:31:41 AM
it is not important for your site unless your host has your site setup based on that mod. IMO they should not ask you if you need it they should know and enable/disable it based on their setup.

Thanks for the explanation.

---

Now the problem seems resolved (with the hosting)... However, still no reply from Google. :-\