Re: phishing attacks -- where to look first?

taglearc wrote:

Hi,
I installed a 5.5-RELEASE onto an old PC for a friend's small business.
That was back in 2006, and I just forgot it. Today, the friend e-mails
me to say that his ISP had identified his host as being a source of
'phishing'. They gave the IP, and the source as being:

http://www.his_domain_name.com/calendar//includes/js/Index.html

I'm going over there tomorrow to have a look, but I confess I have no
idea what I'm looking for. This is the first time I've heard of this
sort of thing.

He tells me that the root password isn't changed, and when I installed
the webcalendar, I chose a very difficult password
(letters/numbers/punctuation etc.).

Could someone gimme a heads-up? Can I salvage the machine, or do we
have to re-install?

Thanks.


Well, aside from all the usual suspects, I would want a very detailed and
explicit explanation from the ISP as to everything they know which caused
them to draw this conclusion. Was it some poorly coded auto-scanning bot
that triggered because his domain is too similar to one on some list
somewhere? If they can tell you why they've pegged that box as 'phishing
involved' it will also give you a handle on the fix, should any fixing
actually be necessary.

Consider that if they cannot fully explain, some form of false positive may
possibly be going on here. If the ISP is the only entity which has drawn
this conclusion and the box isn't showing up on anyone else's black hole
lists it may be the ISP telling you something that isn't really true; on
the other hand if the box has made other listings they've probably got it
right. Hammer the ISP for details.

-Jason
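
Jason's suggestion to see whether the box "is showing up on anyone else's black hole lists" is easy to automate. The script below is an added example, not code from anyone in this thread: it builds the reversed-octet query name a DNSBL expects, looks it up, and classifies the answer. The zones it consults (zen.spamhaus.org, bl.spamcop.net, b.barracudacentral.org) and the meaning it assigns to Spamhaus ZEN return codes (127.0.0.2/3 SBL, 127.0.0.4-7 XBL, 127.0.0.10/11 PBL, 127.255.255.x errors) are my assumptions from those lists' public documentation, not anything the thread states. The default target 192.0.2.1 is a constructed RFC 5737 documentation address, so running it with no arguments queries nothing real.

```python
"""Ask several DNS blackhole lists whether an IPv4 address is listed.

Added example (not from the original thread). DNSBL semantics assumed here:
a listed address answers with an A record inside 127.0.0.0/8; NXDOMAIN means
not listed; any answer outside 127/8 is resolver or wildcard interference and
must not be read as a listing. Spamhaus ZEN return-code meanings are taken
from its public documentation and are an assumption of this example.
"""
import ipaddress
import socket
import sys

# Public DNSBL zones consulted by default (my choice, not from the thread).
DNSBL_ZONES = ["zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org"]

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")
SPAMHAUS_ERRORS = ipaddress.IPv4Network("127.255.255.0/24")  # assumption: ZEN error codes


def dnsbl_query_name(ip: str, zone: str) -> str:
    """192.0.2.1 on zen.spamhaus.org -> 1.2.0.192.zen.spamhaus.org.

    Raises ValueError for anything that is not a valid IPv4 address."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def describe_zen(answer: str) -> str:
    """Map a Spamhaus ZEN answer to the sub-list it came from (assumed codes)."""
    last = int(answer.rsplit(".", 1)[1])
    if last in (2, 3):
        return "SBL: direct spam source"
    if 4 <= last <= 7:
        return "XBL: exploited host (bot, open proxy); supports a compromise"
    if last in (10, 11):
        return "PBL: policy listing of end-user space, not a compromise indicator"
    return "unrecognised ZEN code"


def classify(zone: str, answer: str) -> tuple:
    """Turn the A-record answer from `zone` into (status, detail)."""
    addr = ipaddress.IPv4Address(answer)
    if addr not in LOOPBACK:
        return ("unexpected", "answer outside 127/8; resolver/wildcard interference, not a listing")
    if zone == "zen.spamhaus.org":
        if addr in SPAMHAUS_ERRORS:
            return ("error", "Spamhaus error code (blocked/open resolver or bad query); result unusable")
        return ("listed", describe_zen(str(addr)))
    return ("listed", f"return code {addr}")


def resolve_a(name: str):
    """Default resolver: first A record for `name`, or None on NXDOMAIN/failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def lookup(ip: str, zone: str, resolver=resolve_a) -> tuple:
    """Query one DNSBL. `resolver` is injectable so the logic can be tested offline."""
    answer = resolver(dnsbl_query_name(ip, zone))
    if answer is None:
        return ("not listed", None)
    return classify(zone, answer)


def check_all(ip: str, zones=DNSBL_ZONES, resolver=resolve_a) -> dict:
    """Query every zone; the number of 'listed' zones is what Jason's heuristic needs."""
    return {zone: lookup(ip, zone, resolver) for zone in zones}


def listed_count(results: dict) -> int:
    return sum(1 for status, _ in results.values() if status == "listed")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # constructed default
    results = check_all(target)
    for zone, (status, detail) in results.items():
        print(f"{zone:26} {status:11} {detail or ''}")
    n = listed_count(results)
    print(f"\n{target}: listed on {n} of {len(results)} lists"
          + (" (corroborates the ISP)" if n else " (only the ISP's word so far)"))
```

Run it as `python dnsbl_check.py <the box's public IP>`. If every zone reports "not listed" while the ISP insists on phishing, that is the false-positive scenario Jason describes and the ISP owes you its evidence; an XBL-style "exploited host" answer from more than one list points the other way. Treat "error" or "unexpected" as no data, not as a clean result: querying Spamhaus through a large public resolver, for instance, yields its error codes rather than listings.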
