
Website Hacked?

Discussion in 'BlackHat Lounge' started by Mimissor, Mar 2, 2015.

  1. Mimissor

    I wasn't sure if this was the right place to post this or not, but I'm really confused right now.

    I have several different domains all hosted on the same server. One of those domains is used to host my mom's website for her offline business, but all of the contact emails for the domain, webmaster tools, etc. are mine. Google shouldn't have her email address, at least not in connection with that website.

    So today she got an email telling her that a page on her site looks like a phishing attack and has been removed from google. She immediately starts texting/calling me asking wtf?

    Naturally, I checked my email (the one associated with webmaster tools and the domains) and there's no email from google whatsoever. At first I thought it was just a scam of some kind, someone using a fake email, but I logged into webmaster tools and it says two of my sites have phishing warnings. I'm really incredibly confused right about now.

    There were a couple of out-of-date plugins and her theme was out of date (I know, I'm kicking myself), so that's probably how it happened. Right now I'm trying to fix it, but I know jack-shit about this sort of thing. I'm downloading the site folders via filezilla and I guess I'll run them through a virus scanner? Not sure if that's even going to do anything, but it was all I could think of at the moment.

    I still have no idea why Google decided to email her instead of me. Equally, I have no idea why I didn't at least get the message about my other site that has been compromised.

    So does anyone have any insight to offer in this situation?

    EDIT: Oh and I don't know if this is relevant, but I have both versions of the domain registered on Webmaster Tools (www and non-www) and only the non-www versions have the warning. I do have the non-www set as the preferred domain for both, so maybe that has something to do with that. I just thought it was weird.

    Also, my mom forwarded the email to me and my gmail account says that the email itself looks like a phishing email.
     
    Last edited: Mar 2, 2015
  2. TeKn1qu3z

    It is a phishing email from a spammer as you had linked all domains to your account. Someone took the email from your mom's website and emailed her as if it were mail from Google.
    Trash it.
     
  3. ezines

    Who did the email come from? You should check the actual email as the sender might be camouflaging and it's not really from Google. It happens a lot to me, but with PayPal.
     
  4. Mimissor

    Wait...I just double checked something...so I have notifications from google on my webmaster tools telling me that my sites may be affected by phishing and they've deindexed the urls, etc. But on the Security issues section of webmaster tools it says that they haven't detected any security issues...So is it all fake?
     
  5. tiyowan

    Please post the warnings that are displayed when you login to Google Webmaster Tools.
     
  6. Mimissor

    Dashboard
    [​IMG]

    Messages
    [​IMG]

    Message itself
    [​IMG]
     
  7. TimothyEyton

    I wouldn't worry too much about what different pages say within your Google Webmaster Tools, as long as it says it in there somewhere. Plus, phishing doesn't exactly have to do with security issues.

    Phishing: "the activity of defrauding an online account holder of financial information by posing as a legitimate company."

    As far as they know, the website owner may be the one who is responsible for posting the malicious phishing pages.

    As for the email she received: is it possible she is the administrative/technical contact on a whois lookup? I've never heard of Google sending those types of messages outside of Webmaster Tools or Gmail. But it would sort of make sense for them to send it to the whois information too. Looking up the information on the website seems unlikely though. Maybe you could check the header details of the email to find out if the message is being authenticated, and if so, from what email address. Then you can tell who it really came from.

    I'd say it's really from Google, unless there's something in that email that could potentially scam you. Why would someone send a phishing email to you to tell you that your site has been removed by Google (when it actually has) and not want anything :p Just check the links within that email to make sure they are actually arriving at Google's domain/server.
     
    Last edited: Mar 2, 2015
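
The header check suggested in the post above, as an added example that is not part of the thread: it reads the Authentication-Results header of a raw message and compares the authenticated domain with the visible From domain. Both sample messages and the receiver name mx.receiver.example are constructed, and the alignment test is a simplification of DMARC's.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed messages for illustration; not the email from this thread.
GENUINE = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.i=@google.com;
 spf=pass smtp.mailfrom=noreply@google.com;
 dmarc=pass header.from=google.com
From: Google Webmaster Tools <noreply@google.com>
Subject: Phishing notification

(body)
"""
SPOOFED = """\
Authentication-Results: mx.receiver.example;
 dkim=none;
 spf=pass smtp.mailfrom=bounce@bulk-mailer.example;
 dmarc=fail header.from=google.com
From: Google Webmaster Tools <noreply@google.com>
Subject: Phishing notification

(body)
"""

def check_auth(raw):
    msg = message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    # Only the topmost Authentication-Results header, added by your own
    # receiving server, is meaningful; lower ones can be forged by the sender.
    results = msg.get_all("Authentication-Results") or [""]
    top = " ".join(str(results[0]).split())
    found = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", top))
    m = re.search(r"header\.[di]=([^\s;]+)", top)
    dkim_domain = m.group(1).rsplit("@", 1)[-1].lower() if m else None
    # Simplified alignment: signing domain equals or is a parent of From domain.
    aligned = bool(dkim_domain) and (
        from_domain == dkim_domain or from_domain.endswith("." + dkim_domain))
    # SPF passing for an unrelated envelope domain proves nothing about From.
    ok = found.get("dmarc") == "pass" or (found.get("dkim") == "pass" and aligned)
    return {"from_domain": from_domain, **found,
            "dkim_domain": dkim_domain,
            "verdict": "authenticated" if ok else "suspect"}
```

In Gmail the raw message, including these headers, is available through "Show original".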
  8. tiyowan

    Thank you, next question: Do you have file upload forms running on those URLs?
     
  9. Mimissor

    It would be nice if they gave me some sort of description about what triggered a phishing alert. Is it my contact forms? I have privacy policies posted on both sites. But I don't collect any information beyond their name and email, certainly nothing financial or sensitive. Other than the obvious analytics and amazon tracking cookies (the other site is an amazon affiliate site) I don't have anything that tracks anything from people who visit my site.

    EDIT: My mother's site is mostly just a blog about her business currently. My site is just an amazon affiliate. Neither of them has anything that allows uploading. Beyond the comment system and contact form there's no way for users to interact with the sites.
     
    Last edited: Mar 2, 2015
  10. tiyowan

    Your site is likely to have been compromised by a backdoor exploit such as a web shell. These can trigger phishing warnings in GWT. Did you use a nulled theme or a legitimate one? If you don't feel uncomfortable about sharing your site's URL, you can PM me and I'll take a look.
     
  11. TimothyEyton

    I wouldn't worry about contact forms, unless there is some sort of coding vulnerability within that form. Typically what it is though, if you're using WordPress, is that you were compromised by the WordPress application being outdated itself, or the plugins. Of course there are some other reasons, but there are plenty of things you can do to make WordPress more secure.

    Mimissor, there is going to be a webpage on your website that you don't know about. It should usually show in the email they sent to you. It's called a phishing page, and it would be a page on your website that is duplicating another site. So it could be like a banking website, etc. Uploaded by someone (probably a bot looking for outdated WP stuff) who compromised your website.

    If you want you can PM me your domain and I can check it out.
     
  12. TimothyEyton

    A backdoor exploit would be a security issue, but has nothing to do with phishing. From my experience it shouldn't trigger a phishing warning either. From my experience, phishing sites are handled like a DMCA report. People can go to "https://www.google.com/safebrowsing/report_phish/" and report phishing webpages, then Google will review and then de-index.
     
  13. tiyowan

    Thank you for your PM, I checked one of your sites. As I suspected, someone has exploited a security vulnerability and installed a web shell. I sent you a PM with one of the URLs. Please check it and you'll see the problem for yourself.
     
  14. Mimissor

    Shite. Okay, so how do I get rid of it? I'm assuming I have to use FTP and locate that shiesty thing and dig it out? Is that going to be enough?
     
  15. tiyowan

    Some of the shittier web shell payloads are so badly written that they do trigger a phishing warning in GWT. The reason is because the form submission code they use for the backdoor is crap, so GWT mistakenly interprets it as a phishing attempt and notifies the webmaster. The better web shells I have removed do not trigger these warnings.
     
  16. tiyowan

    I suggest you get this done by someone who knows what they're doing, because it's likely that the payload has copied itself elsewhere on your server as well. If you don't mind giving me access, I'd be happy to conduct an audit and remove anything I find.
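
A first-pass triage of a downloaded copy of the site, as an added example that is not part of the thread: it lists PHP files sitting in the WordPress uploads directory and PHP files containing decode-then-eval chains, so that copies of a payload elsewhere in the tree are not missed. The two heuristics and the fixture tree are assumptions chosen for illustration; the encoded string in the fixture is just `echo 1;`.

```python
import os
import re
import tempfile

# Assumed heuristics (not from the thread): decode-then-eval chains and
# any PHP file inside the WordPress uploads directory.
OBFUSCATED = re.compile(
    rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")
UPLOADS = os.path.join("wp-content", "uploads")

def scan(root):
    """Return sorted (relative_path, reason) pairs for files worth reviewing."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if UPLOADS in rel:
                hits.append((rel, "php-in-uploads"))
            with open(path, "rb") as fh:
                if OBFUSCATED.search(fh.read()):
                    hits.append((rel, "obfuscated-eval"))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed, harmless fixture standing in for a downloaded site."""
    files = {
        "index.php": b"<?php require 'wp-blog-header.php';",
        "wp-content/uploads/2015/02/img.php": b"<?php echo 'not an image';",
        "wp-content/themes/old/footer.php":
            b'<?php eval(base64_decode("ZWNobyAxOw=="));',
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(reason, rel)
```

An empty result does not show the site is clean; comparing core, theme and plugin files against fresh copies from their original source covers what pattern matching misses.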
     
  17. Mimissor

    Thanks, to both of you. I can now get started on rooting this crap out of my site. Lesson learned, never hesitate to update wordpress/themes/plugins/etc. Is there anything else I can do to prevent this stuff from happening in the future?

    EDIT: I would, but I share the hosting with someone else and don't feel comfortable exposing their sites too without their permission. I think I know what to look for now so I'll give it a whirl and see what's what.
     
  18. tiyowan

  19. Mimissor

    Yeah, Right now I'm wishing I had a backup of the sites. So that's another thing that's happening from now on.
     
  20. TimothyEyton

    It could be, but I've never heard of that happening before though. I checked out his website too and did in fact find a phishing page impersonating a login for some UK company called orange.co.uk.