schmero...@gmail.com wrote:
>> One of our client's websites gets hacked frequently - 1x per month -
>> usually with some kind of phishing scam.
>>
>> I understand their first line of defense is to make sure security is
>> tight and systems are up to date, however, it seems to me that there
>> must be some scanning utility that would check their site for
>> unauthorized pages via a search for domain names.
>>
>> So, if our client was google, the utility would search all files on the
>> site looking for domains. If it found microsoft.com within one of the
>> pages an email would be sent to the administrator who could delete the
>> page and look for other evidence of being hacked or add microsoft.com to
>> the whitelist.
>>
>> Any ideas where to look for such a beast &/or a mailing list that deals
>> with this type of issue?
Indeed Google "safe browsing" scans pages it indexes looking for IFRAME exploits, Gumblar etc. Phishing pages are harder to recognise than links to malware, meaning Google has to largely rely on us reporting 'web forgeries'. From the evidence that Google doesn't automatically list suspicious pages I assume that no such utility yet exists.

(Also note that Gumblar and other malware use pretty tedious JavaScript obfuscation techniques. So you might want to wget the site or access it through a browser, rather than just grep through it for suspicious strings.)

I don't know who is working on phishing detection tools: maybe contact APWG (antiphishing.org) or your local OWASP chapter.

Phishing scams are in my experience often uploaded through insecure CMSes such as Joomla modules (you can see this when the uri contains things like 'mambots/content' listed in the rules below). Despite that, have you done the obvious and checked FTP logs? In many cases the website owner or designer may have a keylogger or agent stealing FTP credentials which are then circulated to a botnet to deface pages:

http://news.zdnet.com/2100-9595_22-306268.html

I've had to ask people to run at least two up-to-date spyware scans on the Windows PC they upload content from before the culprit is found.

Also make sure your correct abuse address is listed at abuse.net (and on WHOIS if appropriate), so e.g. SpamCop reports about spamvertised sites come to you without delay.

Terry Carmen wrote:
> If you're getting hacked once a month, I suspect the server contains a
> well-known vulnerability that needs to be located and repaired.
>
> I'd recommend making all content changes on a *really* secure server, then
> replicating the entire web-root to the public web server with rsync, with the
> --delete option enabled.
>
> Rsync will overwrite any of the "damaged" content with a fresh copy from the
> secure server and remove any "extras", making any unauthorized content changes
> vanish.
I like that suggestion - provided you're not expecting general visitors to contribute content, you could rsync every 20 mins or so and by the time the uri is spammed out the malicious content is gone. The back-end would be on a firewalled server that is not public-facing. However, it doesn't necessarily help if the FTP/SSH/CMS password is weak or (particularly) has been compromised by malware on a desktop.

These strings in URIs/filenames have seemed to me to be associated with phishing:

uri PHISH_CGI /(\/cgi(?!\.ebay\.)|Login(?:Member)?\.do|mambo\/+components|mambots\/content\/|\/smilies|\/uploads|\/\?siteid=|\/aspnet_client|\/(?:includes|_mem_bin|components|classes)\/)/
describe PHISH_CGI Common phishing destination
score PHISH_CGI 0.05

uri PHISH_CGI2 /\/(?:uploads|files|includes|components|js|mambots|smilies|images)\/.*(?:\.co\.uk|\.com\b|Log[a-z\.0-9-]+\.(?:php|htm))/i
describe PHISH_CGI2 Looks like exploit with "Logon" file
score PHISH_CGI2 0.2

I hope some of this helps.

CK
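A scanner along the lines the original poster asked for, as an added example that is not code from this thread: it walks a web root, reports any hostname not on a whitelist, and flags paths matching a test adapted from the PHISH_CGI2 rule above. The whitelist, the sample files and the directory layout are constructed for the demonstration; as CK notes, obfuscated JavaScript slips past a plain text scan like this, so it complements rather than replaces fetching the pages through a browser.

```python
import os
import re
import tempfile

# Hosts the site legitimately references (constructed sample whitelist).
WHITELIST = {"www.example.com", "example.com", "fonts.googleapis.com"}
TEXT_EXT = {".html", ".htm", ".php", ".js", ".css", ".txt"}
# Tokens like jquery.min.js look like hostnames; drop those ending in a file suffix.
FILE_SUFFIX = {"js", "css", "php", "htm", "html", "png", "gif", "jpg", "txt"}
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
# Path test adapted from the PHISH_CGI2 rule quoted in the thread: a login-style
# file or foreign .com/.co.uk name under an uploads/includes style directory.
PHISH_PATH_RE = re.compile(
    r"/(?:uploads|files|includes|components|js|mambots|smilies|images)/"
    r".*(?:\.co\.uk|\.com\b|Log[a-z.0-9-]+\.(?:php|htm))", re.I)

def scan_webroot(root, whitelist=WHITELIST):
    """Return sorted (path, reason) findings for the administrator to review."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            if PHISH_PATH_RE.search(rel):
                findings.append((rel, "path matches PHISH_CGI2-style pattern"))
            if os.path.splitext(name)[1].lower() not in TEXT_EXT:
                continue  # skip binaries; hostnames in images are out of scope here
            with open(full, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            seen = set()
            for dom in (d.lower() for d in DOMAIN_RE.findall(text)):
                if dom in whitelist or dom in seen or dom.rsplit(".", 1)[1] in FILE_SUFFIX:
                    continue
                seen.add(dom)  # report each foreign host once per file
                findings.append((rel, "unlisted domain " + dom))
    return sorted(findings)

def build_sample_root():
    """Create a throwaway web root: one clean page and one planted login form."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write('<link href="http://fonts.googleapis.com/css"><a href="http://www.example.com/about">'
                 '</a><script src="/js/jquery.min.js"></script>')
    with open(os.path.join(root, "images", "Login.php"), "w") as fh:
        fh.write('<form action="http://login-verify.example.net/collect.php">')  # constructed
    return root

if __name__ == "__main__":
    for path, reason in scan_webroot(build_sample_root()):
        print(path, "-", reason)
```

Run on a cron schedule against the live web root and mail the returned list to the administrator; anything legitimate that shows up goes into the whitelist.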