RE: paypal scam - tracing link
- From: "Harold Hallikainen" <harold hallikainen com>
- To: bret_stern machinemanagement com, "Getting started with Red Hat Linux" <redhat-install-list redhat com>
- Cc:
- Subject: RE: paypal scam - tracing link
- Date: Thu, 26 Oct 2006 12:58:55 -0700 (PDT)
>> -----Original Message-----
>> From: redhat-install-list-bounces redhat com
>> [mailto:redhat-install-list-bounces redhat com] On Behalf Of
>> Bob McClure Jr
>> Sent: Thursday, October 26, 2006 12:36 PM
>> To: redhat-install-list redhat com
>> Subject: Re: paypal scam - tracing link
>>
>> On Thu, Oct 26, 2006 at 12:20:35PM -0700, Bret Stern wrote:
>> > Afternoon,
>> >
>> > Can anyone suggest how to find and delete these files which show up
>> > during a locate command.
>> >
>> > I've looked in the folders below (where the locate command found
>> > them), but cannot find the files.
>> >
>> > Any help would be appreciated.
>> >
>> > Bret Stern
>> >
>> > /usr/local/apache/htdocs/www.paypal.com
>> > /usr/local/apache/htdocs/www.paypal.com/cgi-bin
>> > /usr/local/apache/htdocs/www.paypal.com/cgi-bin/webscrcmd=_login-run
>> >
>> > /usr/local/apache/htdocs/www.paypal.com/cgi-bin/webscrcmd=_login-run/updates-paypal
>> >
>> > /usr/local/apache/htdocs/www.paypal.com/cgi-bin/webscrcmd=_login-run/updates-paypal/addr.gif
>> >
>> > <long list trimmed>
>> >
>> >
>> > /usr/local/apache/htdocs/www.paypal.com/cgi-bin/webscrcmd=_login-run/updates-paypal/update.php
>> >
>> > /usr/local/apache/htdocs/www.paypal.com/cgi-bin/webscrcmd=_login-run/updates-paypal/_login-submit.htm
>> >
>> > /usr/local/apache/htdocs/www.paypal.com/cgi-bin/webscrcmd=_login-run/updates-paypal/login.html
>> >
>> > /usr/local/apache/htdocs/www.paypal.com/cgi-bin/webscrcmd=_login-run/updates-paypal/cc.db
>>
>> The database that "locate" works from is built a little after 4am
>> every day. So it looks like the files were there then, but not now.
>> As root, run "updatedb" to rebuild the database, and see if the
>> problem still exists.
>>
>> The next question, of course, is, has your machine been cracked by a
>> phisher?
>
> It was not my machine, but it is true. This was a re-creation of
> paypal.com created on a customer's host.
>
> So the next question: how was this accomplished?
> Did someone actually guess the password, or are there other
> ways, including inside folks, or other?
>
Well, years ago, someone broke into my RH9 machine through a hole in SSL.
A patch was available, but I had not installed it. Luckily all they did
was install a program that went looking for other vulnerable machines. It
also looks like password guessing is a big business. Since I'm running
sshblack, I only see four login attempts from maybe 10 different IP
addresses each day. Before I installed sshblack, there were thousands of
login attempts every day. I can't imagine a system that does not lock out
attempts from a particular IP after some number of failures.
Harold
--
FCC Rules Updated Daily at http://www.hallikainen.com - Advertising
opportunities available!
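The lockout Harold describes (drop an address after some number of failed SSH logins) is easy to reproduce from sshd's own syslog lines. The script below is an added example written for this page; it is not sshblack's code and not part of the thread. It parses the "Failed password for ... from IP" lines that OpenSSH writes to the auth log, keeps a sliding window of failures per source address, and returns the addresses that crossed the threshold, together with the iptables rules that would drop them. The threshold (5 failures), window (10 minutes), the host name "web", the year 2006 (syslog timestamps carry none) and the log lines themselves are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One OpenSSH failed-password line as sshd logs it via syslog.  sshd also
# writes a separate "Invalid user NAME from IP" line for unknown accounts;
# we deliberately match only "Failed password" so each attempt counts once.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample auth-log excerpt (not real data): a slow guesser,
# a fast dictionary attack, and a legitimate user who mistyped once.
SAMPLE_LOG = """\
Oct 26 11:30:00 web sshd[2001]: Failed password for root from 198.51.100.7 port 33001 ssh2
Oct 26 11:42:00 web sshd[2003]: Failed password for root from 198.51.100.7 port 33002 ssh2
Oct 26 11:54:00 web sshd[2005]: Failed password for root from 198.51.100.7 port 33003 ssh2
Oct 26 12:00:01 web sshd[2101]: Invalid user admin from 10.0.0.5
Oct 26 12:00:01 web sshd[2101]: Failed password for invalid user admin from 10.0.0.5 port 51001 ssh2
Oct 26 12:00:04 web sshd[2103]: Failed password for invalid user test from 10.0.0.5 port 51002 ssh2
Oct 26 12:00:07 web sshd[2105]: Failed password for root from 10.0.0.5 port 51003 ssh2
Oct 26 12:00:10 web sshd[2107]: Failed password for root from 10.0.0.5 port 51004 ssh2
Oct 26 12:00:13 web sshd[2109]: Failed password for invalid user oracle from 10.0.0.5 port 51005 ssh2
Oct 26 12:00:16 web sshd[2111]: Failed password for invalid user guest from 10.0.0.5 port 51006 ssh2
Oct 26 12:05:00 web sshd[2120]: Failed password for harold from 192.0.2.10 port 40001 ssh2
Oct 26 12:05:20 web sshd[2122]: Accepted password for harold from 192.0.2.10 port 40002 ssh2
Oct 26 12:06:00 web sshd[2130]: Failed password for root from 198.51.100.7 port 33004 ssh2
Oct 26 12:18:00 web sshd[2132]: Failed password for root from 198.51.100.7 port 33005 ssh2
""".splitlines()


def parse_syslog_time(stamp, year=2006):
    """Syslog timestamps have no year; assume one (2006 here, an assumption)
    so the lines can be ordered and compared."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_brute_forcers(lines, threshold=5, window=timedelta(minutes=10),
                       allowlist=()):
    """Return {ip: time_of_threshold_failure} for every source address with
    at least `threshold` failed passwords inside any `window`-long span.
    Addresses in `allowlist` are never blocked (keep your own jump host here)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    blocked = {}
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        if ip in allowlist or ip in blocked:
            continue
        t = parse_syslog_time(m.group("ts"))
        q = recent[ip]
        q.append(t)
        # Slide the window: forget failures older than `window` before `t`.
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = t
    return blocked


def block_rules(blocked):
    """Render one iptables DROP rule for port 22 per blocked address."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"
            for ip in sorted(blocked)]


if __name__ == "__main__":
    hits = find_brute_forcers(SAMPLE_LOG)
    for ip, when in hits.items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}")
    print("\n".join(block_rules(hits)))
```

With the default 5 failures in 10 minutes only 10.0.0.5 is caught; the slow guesser 198.51.100.7 only shows up if the window is widened to an hour, which is the trade-off any lockout tool has to make between catching patient attackers and locking out a user who fat-fingers a password a few times. The `allowlist` exists because a lockout rule with no exemptions will eventually lock out the administrator.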