Andrea Posted December 24, 2009
Via Google's Webmaster Tools, I got this message:

Dear site owner or webmaster of http://aandbwebdesign.com/,

We recently discovered that some pages on your site look like a possible phishing attack, in which users are encouraged to give up sensitive information such as login credentials or banking information. We have begun showing a warning page to users who visit this site in certain browsers that receive anti-phishing data from Google, as well as users redirected to this site from various Google properties.

Below are one or more example URLs on your site which may be part of a phishing attack:

http://www.aandbwebdesign.com/~careoneh/zone41/_files/session/sys/sys/online/onlinebanking/onlineid-sessionload/sso.login.controllernoscript=true/signon.do/
http://www.aandbwebdesign.com/~csposior/posts/bankofamerica.com/update/sys/sys/online/onlinebanking/onlineid-sessionload/sso.login.controllernoscript=true/signon.do/

Here is a link to a sample warning page:
http://www.google.com/interstitial?url=http://www.aandbwebdesign.com/~careoneh/zone41/_files/session/sys/sys/online/onlinebanking/onlineid-sessionload/sso.login.controllernoscript%3Dtrue/signon.do/

We strongly encourage you to investigate this immediately to protect users who are being directed to a suspected phishing attack being hosted on your web site. Although some sites intentionally host such attacks, in many cases the webmaster is unaware because:
1) the site was compromised
2) the site doesn't monitor for malicious user-contributed content

If your site was compromised, it's important to not only remove the content involved in the phishing attack, but to also identify and fix the vulnerability that enabled such content to be placed on your site. We suggest contacting your hosting provider if you are unsure of how to proceed.

Once you've secured your site, and removed the content involved in the suspected phishing attack, or if you believe we have made an error and this is not actually a phishing attack, you can request that the warning be removed by visiting this page, and reporting an "incorrect forgery alert." We will review this request and take the appropriate actions.

Sincerely,
Google Search Quality Team

I have looked through all the folders on my site, and cannot find anything weird. I've also opened the site in a couple browsers, and everything looks fine- no phishing notice. I don't see any folder that ends with 'careoneh'. Does anyone have any tips as to what to do here? And, btw, my password is pretty strong - following ALL the rules.

Susie Posted December 24, 2009 (edited)
How weird. I think I would forward this to your host and see if they can investigate.
Edited December 24, 2009 by Susie

Andrea Posted December 24, 2009 (Author)
I just did that - and this is the convo

Chat Information: Please wait for an operator to respond.
Chat Information: You are now connected.
LiveHelp: Welcome to 3iX live chat, my name is Vanessa, please hold for a moment, I am reviewing your question.
LiveHelp: Hello
LiveHelp: Please hold for a moment
LiveHelp: I have removed the phishing link from the server
LiveHelp: Is there anything else I can help you with?
Andrea Barnett: how did it get there?
Andrea Barnett: I have a secure password. Has my account been hacked?
LiveHelp: There is no problem from your end
Andrea Barnett: how did a phishing link get on my site?
LiveHelp: Sometimes when the permissions to the folders are 777, then phishing links are possible
Andrea Barnett: which folder had the issue?
LiveHelp: zone41
Andrea Barnett: and what permission do they need to be
LiveHelp: 755
Andrea Barnett: I don't even have a folder called zone 41
LiveHelp: But they were 777
Andrea Barnett: ok - but how did this folder get there? I didn't do it
LiveHelp: Please change Cpanel password regularly
LiveHelp: and set some hard passwords
Andrea Barnett: My password is VERY secure
Andrea Barnett: letters, symbols, numbers, no dictionary word and like 10 characters
Andrea Barnett: so how did a folder get on my site that I did not put there?
LiveHelp: You can place special characters
LiveHelp: also
LiveHelp: in the password
Andrea Barnett: I have those too - an underline and an asterisk
LiveHelp: Ok
LiveHelp: The phishing link is removed now
LiveHelp: You will not face any more issues
LiveHelp: Is there anything else I can help you with?
Andrea Barnett: so how did someone get a folder on a site that is protected by a password consisting of 16 characters with above described assorted characters?
Andrea Barnett: I would like to understand how it happened so it does not happen again
LiveHelp: The folder was there
Andrea Barnett: but I didn't put it there
LiveHelp: I have disabled the folder
Andrea Barnett: AND I did not see it when I investigated
LiveHelp: These links are checked by our data center
Andrea Barnett: I am very concerned - this site is my business - I cannot have this kind of trouble and you have not answered my question
Andrea Barnett: how does a folder get to my site which is protected by a VERY secure password?
Andrea Barnett: and why did I not see the folder myself?
LiveHelp: You will not face any issues as data center will look at the site and phishing links
LiveHelp: There were special permissions
LiveHelp: which I have disabled now
LiveHelp: You will not face any more issues
LiveHelp: Is there anything else I can help you with?
Andrea Barnett: I still do not understand precisely where the problem was
LiveHelp: The phishing link is removed from the server
LiveHelp: Is there anything else I can help you with?
LiveHelp: Thank you for using our 24x7 Live Chat Service, if you would like a copy of this chat, please click the 'Close' button and enter your email address.
LiveHelp: You will also be able to rate our service and make any comments you think would help us to improve, your opinion is important to us.
LiveHelp: Thank you for chatting. Good-bye.
Chat Information: Chat session has been terminated by the site operator.

And you can bet, I will be making some comments..... Which one of my questions re 'how is this possible' did she not understand??? On the other hand - does anyone here have any insights as to what may have happened?
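
Added example, not part of the thread or of any poster's or the host's code: one way to check a web root for the two things raised in the chat above, folders left at mode 777 and directory names like those in the URLs Google reported. The function names, the `SUSPECT_NAMES` list (built from those URLs) and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Directory names taken from the URLs quoted in Google's notice in this thread.
SUSPECT_NAMES = {"zone41", "onlinebanking", "signon.do", "bankofamerica.com"}


def audit_tree(root):
    """Return (path, octal mode, reasons) for each directory worth a look."""
    findings = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # a symlink's own mode says nothing useful
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            reasons = []
            if mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if name.lower() in SUSPECT_NAMES:
                reasons.append("name seen in reported URL")
            if reasons:
                findings.append((path, format(mode, "03o"), reasons))
    return sorted(findings)


def tighten(path):
    """Clear the group/other write bits, so 777 becomes 755."""
    mode = stat.S_IMODE(os.lstat(path).st_mode) & ~(stat.S_IWGRP | stat.S_IWOTH)
    os.chmod(path, mode)
    return format(mode, "03o")


def demo():
    """Build a constructed sample web root: one 777 folder, one planted path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel in ("blog/uploads", "site/css", "site/zone41/onlinebanking"):
        os.makedirs(os.path.join(root, rel))
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            os.chmod(os.path.join(dirpath, name), 0o755)
    os.chmod(os.path.join(root, "blog/uploads"), 0o777)
    return root


if __name__ == "__main__":
    for path, mode, reasons in audit_tree(demo()):
        print(mode, path, ", ".join(reasons))
```

The audit only covers directories that the account running it can read, so anything stored outside that account's own tree will not appear in its output.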

Susie Posted December 24, 2009
I have no idea about how it happened, and I would be mad, too! Which hosting company do you use? I DESPISE those canned answers that don't answer the question!!

PicnicTutorials Posted December 24, 2009
Bummer, black listed by google - ouch! I've been hacked before. Sounds like you should just overwrite all your server files, change your password, and report the error has been fixed to google via that link they gave you (the one you removed from post).

virtual Posted December 24, 2009
I ran a check to see who hosts your site through who-hosts dot com and their answer was host-care dot com, I then tried to go to the hosting site but it wouldn't show up. Then I ran it through whoishostingthis dot com and their answer was hostdime dot com. I don't know much about problems like this but maybe the discrepancy has something to do with your problems.

Andrea Posted December 24, 2009 (Author)
My host is 3ix - and I've been happy with them so far. They are cheap, offer a bunch of stuff, and customer service -until this morning- has been great. What ticks me off is that I went through that site -online- file by file before I contacted them, and never saw that elusive 'zone41' folder anywhere. And even now, after they claim it's fixed, the page that google reports as the problem still shows. I have followed the google link (wasn't me who removed that) and reported the site fixed, but now after seeing the page is still there, I'm having my doubts.

Susie Posted December 24, 2009
The fact that you list 3ix as your host but the whois info is showing hostcare and/or hostdime is a red flag to me. Is 3ix a reseller? Personally, I would consider switching hosts - especially since the page that google linked is still there after claims of it being fixed. Hmmmm....

virtual Posted December 24, 2009
Google sometimes takes time to remove the warning. One of my clients who is on his own server was hacked, he has no idea how, and it took Google over a week to remove the warning.

Andrea Posted December 24, 2009 (Author)
I contacted them again over an hour ago, and this time, I was told the problem would be fixed in 30 mins - they were up about an hour ago, and the page is still there. And again nobody could explain to me how this happened. If my password is not secure, then I don't know what is - it consists of 15 characters, of which 4 are numbers, 2 symbols, and the letters do NOT form any word found in ANY dictionary.

I have one hosting account for 2 domain names - my personal blog, and the webdesign site is a subfolder - or at least that's how it appears in the filemanager structure. The 3ix people kept talking about permissions - the only permissions I've messed with are in some of the wordpress sub-folders (the personal part of the site) - but none under aandb... And I cannot see those funky phishing folders anywhere. Not with Dreamweaver, FireFTP, nor directly through the 3ix file manager.

And I also have no clue why they show up as host-care - 3ix is not a reseller. I'm definitely considering another host, but not quite yet. Until now, they have worked just fine. But I'll see how this turns out.

newseed Posted December 29, 2009
I smell a rat. I would not be surprised if the host is riding on some domains to draw traffic to their own site. I mean, if the tech support cannot explain what happened then you got to wonder if something mischievous is going on.