
Phishing alert for my site


Andrea


Via Google's Webmaster Tools, I got this message:

Dear site owner or webmaster of http://aandbwebdesign.com/,

We recently discovered that some pages on your site look like a possible phishing attack, in which users are encouraged to give up sensitive information such as login credentials or banking information. We have begun showing a warning page to users who visit this site in certain browsers that receive anti-phishing data from Google, as well as users redirected to this site from various Google properties.

Below are one or more example URLs on your site which may be part of a phishing attack:

http://www.aandbwebdesign.com/~careoneh/zone41/_files/session/sys/sys/online/onlinebanking/onlineid-sessionload/sso.login.controllernoscript=true/signon.do/

http://www.aandbwebdesign.com/~csposior/posts/bankofamerica.com/update/sys/sys/online/onlinebanking/onlineid-sessionload/sso.login.controllernoscript=true/signon.do/

Here is a link to a sample warning page: http://www.google.com/interstitial?url=http://www.aandbwebdesign.com/~careoneh/zone41/_files/session/sys/sys/online/onlinebanking/onlineid-sessionload/sso.login.controllernoscript%3Dtrue/signon.do/

We strongly encourage you to investigate this immediately to protect users who are being directed to a suspected phishing attack being hosted on your web site. Although some sites intentionally host such attacks, in many cases the webmaster is unaware because:

1) the site was compromised

2) the site doesn't monitor for malicious user-contributed content

If your site was compromised, it's important to not only remove the content involved in the phishing attack, but to also identify and fix the vulnerability that enabled such content to be placed on your site. We suggest contacting your hosting provider if you are unsure of how to proceed.

Once you've secured your site, and removed the content involved in the suspected phishing attack, or if you believe we have made an error and this is not actually a phishing attack, you can request that the warning be removed by visiting this page, and reporting an "incorrect forgery alert." We will review this request and take the appropriate actions.

Sincerely,

Google Search Quality Team

I have looked through all the folders on my site, and cannot find anything weird. I've also opened the site in a couple browsers, and everything looks fine - no phishing notice. I don't see any folder that ends with 'careoneh'. Does anyone have any tips as to what to do here? And, btw, my password is pretty strong - following ALL the rules.

I just did that - and this is the convo

Chat Information: Please wait for an operator to respond.

Chat Information: You are now connected.

LiveHelp: Welcome to 3iX live chat, my name is Vanessa, please hold for a moment, I am reviewing your question.

LiveHelp: Hello

LiveHelp: Please hold for a moment

LiveHelp: I have removed the phishing link from the server

LiveHelp: Is there anything else I can help you with?

Andrea Barnett: how did it get there?

Andrea Barnett: I have a secure password. Has my account been hacked?

LiveHelp: There is no problem from your end

Andrea Barnett: how did a phishing link get on my site?

LiveHelp: Sometimes when the permissions to the folders are 777, then phishing links are possible

Andrea Barnett: which folder had the issue?

LiveHelp: zone41

Andrea Barnett: and what permission do they need to be

LiveHelp: 755

Andrea Barnett: I don't even have a folder called zone 41

LiveHelp: But they were 777

Andrea Barnett: ok - but how did this folder get there? I didn't do it

LiveHelp: Please change cPanel password regularly

LiveHelp: and set some hard passwords

Andrea Barnett: My password is VERY secure

Andrea Barnett: letters, symbols, numbers, no dictionary word and like 10 characters

Andrea Barnett: so how did a folder get on my site that I did not put there?

LiveHelp: You can place special characters

LiveHelp: also

LiveHelp: in the password

Andrea Barnett: I have those too - an underline and an asterisk

LiveHelp: Ok

LiveHelp: The phishing link is removed now

LiveHelp: You will not face any more issues

LiveHelp: Is there anything else I can help you with?

Andrea Barnett: so how did someone get a folder on a site that is protected by a password consisting of 16 characters with above described assorted characters?

Andrea Barnett: I would like to understand how it happened so it does not happen again

LiveHelp: The folder was there

Andrea Barnett: but I didn't put it there

LiveHelp: I have disabled the folder

Andrea Barnett: AND I did not see it when I investigated

LiveHelp: These links are checked by our data center

Andrea Barnett: I am very concerned - this site is my business - I cannot have this kind of trouble, and you have not answered my question

Andrea Barnett: how does a folder get to my site which is protected by a VERY secure password?

Andrea Barnett: and why did I not see the folder myself?

LiveHelp: You will not face any issues as data center will look at the site and phishing links

LiveHelp: There were special permissions

LiveHelp: which I have disabled now

LiveHelp: You will not face any more issues

LiveHelp: Is there anything else I can help you with?

Andrea Barnett: I still do not understand precisely where the problem was

LiveHelp: The phishing link is removed from the server

LiveHelp: Is there anything else I can help you with?

LiveHelp: Thank you for using our 24x7 Live Chat Service, if you would like a copy of this chat, please click the 'Close' button and enter your email address.

LiveHelp: You will also be able to rate our service and make any comments you think would help us to improve, your opinion is important to us.

LiveHelp: Thank you for chatting. Good-bye.

Chat Information: Chat session has been terminated by the site operator.

And you can bet, I will be making some comments..... Which one of my questions re 'how is this possible' did she not understand???

On the other hand - does anyone here have any insights as to what may have happened?


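The support chat above attributes the problem to a folder with 777 permissions and gives 755 as the intended mode. The script below is an added example, not part of the original thread and not the host's own tooling: it lists every world-writable directory under a web root and resets each to 755. The `public_html` layout and the `zone41` and `images` folder names in the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a web root for world-writable directories (e.g. 777).

# Print every directory under $1 whose "other" write bit is set.
list_world_writable_dirs() {
    find "$1" -type d -perm -0002 -print 2>/dev/null | sort
}

# Show the permission string of each flagged directory, for review before changing it.
report_world_writable_dirs() {
    list_world_writable_dirs "$1" | while IFS= read -r dir; do
        ls -ld "$dir"
    done
}

# Reset every flagged directory to 755 and print how many were changed.
tighten_dirs() {
    flagged=$(list_world_writable_dirs "$1")
    if [ -z "$flagged" ]; then
        echo 0
        return 0
    fi
    printf '%s\n' "$flagged" | while IFS= read -r dir; do
        chmod 755 "$dir"
    done
    printf '%s\n' "$flagged" | wc -l | tr -d ' '
}

# Constructed demo tree: one 777 directory next to a correctly set 755 one.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/zone41" "$root/public_html/images"
    chmod 755 "$root/public_html" "$root/public_html/images"
    chmod 777 "$root/public_html/zone41"
    echo "Before:"
    report_world_writable_dirs "$root"
    echo "Directories reset to 755: $(tighten_dirs "$root")"
    echo "Still world-writable after reset: $(list_world_writable_dirs "$root" | wc -l | tr -d ' ')"
    rm -rf "$root"
}

demo
```

Run `report_world_writable_dirs` against the account's real web root first; a flagged directory the owner did not create should be inspected and kept as evidence before its mode or contents are changed.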
I ran a check to see who hosts your site through who-hosts dot com and their answer was host-care dot com, I then tried to go to the hosting site but it wouldn't show up. Then I ran it through whoishostingthis dot com and their answer was hostdime dot com.

I don't know much about problems like this but maybe the discrepancy has something to do with your problems.

My host is 3ix - and I've been happy with them so far. They are cheap, offer a bunch of stuff, and customer service - until this morning - has been great.

What ticks me off is that I went through that site - online - file by file before I contacted them, and never saw that elusive 'zone41' folder anywhere. And even now, after they claim it's fixed, the page that Google reports as the problem still shows.

I have followed the Google link (wasn't me who removed that) and reported the site fixed, but now after seeing the page is still there, I'm having my doubts.

The fact that you list 3ix as your host but the whois info is showing hostcare and/or hostdime is a red flag to me. Is 3ix a reseller? Personally, I would consider switching hosts - especially since the page that Google linked is still there after claims of it being fixed. Hmmmm....

I contacted them again over an hour ago, and this time, I was told the problem would be fixed in 30 mins - they were up about an hour ago, and the page is still there. And again nobody could explain to me how this happened. If my password is not secure, then I don't know what is - it consists of 15 characters, of which 4 are numbers, 2 symbols, and the letters do NOT form any word found in ANY dictionary.

I have one hosting account for 2 domain names - my personal blog, and the webdesign site is a subfolder - or at least that's how it appears in the file manager structure. The 3ix people kept talking about permissions - the only permissions I've messed with are in some of the WordPress sub-folders (the personal part of the site) - but none under aandb...

And I cannot see those funky phishing folders anywhere. Not with Dreamweaver, FireFTP, nor directly through the 3ix file manager.

And I also have no clue why they show up as host-care - 3ix is not a reseller.

I'm definitely considering another host, but not quite yet. Until now, they have worked just fine, but I'll see how this turns out.
