Fraudulent site


Status
Not open for further replies.

boedakpinank

Beginner 1.0
Hi bros and sis, I need some help here.. I got an email from RSA whose contents are really scary, namely:

Dear Sir or Madam:

RSA, an anti-fraud and security company, is under contract to assist Citibank and its related entities in preventing or terminating online activity that targets Citibank’s clients as potential fraud victims. RSA has been made aware that you appear to be providing Internet Services to a fraudulent Web site being used as part of a “phishing scam”. This activity may violate the criminal laws of the United States and other nations.

E-mail messages have been broadly distributed to individuals by a person or entity pretending to be Citibank. These e-mails did not originate from Citibank and this site is not an authorized Citibank site. The e-mails request recipients to verify and submit sensitive details related to their Citibank accounts. Within the fraudulent e-mail message, there is a link that leads the recipients to a fraudulent website which is being hosted by your company. The fraudulent website is designed to improperly obtain personal information of Citibank customers in order to fraudulently access their bank accounts.

Contained in the email is an embedded URL:
URL: www.xxxx.xxx/includes/login.aspx.php
IP Address: xxx.xx.xxx.xxx

We understand that you may not be aware of this improper use of your services and we appreciate your cooperation. We specifically would ask that you also take the following actions directly to Citibank: Please take all necessary steps to immediately shut down the fraudulent website, terminate its availability to the Internet and discontinue the transmission of any e-mails associated with this website. In the event that you do not comply with the above, Citibank and its related entities reserve all rights to take any action now or at any point in the future.

PLEASE PROVIDE CITIBANK WITH THE FOLLOWING INFORMATION/DATA IF AVAILABLE:
- Content of the Phishing site and any available Logs (Access, FTP, Mail, and Web)
- Any customer data that has been captured and/or stored on your systems or equipment
- Any records you maintain that indicate the name, contact information, method of payment or similar information that may be useful in helping learn about the identity and location of the customer for whom the website has been operated.

Please send the above information to the following Citibank contacts:
Vishant Patel - Vishant.B.Patel@Citi.com (212) 657-2416
David Sun - David.C.Sun@citi.com (212) 657-3736

Thank you for your cooperation to prevent and terminate this fraudulent activity.

Sincerely,
RSA Anti Fraud Command Center
Tel: +44(0)800-032-7751 (UK)
Tel: +1-866-408-7525 (US)
Fax: +972-9-9566658 (EU)
Fax: +1-212-208-4644 (US)
E-mail: afcc@rsasecurity.com
www.rsa.com
For more information about RSA's AFCC: www.rsa.com/node.aspx?id=3348

Citi Security and Investigative Service
Name: John Pignataro
Address: 111 Wall St, 19th Floor/Zone 7, New York, 10005
Tel: 212-657-0721
E-mail: john.pignataro@citi.com
What do you think happened? I suspected that my website, or an email address from this site (I created email@domainsaya.com), was being used for phishing.. but after I checked the insides of my server, it turns out there are several strange files in the hosting root, among them bash.php, joomla.php, mambo.php, phpinfo.ini, etc.... I have kept these files for investigation purposes, for any friends who want to help..

And there is an image file in the hosting root in .JPG format where, if I try to access it directly, Avira AV shows a message that PHP/C99SHELL.CK.92 is injecting.

Now I have deleted all the contents of this site... and strangely, it looks like he managed to get into my panel too, because I saw that the NS in the DNS config was also changed by him.. so, after this incident, are my other websites on the same server still safe? And what is the solution so this does not happen again in the future.. the file permissions are all already correct, please help me bros and sis.. thanks a lot, everyone.
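A defender-side check for the indicators the original poster describes (the dropped bash.php/joomla.php/mambo.php/phpinfo.ini files and a .JPG that carries PHP code): an added Python example, not code from this thread. The hosting root it scans is constructed inside the script, and the suspect filename list and webshell indicator strings are assumptions drawn only from the post, not an antivirus signature.

```python
import os
import re
import tempfile

# Filenames the original poster found dropped in the hosting root (list assumed from the post).
SUSPECT_NAMES = {"bash.php", "joomla.php", "mambo.php", "phpinfo.ini"}
IMAGE_EXT = {".jpg", ".jpeg", ".gif", ".png"}
PHP_TAG = re.compile(rb"<\?php|<\?=", re.IGNORECASE)  # a PHP open tag has no business inside an image
# Strings commonly seen in c99-style shells (assumed indicators, not an AV signature).
SHELL_HINTS = re.compile(rb"c99shell|eval\s*\(\s*base64_decode|passthru\s*\(", re.IGNORECASE)

def classify_file(path):
    """Return the reasons a file looks suspicious; an empty list means nothing matched."""
    reasons = []
    name = os.path.basename(path)
    if name.lower() in SUSPECT_NAMES:
        reasons.append("known dropped filename")
    with open(path, "rb") as fh:
        data = fh.read(1024 * 1024)  # the first MiB covers headers and embedded tags
    if os.path.splitext(name)[1].lower() in IMAGE_EXT and PHP_TAG.search(data):
        reasons.append("image file contains PHP open tag")
    if SHELL_HINTS.search(data):
        reasons.append("webshell indicator string")
    return reasons

def scan_tree(root):
    """Walk a hosting root and map each suspicious file (path relative to root) to its reasons."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            reasons = classify_file(p)
            if reasons:
                findings[os.path.relpath(p, root)] = reasons
    return findings

def build_sample_root():
    """Constructed sample hosting root: a clean JPEG, a JPEG/PHP polyglot, a dropped file."""
    root = tempfile.mkdtemp()
    samples = {
        "logo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<?php /* c99shell placeholder */ ?>",
        "mambo.php": b"<?php echo 'dropped'; ?>",
        "index.php": b"<?php echo 'legitimate page'; ?>",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root
```

Point `scan_tree` at a copy of the real hosting root; `build_sample_root` only exists so the script has something to run on offline.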
 

idstudio

Apprentice 1.0
It looks like your site was infiltrated by someone through a script you installed, or your password is easy to guess.

Initial steps:
1. Change your cPanel password
2. Update your script (latest version)
3. Check your permissions, try not to use chmod 777
4. Change your MySQL password
5. Change your script's admin login password

Hope this helps
 

bedebah

Apprentice 2.0
Or the software you are using has an exploit planted in it. I have experienced it myself; exactly the same thing happened. There were foreign files that got in even though the permissions were read-only.
 

tajidyakub

Apprentice 1.0
The most common situation is that the script gets in via Remote File Inclusion in your web application; what I most often come across (which does not mean always) is a Joomla component that makes this possible.

After your account has been cleaned (check whether or not there are other similar files), don't forget to clean the web application as well :)
 