[Solved] Suspended: Pelder

[Pelder]

a. Pelder

b. Stevie

c. pelder.heliohost.org

[Byron]

Your account was suspended because of phishing.

[Pelder]

Because of phishing? How on earth could that happen?

[Byron]

This support request is being escalated to our root admin.

[Pelder]

Alright, thanks. I really have no idea how it could have happened and it's quite bad as it was my portfolio website.

[Byron]

On 7/22/2012 9:19 PM, nabCERT Security Operations Centre wrote:

 

---=== This email has been sent by an automated monitoring system on behalf of nabcert.soc@nab.com.au ===---

 

THIS IS AN URGENT MATTER

 

Hello,

We work for and represent National Australia Bank Limited.

 

Please be advised that we have received reports of a phishing website at the following URL being used to illegally obtain the login details of National Australia Bank Internet Banking customers:

 

http://www.pelder.he...bisco/index.htm

 

As at 23-Jul-2012 02:17:35PM EST these URLs resolved to the IP address of:

 

216.218.192.170

 

for which you are listed as an abuse/support contact. We would greatly appreciate your prompt assistance in:

 

1. Zipping any relevant files from the folders below and forwarding these to

nabcert.soc@nab.com.au for investigation

 

http://www.pelder.heliohost.org/wp-includes/js/jquery/nabisco/index.htm

 

2. Immediately shutting these sites down or removing the phishing related material

 

3. Checking for other compromised web accounts on your servers which may also contain the same files

 

4. Checking for and fixing any security vulnerabilities which may have contributed to the creation of these phishing pages

 

We believe the purpose of this website and associated pages is solely to commit fraud against Internet Banking customers and in the absence of any response we reserve the right to take this matter further.

In case of the need for further investigation the Australian Federal Police have also been notified.

 

Please contact us as soon as possible via the email address nabcert.soc@nab.com.au to let us know when this site has been disabled.

 

If you are not the correct person(s) to deal with this incident, please forward this request to the appropriate person(s).

 

Regards,

nabCERT Security Operations Centre

 

We also have evidence of a file on your site used to phish usernames and passwords and email them to your gmail and hotmail accounts.

[Pelder]

Could you tell me what file it was? I never uploaded a file to the server that had 'bisco' in it's name. I basically just uploaded a Wordpress installation file and a theme to the FTP and that was all I did. Also, could you possibly mail me the hotmail and gmail accounts where the info would have been mailed to?

[Byron]

This was the file name:

 

http://www.pelder.heliohost.org//wp-includes/js/jquery/nabisco/index.htm

 

Email addresses:

 

arablogs100th@hotmail.com

 

arablogs.100th@gmail.com

[Pelder]

Checked my files on my harddisk and I can safely say I haven't uploaded that "nabisco" directory and those e-mail adresses aren't mine either. Sounds like either my account has been hacked or the server has safety issues. Is it possible to get my account back with the directories that caused the phishing deleted? Surely you can check IP addresses who uploaded what, I'm 100% sure they won't match my address.

 

EDIT:

 

Issue solved and phishing account permanently deleted.