Topic: chemicalservers ~

paulspage

chemicalservers ~
« on: December 13, 2010, 12:53:41 PM »
I was notified this morning by Piotr that there is some server-side code on the server that is used for phishing. My site is running fine and no pages on my site have been modified.

here is what it looks like:
http://dl.dropbox.com/u/1227340/chemphish.jpg
« Last Edit: December 18, 2010, 08:58:31 PM by zzbomb »

Mop

Re: chemicalservers hacked
« Reply #1 on: December 13, 2010, 03:35:59 PM »
Huh? Be more specific...

Piotr GRD

Re: chemicalservers hacked
« Reply #2 on: December 13, 2010, 03:49:34 PM »
More specific... The following URL:
ANY_DOMAIN_ON_THE_SERVER/~harjeet/update/valider1.php
displays a phishing page.

I've informed John/zzbomb through email already.


paulspage

Re: chemicalservers ~
« Reply #3 on: December 13, 2010, 03:50:39 PM »
Piotr GRD sent me a message this morning about it.

Quote
Hi

Nothing is perfect, and neither is ChemicalServers.
The server has been hacked. ALL domain names hosted on ChemicalServers are serving a phishing page.

... ...  ... /~harjeet/update/valider1.php

Phishing pages.

I've got no such files on my account, and most probably you don't have them either, so it's server-wide and under John's control. I've sent an email to admin@chemicalservers.com already, and I've informed rvtraveller, who has some admin privileges in there, too.

I know because I received a notification from Google about a phishing page under my foos.pl domain name.


Piotr
« Last Edit: December 18, 2010, 08:59:29 PM by zzbomb »

Piotr GRD

Re: chemicalservers ~
« Reply #4 on: December 13, 2010, 03:56:56 PM »
Remove the URLs from the post, please; we don't want Google to browse them and detect the pages as they are now, as that would later require asking Google to take the domains off the malicious sites list once it is fixed. One of my domains is reported as malicious already, and that's enough. ;) I have moved my domains to a different server temporarily (DNS is propagating), so the above won't affect me any more, but there is no need to risk yours or the main chemicalservers.com.


edit:
Thank you.
« Last Edit: December 18, 2010, 08:59:33 PM by zzbomb »

zzbomb

Re: chemicalservers ~
« Reply #5 on: December 13, 2010, 06:42:00 PM »
Anything in the ~harjeet directory is for the user harjeet. harjeet has those files in his account. Justhost manages that account and I cannot suspend or terminate it.

The actual files cannot affect any of the other accounts on the server, and the only place the Google warning should appear is in the ~harjeet directory. No users should be able to see this unless you link to it, or if Google indexes it.. which Google should not be doing for ~whatever.. Ever.

Here try it:
http://chemicalservers.com/~piotrgrd/

It works for any account and is an unfortunate side effect of a useful feature on shared hosting..

If it has any effect on any other addresses besides the /~harjeet directory.. let me know immediately; otherwise it is absolutely no threat.

I am reporting it to Justhost now and they should take care of it.
« Last Edit: December 18, 2010, 08:59:36 PM by zzbomb »

paulspage

Re: chemicalservers ~
« Reply #6 on: December 13, 2010, 07:01:11 PM »
But you can see from my image that it is in fact a phishing page, right?
« Last Edit: December 18, 2010, 08:59:41 PM by zzbomb »

Piotr GRD

Re: chemicalservers NOT hacked, it's a "feature"
« Reply #7 on: December 14, 2010, 12:45:16 AM »
This is a VERY unfortunate "feature" and should be turned off in my opinion.
It lets anyone use other people's domain names for any purpose. Anyone can create an account, put up malicious or any other content, and instead of displaying it under their own domain name it can be linked from ANY other domain name hosted on the same server - very bad in my opinion, very bad.

Just for an example (a dumb example). I'll write something bad about John's girlfriend and I'll send her an email: "Hey, look what I did for you, check chemicalservers.com/~account/greetings-for-my-sweetheart/, kisses, John". (Let's say I am a "funny" friend of both of you and I know the address.) Until you explain the situation, you've got at least temporary trouble. No offence - just a dumb example of what anyone can do.


No-one except Piotr should have the possibility to manage content under foos.pl/ANYURL.
No-one except Paul should have the possibility to manage content under paulrokicki.com/ANYURL.
No-one except John should have the possibility to manage content under chemicalservers.com/ANYURL.
Etc. This should be turned off. Really.
Or, if this is very helpful for you, at least keep it ONLY on the direct IP address, so you can use 1.2.3.4/~accountname but NOT domain/~accountname. But better not at all, in my opinion.

« Last Edit: December 14, 2010, 01:06:38 AM by Piotr GRD »

Mop

Re: chemicalservers ~
« Reply #8 on: December 14, 2010, 11:47:32 AM »
Then disable it in your htaccess
« Last Edit: December 18, 2010, 08:59:50 PM by zzbomb »

Piotr GRD

Re: chemicalservers ~
« Reply #9 on: December 14, 2010, 12:25:42 PM »
Ekhm... Mop.
1. It's not disabled even for the main chemicalservers.com.
2. Most people - including me until now - don't know about the existence of this "feature".

And now, imagine this:
Someone creates a phishing page of the ChemicalServers.com client area under the URL chemicalservers.com/~account/login.php.
Or someone creates a phishing page of some-great-community.com under the URL some-great-community.com/~account/login.php.
Which of the regular visitors will suspect that anything is wrong with those login pages? People get tricked even on "normal" phishing pages, let alone a page that is accessible under a valid, real domain name.

I'm not thinking only about me and my domain names. I'm trying to think about all the domain names and their owners that are hosted on the server.

« Last Edit: December 18, 2010, 08:59:54 PM by zzbomb »
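A defender's check for the exposure Piotr describes above, as an added example that is not part of this thread: it scans vhost-prefixed Apache access-log lines for `/~account/` requests that actually served content and flags those where the account in the path is not the owner of the domain that served it. The domain names, account names and log lines are constructed, and the log format is assumed to be `%v %h %l %u %t "%r" %>s %b`.

```python
import re
from collections import Counter

# Constructed inventory: hosted domain -> owning hosting account (hypothetical names);
# the bare server IP maps to None, where /~user URLs are the intended UserDir use.
DOMAIN_OWNER = {"example-a.test": "accta", "example-b.test": "acctb", "1.2.3.4": None}

# Assumed vhost-prefixed combined log format: %v %h %l %u %t "%r" %>s %b
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
USERDIR_RE = re.compile(r'^/~([A-Za-z0-9_.-]+)(?:/|$)')
SERVED = {"200", "206", "304"}  # only requests that actually delivered content

def classify(entry):
    """Return a finding for a request served through mod_userdir, else None."""
    um = USERDIR_RE.match(entry["path"])
    if not um or entry["status"] not in SERVED:
        return None  # not a /~user URL, or nothing was served (e.g. 404)
    user, vhost = um.group(1), entry["vhost"].lower()
    if vhost not in DOMAIN_OWNER:
        severity = "review"  # domain missing from the inventory: find its owner
    elif DOMAIN_OWNER[vhost] is None:
        severity = "info"    # reached by bare IP: UserDir working as designed
    elif DOMAIN_OWNER[vhost] == user:
        severity = "low"     # the owner's own files under a non-canonical URL
    else:
        severity = "high"    # another account's files served under this domain
    return {"vhost": vhost, "user": user, "path": entry["path"],
            "client": entry["client"], "severity": severity}

def scan(lines):
    """Parse vhost-prefixed log lines and return one finding per mod_userdir hit."""
    entries = (m.groupdict() for m in map(LOG_RE.match, lines) if m)
    return [f for f in map(classify, entries) if f]

def summarize(findings):
    return Counter(f["severity"] for f in findings)

SAMPLE_LOG = [  # constructed log lines
    'example-a.test 198.51.100.7 - - [14/Dec/2010:12:00:01 +0000] "GET /~acctb/update/login.php HTTP/1.1" 200 5120',
    'example-a.test 198.51.100.8 - - [14/Dec/2010:12:00:05 +0000] "GET /~accta/ HTTP/1.1" 200 812',
    '1.2.3.4 198.51.100.9 - - [14/Dec/2010:12:00:09 +0000] "GET /~acctb/index.html HTTP/1.1" 200 300',
    'example-b.test 198.51.100.10 - - [14/Dec/2010:12:00:12 +0000] "GET /~nosuchuser/ HTTP/1.1" 404 210',
    'example-a.test 198.51.100.11 - - [14/Dec/2010:12:00:15 +0000] "GET /index.php HTTP/1.1" 200 4000',
    'example-b.test 198.51.100.12 - - [14/Dec/2010:12:00:20 +0000] "GET /~accta/greetings/ HTTP/1.1" 304 -',
    'other.test 198.51.100.13 - - [14/Dec/2010:12:00:25 +0000] "GET /~accta/ HTTP/1.1" 200 812',
]
```

Any "high" finding means a visitor received another account's files under a domain that account does not own, which is exactly the phishing case discussed in this thread; "review" means the inventory is incomplete.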

zzbomb

Re: chemicalservers ~
« Reply #10 on: December 14, 2010, 02:55:29 PM »
Ok. I've tried writing a fix to remove the ~ from the URL with htaccess, which I could make a default for all accounts.

Code:
# In per-directory (.htaccess) context the matched path has no leading slash, so "^/~" never matches; note that mod_userdir serves /~user from that user's own docroot, so the domain's .htaccess is not consulted for those requests anyway
RewriteEngine On
RewriteRule ^~(.*)$ /$1 [L]
Does not seem to be working.. >.>

Ideas?
« Last Edit: December 18, 2010, 08:59:58 PM by zzbomb »

Piotr GRD

Re: chemicalservers NOT hacked
« Reply #11 on: December 14, 2010, 03:29:22 PM »
I don't know how this feature works, but I think mod_rewrite won't help much here. For one of the domains I have set (.*) ==> anotherdomain/$1 and... for /~randomstring it redirects normally, but for /~existingaccountname it does not redirect, so "/~existingaccountname" seems to be an exception from any other local (on account / in subfolder) rewrite rules.

But I really have no idea how it works.


Good thing - the account "harjeet" with the phishing page is suspended.


rvtraveller

Re: chemicalservers ~
« Reply #12 on: December 14, 2010, 06:27:51 PM »
Actually, I'm pretty sure this is an Apache feature that cPanel likes to enable. The good news is that normally when cPanel does stuff like this it bypasses htaccess directives when coming via IP address. The Apache module in use here is mod_UserDir.

ZZBomb, if you can, look in WHM --> Security Center --> Apache mod_userdir Protection and see if you can disable it there.
« Last Edit: December 18, 2010, 09:00:05 PM by zzbomb »

zzbomb

Re: chemicalservers hacked
« Reply #13 on: December 14, 2010, 09:18:28 PM »
Yeah, I already know about that. Resellers are not given access to that control.

Oh, the many benefits and disadvantages of self hosting and reselling. Once I use all my space here I'm definitely getting a dedi.

mghq

Re: chemicalservers ~
« Reply #14 on: December 14, 2010, 10:28:04 PM »
Quote
~snip
Oh the many benefits and disadvantages of self hosting and reselling. ~snip

Aww lol
« Last Edit: December 18, 2010, 09:00:10 PM by zzbomb »

antimatter15

Re: chemicalservers ~
« Reply #15 on: December 15, 2010, 12:58:06 AM »
BTW, that "feature" is a really, really terrible web security thing; I could hack anyone's site this way, steal cookies, etc.

You should fix it ASAP, or else there's nothing a malicious user can't do. Once a user visits a site, you could load an iframe <iframe src="clients.chemicalservers.com/~user/xss.html"> which would make some XHR requests using the SOP with cookies to request account cancellation. All without the user noticing.
« Last Edit: December 18, 2010, 08:59:21 PM by zzbomb »

zzbomb

Re: chemicalservers ~
« Reply #16 on: December 18, 2010, 01:48:35 PM »
Justhost has security in place for any sort of hacks like this. Phishing and forms of spoofing cannot be avoided, and they will not disable it.

Sorry guys, that's as much as I can do on this front. To reassure you: it does NOT pose a security risk, only a risk to reputation, and that assumes the phisher stays online.. (I monitor my users)
and Justhost seems to be very active in suspending offenders.

I hope that is reassuring.
« Last Edit: December 18, 2010, 08:59:17 PM by zzbomb »

Krissy-afc

Re: chemicalservers ~
« Reply #17 on: December 18, 2010, 06:44:49 PM »
Quote
Justhost has security in place for any sort of hacks like this. Phishing and forms of spoofing cannot be avoided, and they will not disable it.

Sorry guys, that's as much as I can do on this front. To reassure you: it does NOT pose a security risk, only a risk to reputation, and that assumes the phisher stays online.. (I monitor my users)
and Justhost seems to be very active in suspending offenders.

I hope that is reassuring.

You're paying them; generally in business you try your best and make sure you DO get your way. Try harder - threats, go public, etc. - and they WILL do what you say ;)
« Last Edit: December 18, 2010, 08:59:13 PM by zzbomb »

Pinako

Re: chemicalservers ~
« Reply #18 on: December 18, 2010, 06:49:23 PM »
I think you should get Justhost to fix their infrastructure. After all, this is detrimental to your business, and you don't want to be the one taking the fall for their problems.
« Last Edit: December 18, 2010, 08:59:10 PM by zzbomb »

zzbomb

Re: chemicalservers ~
« Reply #19 on: December 18, 2010, 08:57:52 PM »
Haha. I'll consider it. Although from what I've seen and known, Justhost would let me leave before making any changes. They are extremely hardline.

I'm working on figuring out how much it would cost to get a dedicated setup currently. So we'll see.

PS. I hope y'all don't mind. I changed the title of the topic.. I'd rather avoid search engines picking something like that up...