Unknown phishing from my mail/web server

gjsnath · 08-29-2008, 05:44 AM

My mail/ web server is running on RHEL 4 with sendmail and apache . I generally access it from web interface of squirellmail.

A few days back I revceived a mail and a call from some security agency looking after a financial site telling me there is a folder called redirect.to in my web server's virtual directory , and to stop this phising I need to delete the folder. I deleted the folder immediately.

I changed the root passwords and stop all the unnecessary services. After this also the folder reapears and started phising all over again.

Urgent help is required .

**wmorri** · 08-30-2008, 04:51 PM

Welcome to TSF!!

I am interested in knowing what security agency called you and told you to remove this folder? I haven't ever heard of this happening. Unless you have a company monitoring your web servers?

Is this financial site hosted from your web server?

Cheers!

lensman3 · 08-30-2008, 06:16 PM

Restore the directory "redirect.to" off of a backup tape and see what was in the directory. From google, it sounds like this is used by Apache to redirect broken links to another site. If your Apache directory tree was "writeable", it is possible someone could have put a redirect meta tag there.

Sorry I don't have any recent Apache experience. Maybe somebody else can help you. I'm with wmorri, some security agency should have been ignored. If they call again, ask for a name and phone number, then you look them up and call back to see if they are legit.

08-29-2008, 05:44 AM	#1 (permalink)
gjsnath Registered User Join Date: Aug 2008 Posts: 1 OS: xp	Unknown phishing from my mail/web server My mail/ web server is running on RHEL 4 with sendmail and apache . I generally access it from web interface of squirellmail. A few days back I revceived a mail and a call from some security agency looking after a financial site telling me there is a folder called redirect.to in my web server's virtual directory , and to stop this phising I need to delete the folder. I deleted the folder immediately. I changed the root passwords and stop all the unnecessary services. After this also the folder reapears and started phising all over again. Urgent help is required .

08-30-2008, 04:51 PM	#2 (permalink)
wmorri Moderator/Fedora Amb. Join Date: May 2008 Location: /pm/etc Posts: 2,275 OS: XP SP3/Fedora 10	Re: Unknown phishing from my mail/web server Welcome to TSF!! I am interested in knowing what security agency called you and told you to remove this folder? I haven't ever heard of this happening. Unless you have a company monitoring your web servers? Is this financial site hosted from your web server? Cheers! __________________ Linux Forever! I won't be back until Tuesday, I am moving this weekend

08-30-2008, 06:16 PM	#3 (permalink)
lensman3 Registered User Join Date: Oct 2007 Location: Littleton, Colorado USA Posts: 470 OS: xp 64 sp2 Fedora Core 8 (vmware xp core 8 x32) Minix	Re: Unknown phishing from my mail/web server Restore the directory "redirect.to" off of a backup tape and see what was in the directory. From google, it sounds like this is used by Apache to redirect broken links to another site. If your Apache directory tree was "writeable", it is possible someone could have put a redirect meta tag there. Sorry I don't have any recent Apache experience. Maybe somebody else can help you. I'm with wmorri, some security agency should have been ignored. If they call again, ask for a name and phone number, then you look them up and call back to see if they are legit.