It's magic!

One of our client's customer's site was being used for a phishing scam [1]. The site itself had nothing to do with the scam, it's just that someone had uploaded some pages that looked like a PayPal login screen. Our client wrote in:

> We rec'd a call saying that a phishing scam was using XXXXXXXXXXXXXX (a
> site on XXXXXX) This is the email they rec'd:
>
> “Ticket from our client”

And yes, the email was a typical phishing email. I had some exchanges with the client. It ended thus:

> Did you already remove the problem files? If not, what should we do? And
> what can we do to prevent this in the future. I'm sure the client didn't
> know what was going on.
>
> “Response from our client”
>
> I didn't remove the files, as it's inaccessible anyway due to the Apache
> configuration. If you want, I can delete them.
>
> As for prevention, remind the client not to let out their account
> information. Another thing to check is for insecure CGI (Common Gateway
> Interface) scripts (PHP, etc) that might allow someone to upload such
> items.
>
> “My response”
>
> I think it's best to remove the infected files to prevent the site, or the
> server, from being blocked or placed on any blacklists or anything. Thank
> you.
>
> “Client response”

“Infected files?”

These are not “infected files”—they contain no virus. They don't propagate on their own. They don't infect other files (I'm also tempted to question their reading comprehension, as I clearly stated the files were “inaccessible due to the Apache configuration” but I won't). These files were placed there by someone.

Does no one truly understand this stuff anymore? Does anyone read anymore?

Sigh.

Update a few minutes later

Why am I being so harsh? I think it's because the client that wrote in is a web design and hosting company (and we do some of the hosting for them). If it was the end customer, the one whose site was being used, that wrote in, I would be more forgiving (or rather, I'd roll my eyes, fix the problem, and go on). But for a company that does web design? That also hosts some of their sites? Them, I would expect a bit more from.

In the end, I rolled my eyes, fixed the problem, and then went on to make a post about it.

[1] http://en.wikipedia.org/wiki/Phishing

Email Sean Conner at sean@conman.org.