The other day I was interviewing a guy for a position with our company and we got on the topic of phishing. Normally I pretty much avoid the topic, because I was way too intimately involved with it for too long, but he brought it up so we were talking about it. Then he proceeds to tell me his personal phishing story. Inside I was shuddering because I’ve heard exactly 1 billion personal phishing stories now, and I really didn’t need to hear another one. But then he starts telling me a story I hadn’t heard yet: the story of someone who has had his website used as a phishing site.
Unfortunately I didn’t get a lot of details out of him because I had other things to do, like make sure he was a worthwhile candidate, but I did manage to get an interesting story out of him. He had a crappy little Linux box (he didn’t say what flavor) sitting on an open network - no firewall, no nothing. He was using it to host some domains for some consulting work he did. One day he gets a call from AOL saying that he was hosting a phishing site. Sure enough, he looks at his website and indeed, he was.
He was non-technical, so he called a friend of his who was vacationing in the South Pacific at the time, and asked him to log in and find out what had happened. It was a pretty boring SQL injection attack that had gained them access. The hole was plugged, the site removed and everyone went back to their day jobs.
The next day, AOL calls him again, saying that he was indeed hosting a phishing site (again) and to please take it down posthaste. Well, he called up his friend (who I am imagining is getting a little tired of taking phone calls in the middle of the night while visiting Thailand, telling him to jump out of the saddle and nerd out). Anyway, he logs in and cannot see that anyone has logged in. He checks around and finds that there is a timed function to replace the phishing site each day if it happens to be gone.
He didn’t tell me if it was a “cron” job or an “at” job, but that was a fairly effective tactic of re-owning a server without actually exploiting any other holes in the security. Be warned: if you are hacked into, check your cron tasks!
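As an added example (not from the original post or the people in it), here is a small POSIX shell audit that walks the usual Linux cron and at locations and flags entries that fetch content from the network or write into the web root, which is exactly what a daily "put the phishing page back" job has to do. The path list and the WEBROOT value are assumptions; adjust them for your distribution.

```shell
#!/bin/sh
# Added example, not from the original post. Walks the usual Linux cron and
# at locations and flags entries that download content or write into the web
# root, the two things a daily "put the phishing page back" job has to do.
# Assumptions: the path list below and WEBROOT match your system.

WEBROOT="${WEBROOT:-/var/www}"

# Standard places a scheduled job can be registered (files and directories).
default_task_locations() {
    echo /etc/crontab /etc/cron.d /etc/cron.hourly /etc/cron.daily \
         /etc/cron.weekly /etc/cron.monthly /var/spool/cron \
         /var/spool/cron/crontabs /var/spool/at /var/spool/atjobs
}

# Print every non-comment, non-blank line from a file (or from every file
# under a directory), prefixed with the file name, so the output can be kept
# as a known-good baseline and diffed after an incident.
list_cron_entries() {
    loc="$1"
    if [ -f "$loc" ]; then
        printf '%s\n' "$loc"
    elif [ -d "$loc" ]; then
        find "$loc" -type f 2>/dev/null | sort
    fi | while read -r f; do
        grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" 2>/dev/null \
            | sed "s|^|$f: |"
    done
}

# Exit 0 (suspicious) when a scheduler line pulls something from the network
# or touches the web root; these are the patterns a re-deploy job needs.
is_suspicious_entry() {
    printf '%s\n' "$1" | grep -q -E "(wget|curl|ftp|nc |base64 -d|$WEBROOT)"
}

# Report suspicious entries. Pass explicit files or directories to check, or
# nothing to walk the default locations.
audit_scheduled_tasks() {
    if [ $# -eq 0 ]; then
        set -- $(default_task_locations)
    fi
    for loc in "$@"; do
        list_cron_entries "$loc"
    done | while read -r line; do
        if is_suspicious_entry "$line"; then
            echo "SUSPICIOUS: $line"
        fi
    done
}

# Stand-alone usage: ./cron_audit.sh [paths...]
audit_scheduled_tasks "$@"
```

Anything flagged still needs a human look, and a clean run only covers the scheduler; a job can just as easily hide in a systemd timer, an init script, or a web-server config.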