Author | Message | Time |
---|---|---|
MyStiCaL | Okay, the story of this: as some of you may know, I own a few websites. Someone, a hacker, has uploaded a fake credit card script onto one of the sites I own. According to the Barclays bank security office, I am now responsible for fraud and the identity theft of credit cards, because I am the owner of the site, which has in fact stolen credit card information. I had no idea of this until last night. A friend, Zac, and I have called them regarding this matter. Their thoughts are as good as I can imagine; hopefully the conclusion is that someone hacked my website to gain access and execute their credit card scripts on my web server, but until further notice they have shut down my site and all that I host, until the investigation is over and they come to a conclusion. The worst consequence is that I can be prosecuted for fraud. At the moment I believe they are taking a look through my server and its applications/scripts to determine where this is coming from. Hopefully everything works out fine. The following sites were shut down for this: www.Immortal-Legends.com www.SickMinded.Net www.Ev-designs.Net www.NetNX.Net (switched domain over to another hosting). Anyone have any ideas of what they do at this point or after? | December 23, 2005, 11:44 PM |
Kp | How long between when your site was allegedly hacked and when you were informed about this? If it was short, apparently someone was paying attention. If it was long, why'd it take you so long to discover? What were you doing that let the intruder in? Vulnerable web server, bad script, weak passwords, ...? | December 24, 2005, 12:08 AM |
MyStiCaL | Well, the security offices have tried to contact me on the 21st; I have not been on my server for a while. I just recently found out about this last night, so that's it. And I'm guessing I may have had a bad script, possibly a rigged or b'd script. The folder that contained the script was only supposed to contain an empty coded template. This is the first notice I found; it was from some place in the UK, I'm guessing they reported it. _________________________________________________________________________ Hello Patrick ****** Your server is being used to extract money by means of deceit and fraud. The website address is http://www.sickminded.net/il/2pages.barclays.co.uk/ibank.co.uk/olb/p/LoginMember.do The source of information tells me that you are the owner and I must ask you to remove this website from your server and report the registrant to the proper authorities. I must also inform you that I have sent a copy of the email sent to me that led me to your server to the British Police and Interpol IT crime unit. Thank you for your help in combating this public nuisance and criminal element. Mark Shanahan __________________________________________________________________________ After this one I got: Cyota, an anti-fraud and security company, acting on behalf of Barclays Bank PLC (a leading UK bank) has been made aware that you appear to be providing Internet Services to a fraudulent site, which is part of a “phishing scam”**, and which violates Barclays’ copyright, trade marks and other intellectual property rights. E-mails have been sent to individuals by a fraudster pretending to be Barclays Bank, requesting them to verify and submit sensitive details related to their Barclays bank accounts. Within the fraudulent emails there is a link that leads the users to a fake Barclays website (at the following address URL http://www.sickminded.net/il/2pages.barclays.co.uk/ibank.co.uk/olb/p/LoginMember.do/) to which you provide services and which is under your responsibility. But I'm denied even my own FTP access now, so I can't even check it out. | December 24, 2005, 12:16 AM |
Kp | OK, first piece of advice: when mailing them, employ better grammar and spelling than you're using for your posts here. Second, why does it matter if you're denied ftp access? You should be using ssh/sftp, not ftp to control the server! Third, people actually fall for that kind of fraud?! It doesn't even look like there was any DNS poisoning or certificate fraud involved (no https://, pages aren't anchored at the root of your site), so it should've been painfully obvious to anyone with a clue that they weren't really dealing with Barclays bank. All that aside, the bank should've been using an authentication system that lets the user authenticate his/her identity without revealing so much detail that a fraudulent recipient can make use of the information. See two factor authentication [wikipedia.org] (vulnerable to MitM [wikipedia.org], but better than typical bank authentication), Secure Remote Password [stanford.edu]. btw, IANAL. From the sound of their mails, they don't intend to hold you personally accountable for the fraud, but don't come crying, complaining, or suing to any of us if I'm wrong. :) | December 24, 2005, 3:50 AM |
Myndfyr | [quote author=Kp link=topic=13638.msg139101#msg139101 date=1135396250] btw, IANAL. From the sound of their mails, they don't intend to hold you personally accountable for the fraud, but don't come crying, complaining, or suing to any of us if I'm wrong. :) [/quote] Ahh hell, let him sue us. I would like to see the look on the judge's face when he laughingly dismisses the case. :P | December 24, 2005, 8:29 AM |
Hitmen | [quote author=Kp link=topic=13638.msg139101#msg139101 date=1135396250] it should've been painfully obvious to anyone with a clue that they weren't really dealing with Barclays bank. [/quote] Heh heh. You say that like most people actually have a clue :) | December 24, 2005, 3:47 PM |
MyStiCaL | Right on, this subject is turning into something it's not.. why the hell would I waste my time suing you kids? I just thought I'd post something about my own little deal, and see what others would think, or might have a clue on the next steps they take so I can be kinda prepared.. But I suppose since no one here has been through this, then there is no help. | December 24, 2005, 10:41 PM |
The-Rabid-Lord | You must realise that most people here are competent with PCs, servers and security, so at the first signs of anything like this that they didn't want they could stop it, and therefore they wouldn't have Barclays on their ass. Sucks to be you at the moment though. Merry Christmas :P. | December 24, 2005, 11:00 PM |
Kp | [quote author=MyStiCaL link=topic=13638.msg139173#msg139173 date=1135464098]Right on, this subject is turning into something it's not.. why the hell would I waste my time suing you kids?[/quote] How can something be what it is not? My comment was merely a warning that you shouldn't take any of my posts as legal advice, nor should you base your decisions off any assurances I might make. It's pretty standard in this kind of thread that anyone who's speaking without a very firm grounding in relevant law warns that his/her comments aren't legal advice. Even professional lawyers will often put up a disclaimer, since they might be commenting without all the knowledge of the case (and any omitted information could result in their comments being completely wrong). [quote author=MyStiCaL link=topic=13638.msg139173#msg139173 date=1135464098]I just thought I'd post something about my own little deal, and see what others would think, or might have a clue on the next steps they take so I can be kinda prepared.. But I suppose since no one here has been through this, then there is no help.[/quote] Well, you really haven't given us much to go on. What we have: [list][li]You got cracked and served as host to a fraudulent website.[/li] [li]The fraudulent site wasn't particularly well designed.[/li] [li]You cannot get into your server.[/li] [li]The investigators seem to believe you're innocent, so they probably won't try to hold you liable (or if they do, it'll be for something weaker like negligence). Of course, bear in mind my earlier comment about this being speculation with no regard for applicable law or other precedent.[/li][/list] What we don't have: [list][li]how the intruder(s) got into your system(s)[/li] [li]what services were running on the affected hosts. This could give hints as to which log files are most likely to hold records of the intruder(s).[/li] [li]how much privilege the intruder(s) had on the affected system(s). If they attained full root privilege, a competent intruder could've done quite a bit of damage and fully erased records of his presence. If the intruder only had upload/modify access on files your web server could modify (which would be the case if he merely compromised a web script), it's much more likely that his address will still be in the logs. Of course, the address will probably be some throw-away proxy, but you might get lucky.[/li] [li]how long the fraudulent site was in operation. This affects how many people could've been deceived, and whether the logs of the initial break-in are likely to have rolled out of existence by now.[/li] [li]how many people were successfully deceived by the fraud[/li] [li]how much money/information was stolen from those who were deceived[/li] [li]what records (if any) your systems kept of the intrusion or other relevant traffic that might have passed through them afterward (for instance, maybe a log was kept which shows an IP address which can be linked to the intruder)[/li] [li]were your sites on a colocated system, or did you have the server in your possession? This doesn't affect the investigation (much), but it does have an impact on how easily you can restore the system after the investigation is over. I would strongly suggest that you wipe the system clean and rebuild it from scratch. Although it's possible to ensure that the intruders haven't left any nasty surprises behind, it's probably faster just to assume that they did and rebuild the system. This is especially true if you have a known good backup that you can restore from.[/li] [li]how competent the fraud investigators are. For instance, have they taken a copy of the disk as evidence (and done so in a non-destructive way, such as dd(1))? Are they booting that system off its own drive, or loading its hard drive as a slave inside a known good system? Did they remember to mount the partitions as noatime,nodev,noexec,ro?[/li][/list] I'm well aware that at least some of this information is not available to you at present since you cannot log in to your system. I'm mentioning it because it could be useful in commenting on where the situation will go next. | December 24, 2005, 11:26 PM |
woodtroll | He downloaded something with a trojan in it, and got keylogged. Owned. | December 25, 2005, 7:02 PM |
JTN Designer | [quote author=Kp link=topic=13638.msg139101#msg139101 date=1135396250] Second, why does it matter if you're denied ftp access? You should be using ssh/sftp, not ftp to control the server![/quote] Quite a bit of hosts do not allow SSH. sFTP is iffy. | December 26, 2005, 1:13 AM |
Kp | [quote author=JTN Designer link=topic=13638.msg139290#msg139290 date=1135559607][quote author=Kp link=topic=13638.msg139101#msg139101 date=1135396250]Second, why does it matter if you're denied ftp access? You should be using ssh/sftp, not ftp to control the server![/quote]Quite a bit of hosts do not allow SSH. sFTP is iffy.[/quote] sftp runs over ssh, just like scp does. Any host which forbids ssh access and instead mandates a non-encrypted protocol is just begging for hijacking IMO. Worse, it weakens their case if they should ever need/want to claim negligence on the part of the customer. Since he was forced to use an unencrypted connection, anyone on the path could've taken the credentials and he'd be none the wiser. OTOH, if they required an encrypted connection and the customer still got cracked, there'd be a much stronger position for claiming negligence. | December 26, 2005, 2:20 AM |
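Kp's December 24 post lists what an investigator would want to pull out of the web server logs: when the fraudulent tree under /il/ was first and last requested, how many visitors posted credentials to the fake LoginMember.do page, and which address touched the staging directory before the phishing pages went live (the one most likely to belong to the intruder or his proxy). The following script is an added example written for this thread, not code from the original post or from anyone involved; it parses Apache combined-format lines and answers those questions. The log lines are constructed: the addresses come from the RFC 5737 documentation ranges, the timestamps are invented, and "upload.php" is a hypothetical dropper name that the thread never identifies. Only the path prefix and the LoginMember.do page come from the abuse notices quoted above.

```python
import re
from collections import Counter
from datetime import datetime

# Apache/NCSA "combined" access-log layout (standard format, not taken from the thread).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Paths taken from the abuse notices quoted in the thread.
STAGING_DIR = "/il/"
PHISH_PREFIX = "/il/2pages.barclays.co.uk/"
PHISH_FORM = PHISH_PREFIX + "ibank.co.uk/olb/p/LoginMember.do"

# Constructed sample log: documentation-range addresses, invented times,
# and a hypothetical "upload.php" dropper (nothing the thread identifies).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Dec/2005:02:11:04 +0000] "GET /il/ HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [19/Dec/2005:02:11:39 +0000] "POST /il/upload.php HTTP/1.1" 200 88 "-" "Mozilla/4.0"
203.0.113.7 - - [19/Dec/2005:02:12:02 +0000] "GET /il/2pages.barclays.co.uk/ibank.co.uk/olb/p/LoginMember.do HTTP/1.1" 200 9111 "-" "Mozilla/4.0"
198.51.100.23 - - [20/Dec/2005:09:30:11 +0000] "GET /il/2pages.barclays.co.uk/ibank.co.uk/olb/p/LoginMember.do HTTP/1.1" 200 9111 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Dec/2005:09:31:40 +0000] "POST /il/2pages.barclays.co.uk/ibank.co.uk/olb/p/LoginMember.do HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.77 - - [21/Dec/2005:17:05:55 +0000] "POST /il/2pages.barclays.co.uk/ibank.co.uk/olb/p/LoginMember.do HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.78 - - [21/Dec/2005:18:00:00 +0000] "GET /index.html HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""


def parse(lines):
    """Yield one dict per well-formed combined-log line; lines that do not parse are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
        yield entry


def triage(log_text):
    """Answer Kp's questions from the access log: when the fraudulent site was live,
    who submitted the fake form, and which addresses touched /il/ beforehand."""
    entries = list(parse(log_text.splitlines()))
    hits = [e for e in entries if e["path"].startswith(PHISH_PREFIX)]
    if not hits:
        return None
    first = min(e["ts"] for e in hits)
    last = max(e["ts"] for e in hits)
    # A POST to the fake login page is a visitor who submitted the form: a likely victim.
    victims = {e["ip"] for e in hits if e["method"] == "POST" and e["path"] == PHISH_FORM}
    # Anything under /il/ before the first phishing hit is how the tree got there (or a
    # test of it); the intruder's address, or his throw-away proxy, is most likely here.
    staging = [e for e in entries if e["ts"] < first and e["path"].startswith(STAGING_DIR)]
    writes = [e for e in staging if e["method"] in ("POST", "PUT")]
    return {
        "first_seen": first.isoformat(),
        "last_seen": last.isoformat(),
        "hits": len(hits),
        "victim_ips": victims,
        "suspect_ips": [ip for ip, _ in Counter(e["ip"] for e in staging).most_common()],
        "staging_writes": [(e["ip"], e["method"], e["path"]) for e in writes],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real log the same way (`triage(open("access_log").read())`) on a copy of the evidence, never on the seized disk itself; as Kp notes, if the intruder had root rather than web-script access, the log may have been edited and these answers are only a starting point.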
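Kp's December 24 post at 3:50 AM makes the design point that a bank login should let the customer prove identity without handing a fraudulent recipient anything reusable. This added example, not code from the original thread or from any bank, contrasts the two designs in miniature: a plain password login, where whatever the victim typed into the fake LoginMember.do page works on the real site, and a challenge-response login, where the customer answers a fresh server nonce with an HMAC over a password-derived key, so a response captured by a fake page does not verify against the real server's challenge. The user name, password and 100,000-iteration PBKDF2 key derivation are constructed choices for the demonstration.

```python
import hashlib
import hmac
import secrets


def derive_key(user, password):
    """Stretch the password into a per-user key (salting with the user name is a simplification)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode(), 100_000)


class PasswordServer:
    """The 'typical bank authentication' Kp describes: the secret itself is what the user sends."""

    def __init__(self, users):
        self._keys = {u: derive_key(u, pw) for u, pw in users.items()}

    def login(self, user, password):
        key = self._keys.get(user)
        return key is not None and hmac.compare_digest(key, derive_key(user, password))


class ChallengeResponseServer:
    """The user answers a fresh nonce with HMAC(key, nonce); the key never leaves the client."""

    def __init__(self, users):
        self._keys = {u: derive_key(u, pw) for u, pw in users.items()}
        self._pending = {}

    def challenge(self, user):
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user, response):
        nonce = self._pending.pop(user, None)  # single use: one nonce answers one login
        key = self._keys.get(user)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_answer(user, password, nonce):
    """What a legitimate client computes locally and sends back."""
    return hmac.new(derive_key(user, password), nonce, hashlib.sha256).digest()


USERS = {"alice": "correct horse battery staple"}  # constructed credential


def phished_password_replays():
    """Victim types her password into the fake page; the recipient logs in with it later."""
    captured = USERS["alice"]  # exactly what the fake form recorded
    return PasswordServer(USERS).login("alice", captured)


def phished_response_replays():
    """Victim answers a nonce the fake page made up; that answer is replayed to the real server."""
    real = ChallengeResponseServer(USERS)
    fake_nonce = secrets.token_bytes(16)  # the fake page cannot know the real server's nonce
    captured = client_answer("alice", USERS["alice"], fake_nonce)
    real.challenge("alice")  # real server issues its own, different nonce
    return real.verify("alice", captured)


def honest_login_works():
    real = ChallengeResponseServer(USERS)
    nonce = real.challenge("alice")
    return real.verify("alice", client_answer("alice", USERS["alice"], nonce))


def captured_answer_reused_on_real_server():
    """Even a genuine answer to the real nonce is good for one login only."""
    real = ChallengeResponseServer(USERS)
    nonce = real.challenge("alice")
    answer = client_answer("alice", USERS["alice"], nonce)
    first = real.verify("alice", answer)
    return first, real.verify("alice", answer)


if __name__ == "__main__":
    print("password replay succeeds:", phished_password_replays())
    print("captured response replays:", phished_response_replays())
    print("honest login:", honest_login_works())
    print("second use of same answer:", captured_answer_reused_on_real_server())
```

This closes off the passive capture that the thread's phishing page relied on, and nothing more: a fake page that relays the real server's nonce to the victim in real time and forwards the answer still succeeds, which is the man-in-the-middle weakness Kp attaches to two-factor schemes as well. Protocols such as SRP improve on this toy by also proving the server's identity to the client, but they do not by themselves stop a live relay either.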