Full Version: 2008-04-03 Phishing Site Warning for OsCommerce
The Planet Forums > Security > General Security
dynamicnet
Greetings:

This past weekend we cleaned up an irs.gov phishing site set up for an H-Sphere provider; and then another clean up Monday evening for yet another customer for the same irs.gov phishing site (dealing with fake refunds to get banking and other private data).

For those interested in the attacking IP addresses, both attacks came from America Online (AOL): 172.168.217.114 and 172.164.57.71.

The attackers appeared to have used google hacking to find OsCommerce administration areas which were not password protected (this was the vulnerability), and then proceeded to upload .help.php which they then used to craft the phishing site.

The commonalities between the two phishing attacks included the following:

1. Vulnerability was OsCommerce admin area which had no password protection.

2. Attacker used America Online (AOL)

3. Attacker uploaded .help.php typically in the catalog/images directory

4. Attacker created a directory called matrox in the images directory which was either a holding place for the phishing directory and files or a holding place for .help.php (one site had an images/mail directory that the phishing site was within).

Thanks to http://www.markmonitor.com/ and http://www.castlecops.com/ for pointing out the phishing, and extra thanks to castlecops.com who in their efforts to fight phishing directly attributed the phishing specifically to the oscommerce admin area.

For those of you who want to check your own servers for an existing “potential” phish, do the following:

cd [to area where your customer's content starts]
find . -name '.help.php' -print

For those of you who want to check your servers to see if you have a vulnerable oscommerce admin area, please note Nessus at http://www.nessus.org/ has a plugin to check for this and other vulnerabilities.

In ending, please make sure your admin area is password protected.

Thank you.
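Added example (not from the thread or from the osCommerce project): a POSIX shell script that turns the indicators listed in the post into a repeatable server check. It looks for the planted .help.php file and the matrox holding directory, and flags osCommerce admin directories that have no authentication configured. The .htaccess check assumes Apache basic auth (a "Require" directive) is how the admin area is password protected; a site protected another way would need a different test. The sample directory tree is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. Scans a customer web root for the
# indicators described in the thread (.help.php, a "matrox" directory) and for
# osCommerce admin directories lacking HTTP authentication.

# Print every .help.php file under the given root, one per line.
find_help_php() {
    find "$1" -name '.help.php' -print 2>/dev/null
}

# Print every directory named matrox (the holding directory named in the post).
find_matrox_dirs() {
    find "$1" -type d -name 'matrox' -print 2>/dev/null
}

# Print every "admin" directory with no .htaccess that requires authentication.
# Assumption: protection is Apache basic auth, i.e. an .htaccess containing a
# "Require ..." line (case-insensitive so Apache 2.2 "require" also matches).
find_unprotected_admin() {
    find "$1" -type d -name 'admin' -print 2>/dev/null | while IFS= read -r dir; do
        if [ ! -f "$dir/.htaccess" ] || \
           ! grep -qi '^[[:space:]]*require[[:space:]]' "$dir/.htaccess"; then
            printf '%s\n' "$dir"
        fi
    done
}

# Constructed sample tree so the script can be run offline; prints its root.
# shop1 carries the indicators and an unprotected admin; shop2 is clean.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/shop1/catalog/images/matrox" "$root/shop1/catalog/admin"
    mkdir -p "$root/shop2/catalog/images/mail" "$root/shop2/catalog/admin"
    : > "$root/shop1/catalog/images/.help.php"          # planted indicator
    : > "$root/shop2/catalog/images/mail/index.php"     # ordinary file
    printf 'AuthType Basic\nAuthName "Admin"\nAuthUserFile /dev/null\nRequire valid-user\n' \
        > "$root/shop2/catalog/admin/.htaccess"
    printf '%s\n' "$root"
}

# Run all three checks against a root and print a labelled report.
scan_root() {
    echo "== .help.php files under $1 =="
    find_help_php "$1"
    echo "== matrox directories =="
    find_matrox_dirs "$1"
    echo "== admin directories without a Require directive =="
    find_unprotected_admin "$1"
}

# Demo: scan the path given as the first argument, or the sample tree if none.
target=${1:-$(make_sample_tree)}
scan_root "$target"
```

Run it as `sh scan_oscommerce.sh /home` (or whatever directory your customers' content starts in). Any line under the first two headings is a file to inspect, not automatically delete, and any admin directory under the third heading is the condition the post identifies as the vulnerability.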
markcausa
Thank you, Peter. I will make sure this announcement gets out to our clients running OS Commerce.
dynamicnet
Greetings:

In addition to password protecting the oscommerce admin directory, also consider telling robots to noindex,noarchive, and nofollow.

google hacking with intitle:osCommerce inurl:admin intext:Administration filetype:php found a number of unprotected sites... sigh.

Thank you.
markcausa
Ah, I see now.