So there I was just updating my website on my local server and I needed a bit of code from my old site. So I opened up my browser typed in boofly.com into the address bar, waited, and nothing but a message telling me "Forbidden", what the...?
My web host sent me a message that had been sent from PayPal claiming that my site was being used as a PayPal Phishing site. A group of hackers naming themselves the "Ramiki Team" had gained access to my site via an open directory exploit. They had managed to upload some files to my server and proceed to direct people to a page that looked just like Paypal's home page.
I have since shut down the open directory on my server and increased security on my site. It took a total of 4 days to convince my webhost and PayPal to put my site back online and to my surprise when they did the hackers had replaced my index page.
On inspection of my logs I have since found out that the attack originated from Preilu, Preili, Latvia using the ISP AD Technology SIA. They originally gained access via an SSH shell probably using a brutforce attack to guess the user name and password. It is actually very simple to do this sort of attack on a server that has just used the default install settings on their system. In order to stop this sort of thing happening there are a number of steps that can be taken. You can change the listening port for SSH or you can restrict the amount of wrong user password combination come from the same IP in a given timeframe, among others.
If you run a web server or web host please check the security protocols you have in place. This is a big bad world we now live in and we have to protect ourselves in this harsh unforgiving virtual world.
