As far as I am aware, most attacks that go under the heading of
'phishing' consist of spam email messages that try to appear to
come from some bona fide source and direct the recipient to a fake
web site where confidential data is harvested...

Consequently, if your server is implicated in phishing then the
first thing I would look for is evidence of it serving suspect
HTML pages.

If you are running an HTTP server on the host, with users that are
able to serve their own pages, then your machine may not have been
compromised and you may simply have a rogue or compromised user
that needs to be ejected.

Otherwise, if a server has been installed without your knowledge
or consent (or an authorised server has had its content compromised)
then I would tend to concur with the earlier suggestion of reinstall.

In any case, I would hope that your ISP would co-operate in providing
additional information to help you resolve the problem. They may not
want to help you investigate, but should at least be willing to make
available the information that implicated your host in the first place.

Regards,
DigbyT

On Sat, Apr 08, 2006 at 05:10:57PM +0100, M A wrote:
> Details that's all the ISP gave me,
> 
> Surely there must be a way to detect this is happening, or the source of it,
> 
> I have since removed all my secondary IPs,
> 
> Does IPtables need to have rules for all my secondary IPs?
> 
> 
> On 4/8/06, Roberto C. Sanchez <[EMAIL PROTECTED]> wrote:
> >
> > M A wrote:
> > > Hi there Got this from my ISP the other day
> > >
> > > We have been forced to take your server off line, since your server is
> > > performing phishing from your secondary IP address xxx.xxx.xxx.224.
> > >
> > > that IP address was one of my secondary IPs, using debian sarge, have
> > > iptables firewall,
> > > using qmail as the mail server ..
> > >
> > > How do I fix this, or detect that is happening ..
> > >
> >
> > Without more detail, I would say to format and reinstall.  Once a
> > machine has been compromised, you can never be sure it is completely
> > clean.
> >
> > -Roberto
> >
> > --
> > Roberto C. Sanchez
> > http://familiasanchez.net/~roberto
> >
> >
> >

-- 
Digby R. S. Tarvin                                          digbyt(at)digbyt.com
http://www.digbyt.com
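
Added example, not part of the original message: one way to look for the "suspect HTML pages" mentioned above is to walk each document root and list every page that contains a password form, together with the owning uid and modification time so a rogue or compromised user can be identified. The page extensions, the `own_hosts` set and the sample page are assumptions made for illustration.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

PAGE_EXT = (".html", ".htm", ".shtml", ".php")   # assumed page extensions
SAMPLE = '<form action="http://collector.example/p"><input type="PASSWORD"></form>'  # constructed sample

class FormAudit(HTMLParser):
    """Record every <form>: its action and the input types inside it."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "types": set()}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["types"].add((a.get("type") or "text").lower())
    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def credential_forms(html, own_hosts):
    """Return (action, offsite) for each form that asks for a password."""
    audit = FormAudit()
    audit.feed(html)
    out = []
    for form in audit.forms:
        if "password" not in form["types"]:
            continue
        try:
            host = (urlparse(form["action"]).hostname or "").lower()
        except ValueError:          # malformed action URL: flag for review
            host = "?"
        out.append((form["action"], bool(host) and host not in own_hosts))
    return out

def scan_tree(root, own_hosts):
    """Walk a document root; list pages with password forms, with owner uid."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(PAGE_EXT)):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                forms = credential_forms(fh.read(), own_hosts)
            st = os.stat(path)
            findings += [(path, st.st_uid, int(st.st_mtime), a, off) for a, off in forms]
    return findings
```

A form that posts to a relative action is reported with `offsite` set to False; it still needs review, since the receiving script can be hosted locally.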

