Confused by Abuse Reports


#1

This isn’t directly related to the thread above, but it’s about phishing complaints. I’ve just received two, but, that I know of, there have been no compromises at my host or anywhere else. I’m not sure what to do…

Here’s the note:

Cloudflare received a phishing report regarding:

Below is the report we received:

Reporter’s Name: [email protected]
Reporter’s Email Address: [email protected]

Reported URLs:

    http://injuredathletestoolbox.com/wp-content/uploads/www/secure.bankofamerica.com/login/sign-in/signOnV2Screen.go/B/

Logs or Evidence of Abuse: Bank of America verified the below phishing content hosted on your network. We request that you take the following two steps:

  1. Reply with any Personally Identifiable Information (PII) that the reported phishing content captured and stored on your network to this email address.

  2. Remove phishing content and captured PII from your network.

Phishing content:

xxxxxxx

We have provided the name of your hosting provider to the reporter. We have forwarded this complaint to your hosting provider. We have restricted access to the phishing-related content until it has been removed.

Regards,

Cloudflare Abuse


#2

Hi @heidi, I would contact Cloudflare support directly.

https://support.cloudflare.com/hc/en-us/requests/new


#3

Have you looked in that Uploads directory to see if the content is there?

In general, I strongly suggest you install Wordfence. It’ll scan and protect your site.


#4

After doing all the common good practices, i.e. installing updates…, you need to find the PHP shell(s) on your host. This is not an easy task. Usually hackers upload multiple of them in different folders under different names.
First, you need to keep track of changing files and folders. There are security plugins to do that. You do this to prevent new shells while eliminating existing ones.
Second, you need to keep an eye on access logs, especially low visit counts of odd paths, to find the shell(s).
Personally, I wouldn’t trust such a compromised server, and I would install everything from the beginning.
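
The access-log check described in post #4, as an added example that is not part of any poster's reply: it lists successfully served `.php` paths with few hits and puts anything under `wp-content/uploads` first, since an uploads directory normally holds no scripts. The combined log format, the `max_hits` threshold, the function name and the sample rows are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample traffic (documentation IP ranges, made-up paths).
_ROWS = [  # (client ip, method, request target, status, number of requests)
    ("198.51.100.7", "GET", "/index.php", 200, 5),
    ("198.51.100.8", "POST", "/wp-login.php", 200, 4),
    ("203.0.113.9", "POST", "/wp-content/uploads/2019/03/cache.php?a=1", 200, 2),
    ("203.0.113.9", "GET", "/wp-includes/css/style.php", 200, 1),
    ("192.0.2.4", "GET", "/wp-content/uploads/old.php", 404, 1),
    ("192.0.2.4", "GET", "/wp-content/uploads/2019/03/photo.jpg", 200, 6),
]
SAMPLE_LOG = "\n".join(
    f'{ip} - - [01/Jan/2024:10:00:00 +0000] "{m} {p} HTTP/1.1" {s} 512 "-" "-"'
    for ip, m, p, s, n in _ROWS for _ in range(n))


def rare_script_paths(log_text, max_hits=3):
    """Return (path, hits, distinct_ips, in_uploads) for .php paths that were
    served with a 2xx status at most max_hits times."""
    hits = defaultdict(int)
    ips = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore the query string
        if not path.lower().endswith(".php") or not status.startswith("2"):
            continue
        hits[path] += 1
        ips[path].add(ip)
    findings = [(p, n, len(ips[p]), "/wp-content/uploads/" in p)
                for p, n in hits.items() if n <= max_hits]
    # Scripts inside the uploads directory first, then fewest hits.
    return sorted(findings, key=lambda f: (not f[3], f[1], f[0]))


if __name__ == "__main__":
    for path, n, n_ips, in_uploads in rare_script_paths(SAMPLE_LOG):
        flag = "UPLOADS" if in_uploads else "review"
        print(f"{flag:8} hits={n} ips={n_ips} {path}")
```

Each path it reports still has to be opened and compared against a clean copy of WordPress and the installed plugins; a low hit count alone does not prove a file is a shell.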


#5

Hi - It would probably be best to reply directly to the email you received, as they can provide more personal detail in a response.