One of our client's customer's site was being used for a phishing scam. The site itself had nothing to do with the scam, it's just that someone had uplaoded some pages that looked like a PayPal login screen. Our client wrote in:
We rec'd a call saying that a phishing scam was using XXXXXXXXXXXXXX (a site on XXXXXX) This is the email they rec”d:
Ticket from our client
And yes, the email was a typical phishing email. I had some exchanges with the client. It ended thus:
Did you already remove the problem files? If not, what should we do? And what can we do to prevent this in the future. I'm sure the client didn't know what was going on.
Response from our client
I didn't remove the files, as it's inaccessible anyway due to the Apache configuration. If you want, I can delete them.
As for prevention, remind the client not to let out their account information. Another thing to check is for insecure CGI scripts (PHP, etc) that might allow someone to upload such items.
I think it's best to remove the infected files to prevent the site, or the server, from being blocked or placed on any blacklists or anything. Thank you.
These are not “infected files”—they contain no virus. They don't propagate on their own. They don't infect other files (I'm also tempted to question their reading comprehension, as I clearly stated the files were “inaccessible due to the Apache configuration” but I won't). These files were placed there by someone.
Does no one truely understand this stuff anymore? Does anyone read anymore?
Update a few minutes later
Why am I being so harsh?
I think it's because the client that wrote in is a web design and hosting company (and we do some of the hosting for them). If it was the end customer, the one who's site was being used, that wrote in, I would be more forgiving (or rather, I'd roll my eyes, fix the problem, and go on). But for a company that does web design? That also hosts some of their sites? Them, I would expect a bit more from.
In the end, I rolled my eyes, fixed the problem, and then went on to make a post about it.