On Friday, 30 October 2009 12:12:17, Erik P. Roderwald wrote:
Agreed. At the slightest suspicion, the system must be reinstalled. If a successful attack is discovered, there is no other safe way to get rid of any malware that may have been installed. Completely agreed. But the point, first of all, was to establish whether an attack took place at all, not to clean up the consequences. On cleaning up the consequences I agree with you completely. No way.
That is exactly what I am struggling with right now. Was someone really in the system, or is this the result of external "games"? I received a similar mail for several domains. When I call up the alleged phishing page, it does not exist. Access via ssh is only possible with keys. Shouldn't I be able to find the name of the alleged phishing link somewhere on the system? The simplest explanation would be that someone set a link and Google then blocked it because of the terms.

_______________
Return-Path: <3dc7oSgcKCncijmZkgtbjjbgZ.XjhkjnohVnoZmWjbiZm.kmdq.Vo@phishing.bounces.google.com>
X-Original-To: $localuser@localhost.local.localdomain.tld
Delivered-To: $localuser@localhost.local.localdomain.tld
Received: from localhost (localhost [127.0.0.1])
    by sv.local.localdomain.tld (Postfix) with ESMTP id BCCE942D9F4
    for <$localuser@localhost.local.localdomain.tld>; Thu, 29 Oct 2009 00:15:18 +0100 (CET)
X-Virus-Scanned: amavisd-new at local.localdomain.tld
Authentication-Results: sv.local.localdomain.tld (amavisd-new); dkim=pass header.i=@google.com
Authentication-Results: sv.local.localdomain.tld (amavisd-new); domainkeys=pass header.from=noreply@google.com
Received: from sv.local.localdomain.tld ([127.0.0.1])
    by localhost (sv.local.localdomain.tld [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rm4CVSAbWaIF
    for <$localuser@localhost.local.localdomain.tld>; Thu, 29 Oct 2009 00:15:12 +0100 (CET)
Received: from sv.local.localdomain.tld (localhost [127.0.0.1])
    by sv.local.localdomain.tld (Postfix) with ESMTP id C824D2BDC09
    for <$localuser@localhost>; Thu, 29 Oct 2009 00:15:12 +0100 (CET)
Delivery-date: Thu, 29 Oct 2009 00:06:32 +0100
Received: from mail.utanet.$ [213.90.36.103]
    by sv.local.localdomain.tld with POP3 (fetchmail-6.3.9-rc2 polling mail.utanet.$ account $username)
    for <$localuser@localhost> (single-drop); Thu, 29 Oct 2009 00:15:12 +0100 (CET)
Received: from solitaire.xoc.tele2net.at ([213.90.36.15])
    by mary.xoc.tele2net.at with esmtp (Exim 4.69)
    (envelope-from <3dc7oSgcKCncijmZkgtbjjbgZ.XjhkjnohVnoZmWjbiZm.kmdq.Vo@phishing.bounces.google.com>)
    id 1N3Hb6-0006Zu-KV
    for $localpart@utanet.$; Thu, 29 Oct 2009 00:06:32 +0100
Received: from m1.dnsix.com ([66.11.225.176])
    by solitaire.xoc.tele2net.at with esmtp (Exim 4.69)
    (envelope-from <3dc7oSgcKCncijmZkgtbjjbgZ.XjhkjnohVnoZmWjbiZm.kmdq.Vo@phishing.bounces.google.com>)
    id 1N3Hb5-0003U2-KF
    for $localpart@utanet.$; Thu, 29 Oct 2009 00:06:32 +0100
Received: from [209.85.222.227] (helo=mail-pz0-f227.google.com)
    by m1.dnsix.com with esmtp (Exim 4.63)
    (envelope-from <3dc7oSgcKCncijmZkgtbjjbgZ.XjhkjnohVnoZmWjbiZm.kmdq.Vo@phishing.bounces.google.com>)
    id 1N3Hb4-0002CR-R9
    for postmaster@angebliche.phishing.domain; Wed, 28 Oct 2009 16:06:30 -0700
Received: by pzk24 with SMTP id 24so371179pzk.11
    for <postmaster@angebliche.phishing.domain>; Wed, 28 Oct 2009 16:06:29 -0700 (PDT)
Received-SPF: neutral (solitaire.xoc.tele2net.at: domain of 3dc7oSgcKCncijmZkgtbjjbgZ.XjhkjnohVnoZmWjbiZm.kmdq.Vo@phishing.bounces.google.com is neutral about designating 66.11.225.176 as permitted sender)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta;
    h=domainkey-signature:mime-version:auto-submitted:received:message-id
    :date:subject:from:to:content-type;
    bh=4c5t09T4RP/cuZbb7N0jWmErmFmdbKncIEznpX/1HAA=;
    b=hl7pZH/+M61gOw+JN6KJfR8kqG4OXt8OtmDIannysmu/LLYprX3JUzmJ9w7Ch6gjxD
    edfFA4Cxus/eDtcAARjA==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta;
    h=mime-version:auto-submitted:message-id:date:subject:from:to
    :content-type;
    b=uhkkRsNvNi6hPVbMFeRqlU1e/qRO1Pm3cVW/oOx2oUSUNZERomyYqKS7GK6OXzBh7k
    B8ZLi7eLNzEp3HT4yl6w==
MIME-Version: 1.0
Auto-Submitted: auto-generated
Received: by 10.142.74.4 with SMTP id w4mr2363299wfa.5.1256771189788; Wed, 28 Oct 2009 16:06:29 -0700 (PDT)
Message-ID: <001636e1fbb054d317047706d8d5@google.com>
Date: Wed, 28 Oct 2009 23:06:29 +0000
Subject: Phishing notification regarding angebliche.phishing.domain
From: noreply@google.com
To: abuse@angebliche.phishing.domain, admin@angebliche.phishing.domain,
    administrator@angebliche.phishing.domain, contact@angebliche.phishing.domain,
    info@angebliche.phishing.domain, postmaster@angebliche.phishing.domain,
    support@angebliche.phishing.domain, webmaster@angebliche.phishing.domain
Content-Type: multipart/alternative; boundary=001636e1fbb054d307047706d8d2
X-DCC-UTA-Metrics: solitaire.xoc.tele2net.at 32731; Body=1 Fuz1=1 Fuz2=1
X-TELE2-DKIM-Check: header.i=@google.com result:good
X-Virus-Scanned: Yes, on solitaire.xoc.tele2net.at
X-Spam-Score-Int: 30
X-Spam-Checker: Spamassassin 3.2.5 on solitaire.xoc.tele2net.at
X-TELE2-Spam-Relay-Countries: US US
X-UIDL: J\B!!(/d"!1mM"!Q;o"!
Status: R
X-Status: N
X-KMail-EncryptionState:
X-KMail-SignatureState:
X-KMail-MDN-Sent:

Dear site owner or webmaster of angebliche.phishing.domain,

We recently discovered that some pages on your site look like a probable phishing attack, in which users are encouraged to give up sensitive information such as login credentials or banking information. We have begun showing a warning page to users who visit this site in certain browsers that receive anti-phishing data from Google, as well as users redirected to this site from various Google properties.

Below are one or more example URLs on your site which appear to be part of a phishing attack:

http://www.angebliche.phishing.domain/~dbean/components/com_letterman/images... cards;jsessionid=0000pDFvvK08lyoIpQOFOAhC_Ct11j74l29q/

Here is a link to a sample warning page:

http://www.google.com/interstitial?url=http%3A//www.angebliche.phishing.doma... cards%3Bjsessionid%3D0000pDFvvK08lyoIpQOFOAhC_Ct11j74l29q/

We strongly encourage you to investigate this immediately to protect users who are being directed to a suspected phishing attack being hosted on your web site. Although some sites intentionally host such attacks, in many cases the webmaster is unaware because:

1) the site was compromised
2) the site doesn't monitor for malicious user-contributed content

If your site was compromised, it's important to not only remove the content involved in the phishing attack, but to also identify and fix the vulnerability that enabled such content to be placed on your site. We suggest contacting your hosting provider if you are unsure of how to proceed.

Once you've secured your site, and removed the content involved in the suspected phishing attack, or if you believe we have made an error and this is not actually a phishing attack, you can request that the warning be removed by visiting http://sb.google.com/safebrowsing/report_error/ and reporting an "incorrect forgery alert." We will review this request and take the appropriate actions.

Sincerely,
Google Search Quality Team
_______________

Al
--
To unsubscribe from the list, send a mail to: opensuse-de+unsubscribe@opensuse.org
To get a list of all available commands, send a mail to: opensuse-de+help@opensuse.org
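The check the post asks about (whether the name of the alleged phishing link turns up anywhere on the system), applied to web-server access logs, as an added example that is not part of the original mail. Only the path prefix comes from the notification; the Apache combined log format and every sample log line are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Prefix of the example URL quoted in the notification; the rest of that URL is elided on the page.
REPORTED_PREFIX = "/~dbean/components/com_letterman/images"

# Assumed Apache combined log format: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines (documentation address ranges, invented file names).
SAMPLE_LOG = """\
198.51.100.7 - - [27/Oct/2009:21:14:02 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Oct/2009:22:40:11 +0100] "POST /~dbean/components/com_letterman/images/constructed-upload.php HTTP/1.1" 200 312 "-" "-"
203.0.113.9 - - [27/Oct/2009:22:41:30 +0100] "GET /%7Edbean/components/com_letterman/images/constructed-page;jsessionid=CONSTRUCTED HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
192.0.2.44 - - [28/Oct/2009:23:05:58 +0100] "GET /~dbean/components/com_letterman/images/constructed-page HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

def scan(lines, prefix=REPORTED_PREFIX):
    """Return every request whose decoded path lies under the reported prefix."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        host, when, method, target, status = m.groups()
        # Drop the query string and ;jsessionid-style path parameters, then decode %7E to ~.
        path = unquote(re.split(r"[?;]", target, maxsplit=1)[0])
        if path.startswith(prefix):
            hits.append({"host": host, "when": when, "method": method,
                         "path": path, "status": int(status)})
    return hits

def summarize(hits):
    """Classify the hits: was content ever served, and which hosts wrote to the path?"""
    served = [h for h in hits if h["status"] < 400]
    writers = sorted({h["host"] for h in served if h["method"] in ("POST", "PUT")})
    if not hits:
        verdict = "no-requests"      # nothing in this log ever asked for the path
    elif served:
        verdict = "content-served"   # at least one request got a 2xx/3xx answer
    else:
        verdict = "only-errors"      # the link was requested but nothing was served
    return {"verdict": verdict, "writers": writers,
            "first_success": served[0]["when"] if served else None}

if __name__ == "__main__":
    print(summarize(scan(SAMPLE_LOG.splitlines())))
```

A `no-requests` or `only-errors` result over logs that reach back before the notification date fits the poster's "someone just set a link" explanation, while `content-served` means something really existed under that path and the `writers` addresses are where to look next.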