On Friday, 30 October 2009 12:12:17, Erik P. Roderwald wrote:
Agreed. At the slightest suspicion the system has to be reinstalled.
Once a successful attack has been detected, there is no other safe way
to get rid of any malware that may have been installed. Completely
agreed. But the question at first was how to establish whether an
attack had taken place at all, not how to clean up its consequences.
As far as cleaning up the consequences goes, I fully agree with you.
No way.
That's exactly what I'm wrestling with right now. Was somebody really in
the system, or is this the result of somebody "playing around" from outside?
I received a similar mail for several domains. When I open the alleged
phishing page, it doesn't exist. SSH access is only possible with keys.
Shouldn't I find the name of the alleged phishing link somewhere in the
system? The simplest explanation would be that someone placed a link
and Google then blocked it on the basis of the terms it contains.
_______________
Return-Path:
<3dc7oSgcKCncijmZkgtbjjbgZ.XjhkjnohVnoZmWjbiZm.kmdq.Vo@phishing.bounces.google.com>
X-Original-To: $localuser@localhost.local.localdomain.tld
Delivered-To: $localuser@localhost.local.localdomain.tld
Received: from localhost (localhost [127.0.0.1])
by sv.local.localdomain.tld (Postfix) with ESMTP id BCCE942D9F4
for <$localuser@localhost.local.localdomain.tld>; Thu, 29 Oct 2009
00:15:18 +0100 (CET)
X-Virus-Scanned: amavisd-new at local.localdomain.tld
Authentication-Results: sv.local.localdomain.tld (amavisd-new); dkim=pass
header.i=@google.com
Authentication-Results: sv.local.localdomain.tld (amavisd-new);
domainkeys=pass
header.from=noreply@google.com
Received: from sv.local.localdomain.tld ([127.0.0.1])
by localhost (sv.local.localdomain.tld [127.0.0.1]) (amavisd-new,
port 10024)
with ESMTP id Rm4CVSAbWaIF for
<$localuser@localhost.local.localdomain.tld>;
Thu, 29 Oct 2009 00:15:12 +0100 (CET)
Received: from sv.local.localdomain.tld (localhost [127.0.0.1])
by sv.local.localdomain.tld (Postfix) with ESMTP id C824D2BDC09
for <$localuser@localhost>; Thu, 29 Oct 2009 00:15:12 +0100 (CET)
Delivery-date: Thu, 29 Oct 2009 00:06:32 +0100
Received: from mail.utanet.$ [213.90.36.103]
by sv.local.localdomain.tld with POP3 (fetchmail-6.3.9-rc2 polling
mail.utanet.$ account $username)
for <$localuser@localhost> (single-drop); Thu, 29 Oct 2009 00:15:12
+0100 (CET)
Received: from solitaire.xoc.tele2net.at ([213.90.36.15])
by mary.xoc.tele2net.at with esmtp (Exim 4.69)
(envelope-from
<3dc7oSgcKCncijmZkgtbjjbgZ.XjhkjnohVnoZmWjbiZm.kmdq.Vo@phishing.bounces.google.com>)
id 1N3Hb6-0006Zu-KV
for $localpart@utanet.$; Thu, 29 Oct 2009 00:06:32 +0100
Received: from m1.dnsix.com ([66.11.225.176])
by solitaire.xoc.tele2net.at with esmtp (Exim 4.69)
(envelope-from
<3dc7oSgcKCncijmZkgtbjjbgZ.XjhkjnohVnoZmWjbiZm.kmdq.Vo@phishing.bounces.google.com>)
id 1N3Hb5-0003U2-KF
for $localpart@utanet.$; Thu, 29 Oct 2009 00:06:32 +0100
Received: from [209.85.222.227] (helo=mail-pz0-f227.google.com)
by m1.dnsix.com with esmtp (Exim 4.63)
(envelope-from
<3dc7oSgcKCncijmZkgtbjjbgZ.XjhkjnohVnoZmWjbiZm.kmdq.Vo@phishing.bounces.google.com>)
id 1N3Hb4-0002CR-R9
for postmaster@angebliche.phishing.domain; Wed, 28 Oct 2009
16:06:30 -0700
Received: by pzk24 with SMTP id 24so371179pzk.11
for ; Wed, 28 Oct 2009
16:06:29 -0700 (PDT)
Received-SPF: neutral (solitaire.xoc.tele2net.at: domain of
3dc7oSgcKCncijmZkgtbjjbgZ.XjhkjnohVnoZmWjbiZm.kmdq.Vo@phishing.bounces.google.com
is neutral about designating 66.11.225.176 as permitted sender)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=google.com; s=beta;
h=domainkey-signature:mime-version:auto-submitted:received:message-id
:date:subject:from:to:content-type;
bh=4c5t09T4RP/cuZbb7N0jWmErmFmdbKncIEznpX/1HAA=;
b=hl7pZH/+M61gOw+JN6KJfR8kqG4OXt8OtmDIannysmu/LLYprX3JUzmJ9w7Ch6gjxD
edfFA4Cxus/eDtcAARjA==
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=google.com; s=beta;
h=mime-version:auto-submitted:message-id:date:subject:from:to
:content-type;
b=uhkkRsNvNi6hPVbMFeRqlU1e/qRO1Pm3cVW/oOx2oUSUNZERomyYqKS7GK6OXzBh7k
B8ZLi7eLNzEp3HT4yl6w==
MIME-Version: 1.0
Auto-Submitted: auto-generated
Received: by 10.142.74.4 with SMTP id w4mr2363299wfa.5.1256771189788; Wed,
28 Oct 2009 16:06:29 -0700 (PDT)
Message-ID: <001636e1fbb054d317047706d8d5@google.com>
Date: Wed, 28 Oct 2009 23:06:29 +0000
Subject: Phishing notification regarding angebliche.phishing.domain
From: noreply@google.com
To: abuse@angebliche.phishing.domain,
admin@angebliche.phishing.domain,
administrator@angebliche.phishing.domain,
contact@angebliche.phishing.domain,
info@angebliche.phishing.domain,
postmaster@angebliche.phishing.domain,
support@angebliche.phishing.domain,
webmaster@angebliche.phishing.domain
Content-Type: multipart/alternative;
boundary=001636e1fbb054d307047706d8d2
X-DCC-UTA-Metrics: solitaire.xoc.tele2net.at 32731; Body=1 Fuz1=1 Fuz2=1
X-TELE2-DKIM-Check: header.i=@google.com result:good
X-Virus-Scanned: Yes, on solitaire.xoc.tele2net.at
X-Spam-Score-Int: 30
X-Spam-Checker: Spamassassin 3.2.5 on solitaire.xoc.tele2net.at
X-TELE2-Spam-Relay-Countries: US US
X-UIDL: J\B!!(/d"!1mM"!Q;o"!
Status: R
X-Status: N
X-KMail-EncryptionState:
X-KMail-SignatureState:
X-KMail-MDN-Sent:
Dear site owner or webmaster of angebliche.phishing.domain,
We recently discovered that some pages on your site look like a probable
phishing attack, in which users are encouraged to give up sensitive
information such as login credentials or banking information. We have begun
showing a warning page to users who visit this site in certain browsers
that receive anti-phishing data from Google, as well as users redirected to
this site from various Google properties.
Below are one or more example URLs on your site which appear to be part of
a phishing attack:
http://www.angebliche.phishing.domain/~dbean/components/com_letterman/images...
cards;jsessionid=0000pDFvvK08lyoIpQOFOAhC_Ct11j74l29q/
Here is a link to a sample warning page:
http://www.google.com/interstitial?url=http%3A//www.angebliche.phishing.doma...
cards%3Bjsessionid%3D0000pDFvvK08lyoIpQOFOAhC_Ct11j74l29q/
We strongly encourage you to investigate this immediately to protect users
who are being directed to a suspected phishing attack being hosted on your
web site. Although some sites intentionally host such attacks, in many
cases the webmaster is unaware because:
1) the site was compromised
2) the site doesn't monitor for malicious user-contributed content
If your site was compromised, it's important to not only remove the content
involved in the phishing attack, but to also identify and fix the
vulnerability that enabled such content to be placed on your site. We
suggest contacting your hosting provider if you are unsure of how to
proceed.
Once you've secured your site, and removed the content involved in the
suspected phishing attack, or if you believe we have made an error and this
is not actually a phishing attack, you can request that the warning be
removed by visiting
http://sb.google.com/safebrowsing/report_error/
and reporting an "incorrect forgery alert." We will review this request and
take the appropriate actions.
Sincerely,
Google Search Quality Team
_______________
Al
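One way to answer the question raised above (was the reported page ever really on the server, or did an outside link merely point at a URL that never existed?), added here as an example and not part of the post or of the list: it scans Apache access-log lines for the path named in the notice, dropping the `;jsessionid=` path parameter so the crawler's requests match whatever session id they carried. The URLs and log lines are constructed placeholders, since the links quoted in the notice are truncated.

```python
"""Added example, not from the post: did the URL in a Google phishing notice
ever get served by this host? Scan the web server access log to find out."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed stand-ins for the notice's two links (the page's are truncated).
REPORTED_URL = ("http://www.angebliche.phishing.domain/~dbean/components/"
                "com_letterman/images/cards;jsessionid=0000EXAMPLE/")
INTERSTITIAL_URL = ("http://www.google.com/interstitial?url=http%3A//www."
                    "angebliche.phishing.domain/~dbean/components/com_letterman/"
                    "images/cards%3Bjsessionid%3D0000EXAMPLE/")
# Constructed Apache combined-format log lines (RFC 5737 documentation IPs).
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Oct/2009:14:02:11 +0100] "GET /~dbean/components/'
    'com_letterman/images/cards;jsessionid=0000EXAMPLE/ HTTP/1.1" 404 312 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.7 - - [28/Oct/2009:09:15:40 +0100] "GET /index.php HTTP/1.1" '
    '200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [28/Oct/2009:16:00:02 +0100] "GET /~dbean/components/'
    'com_letterman/images/cards/ HTTP/1.1" 404 312 "http://links.example/x" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
                    r'\S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

def normalize_path(url):
    """Reduce a reported URL (plain, or wrapped in an interstitial link) to the
    path a log entry would show, minus ';jsessionid=...' path parameters."""
    wrapped = parse_qs(urlsplit(url).query).get("url")
    if wrapped:                      # interstitial?url=<encoded target>
        url = wrapped[0]
    path = urlsplit(unquote(url)).path or "/"
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))

def find_hits(log_lines, reported_url):
    """Return every parsed log entry whose request path matches the notice."""
    want = normalize_path(reported_url)
    parsed = (m for m in map(LOG_RE.match, log_lines) if m)
    return [{"ip": m["ip"], "time": m["time"], "status": int(m["status"]),
             "ua": m["ua"]} for m in parsed if normalize_path(m["target"]) == want]

def assess(hits):
    """Answer the poster's question: was the page ever really on this host?"""
    served = [h for h in hits if 200 <= h["status"] < 300]
    if served:
        return "served %d times, first at %s: content existed here" % (len(served), served[0]["time"])
    if hits:
        return "requested %d times but never served: external dead link" % len(hits)
    return "no requests for that path in this log"
```

A run of 2xx hits before the notice date means the content really was on the host and the compromise path needs finding; only 404s (as in the constructed log) support the dead-link explanation.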
--
To unsubscribe from the list, send a mail to:
opensuse-de+unsubscribe@opensuse.org
To get a list of all available commands, send
a mail to: opensuse-de+help@opensuse.org