14 November, 2014 jijonline

Updates on ~oiushd5 phishing attack on PayPal

This post is in English as the issue might affect a lot of international sites.

At 2.19 PM today we received an email from Netcraft Service saying that one of our websites, currently hosted on a shared server at Webhostinghub, is facilitating a phishing attack on one of their clients, PayPal.

PS: None of our main websites or clients' websites are affected, as they are not hosted by Webhostinghub.

The email from Netcraft:

———————–

You are currently hosting a phishing attack against PayPal:

http://www.nameofdomain.com/~oiushd5/support.nappl/Support/update/index.php

You may not have been aware of this attack, however, you are still responsible for removing it.

Please remove this fraudulent content as soon as possible.

Additionally, please keep the contents of the site controlled by the fraudster safe so that our customer and law enforcement agencies can investigate this incident further once the site is offline.

———————-

Quick research:

After some quick Google research, we found out that the entire server might be hacked as there was a report that could support that hypothesis:
http://ehub22.webhostinghub.com/~oiushd5/support.nappl/Support/update/

Contact with Webhostinghub

We informed Webhostinghub regarding this matter and asked if they were aware of it.

Measures

As these kinds of issues can take some time, we meanwhile started to investigate the matter ourselves. We downloaded the website for further inspection.

Update 16.08 PM

Our techy confirmed that the tilde (~) tells Apache to jump to the home folder, so every site on the server is infected, and the host should check it themselves before they wreck themselves. Reverse IP lookup tells us that at least 999 sites seem to be infected.

As it seems to be a server problem, taking down individual sites might not be the solution.
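
The tilde behaviour described in the update is Apache's per-user directory mapping (mod_userdir): when it is enabled server-wide, a `/~user/` path is answered under every hostname on the machine. The following is an added example, not part of the original post: a Python script that scans access-log lines for `~user` paths served successfully under more than one virtual host. The log format (vhost first, as in Apache's `vhost_combined`), the hostnames and the addresses are constructed assumptions; only the `~oiushd5` path comes from the Netcraft email.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines (vhost:port first, then the usual common-log fields).
# Hostnames and client addresses are made up for illustration.
SAMPLE_LOG = """\
www.site-a.example:80 203.0.113.7 - - [14/Nov/2014:14:02:11 +0000] "GET /~oiushd5/support.nappl/Support/update/index.php HTTP/1.1" 200 5120
www.site-b.example:80 203.0.113.9 - - [14/Nov/2014:14:05:40 +0000] "GET /~oiushd5/support.nappl/Support/update/ HTTP/1.1" 200 5120
www.site-b.example:80 198.51.100.4 - - [14/Nov/2014:14:06:02 +0000] "GET /index.html HTTP/1.1" 200 812
www.site-c.example:80 198.51.100.8 - - [14/Nov/2014:14:09:30 +0000] "GET /~nobody/ HTTP/1.1" 404 209
www.site-c.example:80 203.0.113.7 - - [14/Nov/2014:14:10:02 +0000] "POST /%7Eoiushd5/support.nappl/Support/update/index.php HTTP/1.1" 200 301
"""

LINE_RE = re.compile(
    r'^(?P<vhost>\S+?)(?::\d+)? \S+ \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
USERDIR_RE = re.compile(r"^/~([^/?#]+)")  # /~user/... as mapped by mod_userdir


def userdir_hits(log_text):
    """Map each ~user to the set of vhosts that actually served its content."""
    served = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        path = unquote(m.group("path"))  # the tilde may arrive encoded as %7E
        user = USERDIR_RE.match(path)
        # Count only 2xx/3xx answers: a 404 means the mapping did not resolve.
        if user and m.group("status")[0] in "23":
            served[user.group(1)].add(m.group("vhost"))
    return dict(served)


def shared_exposure(served, min_vhosts=2):
    """Users whose directory was served under several unrelated hostnames."""
    return {u: sorted(v) for u, v in served.items() if len(v) >= min_vhosts}


if __name__ == "__main__":
    for user, vhosts in shared_exposure(userdir_hits(SAMPLE_LOG)).items():
        print(f"~{user} served under {len(vhosts)} vhosts: {', '.join(vhosts)}")
```

Where per-user directories are not needed, Apache's `UserDir disabled` directive turns this mapping off.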