April 21, 2011
Dealing with a phishing attack
That is when someone is using your website to attack other websites, extract passwords, etc.
Use HORDE: the bounce messages usually indicate the path on the server from which these mails are being sent.
Once identified, first download, zip and back up these suspicious files, and save them in E:\WEB-BKUP\WEB-ATTACKS, which will be automatically backed up on Carbonite, in case there is a need for an audit trail (I don't have backups of whatever was planted on our server prior to 10 April 2011). Apparently some of these files can provide information on the attacker's identity.
Then delete them from the website. Note that this does not mean they won't come back! They are planted by an automated process that may fetch them again from somewhere on the internet.
Make sure you delete and empty the Horde folder so that you can monitor whether any other emails are bouncing. This is very useful for detecting whether the attack has been stemmed.
From the shell, check all zip files (a phishing attack usually drops a zip file that expands into the fake website).
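An added example for the "check all zip files" step, not part of the original note: a POSIX shell script that inventories archives under a web root by their ZIP file signature rather than by extension (a planted kit is often renamed), so each one can be copied to the backup location before it is deleted. It assumes the web root path is passed as the first argument (placeholder /path/to/webroot).

```shell
#!/bin/sh
# Added example, not from the original note. Finds ZIP archives under a web root
# by their magic bytes, then lists each one's contents for review.
# Assumption: the web root is given as $1, e.g. /path/to/webroot (placeholder).

# Print every regular file under $1 whose first 4 bytes are the ZIP local-file
# header signature "PK\003\004" (hex 50 4b 03 04), one path per line.
# Catches archives renamed to .jpg, .txt etc.; an empty archive uses a
# different signature and is not reported.
find_zip_archives() {
    root="$1"
    find "$root" -type f 2>/dev/null | while IFS= read -r f; do
        sig=$(head -c 4 "$f" 2>/dev/null | od -An -tx1 | tr -d ' \n')
        if [ "$sig" = "504b0304" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# For each archive found, show its owner and modification time and, when
# unzip is available, the files it would expand into (a fake site typically
# unpacks to HTML/PHP pages plus images). Nothing is deleted here.
report_zip_archives() {
    root="$1"
    find_zip_archives "$root" | while IFS= read -r f; do
        printf '== %s\n' "$f"
        ls -l "$f"
        if command -v unzip >/dev/null 2>&1; then
            unzip -l "$f"
        fi
    done
}

if [ $# -ge 1 ]; then
    report_zip_archives "$1"
fi
```

Run it as `sh find_kits.sh /path/to/webroot` and copy the reported files to the backup folder before removing them from the site.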