To delete a spam/malware site or not?

Forums › Off topic › To delete a spam/malware site or not?

Tel69

Tel69
261 posts

Ultimate Geek

Trusted

Lifetime subscriber

#44003 23-Oct-2009 18:42

Hi all,

I have an interesting one. I got a malware link via a spam e-mail.
It was VERY amateur it say the least. (In the form in ftp://user:pass@11.1.1.1/randomnumber.htm

So I used my FTP client to get the file and sure enough on total antivirus a 20% hit rate for a malware downloader.
Looking at the html it's encrypted. (Haven't figured how yet)
Soooo, I downloaded the whole site.
Then I renamed the randomnumber.htm to r.htm on the site so no-one could get to the malware link.
On investigating the sites other pages, loads of encrypted pages, loaded of porn banners.

I'm wondering if I should just delete the whole site via FTP.
This is not an ethical debate on wether or not I'm perceived as hacking following a link sent to me by malware (Which just happened to contain the username and password DUH!), but more an ethical debate on if I should kill the whole site to stop the idiots who would click on links like that for the site.

Cheers,
Tel
EDIT : fixed some typos and clarified.

Tel69

Tel69
261 posts

Ultimate Geek

Trusted

Lifetime subscriber

#266438 23-Oct-2009 18:55

Oh, the site is in turkey, so they are not up yet, BUT each time I connect when I disconnect I change my IP.
You gotta be safe especially downloading a malware installers complete site. :)

zocster

1983 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#266447 23-Oct-2009 19:25

Dodgy, have a read at this and this.

Andy Ghozali Geekzone Member	E: andy@ghozali.ru M: +64 21 395 458 A: Andy's Business Services, 231 High St, Christchurch 8011, NZ
www.andy.mobi

Tel69

Tel69
261 posts

Ultimate Geek

Trusted

Lifetime subscriber

#266458 23-Oct-2009 20:05

Interesting.
The ftp server running this is FileZilla Server, but strangely enough their site has been majorly done over with heaps of malware http code and porn site banners and a "mass_send.php" in a whole load of directories.

I'd say your right, it was a legit site but has been compromised, probably by your first link.
The IP address itself seems to be a user of "Radore Telekomunikasyon" in Turkey.

Your thoughts on should I go to the effort to force the admin of this FTP server to look at their security?
(Read delete everything off the site as it's almost all malware and porn links now)

zocster

1983 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#266463 23-Oct-2009 20:39

hmm i guess if you're kind enough to spend time, sure why not let them know. from the articles i read, I think not saving ftp password on your local machine is a good start lol.

Andy Ghozali Geekzone Member	E: andy@ghozali.ru M: +64 21 395 458 A: Andy's Business Services, 231 High St, Christchurch 8011, NZ
www.andy.mobi

Tel69

Tel69
261 posts

Ultimate Geek

Trusted

Lifetime subscriber

#266475 23-Oct-2009 21:28

Yes it definately is Andy, lol.
I think this should serve as a warning for the person who runs the ftp site. (saved as warning.txt on the FTP site)

"Your security is comprimised.
Change ALL your FTP, online (Internet banking and the such passwords) and your local user passwords on the machine.
Then use SFTP as opposed to open FTP from now on."

Hopefully that should give them an idea they have been compromised.