My Linode was hosting a phishing site, why was it shut off after only 24 hours?
Linode
Linode Staff
I received a report that my Linode was hosting a phishing website. My Linode had network restrictions placed on it after 24 hours. Why?
1 Reply
We have a low tolerance policy when it comes to phishing websites or phishing spam. When Linode receives a verified complaint of phishing content being hosted on or sent by a server our platform, we fully restrict network access to that machine if the issue has not been resolved within 24 hours.
Phishing websites and spam present an immediate danger to anyone who may interact with them, so it is important for us to mitigate these issues as early as possible. This helps prevent the spread of phishing content, which in turn lowers the chances of them successfully soliciting confidential information.
How did a phishing site end up on my Linode?
More than likely, this is the result of a compromise. We have a great guide for recovering from a compromise here.
If your Linode has been compromised, we strongly suggest that you audit and reevaluate your Linode's security going forward. We also have a guide on strengthening your Linode's security which can be found here.
In general, you should be sure to keep your operating system and any applications you are running up-to-date. Tools such as Cisofy's Lynis can also help by auditing your current system configuration for common vulnerabilities.
You might also benefit from a dedicated security consultant, such as Sucuri. These companies can help you recover from serious compromises, and put measures in place to mitigate reoccurrence.
Connecting to your Linode while network restrictions are in place
We have a community post that goes over how to fix your Linode while restrictions are in place here.
How can I remove the phishing content?
First, you will want to ensure that your Linode is booted into rescue mode. This is a safe environment in which you are able to perform system recovery and disk management tasks. For details on how to boot into rescue mode, feel free to reference this section of our Rescue and Rebuild guide.
Once your Linode is booted into rescue mode, it is recommended to perform a scan using ClamAV. ClamAV is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats. We have a guide here on configuring and running a scan using ClamAV.
After ClamAV has run and you have ensured that no malware is present on your Linode, auditing your web server's directories for files that do not belong is the next step. Look for any files that should not belong there. If you have not made any changes to these directories, using the date stamp can be very helpful.