- This topic has 4 replies, 3 voices, and was last updated 5 months, 4 weeks ago by mungar.
March 7, 2024 at 12:55 am #128916
gman (Participant)

Hello Diego,
I completed section 3.3 “Cloning Websites & Uploading Them to The Cloud” and uploaded the Facebook login source files about a week ago. No files have been modified to capture credentials.
Today I received the following email apparently from:
SUBJECT: Your AWS Abuse Report [15397950604] [AWS ID 471112961935]
From: [email protected]
==========================================================
We’ve received a report(s) that your AWS resource(s)
AWS ID: 47111296xxxx Region: us-east-1 EC2 Instance ID: i-060ef4da7288xxxxx
AWS ID: 47111296xxxx Region: us-east-1 EC2 Instance ID: eni-05b58791d1f2xxxxx
has been implicated in hosting content that resembles a phishing website. Hosting a phishing website is forbidden in the AWS Acceptable Use Policy (https://aws[.]amazon[.]com/aup/). We’ve included the original report below for your review.
Please take action to remove the reported content and reply directly to this email with details of the corrective actions you have taken. If you do not consider the activity described in these reports to be abusive, please reply to this email with details of your use case.
…
Regards,
AWS Trust & Safety
Detailed abuse report information is included below.
========================================================================
Resource: i-060ef4da7288xxxxx
Region: us-east-1
Resource: eni-05b58791d1f2xxxxx
Region: us-east-1
Abuse Case: 1539795xxxxxx
————————————————————————
Logs:
————————————————————————
http://54[.]172[.]xx[.]xxx/
————————————————————————
Comments:
————————————————————————
* Log Extract:
<<<
Hello,
We have discovered a phishing attack located on your network:
http://54[.]172[.]xx[.]xxx/ [54.172.xx.xxx]
It is possible that this attack is being restricted so it is only visible from certain countries. Before deciding that the attack has been resolved please confirm it cannot be viewed from the following countries:
United States
This attack targets our customer, Facebook, website URL https://www[.]facebook[.]com/.
Would it be possible to have the fraudulent content, and any other associated fraudulent content, taken down as soon as you are able to?
Additionally, please keep the fraudulent content safe so that our customer and law enforcement agencies can investigate this incident further once the site is offline.
…
==========================================================
Any suggestions or recommendations?
They ask for a reply about my corrective actions. How should I reply?
Thank you in advance.

March 8, 2024 at 12:13 am #129154
Diego Pérez (Moderator)

Hi!
Just tell them the truth. And maybe replace the Facebook login page with another page (it could be the default Apache page) or shut down the instance while you are not practicing.
Greetings!
Diego

May 27, 2024 at 6:32 pm #154442
mungar (Participant)

Gman,
How did you resolve this? I ran into something similar, and shutting down the instance while not using it does not help; within seconds of creating the DNS record, Facebook picked up the phishing site. Were you or Diego able to create a default page and PHP login script, which captures ID and password and reroutes to a different site, which would not be reported as phishing to AWS?

May 27, 2024 at 9:32 pm #154495
Diego Pérez (Moderator)

Hi!
You can use a less popular website like http://testphp.vulnweb.com/; the exercise is the same, but this time it shouldn’t be reported.
Greetings!
Diego

May 28, 2024 at 1:49 am #154498
mungar (Participant)

OK, just to be clear: clone that site's HTML, vulnweb.com, as the index.html and use the same login.php as noted in the Facebook exercise.