
UPDATE: Seems it was a fake email, so not really that urgent, but the questions are still valid.

So I received an email about a VPS I host (I'm a VPS hosting company; this is a customer VPS) being used for phishing sites, on both IPs of the VPS, and I'm wondering what to do. I tried setting my local hosts file so that I'd see their phishing site, but it didn't seem to work, and no, I didn't do it wrong :P

Anyway, that aside, at the moment I'm grepping the whole OpenVZ directory for the particular domain; however, nothing has come up.

So I guess what I'm wondering is:

  1. Is there some cool fancy tool I don't know about that lets you check if an IP:[port optional] answers to a vhost/domain? (Maybe that needs a 2nd question? :) )
  2. This VPS is running nginx; what should I be looking for? (At the moment all I see is some proxy stuff to vk.com; maybe the phishing email I got is old?)
  3. Any other advice.

    cat /etc/nginx/conf.d/default.conf
    server {
        listen xxx.xxx.199.213:30;
        server_name redirectvk;
        access_log /dev/null;
        location / {
            proxy_bind xxx.xxx.199.213;
            proxy_pass http://vk.com:80;
        }
    }

    server {
        listen xxx.xxx.199.213:31;
        server_name redirectlvk;
        access_log /dev/null;
        location / {
            proxy_bind xxx.xxx.199.213;
            proxy_pass http://login.vk.com:80;
        }
    }

    server {
        listen xxx.xxx.199.213:32;
        server_name redirectmvk;
        access_log /dev/null;
        location / {
            proxy_bind xxx.xxx.199.213;
            proxy_pass http://m.vk.com:80;
        }
    }

    server {
        listen xxx.xxx.199.213:80;
        server_name redirectvk;
        access_log /dev/null;
        location / {
            proxy_set_header Host $host;
            proxy_bind xxx.xxx.199.213;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://5.9.90.49:80/;
        }
    }

    server {
        listen xxx.xxx.199.214:30;
        server_name redirectvk;
        access_log /dev/null;
        location / {
            proxy_bind xxx.xxx.199.214;
            proxy_pass http://vk.com:80;
        }
    }

    server {
        listen xxx.xxx.199.214:31;
        server_name redirectlvk;
        access_log /dev/null;
        location / {
            proxy_bind xxx.xxx.199.214;
            proxy_pass http://login.vk.com:80;
        }
    }

    server {
        listen xxx.xxx.199.214:32;
        server_name redirectmvk;
        access_log /dev/null;
        location / {
            proxy_bind xxx.xxx.199.214;
            proxy_pass http://m.vk.com:80;
        }
    }

    server {
        listen xxx.xxx.199.214:80;
        server_name redirectvk;
        access_log /dev/null;
        location / {
            proxy_set_header Host $host;
            proxy_bind xxx.xxx.199.214;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://5.9.90.49:80/;
        }
    }

Thanks!

(Also, how did ladadada get the config post to look so nice? Mine went all fubar :?)

Joshua D'Alton
  • Thanks ladaadadaa, couldn't figure out how to format it properly, was just googling it when you fixed it :D Cheers! – Joshua D'Alton Mar 22 '13 at 14:24
  • You're very focused on vhosts, but are you certain it's not just in a directory of one of your legitimate vhosts? That's the most common way these phishing sites occur. – ceejayoz Mar 22 '13 at 14:25
  • No clue, not my VPS, belongs to a customer. I've suspended the VPS for now; no skin off my nose if the guy replies and is like ZOMG GOT HACKED, fine, if not, he'll probably just move to the next budget VPS service :) To clarify, I run a VPS hosting service, he has the VPS with me. – Joshua D'Alton Mar 22 '13 at 14:27

1 Answer

vk.com is the most popular Russian social network (think facebook.com).

So you got to host the Russian phishers' proxy server. The actual landing pages are hosted elsewhere: they set up multiple servers with multiple hosters and a proxy server (like yours). Phishers do a mass mailing campaign with links to the proxy and then just change the redirects to the next hosting site as the current one gets closed by its hoster. So phishers get a longer-lasting effect from their mass mailing.

Alex P.
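The two practical points in this thread, checking whether an IP:port answers for a given vhost (question 1) and spotting the relay pattern in an nginx config that the answer describes (question 2), as an added example that is not part of the original question or answer. The script is mine; the function names are my own, and SAMPLE_CONF is a constructed, shortened copy of the posted config with the asker's redacted xxx.xxx.199.213 replaced by the documentation address 192.0.2.213 and a plain static vhost added as a control. It parses `server {}` blocks, flags the traits the posted config shows (access_log sent to /dev/null, proxy_pass to a host off the box, listeners on odd ports) and builds the raw HTTP request you would otherwise send with `curl -H 'Host: <domain>' http://<ip>:<port>/`.

```python
"""Audit an nginx config for relay-style vhosts and probe an IP:port for a vhost.
Added example, not from the original post; function names are the author's own."""
from __future__ import annotations

import ipaddress
import re
import socket
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed sample: abbreviated from the config posted in the question, with
# 192.0.2.213 (documentation range) standing in for xxx.xxx.199.213, plus one
# ordinary static vhost as a control that should not be flagged.
SAMPLE_CONF = """
server { listen 192.0.2.213:30; server_name redirectvk; access_log /dev/null;
         location / { proxy_bind 192.0.2.213; proxy_pass http://vk.com:80; } }
server { listen 192.0.2.213:80; server_name redirectvk; access_log /dev/null;
         location / { proxy_set_header Host $host; proxy_pass http://5.9.90.49:80/; } }
server { listen 80; server_name www.example.com; root /var/www/example; }
"""


@dataclass
class ServerBlock:
    listen: list[str]
    server_name: str
    access_log: Optional[str]
    proxy_pass: list[str]


def parse_server_blocks(conf: str) -> list[ServerBlock]:
    """Extract each server { ... } block by brace matching; directives inside
    nested location {} blocks are attributed to the enclosing server."""
    blocks: list[ServerBlock] = []
    pos = 0
    while (m := re.search(r"\bserver\s*{", conf[pos:])) is not None:
        start = pos + m.end()
        depth, j = 1, start
        while depth and j < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[j], 0)
            j += 1
        body = conf[start:j - 1]
        directives = re.findall(r"(\w+)\s+([^;{}]+);", body)

        def pick(name: str) -> list[str]:
            return [v.strip() for d, v in directives if d == name]

        access = pick("access_log")
        blocks.append(ServerBlock(pick("listen"), " ".join(pick("server_name")),
                                  access[-1] if access else None, pick("proxy_pass")))
        pos = j
    return blocks


def listen_port(listen: str) -> Optional[int]:
    """'192.0.2.213:30' -> 30, '80' -> 80, '[::]:443' -> 443, unix sockets -> None."""
    addr = listen.split()[0]
    port = addr.rsplit(":", 1)[-1] if ":" in addr else addr
    return int(port) if port.isdigit() else None


def is_external_upstream(target: str) -> bool:
    """True when proxy_pass points somewhere other than loopback or a unix socket."""
    host = urlparse(target).hostname
    if host is None or host in ("localhost", "unix"):
        return False
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True  # a DNS name such as vk.com (or an upstream{} name): treat as external


def flag_server(block: ServerBlock) -> list[str]:
    """Reasons a vhost looks like a phishing relay rather than a site served from disk."""
    reasons = []
    if block.access_log in ("/dev/null", "off"):
        reasons.append("access logging disabled")
    for target in block.proxy_pass:
        if is_external_upstream(target):
            reasons.append(f"proxies to external upstream {urlparse(target).hostname}")
    for port in map(listen_port, block.listen):
        if port is not None and port not in (80, 443):
            reasons.append(f"listens on non-standard port {port}")
    return reasons


def audit_config(conf: str) -> dict[str, list[str]]:
    """Map each server's listen spec to its list of findings ([] means nothing odd)."""
    return {" ".join(b.listen): flag_server(b) for b in parse_server_blocks(conf)}


def build_vhost_request(host: str, path: str = "/") -> bytes:
    """Raw HTTP/1.1 request asking a specific ip:port for a specific virtual host."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")


def probe_vhost(ip: str, port: int, host: str, timeout: float = 5.0) -> str:
    """Connect straight to ip:port (bypassing DNS and the hosts file), send the
    Host header and return the status line. Needs network access."""
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        sock.sendall(build_vhost_request(host))
        data = b""
        while b"\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.split(b"\r\n", 1)[0].decode("latin-1")
```

Run `audit_config(open('/etc/nginx/conf.d/default.conf').read())` on a suspect box and anything with findings deserves a look; the control vhost on port 80 comes back clean. For the probe, note that each block in the posted config is the only server on its IP:port, so nginx will answer with that block no matter what Host you send, which is why `probe_vhost(ip, 30, 'whatever.example')` returns the upstream's status line regardless of the vhost name; the port, not the Host header, is what selects the relay here.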