It started with a craving for pad thai at midnight.
What it turned into was a deep dive into compromised infrastructure, phishing kits, and the digital underworld of abandoned servers. This is the story of how a hacked UberEats account led to uncovering a live zombie machine being used to harvest credentials at scale.
The Hack: An $87 Order I Never Placed
A few nights ago, a notification buzzed in at 3:42 AM. An UberEats order confirmation — $87.43 worth of food delivered to an address across the city. An address I'd never seen. A device I'd never used.
Seconds later, the security alert hit my inbox.
The email spelled it out clearly: someone had logged into the account from an unrecognized Linux device, originating from an IP geolocated to Eastern Europe. The session was active for just long enough to place the order and vanish.
After securing the account — new password, 2FA enabled, active sessions revoked — the immediate fire was out. But that IP address in the alert was still sitting there. And curiosity is a dangerous thing for someone who knows how to use a terminal.
Pulling the Thread: Tracing the IP
The IP from the security alert wasn't a VPN exit node or a Tor relay. It was a static address assigned to a small hosting provider. That alone was interesting: account-takeover tooling typically routes its logins through rotating residential proxies so each attempt looks like an ordinary customer. This one didn't bother.
A quick Shodan lookup told a story all on its own.
The server was running CentOS 7, an operating system that reached end-of-life on 30 June 2024. Its TLS certificate had expired months earlier. Shodan listed 4 critical and 12 high-severity CVEs for the host; those are inferred from the banner versions rather than verified, but the host also appeared on multiple threat intelligence feeds, which says more about what it was being used for than any CVE count does.
This wasn't a sophisticated attacker's carefully maintained C2 server. This was someone's forgotten infrastructure — a machine that had been quietly rotting on the internet, eventually discovered and repurposed by whoever found it first.
Port 22: Wide Open and Waiting
The next step was targeted reconnaissance. A focused nmap scan and SSH audit revealed exactly what you'd expect from a neglected box.
OpenSSH 7.4, released in December 2016. Password authentication enabled. Root login allowed. Weak key exchange algorithms still offered. The HTTP headers showed nginx 1.12.2 serving pages through PHP 5.4.16; upstream stopped patching the PHP 5.4 branch in September 2015. One caveat worth keeping in mind: these are exactly the versions CentOS 7 shipped, and Red Hat backported security fixes to them without changing the version strings, so banners alone don't prove a box was never patched. With the distribution itself out of support since June 2024, though, no fixes have been published for it since.
Every single finding pointed to the same conclusion: this server had been set up years ago, probably for legitimate hosting, and then completely abandoned by its owner. No patches. No monitoring. No one watching the front door — which was wide open.
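What the "SSH audit" step actually looks at is the version banner and the server's KEXINIT message, which every SSH server sends unencrypted before key exchange and which lists every algorithm it is willing to negotiate. The following is an added example, not the author's tooling or the output of the scan in the post: a small Python audit that parses a banner and a KEXINIT payload and flags legacy algorithms. The weak-algorithm lists, the sample banner and the sample KEXINIT are my own assumptions (the sample is roughly what a permissive legacy sshd offers, not a capture from the server described above).

```python
import re
import socket
import struct

# KEXINIT name-list fields in wire order (RFC 4253 section 7.1).
KEX_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

# Assumed lists of algorithms a maintained server should no longer offer
# (SHA-1 key exchange, CBC and RC4 ciphers, MD5/SHA-1 MACs).
WEAK = {
    "kex": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"},
    "enc": {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
            "arcfour", "arcfour128", "arcfour256", "blowfish-cbc", "cast128-cbc"},
    "mac": {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96",
            "hmac-md5-etm@openssh.com", "hmac-sha1-etm@openssh.com"},
}


def parse_banner(line: str):
    """'SSH-2.0-OpenSSH_7.4' -> (7, 4); None for non-OpenSSH banners."""
    m = re.match(r"SSH-2\.0-OpenSSH_(\d+)\.(\d+)", line.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def _name_list(buf: bytes, off: int):
    """Decode one SSH name-list: uint32 length + comma-separated ASCII."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n].decode("ascii")
    return (raw.split(",") if raw else []), off + n


def parse_kexinit(payload: bytes) -> dict:
    """Decode a KEXINIT payload (starts at the type byte, 20) into its lists."""
    if not payload or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 1 + 16, {}          # skip type byte and 16-byte cookie
    for field in KEX_FIELDS:
        out[field], off = _name_list(payload, off)
    return out


def build_kexinit(lists: dict) -> bytes:
    """Encode a KEXINIT payload; used below to construct sample server data."""
    body = bytes([20]) + bytes(16)
    for field in KEX_FIELDS:
        s = ",".join(lists.get(field, ())).encode("ascii")
        body += struct.pack(">I", len(s)) + s
    return body + b"\x00" + bytes(4)   # first_kex_packet_follows, reserved


def weak_offers(kexinit: dict) -> dict:
    """Weak algorithms the server advertises, by category (empty if none)."""
    enc = set(kexinit["enc_c2s"]) | set(kexinit["enc_s2c"])
    mac = set(kexinit["mac_c2s"]) | set(kexinit["mac_s2c"])
    found = {"kex": sorted(set(kexinit["kex"]) & WEAK["kex"]),
             "enc": sorted(enc & WEAK["enc"]),
             "mac": sorted(mac & WEAK["mac"])}
    return {k: v for k, v in found.items() if v}


def fetch_kexinit(host: str, port: int = 22, timeout: float = 5.0):
    """Live variant: return (banner, kexinit_payload) from a real server.
    The first packet after the banner is unencrypted and unauthenticated."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-audit_example\r\n")
        f = sock.makefile("rb")
        for line in f:                     # servers may send pre-banner lines
            banner = line.decode("ascii", "replace").strip()
            if banner.startswith("SSH-"):
                break
        else:
            raise ConnectionError("no SSH banner received")
        packet_len, pad_len = struct.unpack(">IB", f.read(5))
        payload = f.read(packet_len - pad_len - 1)
        return banner, payload


# Constructed sample: roughly what a permissive legacy sshd offers.
# Not a capture from the server in the post.
SAMPLE_LISTS = {
    "kex": ["curve25519-sha256", "diffie-hellman-group-exchange-sha1",
            "diffie-hellman-group14-sha1"],
    "hostkey": ["ssh-rsa", "ecdsa-sha2-nistp256", "ssh-ed25519"],
    "enc_c2s": ["aes128-ctr", "aes256-ctr", "3des-cbc"],
    "enc_s2c": ["aes128-ctr", "aes256-ctr", "3des-cbc"],
    "mac_c2s": ["hmac-sha2-256", "hmac-sha1"],
    "mac_s2c": ["hmac-sha2-256", "hmac-sha1"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
}
SAMPLE_BANNER = "SSH-2.0-OpenSSH_7.4"


def audit(banner: str, payload: bytes) -> dict:
    """Combine banner version and weak-algorithm findings into one report."""
    return {"openssh": parse_banner(banner),
            "weak": weak_offers(parse_kexinit(payload))}


if __name__ == "__main__":
    print(audit(SAMPLE_BANNER, build_kexinit(SAMPLE_LISTS)))
```

Against a live host, `fetch_kexinit(host)` returns the two inputs `audit` needs. Note that this tells you what the server offers, not what it enforces: whether password authentication and root login are actually permitted is only visible when you attempt authentication, which is why ssh-audit and nmap's ssh-auth-methods script exist as separate steps.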
The Phishing Kit: A Fake UberEats Login
Here's where it got interesting. The web server had a robots.txt file with Disallow entries for several suspicious directories: /secure/, /phish/, /creds/. A Disallow line is a request to well-behaved crawlers, not access control; it does nothing to hide a path and everything to advertise it to anyone who reads the file. Whoever took over this box wasn't even trying to be subtle.
Navigating to the /secure/login.php endpoint revealed exactly what was expected — a pixel-perfect clone of the UberEats login page.
The phishing page was well-crafted. The branding was current, the form fields looked legitimate, and on mobile it would be nearly indistinguishable from the real thing. Submitting credentials here would send them straight to the attacker's collection endpoint, most likely under the /creds/ directory that robots.txt had so helpfully listed.
This is almost certainly how the account got compromised in the first place. At some point a phishing link was clicked, from a text message or an email, and credentials were entered into a page like this one. The attacker then used those credentials to log in and place a fraudulent order.
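The two checks above, reading the Disallow list and recognising a credential-harvesting form, are easy to automate for the next box you stumble on. Below is an added example of my own, not the author's tooling: it pulls the Disallow paths out of a robots.txt, then triages a page by looking for a password form, a brand name in the title that does not match the host, and a form target on a different host. The robots.txt, the HTML, the IP 203.0.113.10 and the brand list are all constructed for the example, not captures from the server in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


def disallowed_paths(robots_txt: str) -> list:
    """Collect every Disallow path from robots.txt, in order, without duplicates.
    Disallow is a request to crawlers, not access control: it advertises paths."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key.lower() == "disallow" and value and value != "/" and value not in paths:
            paths.append(value)
    return paths


class _FormScanner(HTMLParser):
    """Collect the <title> and, for each <form>, its action and whether it
    contains a password field."""
    def __init__(self):
        super().__init__()
        self.title, self.forms, self._in_title, self._form = "", [], False, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "form":
            self._form = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "text").lower() == "password":
                self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "form":
            self._form = None

    def handle_data(self, data):
        if self._in_title:
            self.title += data


# Assumed brand keywords; a real tool would take these from the target set.
BRANDS = ("uber", "paypal", "microsoft", "google", "apple")


def phish_score(page_url: str, html: str, brands=BRANDS) -> dict:
    """Heuristic triage of one page: a password form on a host that does not
    belong to the brand named in the title is the core signal. Returns the
    resolved form targets so the collection endpoint can go in the report."""
    scanner = _FormScanner()
    scanner.feed(html)
    host = (urlparse(page_url).hostname or "").lower()
    brand = next((b for b in brands if b in scanner.title.lower()), None)
    pw_forms = [f for f in scanner.forms if f["password"]]
    endpoints = [urljoin(page_url, f["action"]) for f in pw_forms]
    reasons = []
    if pw_forms:
        reasons.append("password form present")
    if brand and brand not in host:
        reasons.append("title names %r but host is %s" % (brand, host))
    if any((urlparse(e).hostname or host) != host for e in endpoints):
        reasons.append("credentials posted to a different host")
    return {"score": len(reasons), "brand": brand,
            "endpoints": endpoints, "reasons": reasons}


# Constructed inputs standing in for the box in the post (not captures).
SAMPLE_ROBOTS = """User-agent: *
Disallow: /secure/
Disallow: /phish/
Disallow: /creds/   # the "hidden" collection directory
Allow: /
"""
SAMPLE_PAGE = """<html><head><title>Uber Eats - Sign in</title></head><body>
<form action="/creds/collect.php" method="post">
  <input name="email"><input type="password" name="pw">
  <button>Sign in</button></form></body></html>"""


def triage(base_url: str, robots_txt: str, pages: dict) -> dict:
    """Walk the robots.txt Disallow list and score any page we have under it.
    `pages` maps path -> HTML (constructed here; live use would fetch them)."""
    results = {}
    for path in disallowed_paths(robots_txt):
        for sub, html in pages.items():
            if sub.startswith(path):
                results[sub] = phish_score(urljoin(base_url, sub), html)
    return results


if __name__ == "__main__":
    print(triage("http://203.0.113.10/", SAMPLE_ROBOTS,
                 {"/secure/login.php": SAMPLE_PAGE}))
```

The brand-versus-host test is deliberately loose (a lookalike domain containing the brand string passes it), so treat the score as a reason to look, not a verdict. When you do fetch pages from a suspect host, do it from a disposable network position and don't submit anything to the form: the endpoints the scanner returns are what goes in the abuse report.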
The Zombie: 847 Days of Uptime
The final piece of the puzzle rounded out the picture. An uptime fingerprint, the kind of estimate nmap and p0f derive from the TCP timestamp values a host puts in its packets, suggested the server had been running continuously for 847 days, since approximately November 2023. No reboots. No maintenance. No one home. Treat that number as a guess rather than a measurement: the timestamp counter is 32 bits wide, the tick rate behind it has to be inferred, and the estimate is wrong if the counter has wrapped or the kernel randomises its starting value.
The WHOIS data pointed to a small hosting company in Moldova with no responsive abuse contact. This is textbook zombie infrastructure: a server that was provisioned, forgotten, compromised, and then turned into a phishing platform. It sits there quietly, collecting credentials around the clock, until someone notices and pulls the plug.
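Since the uptime figure carries a lot of the narrative weight, it is worth seeing how such an estimate is produced and where it breaks. The following is an added example, not the author's scan: it estimates the tick rate from TCP timestamp (TSval) samples, converts the counter into an uptime, and reports the ceiling above which a 32-bit counter at that rate must have wrapped. The samples and the list of common kernel tick rates are constructed assumptions; the 847-day figure from the post is only used as an input to the plausibility check.

```python
TS_MAX = 2 ** 32                        # TSval is a 32-bit counter (RFC 7323)
COMMON_HZ = (10, 100, 250, 300, 1000)   # assumed typical kernel tick rates


def estimate_hz(samples) -> float:
    """samples: (wall_clock_seconds, tsval) pairs from one host, in order.
    The tick rate is the slope of TSval over wall time; a single counter
    wrap between the first and last sample is tolerated."""
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    (t0, v0), (t1, v1) = samples[0], samples[-1]
    dt = t1 - t0
    if dt <= 0:
        raise ValueError("samples must be increasing in time")
    return ((v1 - v0) % TS_MAX) / dt


def snap_hz(hz: float, candidates=COMMON_HZ) -> int:
    """Round a measured rate to the nearest common kernel HZ."""
    return min(candidates, key=lambda c: abs(c - hz))


def uptime_days(tsval: int, hz: int) -> float:
    """Naive uptime: counter value divided by tick rate. Assumes no wrap and
    a counter that started at zero at boot (true of older Linux kernels;
    since 4.10 Linux adds a random per-destination offset, which breaks this)."""
    return tsval / hz / 86400


def max_uptime_days(hz: int) -> float:
    """Longest uptime the 32-bit counter can express before wrapping."""
    return TS_MAX / hz / 86400


def assess(samples) -> dict:
    """Full chain: tick rate, uptime guess and its wrap ceiling."""
    hz = snap_hz(estimate_hz(samples))
    return {"hz": hz,
            "uptime_days": round(uptime_days(samples[-1][1], hz), 2),
            "ceiling_days": round(max_uptime_days(hz), 1)}


def fits_counter(claimed_days: float, hz: int) -> bool:
    """Could a counter at this tick rate express `claimed_days` without
    having wrapped? If not, the figure was not read straight off TSval."""
    return claimed_days <= max_uptime_days(hz)


# Constructed samples: a host ticking at 1000 Hz, observed one second apart,
# with TSval values corresponding to 10 days of uptime. Not from the post.
SAMPLES = [(0.0, 864_000_000), (1.0, 864_001_000), (2.0, 864_002_000)]

if __name__ == "__main__":
    print(assess(SAMPLES))
    for hz in COMMON_HZ:
        print(hz, "Hz: ceiling", round(max_uptime_days(hz)), "days;",
              "847 days fits:", fits_counter(847, hz))
```

The ceiling is the practical point: at 1000 Hz the counter wraps after about 49.7 days, at 100 Hz after about 497 days, and only at 10 Hz can it directly express a figure like 847 days. So when a scanner reports a multi-year uptime, check the tick rate it guessed; if the number exceeds the ceiling for that rate, it is an artefact of the tool's arithmetic, not evidence, and the box may well have rebooted many times.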
The Bigger Picture
This single investigation — from a late-night food delivery notification to a full infrastructure analysis — illustrates a pattern that plays out thousands of times a day across the internet:
- An old server gets abandoned. The owner moves on. The bills are on autopay. Nobody's watching.
- Vulnerabilities pile up. No patches, no updates. The attack surface grows with every CVE.
- Someone finds it. Automated scanners sweep the internet constantly. A box with password auth, root login, and ancient software is trivial to compromise.
- It becomes a tool. Phishing kits get deployed. Credential harvesting begins. The server's IP still carries the reputation of its legitimate past, which provides cover until the threat intelligence feeds catch up.
- Victims get hit. Phishing links go out. People enter their credentials. Accounts get taken over. Fraudulent orders get placed.
The whole chain, from abandoned server to stolen pad thai, takes almost no effort on the attacker's part. The infrastructure was already there, waiting.
Lessons Learned
If you run servers, maintain them or shut them down. A forgotten VPS is a gift to attackers. If you're not actively using infrastructure, decommission it. Set calendar reminders. Audit your cloud accounts.
Enable 2FA on everything. If the UberEats account had 2FA enabled from the start, the stolen password alone wouldn't have been enough. This applies to every service, especially ones with payment methods attached. One caveat: a cloned login page can prompt for the SMS or app code too and relay it to the real site in real time, so a hardware security key or passkey, which is bound to the genuine site's origin, is the only second factor a page like the one above cannot harvest.
Check your credentials. Use a password manager. Check Have I Been Pwned. Don't reuse passwords. The phishing page that captured these credentials might have yielded access to other services using the same email/password combination.
Be suspicious of login links. If you get a text or email asking you to sign in, go directly to the app or website. Don't tap the link. Phishing pages are getting harder to distinguish from the real thing, especially on mobile.
Report what you find. After documenting everything, reports were filed with the hosting provider's abuse contact, relevant threat intelligence platforms, and UberEats' security team. Even if one report goes unanswered, the aggregate data helps the security community track and take down malicious infrastructure.
Stay sharp out there. The internet's full of zombie machines, and they're not all as obvious as this one.