
They took my website down due to a virus scare.

ocpmovie Registered User regular
edited November 2011 in Help / Advice Forum
My web hosting provider, Siteground, just took my website down claiming there was some sort of virus or hacking or some sort of "illegal activity" detected. The email they sent is very vague, and the email from "Singlehop" which provoked them to pull my site isn't even in good English, and simply says "defaced_site" for an explanation, as far as I can tell.

They're asking $50 an hour to fix the problem, with it taking perhaps three hours. They say the problem, which could be imaginary, has to be fixed professionally, and quick, otherwise they're deleting everything. I can't really reupload everything, as the forums and other content haven't been backed up ...

I've been hosting with Siteground for several years.

I'm very poor and being suddenly charged an unknown amount somewhere around $150 doesn't appeal to me. I already have a traffic ticket here I haven't paid. And I don't know if the complaint is legit or what.

Thoughts?


Here's the original email.
SiteGround has received a complaint from its upstream provider -
SingleHop, that some illegal activity has been performed through your
website.

The infringing material is located at:

orangecow.org

You can find the complaint we have received at the bottom of this message.

Due to the fact that this activity severely violates SiteGround's
Terms of Use and Acceptable Use Policy, we were forced to suspend your
account in order to prevent any further issues caused by the illegal
activity.

We are very much aware of the inconvenience this issue may cause you,
so we would like to take a moment and explain the reasons for our
actions: as you know, your account is hosted on a shared hosting
server and thus sharing the resources of the server with other
customers' accounts. When some illegal activity performed through a
shared hosting account is detected, we must take immediate actions to
stop that activity, otherwise we risk having the whole server
unplugged. And we cannot allow the entire hosting server with hundreds
of accounts on it to be unplugged because of one single account.

This is why the above explained precaution was absolutely necessary.

We believe the illegal activity through your account is a result of a
hacked script. For more information about such problems please check
this link:

http://kb.siteground.com/article/hacked_website.html

In order to continue using your account with us you have 3 options:

- Delete all of your web content and lose all of your web files. This
is an option in case you can easily recreate your website from
scratch. Thus you will ensure that no malicious code and backdoors are
left by the attacker.

- Have a professional security audit. This is extremely important
because the attackers always leave malicious code which is very hard
to detect. Thus they are able to infiltrate your site again, which
has devastating consequences.

To prevent this negative scenario one of our specialists will make sure
your site is clean and secured. This is an additionally paid service at
$50 per hour and the job usually takes between one and three hours.

- Clean and secure your site by yourself. This option requires
advanced technical skills and your responsibility is huge. For this
purpose we can give you 48 hours to work on your site. However, if you
don't succeed in cleaning and securing it, it will remain closed and
after that be deleted.

This case has to be fully resolved in 30 calendar days from now or
your account will be terminated and deleted automatically as per our
Terms of Use. Furthermore, in future you will have to take extra care
making sure your site remains secured. This includes applying regular
updates and security patches. Failing to do so for a second time will
lead to termination of your contract and site as per our Terms of use.

Thank you for your understanding and cooperation.

Regards,
Marin Tashkov
System Administrator
SiteGround.com


--- EMAIL COMPLAINT COPY STARTS HERE ---

Dear abuse team,

please help to close these offending portals sites(1) so far.

status: As of 2011-11-02 19:09:44 CET
http://support.clean-mx.de/clean-mx/portals.php?email=abuse@singlehop.com&response=alive

(for full uri, please scroll to the right end ...

This information has been generated out of our comprehensive real time
database, tracking worldwide portal URIs

Other affected pages for this IP may most likely be found via passive DNS;
please have a look at the other domains correlated to this IP.
example: see http://www.bfk.de/bfk_dnslogger.html?query=184.154.228.11

If you review this list of offending sites, please do this carefully,
and pay attention to redirects also!
Also, please consider that these particular machines may have a rootkit installed!
So simply deleting some files or dirs or disabling CGI may not really
solve the issue!

Advice: The appearance of a Virus Site on a server means that
someone intruded into the system. The server's owner should
disconnect and not return the system into service until an
audit is performed to ensure no data was lost, that all OS and
internet software is up to date with the latest security fixes,
and that any backdoors and other exploits left by the intruders
are closed. Logs should be preserved and analyzed and, perhaps,
the appropriate law enforcement agencies notified.

DO NOT JUST DELETE THE FILES. IF YOU DO NOT FIX THE SECURITY
PROBLEM, THEY WILL BE BACK!

You may forward my information to law enforcement, CERTs,
other responsible admins, or similar agencies.

|date                    |id     |virusname    |ip             |domain        |Url                 |
|2011-11-02 16:05:57 CET |325409 |defaced_site |184.154.228.11 |orangecow.org |http://orangecow.org|


Your email address has been pulled out of WHOIS concerning this
offending network block(s).
If you are not concerned with anti-fraud measures, please forward
this mail to the next responsible desk available...


If you just close(d) these incident(s) please give us a feedback, our
automatic walker process may not detect a closed case

--- EMAIL COMPLAINT COPY ENDS HERE ---

Please do NOT reply to this email. You can add comments on this issue
by logging in to your Customer Area
(https://www.siteground.com/login_page.htm) and accessing the ticket
that has been automatically opened on your behalf in connection to this
case.


Posts

  • bowen Sup? Registered User regular
    Call up their support. Have them explain and give proof.

  • Draygo Registered User regular
    edited November 2011
    Option #3

    Use that option to back up the forum database, then delete the site yourself (completely, down to all configuration options). Then reinstall and reconfigure the site (don't download it and re-upload it). While you are at it, to be sure, disable any contact forms that have the ability to send email.

    When you bring the site back online make sure all passwords are changed. If they end up closing your account after you attempted to fix it, just find another provider.

    When you are rebuilding the site make sure you are using the latest version of the forum software.

  • taliosfalcon Registered User regular
    From doing some quick googling it looks like SiteGround just resells SingleHop's services, so despite the Engrish it seems legit.

  • adytum The Inevitable Rise And Fall Registered User regular
    Those are some draconian options, jesus. Consider a different host once this is sorted out. I'd be happy to recommend the one I've been using, though their basic plan is a little bit more expensive.

  • ocpmovie Registered User regular
    edited November 2011
    So it seems I really was hacked. I sent a strongly-worded email to Siteground, and they temporarily restored my site, but it looked like this:

    http://i851.photobucket.com/albums/ab72/delaxx-ks/perfundimtari-1.png

    respawN. - Pow3rHacK. - PIROMAN+ - K1X
    We Are From Albanian !! You think you control this domain, i dont't think so !!!
    Msn / Contact : albanianhackerz@live.com
    Message From Albanian Hackers : Don't Fuck With Albanian Hackers

    AHZ - Crew




    Siteground told me the following:
    I have scanned your hosting account and found the following files being infected with malicious content:

    /jonason/sourrainbow.php
    /schat/images/fb5.php
    /schat/images/license.php
    /schat/images/shelli.php
    /chat/info.php

    I strongly recommend that you delete the files above.

    After this you need to upgrade your applications to their latest versions, since outdated applications contain known bugs for hackers and they can take advantage of your entire hosting account through them.

    Currently you have a phpBB in the public_html/board directory version 3.0.8 and the latest version is 3.0.9.

    I would also recommend that you change the passwords for your cPanel and FTP users + the passwords for your MySQL users.

    Feel free to update this ticket once you complete these steps or if you need further assistance.

    Best Regards,
    Atanas S.
    SiteGround.com


    I deleted the files and directories in question ... "sourrainbow" identifies itself in the PHP as a cheap, pre-made hacking script of some kind. The other directories are very old chat programs I don't even use anymore.
    I'm going to change my passwords and all, but now I really am worried something is still on the server somewhere.

    I do run a message board which often gets spam, but I don't approve the posts or users so no one sees that ....

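The file list above is the classic webshell footprint: a "pre-made hacking script" dropped into an unused directory, and PHP files placed where only images should live (/schat/images/fb5.php). A customer on shared hosting can triage for exactly those two signals without waiting for the host. The scanner below is an added example written for this page, not code from the thread or from SiteGround; the directory names it treats as static-only, the regex patterns, and the sample files it writes into a temporary directory are all constructed for the demo, and it is a triage aid, not a replacement for the rebuild-from-clean-install advice given in the thread.

```python
"""Triage scan of a web root for webshell indicators (added example, not from the thread).

Two signals visible in the host's cleanup above: PHP files sitting in directories
that should hold only static content (schat/images/fb5.php), and PHP source that
carries the usual backdoor idioms (eval over a decoded blob, command execution fed
straight from request parameters).  Everything here is constructed for the demo;
the pattern list is illustrative, not exhaustive, and will not catch every shell.
"""
import os
import re
import sys
import tempfile

# Directory names where a .php file is suspicious by location alone (assumption).
STATIC_DIR_NAMES = {"images", "img", "uploads", "upload", "files", "cache", "tmp"}

# (pattern, reason) pairs typical of drop-in shells and injected backdoors.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
     "eval of decoded payload"),
    (re.compile(r"\b(system|passthru|shell_exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
     "command execution on request input"),
    (re.compile(r"\b(exec|system|passthru|shell_exec|popen|proc_open)\s*\(", re.I),
     "command execution function (noisy; review by hand)"),
    (re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
     "request parameter called as a function"),
    (re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{100,}", re.I),
     "long inline base64 blob"),
]
PHP_EXTENSIONS = (".php", ".phtml", ".php3", ".php4", ".php5", ".phar")


def scan_webroot(root: str) -> dict[str, list[str]]:
    """Walk `root`; return {relative posix path: [reasons]} for PHP files worth a look."""
    findings: dict[str, list[str]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons: list[str] = []
            # Location check: any parent directory named like a static-content dir.
            if STATIC_DIR_NAMES & {p.lower() for p in rel.split("/")[:-1]}:
                reasons.append("PHP file in static-content directory")
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
            except OSError:
                reasons.append("unreadable file")
                findings[rel] = reasons
                continue
            # Content check: every matching pattern is reported, in list order.
            for pattern, reason in SUSPICIOUS_PATTERNS:
                if pattern.search(src):
                    reasons.append(reason)
            if reasons:
                findings[rel] = reasons
    return findings


def build_sample_webroot(base: str) -> None:
    """Write a constructed tree shaped like the thread's findings (sample data, not real files)."""
    samples = {
        "board/index.php": "<?php\ndefine('IN_PHPBB', true);\nrequire 'common.php';\necho 'board';\n",
        "board/config.php": "<?php\n$dbhost = 'localhost';\n$dbname = 'forum';\n",
        "schat/images/logo.png": "not a real png, and not PHP, so the scanner skips it\n",
        "schat/images/fb5.php": "<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>\n",
        "jonason/sourrainbow.php": "<?php if (isset($_GET['cmd'])) { passthru($_GET['cmd']); } ?>\n",
        "chat/info.php": "<?php $_POST['f']('id'); ?>\n",
    }
    for rel, body in samples.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo() -> dict[str, list[str]]:
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        return scan_webroot(tmp)


if __name__ == "__main__":
    # Usage: python webshell_triage.py [/path/to/public_html]; with no argument, runs the demo.
    results = scan_webroot(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path in sorted(results):
        print(path)
        for reason in results[path]:
            print("    -", reason)
```

Run it against a downloaded copy of public_html rather than on the live host where possible, and treat every hit as a lead, not a verdict: the bare "command execution function" pattern fires on legitimate admin tooling, while a shell that hides behind variable indirection or string concatenation will slip past all five patterns. The complaint's warning still stands: if the server itself (not just the account) was rooted, a file scan from inside the account proves nothing.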
  • Draygo Registered User regular
    Back up your forum, delete the old forum and database. Install the latest version of phpBB from scratch and restore. Well, you may have to install version 3.0.8, restore, then update to 3.0.9. It has been a while.

    Also install more effective antispam tools to your forums to mitigate bot registrations even further.

  • adytum The Inevitable Rise And Fall Registered User regular
    edited November 2011
    Yeah, that second response is much more reasonable than "nuke your site or pay us lots of money."

    What probably happened- and this is pretty common- is that you're using a site app (forum, photo gallery, whatever) offered by the hoster that had a vulnerability that was exploited. Happens all the time. Update your software regularly and keep an eye out!

  • ocpmovie Registered User regular
    edited November 2011
    I just deleted a few stray files with names like bot.php and a directory called _vti_pvt which looked suspicious to me [although I'm probably just being stupid]. If it's actually important for the server's functioning they'll probably let me know. I did save it to my HD.

    I wouldn't be surprised if it was the old chat programs which the hackers exploited. They're gone now, so ...

    I have checked your hosting account and did not detect any more security risks.

    I am glad to inform you that the limits placed on your account have been lifted.

    I would also like to thank you for the cooperation in resolving this case.

    However please note that if this issue appears again we will be forced to suspend the account again.

    I would recommend that you always keep your applications up to date and change your cPanel password occasionally in order to avoid such issues in the future.

    I will now close this ticket and consider this case solved.

    Best Regards,
    Atanas S.
    SiteGround.com

  • Draygo Registered User regular
    The folders that start with _ are typically (read: should be) hidden from being accessed externally (example.com/_private won't work, for example, even if there is a _private folder on your FTP/cPanel) and are used for a variety of things. Sometimes you can find the database files stored away in a folder like that. Often they are used by FrontPage extensions to store file information about your files etc.

    I would update your forums as your next step and then look at getting one of those decent registration anti-spam modules to mitigate spam bots using the registration form.

  • SeñorAmor !!! Registered User regular
    FrontPage extensions require folders like _vti_pvt (there are 4 others as well). Unless you use FrontPage to manage your site, I think you're ok having deleted that folder.

    I'm curious as to what the malicious code was in a PHP file. It's likely a redirect to a different website, but I still wonder what they found that was bad. I don't suppose you'd mind PM'ing it to me, would you?

  • Shogun Hair long; money long; me and broke wizards we don't get along Registered User regular
    the real question here is who in Albania has the OP thoroughly outraged

  • Aldo Hippo Hooray Registered User regular
    Shogun wrote:
    the real question here is who in Albania has the OP thoroughly outraged

    Although slightly off-topic, it's worth mentioning that there are countless similar groups who just roam the internet looking for any sites with an exploit they can abuse. Wondering why you were targeted is akin to wondering why you're getting all that viagra spam.

  • shutz Registered User regular
    Having worked for a hosting company for about 2 years, I can tell you that it's likely your site wasn't the only one that was affected: if you're paying a very low monthly price, that means you're on shared hosting (meaning dozens if not hundreds of sites on the same server). Very often, once hackers find a way onto a shared hosting server, they'll hack every account they can. Or, if they're exploiting a vulnerability in well-known web site software (such as WordPress, or in your case, phpBB) they'll find all the instances of that software on the server, and hack them simultaneously.

    By the way, the kind of defacement you appear to have been a victim of is common, and usually, all the hackers do is change your index page, without compromising the rest of your site. Updating your forum software, after deleting any suspect files, is often enough.

    But your best bet, if your host doesn't do its own backups of your files and databases, is to do your own, regularly. Note that, if your host uses a hosting control panel software, such as cPanel (which is very common) then the backup functionality is usually included, and very easy to use.

    The place I worked at made daily backups of all shared hosting accounts, and kept the last 2 weeks' worth of backups. If you requested a restore from those backups (whether a single file, multiple files and/or folders, or a full restore of your hosting) the charge was $5, to cover the work involved -- but we still encouraged customers to make their own backups, and when the customers couldn't restore directly from those backups, we would usually do it for them, free of charge.

    I suspect that the $50 charge mentioned in the email was part of a template message that was sent to all customers who were affected. A lot of people would rather pay $50 and get it all fixed than try to restore their site themselves, so the host takes advantage of that. The reason the second email was "nicer" is that they must have recognized that your case didn't warrant as much work, so instead of sticking to the template, they gave you the help you needed.

  • galdon Registered User regular
    Maybe I'm ignorant of how things work, but I'd think that if my domain host got hacked and my site was damaged because of it, the one paying for repairs ought to be the host, not the customer.
