
Thread: Site Disabled Due To Malicious Files

  1. #1
    Registered
    Join Date: Feb 2007 | Location: USA | Posts: 24 | Rep Power: 0

    Site Disabled Due To Malicious Files

    I got an email this morning from Powweb saying that they've disabled my site due to finding malicious files.

    Why would you disable my entire site without warning? It turns out the files were from an old wordpress installation that had been compromised by some script kiddies. I had cleaned it up and apparently there were some remnant files left behind.

    I'm absolutely fine with Powweb running these scans but they should send a warning before disabling the entire site! I would have been fine with an email saying you have 24 hours to clean up your site or it will be disabled.

    I cleaned up the files then replied to the email asking for my services to be reactivated. When I got no reply from that, I contacted live chat and was told it will take 12 hours for my site to be reenabled!

    So Powweb will shut down my site without warning and no matter how quickly I respond and fix the issue, I'll be offline for 12 hours???

    Considering that the email ends with a suggestion to use powwebs new "Sitelock" tool, which of course costs an extra fee per month, this is looking more like a ransom demand than anything... "If your site ever has any malicious files, we'll shut it off for at least 12 hours. ...but if you use our paid service..."

    This is ridiculous. I sincerely hope that Powweb decides they need to either give warnings first, or reactivate sites much faster. If not, they'll lose customers.

    No one should have to worry that their PAID service may be shut off at a moments notice and kept offline for 12+ hours unless they pay for another monthly service. If this was a FREE web site, I'd have no complaints. I am PAYING for service that powweb has chosen to stop providing for 12 hours at a time. Will I be credited for the downtime imposed upon me?

    Here is the email I received:

    Hello,

    When we conducted a routine scan, we found infected or malicious files in your account [my account name]. We have uploaded a file named 'list.txt' within the directory /stats/ of your account which contains the full list of files.

    To prevent these from being used to infect additional files on your account, and to prevent potential issues for visitors to your website or your domains status with search engines, we have temporarily suspended web services.

    This kind of attack takes place when the FTP account credentials are compromised or due to loopholes in your scripts. We request you to either remove these scripts or replace them with clean copies. If possible it's recommended to delete the entire site and upload a known clean copy; this should then erase any other code which may have been injected into your pages to allow 'back-door' access by unauthorized people.

    Once services are restored it's recommended that you take the following actions to secure your account from further malicious attack:
    1. Upgrade all the applications in your account, including any extensions/themes, to their latest stable versions.
    2. Update your control panel and any additional FTP account passwords.
    3. Remove unwanted FTP sub-users.

    Please take appropriate actions and reply back to us so that we can restore the services.

    If you require additional help in securing your website, we recommend that you use the SiteLock Fix product, which scans your website daily and removes any malicious content. To learn more about it, please visit the link below:
    https://secure.powweb.com/product/sitelock/

    We thank you in advance for understanding. Your cooperation will help us provide optimum service for you and all of our customers.

    Sincerely,

    [name of person withheld by me]
    Support Specialist
    Last edited by nyjosh; 5-27-15 at 04:14 PM.

  2. #2
    Builder
    Join Date: Nov 2002 | Location: Illinois | Posts: 2,088 | Rep Power: 20
    For what little it's worth I'm in complete agreement. I first saw the SiteLock spider in my logs a week(-ish?) ago. Went to their website, said to myself, "Don't need it, don't want it, you're banned." Added their spider to my banned list in .htaccess. Later that same day I got the email from Powweb announcing their "partnership" with SiteLock. Oh, well. I still don't need it, so I left the spider on the banned list.

    Next day I checked again. Curious. When that spider hit its first 403 it changed UserAgents, then stated it was coming from a really odd google.com/yahoo.com address mashup which doesn't even come close to existing. OK, you don't behave yourself in my sandbox, I go nuclear. It's now banned by IP range.

    Over the weekend I looked all over OPS for a way to opt out of this "service" and couldn't find one. So the .htaccess ban seems to be the only way. Someone can correct me if I'm wrong there.

    Now that your site is squeaky clean, and once Powweb gets you back up, add a line or 2 to your .htaccess file to ban the bot. No more shutdowns due to SiteLock. That means you'll have to keep up with CMS updates etc. but that's been your responsibility all along anyway...

    Good luck,
    Kevin
    A good friend will come and bail you out of jail...
    but a true friend will be sitting next to you saying,
    "Damn... that was fun!"

  3. #3
    Registered
    Join Date: Feb 2007 | Location: USA | Posts: 24 | Rep Power: 0
    That's a great idea, Builder! As you said, keeping things up to date is my responsibility. I'd happily let SiteLock scan my site and report back issues for me to fix, but if my site is going to get shut down when it finds something, it's doing more damage than any malware issues I've ever had (no site is worse than a broken site!).

    As of now, my site is still disabled despite live chat making my ticket "the highest priority". Once it comes back online and I verify it's actually working again, I think I will block our friends at sitelock until powweb comes up with a more responsible way of dealing with suspect files.

  4. #4
    Builder
    Join Date: Nov 2002 | Location: Illinois | Posts: 2,088 | Rep Power: 20
    Code:
    # SiteLock (Apache only honours comments on their own line, not after a directive)
    Deny from 184.154.36.
    and if you don't like anything from Singlehop.net/.com change to 184.154.


    Kevin
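The behaviour Kevin describes in posts #2 and #4 (a scanner that answers its first 403 by switching User-Agent, at which point he bans the address range instead) can be picked out of an access log mechanically. The script below is an added example, not code from the thread, from SiteLock or from Powweb: it parses Apache combined-format lines, reports every client that presented a new User-Agent after being served a 403, and emits the partial-address `Deny from` line in the form post #4 uses. The log lines are constructed for the example and use RFC 5737 documentation addresses; the regex assumes the stock `combined` LogFormat, and the /24 chosen for the ban is an assumption about how wide to cut.

```python
import re
from collections import defaultdict

# Apache "combined" LogFormat. Assumed layout; adjust if the host uses a custom format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not from anyone's real logs). 203.0.113.7 is a crawler
# that changes identity after a 403; 198.51.100.9 is an ordinary visitor who also
# hits a 403 but keeps the same User-Agent.
SAMPLE_LOG = """\
203.0.113.7 - - [26/May/2015:10:00:01 -0500] "GET / HTTP/1.1" 200 5120 "-" "SiteLockSpider/1.0"
203.0.113.7 - - [26/May/2015:10:00:02 -0500] "GET /wp-login.php HTTP/1.1" 403 199 "-" "SiteLockSpider/1.0"
203.0.113.7 - - [26/May/2015:10:00:05 -0500] "GET /wp-login.php HTTP/1.1" 200 1402 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
203.0.113.7 - - [26/May/2015:10:00:06 -0500] "GET /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
198.51.100.9 - - [26/May/2015:10:01:00 -0500] "GET /about/ HTTP/1.1" 200 2200 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.9 - - [26/May/2015:10:01:04 -0500] "GET /admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.9 - - [26/May/2015:10:01:09 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1)"
"""


def parse_log(text):
    """Yield one dict per parseable line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def ua_switchers(text):
    """Return {ip: [user_agents in first-seen order]} for every client that
    presented a User-Agent it had not used before *after* receiving a 403.
    A client that merely gets a 403 and keeps its UA is not reported."""
    got_403 = set()
    uas = defaultdict(list)
    flagged = {}
    for rec in parse_log(text):
        ip, ua = rec["ip"], rec["ua"]
        if ua not in uas[ip]:
            uas[ip].append(ua)
            if ip in got_403:
                flagged[ip] = uas[ip]
        if rec["status"] == "403":
            got_403.add(ip)
    return flagged


def htaccess_deny_lines(flagged):
    """Apache 2.2 'Deny from' lines (partial-address form, as in post #4) for the
    /24 of each flagged client. Banning a whole /24 is a judgement call; narrow or
    widen it after checking whois for the range."""
    prefixes = sorted({".".join(ip.split(".")[:3]) + "." for ip in flagged})
    return ["Deny from %s" % p for p in prefixes]


if __name__ == "__main__":
    hits = ua_switchers(SAMPLE_LOG)
    for ip, agents in hits.items():
        print(ip, "->", " | ".join(agents))
    print("\n".join(htaccess_deny_lines(hits)))
```

Run it against a real log with `ua_switchers(open("access_log").read())`; the same first-403-then-new-UA pattern also catches ordinary scrapers that rotate agents, so read the agent list before banning a range.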

  5. #5
    Registered
    Join Date: Feb 2007 | Location: USA | Posts: 24 | Rep Power: 0
    It's now more than 12 hours since I contacted support saying the flagged files were deleted. My site is still disabled.

    Live chat said the rescan is running but it can take a long time to scan and that they'll activate my site whenever it finishes.

    I feel really bad for anyone else that has to go through this. I'll be seeking a refund of my hosting fees for the time that my site is down and if it's not back up soon I'm just going to find a new host. Who does business this way?

  6. #6
    Registered
    Join Date: Feb 2007 | Location: USA | Posts: 24 | Rep Power: 0
    It ended up taking a full 24 hours to get Powweb to re-enable my site. I'm now off to lock it down so SiteLock can't kill it again.

    Hopefully powweb will learn they've got this process wrong when it hurts their wallets and people cancel their accounts.

  7. #7
    Registered
    Join Date: Jun 2015 | Location: new jersey | Posts: 1 | Rep Power: 0
    This happened to me as well on my site psychobillydeluxe.com .

    Powweb was of no help at all. Every time I fixed something they said was wrong, it was rescanned and I was told there were more issues. Their support is probably the worst ever.

    I lost 9+ years of a website thanks to powweb. I now tell anyone and everyone to stay as far away as possible.

  8. #8
    Builder
    Join Date: Nov 2002 | Location: Illinois | Posts: 2,088 | Rep Power: 20
    Quote Originally Posted by Lumbersquatch View Post
    I lost 9+ years of a website
    How does that happen? They don't delete your files. And even if they did you should have had a local copy.

  9. #9
    Join Date: Jan 2005 | Location: Around Here | Posts: 132 | Rep Power: 13
    The same thing just happened to me. I got a "malware" alert that said they performed a "routine scan" of my site and found exploits (old Wordpress files). They then shut my site down, and it's still down as of this writing.

    They also included a link to the same paid service that claims to prevent this from happening. This is looking more like extortion.

  10. #10
    Registered
    Join Date: Sep 2008 | Location: Isle-of-Skye | Posts: 3 | Rep Power: 0
    I have the same thing on three separate web sites and am being contacted directly by sitelock, however it is of little consequence now.

    The support has become so bad that I am already in the process of moving to another service provider. Will it be inconvenient if they take 15 or so web sites down? Yes it will. But recent experience and problems with the most basic of functions on the control panel indicate that Powweb no longer has sufficient technical expertise to support their customer base.

    For me this has forced the issue. I know that I'm small fry, probably just less than $1,000 PA, but I'm left with little option but to vote with my custom.

    Here is an update to this issue, the techies were absolutely right - three of my web sites have been compromised. It was great that they could tell me about these issues, it wasn't so good that it took them FOUR YEARS! to tell me. Now as I've said I only pay Powweb a bit less than $1000.00 Per Annum and I'm delighted that they have started looking for compromised web sites. Goodness knows that in my 35 years in the IT industry, I've been caught out a couple of times.

    So how did I discover this fact? Was it through some incredible sleuthing, with incisive insight, razor-sharp intellect and massive powers of deduction? No, it was by looking through some very old log files, downloaded to a monitoring box. This runs Xymon to check that all my sites are up, so what can I say; well, lo and behold, all my sites have remained up. And I must say I consider myself to be extremely lucky, despite the best efforts of Powweb support.

    Although I'm ploughing through the deletion of these files, having to use a GUI sucks, but I'll learn the Perl to do this type of thing using a list file as an argument. The end result of this exercise will be the removal of my accounts and the almost 30 hosted domains from Powweb. The strange thing about it all is that not that long ago I would have said that there wasn't any possibility of a company like Powweb being bested.

    Which is probably why I haven't won the lottery.
    Last edited by dpmunro; 9-1-15 at 09:14 PM.
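The list-driven cleanup dpmunro talks about scripting in post #10 is the same job the Powweb email in post #1 hands the customer: work through the paths in `/stats/list.txt` and get them out of the web root. The script below is an added example written for this thread, not code from Powweb, SiteLock or any poster, and it is in Python rather than the Perl he mentions. It quarantines rather than deletes, so the flagged files survive as evidence and can be diffed against a known-good copy, and it refuses any list entry that resolves outside the document root (a `../` entry, or a symlink pointing elsewhere), so a hostile or garbled list cannot make the script touch anything beyond the site. The list format is assumed to be one path per line, absolute or relative to the document root; the directory layout, file names and the planted PHP line in `demo()` are constructed for the example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def quarantine_listed(list_file, docroot, quarantine_dir):
    """Move every file named in list_file out of docroot into quarantine_dir,
    keeping its relative path, and record a SHA-256 of each moved file.

    Returns (manifest, refused). manifest: list of (relative_path, sha256) for
    files actually moved. refused: list entries skipped because they resolve
    outside docroot, are the docroot itself, or are not regular files.
    """
    docroot = Path(docroot).resolve()
    qdir = Path(quarantine_dir).resolve()
    # A quarantine inside the web root is still served; insist it lives elsewhere.
    if qdir == docroot or docroot in qdir.parents:
        raise ValueError("quarantine_dir must be outside the document root")

    manifest, refused = [], []
    for raw in Path(list_file).read_text().splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        # Assumed list format: one path per line. Joining an absolute entry onto
        # docroot yields the absolute path unchanged; a relative one is joined.
        target = (docroot / entry).resolve()      # collapses '..' and follows symlinks
        if docroot not in target.parents or not target.is_file():
            refused.append(entry)
            continue
        rel = target.relative_to(docroot)
        digest = hashlib.sha256(target.read_bytes()).hexdigest()
        dest = qdir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(target), str(dest))
        manifest.append((rel.as_posix(), digest))
    return manifest, refused


def demo():
    """Build a throwaway site in a temp dir, plant one file, write a list.txt
    naming it plus a traversal attempt and a missing file, and run the cleanup.
    Everything here is constructed for the example."""
    root = Path(tempfile.mkdtemp())
    docroot = root / "htdocs"
    uploads = docroot / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    planted = uploads / "x.php"
    # Constructed stand-in for a dropped web shell; not taken from any real infection.
    planted.write_text("<?php eval(base64_decode($_POST['c'])); ?>")
    (docroot / "index.html").write_text("<h1>hello</h1>")
    stats = docroot / "stats"
    stats.mkdir()
    (stats / "list.txt").write_text(
        "wp-content/uploads/x.php\n../../../etc/passwd\nmissing.php\n"
    )
    manifest, refused = quarantine_listed(stats / "list.txt", docroot, root / "quarantine")
    return {
        "manifest": manifest,
        "refused": refused,
        "removed_from_docroot": not planted.exists(),
        "in_quarantine": (root / "quarantine" / "wp-content" / "uploads" / "x.php").is_file(),
        "index_intact": (docroot / "index.html").is_file(),
    }


if __name__ == "__main__":
    print(demo())
```

On a real account call `quarantine_listed("stats/list.txt", "/path/to/htdocs", "/path/outside/htdocs/quarantine")` and keep the returned manifest: the hashes let you check later whether the same files turn up again, which is the "fixed it, rescanned, more issues" loop post #7 describes. Quarantining only what the host listed does nothing about the hole the files came in through, so the email's own advice (update everything, rotate FTP and control-panel passwords, drop unused FTP sub-users) still applies afterwards.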
