Sites Compromised PHP Backdoor


  • This topic has 6 replies, 2 voices, and was last updated 2 years ago by bill.
  • #38159
    bill
    Participant

    Hello, AITpro.

    I am running BPS Pro on ea. of my websites, presently hosted on GoDaddy by way of cPanel. In short, I noticed that my clients weren’t receiving contact form correspondences, so I ran some tests and confirmed that there was an issue with form submissions. I reached out to GoDaddy and they confirmed that there was a block on my account due to excessive mail being sent from one or more of my sites. They would then confirm malware on three of the sites after running malware identifying scans on ea. site. I was told that it was some “backdoor” malware and they emailed me the following:

    Site 1

    Cleared malware from file: ./website.com/wp-content/bps-backup/quarantine/root-files/deleteme.wpjdry.php Details: php.backdoor.generic.068

    Cleared malware from file: ./website.com/wp-content/bps-backup/quarantine/root-files/deleteme.wpkdzk.php Details: php.backdoor.generic.068

    Site 2

    Cleared malware from file: ./website.com/wp-content/bps-backup/quarantine/root-files/deleteme.wpixyo.php Details: php.backdoor.generic.068

    Cleared malware from file: ./website.com/wp-content/bps-backup/quarantine/root-files/deleteme.wpv9jh.php Details: php.backdoor.generic.068

    Site 3

    Cleared malware from file: ./website.com/wp-content/bps-backup/quarantine/root-files/deleteme.wpd2xy.php Details: php.backdoor.generic.068

    Cleared malware from file: ./website.com/wp-content/bps-backup/quarantine/root-files/deleteme.wpvwdy.php Details: php.backdoor.generic.068

    Cleared malware from file: ./website.com/wp-content/bps-backup/quarantine/root-files/deleteme.wpx8v4.php Details: php.backdoor.generic.068

    According to the GoDaddy (Daily) Scan/Malware Removal service I also have, there was some sort of breach on the 15th of October. Unfortunately, it doesn’t automatically delete any issues detected, so I’m just discovering the issue. That said, I wanted to know if I did something wrong? I’ve been using BPS Pro for years and I’ve only encountered one (1) other hacking incident in the past 7 years or so and that had nothing to do with BPS Pro (the entry point was a Joomla site)… so I know it works. I’m just unsure how this could have happened. Please advise and thanks.

    Bill

    #38164
    AITpro Admin
    Keymaster

    The files that your web host malware scanner found and renamed using “deleteme” in the filename are in the BPS Pro quarantine folder.  Please send us your Quarantine Log file contents so we can see how long the hacker files have been quarantined.

    Cleaning up a hacked hosting account is pretty easy.  Figuring out the Point of Entry (PoE) is pretty difficult if you are not a coder and do not have experience with cleaning up hacked web hosting accounts. Typically a hosting account is hacked anywhere from a day to several years before the website owner finds out that their entire hosting account is hacked/compromised.

    How to clean up a hacked hosting account > https://forum.ait-pro.com/forums/topic/wordpress-hacked-wordpress-hack-cleanup-wordpress-hack-repair/

    Important Notes:
    Once a website/hosting account has been hacked all future symptoms of a hacked website come from within the hosting account and do not come from an external source.  Most people assume their website is being hacked each time externally when a hack shows up again, but the hack is actually originating internally from the original hack if all hacker files and code were not found and cleaned up when the website/hosting account was originally hacked.
    You can use malware scanners to find some of the hackers code and files, but malware scanners are simply not capable of finding all hacker files and code. Hackers intentionally create hacker files and code that are undetectable by website malware scanners.
    The only way to completely clean up a hacked hosting account is to clean it up manually.
    If you miss a hacker Shell script when you do the hosting account hack cleanup then the entire hack will occur again until you locate and delete the hacker Shell script or PHP backdoor script.

    So your hosting account may still have been hacked from 7 years ago if you did not find all hacker files and code when you cleaned up your hosting account 7 years ago. If you would like for us to find the PoE and clean up your hacked hosting account then contact us directly via email: info at ait-pro dot com. We charge very reasonable rates to do PoE forensics and hosting account hack clean up. You can of course do that for free using the link I posted above.
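
The first thing the reply above does is read the host's scanner report and notice that every flagged path sits under the BPS Pro quarantine folder. The following Python script is an added example (not code from this thread, from BPS Pro, or from GoDaddy) that automates that triage: it parses report lines in the format quoted above, records which site each finding belongs to, flags whether the file had already been renamed with a "deleteme." prefix by the host scanner, and separates findings inside the quarantine folder from findings in the live web root that still need manual review. The report lines, site names and filenames below are constructed sample data, and the quarantine path `wp-content/bps-backup/quarantine/` is taken from the paths quoted in the thread.

```python
import posixpath
import re
from collections import Counter

# Constructed sample of host-scanner report lines in the format quoted in the thread.
# Site names and filenames are placeholders, not paths from any real account.
SCAN_REPORT = """\
Site 1
Cleared malware from file: ./site1.example/wp-content/bps-backup/quarantine/root-files/deleteme.wpaaaa.php Details: php.backdoor.generic.068
Cleared malware from file: ./site1.example/wp-content/bps-backup/quarantine/root-files/deleteme.wpbbbb.php Details: php.backdoor.generic.068
Site 2
Cleared malware from file: ./site2.example/wp-content/uploads/2023/10/cache.php Details: php.backdoor.generic.068
"""

# One report line: "Cleared malware from file: <path> Details: <signature>"
LINE_RE = re.compile(
    r"^Cleared malware from file:\s+(?P<path>\S+)\s+Details:\s+(?P<sig>\S+)\s*$"
)

# BPS Pro quarantine location as it appears in the thread's quoted paths (assumption:
# that this is the only quarantine location in use on the account).
QUARANTINE_MARKER = "/wp-content/bps-backup/quarantine/"

# Prefix the host scanner prepends when it renames a file it has "cleared".
HOST_RENAME_PREFIX = "deleteme."


def parse_report(text):
    """Parse scanner report text into a list of finding dicts.

    Lines that do not match the report format are treated as site headings
    ("Site 1", "Site 2", ...) and attached to the findings that follow them.
    """
    findings = []
    site = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            site = line  # a heading line, e.g. "Site 1"
            continue
        path = match.group("path")
        parts = path.split("/")
        findings.append({
            "site": site,
            # "./website.com/..." -> "website.com"
            "site_dir": parts[1] if len(parts) > 1 else "",
            "path": path,
            "signature": match.group("sig"),
            "quarantined": QUARANTINE_MARKER in path,
            "renamed_by_host": posixpath.basename(path).startswith(HOST_RENAME_PREFIX),
        })
    return findings


def triage(findings):
    """Split findings into already-isolated (quarantine) and live web-root hits.

    Quarantined hits are what BPS Pro already caught; the quarantine log tells you
    when. Live hits are files in the served tree and need a manual look.
    """
    summary = {
        "quarantined": [],
        "live": [],
        "by_signature": dict(Counter(f["signature"] for f in findings)),
    }
    for f in findings:
        bucket = "quarantined" if f["quarantined"] else "live"
        summary[bucket].append(f["path"])
    return summary


if __name__ == "__main__":
    result = triage(parse_report(SCAN_REPORT))
    print("Already isolated by quarantine:")
    for p in result["quarantined"]:
        print("  ", p)
    print("Live web-root files needing manual review:")
    for p in result["live"]:
        print("  ", p)
    print("Signatures:", result["by_signature"])
```

Run it against the report text your host sends you; anything that lands in the "live" bucket is the part a scanner alone cannot settle and is where the manual cleanup in the linked guide starts.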

    #38170
    bill
    Participant

    Thank you for your response.

    Re: the files: They were no longer in quarantine at the time of my posting. They were removed by GD’s security team following the manual check.

    Re: the PoE: Scary to think about… but certainly an unfortunate truth. Per your instructions, I will follow up with you via email to chat further about the forensics piece.

    Thanks,

    Bill

    #38175
    AITpro Admin
    Keymaster

    BPS Pro has a perfect track record so far.  It’s possible that your site is the first site to be hacked with BPS Pro installed in over 8 years, but most likely your hosting account was already hacked prior to installing BPS Pro and was not completely cleaned of all hacker files and code.  If the hackers somehow beat BPS Pro then we will not charge you anything to do PoE forensics and clean up your hacked hosting account, but like I said BPS Pro has a perfect track record so far. 😉

    #38177
    bill
    Participant

    Thank you. Please check your email.

    #38203
    AITpro Admin
    Keymaster

    After doing a thorough forensic investigation of your entire hosting account this turned out to be a false alarm.  Your hosting account is not hacked and was not hacked.  The files that your web host security scanner found are cPanel Installatron files, which can be dangerous and considered to be a backdoor file that can be exploited by hackers.  Per our email discussion please be sure to turn off Installatron in cPanel for several of your websites that were originally installed using Installatron and some appear to still be doing WordPress updates, which will cause problems with BPS Pro AutoRestore|Quarantine.  Important Note:  The Installatron files that were quarantined by BPS Pro AutoRestore|Quarantine and stored in the Quarantine folder are not accessible and cannot be exploited since the Quarantine folder is specifically designed to be inaccessible for obvious reasons.

    Since your hosting account was not hacked and no hack cleanup was needed then the forensic investigation is on the house.  😉  I’m very glad your hosting account was not hacked for 2 reasons:  #1 BPS Pro still has a perfect track record and #2 cleaning up a hacked hosting account is never any fun.

    #38204
    bill
    Participant

    AITpro, I cannot thank you enough for your time, patience, unmatched support and an UNDEFEATED product/plugin in BPS/BPS Pro. Please keep up the good work… many depend on you. Whether they take the time to say it or not. Thank you.

    -Bill
