Sites Compromised PHP Backdoor (BulletProof Security Pro forum)

bill (Participant):
Hello, AITpro.
I am running BPS Pro on each of my websites, presently hosted on GoDaddy by way of cPanel. In short, I noticed that my clients weren’t receiving contact form correspondence, so I ran some tests and confirmed that there was an issue with form submissions. I reached out to GoDaddy and they confirmed that there was a block on my account due to excessive mail being sent from one or more of my sites. They then confirmed malware on three of the sites after running malware-identifying scans on each site. I was told that it was some “backdoor” malware and they emailed me the following:
Site 1
Cleared malware from file: ./website.com/wp-content/bps-backup/quarantine/root-files/deleteme.wpjdry.php Details: php.backdoor.generic.068
Cleared malware from file: ./website.com/wp-content/bps-backup/quarantine/root-files/deleteme.wpkdzk.php Details: php.backdoor.generic.068
Site 2
Cleared malware from file: ./website.com/wp-content/bps-backup/quarantine/root-files/deleteme.wpixyo.php Details: php.backdoor.generic.068
Cleared malware from file: ./website.com/wp-content/bps-backup/quarantine/root-files/deleteme.wpv9jh.php Details: php.backdoor.generic.068
Site 3
Cleared malware from file: ./website.com/wp-content/bps-backup/quarantine/root-files/deleteme.wpd2xy.php Details: php.backdoor.generic.068
Cleared malware from file: ./website.com/wp-content/bps-backup/quarantine/root-files/deleteme.wpvwdy.php Details: php.backdoor.generic.068
Cleared malware from file: ./website.com/wp-content/bps-backup/quarantine/root-files/deleteme.wpx8v4.php Details: php.backdoor.generic.068
According to the GoDaddy (Daily) Scan/Malware Removal service I also have, there was some sort of breach on the 15th of October. Unfortunately, it doesn’t automatically delete any issues detected, so I’m just discovering the issue. That said, I wanted to know if I did something wrong? I’ve been using BPS Pro for years and I’ve only encountered one (1) other hacking incident in the past 7 years or so and that had nothing to do with BPS Pro (the entry point was a Joomla site)… so I know it works. I’m just unsure how this could have happened. Please advise and thanks.
Bill
AITpro Admin (Keymaster):
The files that your web host malware scanner found and renamed using “deleteme” in the filename are in the BPS Pro quarantine folder. Please send us your Quarantine Log file contents so we can see how long the hacker files have been quarantined.
Cleaning up a hacked hosting account is pretty easy. Figuring out the Point of Entry (PoE) is pretty difficult if you are not a coder and do not have experience with cleaning up hacked web hosting accounts. Typically a hosting account is hacked anywhere from a day to several years before the website owner finds out that their entire hosting account is hacked/compromised.
How to clean up a hacked hosting account > https://forum.ait-pro.com/forums/topic/wordpress-hacked-wordpress-hack-cleanup-wordpress-hack-repair/
Important Notes:
Once a website/hosting account has been hacked all future symptoms of a hacked website come from within the hosting account and do not come from an external source. Most people assume their website is being hacked each time externally when a hack shows up again, but the hack is actually originating internally from the original hack if all hacker files and code were not found and cleaned up when the website/hosting account was originally hacked.
You can use malware scanners to find some of the hackers code and files, but malware scanners are simply not capable of finding all hacker files and code. Hackers intentionally create hacker files and code that are undetectable by website malware scanners.
The only way to completely clean up a hacked hosting account is to clean it up manually.
If you miss a hacker Shell script when you do the hosting account hack cleanup then the entire hack will occur again until you locate and delete the hacker Shell script or PHP backdoor script. So your hosting account may still have been hacked from 7 years ago if you did not find all hacker files and code when you cleaned up your hosting account 7 years ago. If you would like for us to find the PoE and clean up your hacked hosting account then contact us directly via email: info at ait-pro dot com. We charge very reasonable rates to do PoE forensics and hosting account hack clean up. You can of course do that for free using the link I posted above.
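The post above argues that a scanner signature hit is only the starting point and that the web root has to be triaged by hand for backdoor and shell scripts the scanner missed. The script below is an added example (not BPS Pro code, not the GoDaddy scanner, and not the cleanup guide linked above) of the kind of first-pass triage a practitioner runs over a WordPress hosting account: it walks a web root, flags PHP files containing constructs that are common in backdoors but rare in legitimate WordPress code, and additionally flags PHP files in two places WordPress does not put them (under wp-content/uploads, and in the site root outside the standard core files). The sample file tree, file names and contents are constructed for the example; the pattern list is an assumption to be extended for your own environment, and a clean scan proves nothing on its own, as the post says.

```python
"""Triage helper for a suspected-hacked WordPress web root.

Added example, not part of any BPS Pro or host scanner code. Walks a tree,
flags PHP files with backdoor-style constructs, and flags PHP files in
locations where WordPress never places them. Patterns and sample files are
constructed for illustration; treat every hit as a lead, not a verdict.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Constructs rare in legitimate WordPress code but common in PHP backdoors:
# executing decoded strings, shelling out, and calling a function whose
# name comes straight from the request. Assumed list; extend as needed.
SUSPICIOUS_PATTERNS = {
    "eval_of_decoded_string": re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "shell_execution": re.compile(
        r"\b(shell_exec|passthru|proc_open|popen)\s*\(", re.I),
    "system_or_exec": re.compile(
        r"(?<![\w$])(system|exec)\s*\(\s*\$", re.I),
    "dynamic_callable_from_request": re.compile(
        r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
}

# PHP files that legitimately live in a WordPress site root.
WP_ROOT_FILES = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}

PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7"}


def scan_file(path: Path, rel: str) -> list[str]:
    """Return the list of indicator names that fire for one PHP file."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return []
    hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
    # WordPress never ships PHP under uploads; anything there is suspect.
    if rel.startswith("wp-content/uploads/"):
        hits.append("php_under_uploads")
    # A PHP file in the site root that is not a known core file is suspect.
    if "/" not in rel and path.name not in WP_ROOT_FILES:
        hits.append("unexpected_root_php")
    return hits


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map relative path -> indicators for every PHP file that fired."""
    findings: dict[str, list[str]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in PHP_SUFFIXES:
            rel = p.relative_to(root).as_posix()
            hits = scan_file(p, rel)
            if hits:
                findings[rel] = hits
    return findings


# Constructed sample web root: two benign files, one dropper under uploads,
# and one shell with a random-looking name in the site root.
SAMPLE_FILES = {
    "wp-content/plugins/contact/contact.php":
        "<?php\nfunction contact_send($to, $msg) { return wp_mail($to, 'Contact', $msg); }\n",
    "wp-content/themes/mytheme/functions.php":
        "<?php\nadd_action('init', function () { /* ordinary theme code */ });\n",
    "wp-content/uploads/2021/10/image.jpg.php":
        "<?php\n@eval(base64_decode($_POST['p']));\n",
    "wpabcd.php":
        "<?php\nif (isset($_POST['c'])) { passthru($_POST['c']); }\n"
        "$_REQUEST['f']($_REQUEST['a']);\n",
}


def build_sample_tree(root: Path) -> None:
    for rel, content in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


def demo() -> dict[str, list[str]]:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, hits in demo().items():
        print(f"{rel}: {', '.join(hits)}")
```

Run it against a real account with `scan_tree(Path("/home/user/public_html"))`. Review each hit by reading the file, not by trusting the label; also look at files that fire no pattern but have odd names, odd modification times, or live in directories you do not recognise, since a backdoor that encodes its payload differently will not match any fixed list.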
bill (Participant):
Thank you for your response.
Re: the files: They were no longer in quarantine at the time of my posting. They were removed by GD’s security team following the manual check.
Re: the PoE: Scary to think about… but certainly an unfortunate truth. Per your instructions, I will follow up with you via email to chat further about the forensics piece.
Thanks,
Bill
AITpro Admin (Keymaster):
BPS Pro has a perfect track record so far. It’s possible that your site is the first site to be hacked with BPS Pro installed in over 8 years, but most likely your hosting account was already hacked prior to installing BPS Pro and was not completely cleaned of all hacker files and code. If the hackers somehow beat BPS Pro then we will not charge you anything to do PoE forensics and clean up your hacked hosting account, but like I said BPS Pro has a perfect track record so far. 😉
bill (Participant):
Thank you. Please check your email.
AITpro Admin (Keymaster):
After doing a thorough forensic investigation of your entire hosting account this turned out to be a false alarm. Your hosting account is not hacked and was not hacked. The files that your web host security scanner found are cPanel Installatron files, which can be dangerous and considered to be a backdoor file that can be exploited by hackers. Per our email discussion please be sure to turn off Installatron in cPanel for several of your websites that were originally installed using Installatron and some appear to still be doing WordPress updates, which will cause problems with BPS Pro AutoRestore|Quarantine. Important Note: The Installatron files that were quarantined by BPS Pro AutoRestore|Quarantine and stored in the Quarantine folder are not accessible and cannot be exploited since the Quarantine folder is specifically designed to be inaccessible for obvious reasons.
Since your hosting account was not hacked and no hack cleanup was needed then the forensic investigation is on the house. 😉 I’m very glad your hosting account was not hacked for 2 reasons: #1 BPS Pro still has a perfect track record and #2 cleaning up a hacked hosting account is never any fun.
bill (Participant):
AITpro, I cannot thank you enough for your time, patience, unmatched support and an UNDEFEATED product/plugin in BPS/BPS Pro. Please keep up the good work… many depend on you, whether they take the time to say it or not. Thank you.
-Bill