A False Sense of Security

A good friend purchased a website and domain from someone at one of the sales portals a few years ago. He moved all the files, set up the database, and started building his traffic with great posts and information. His site was at a well known and respected hosting company that supposedly was taking care of him. However, they are one of the hosting companies that oversell their servers.

Fast forward about a year and someone hacked his site. This was at about the same time as the 'TimThumb' vulnerability was discovered. He cleaned it up and checked it every way he could think of. It still wasn't working like before, so he paid his hosting company to check and repair his site.

Everything seemed ok and he went back to running his site like before, except he added some security plugins. He thought he was safe. During one of the WordPress Brute Force attacks, his site was hacked again. The hosting company blamed it on him. They cleaned it up and of course charged him, but it was never the same.

He thought the problem might be the hosting company, as he had noticed other problems, such as his site being slow to load at times. He decided to move his site to the hosting company we suggest, and the slowness problems were gone, since they don't oversell their servers and are very proactive about maintenance.

After being at the new host for about two weeks, he received the following email.

Our antivirus software found some issues with your site; the details are below. These are viruses found on USERNAME.com:

# ClamAV detected virus = [Win.Trojan.3998692]:
'/home/USERNAME/public_html/Insider.zip'
# (decoded file [depth: 1]) ClamAV detected virus = [PHP.Shell-38]:
'/home/USERNAME/public_html/rt_sameheight.php'
# (decoded file [depth: 1]) ClamAV detected virus = [PHP.ShellExec]:
'/home/USERNAME/public_html/wp-content/plugins/WPRobot3/wprobot.php'

Please check these files for any malicious coding or viruses – if these files are supposed to exist, it may be a false alarm. We are unable to tell you how long they have been like this at the moment.

These are just e-mail attachments, not too concerned about these:

(43) USERNAME, Scanning /home/USERNAME:
# ClamAV detected virus = [Heuristics.Phishing.Email.SpoofedDomain]:
'/home/USERNAME/mail/new/HOSTING COMPANY,S=8509'
# ClamAV detected virus = [Heuristics.Phishing.Email.SpoofedDomain]:
'/home/USERNAME/mail/new/HOSTING COMPANY,S=8525'
# ClamAV detected virus = [Heuristics.Phishing.Email.SpoofedDomain]:
'/home/USERNAME/mail/new/HOSTING COMPANY,S=8548'

He proceeded to check everything right away, especially the plugin that showed a Trojan. He had a fresh copy of that plugin, extracted it and compared the files. It had a Trojan. He finished cleaning up everything he had been advised about for FREE.

Then he checked the original site files from the previous owner, and that plugin had a Trojan in it from the start. Two paid cleanups and checks by his former host had missed the Trojan. The lesson here is to check your site and all plugins against original copies, add security plugins that help, and choose a hosting company that does not oversell their servers.
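The check described above, comparing an installed plugin against a fresh copy file by file, as an added example that is not from the post: it hashes every file in both directory trees and reports which installed files were modified, added, or are missing relative to the clean copy. It assumes the clean plugin has been extracted to one directory and the installed plugin lives in another; the sample plugin files in demo() are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            digests[path.relative_to(root).as_posix()] = digest
    return digests


def compare_trees(reference, installed):
    """Diff a clean reference copy against the installed copy by file hash."""
    ref, inst = hash_tree(reference), hash_tree(installed)
    return {
        # same path, different content: backdoored or patched file
        "modified": sorted(p for p in ref if p in inst and ref[p] != inst[p]),
        # present only in the installed copy: dropped-in web shell, etc.
        "added": sorted(p for p in inst if p not in ref),
        # present only in the clean copy: deleted or renamed file
        "missing": sorted(p for p in ref if p not in inst),
    }


def demo():
    """Constructed sample: a clean plugin copy beside a tampered installed copy."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for base in (clean, live):
            (base / "inc").mkdir(parents=True)
            (base / "plugin.php").write_text("<?php // plugin bootstrap\n")
            (base / "inc" / "helper.php").write_text("<?php function helper() {}\n")
        # tamper with the installed copy: an altered file plus an unexpected extra file
        (live / "plugin.php").write_text("<?php // plugin bootstrap\n// altered\n")
        (live / "inc" / "extra.php").write_text("<?php // unexpected file\n")
        return compare_trees(clean, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Any file listed under "modified" or "added" should be opened and inspected; a clean plugin copy from the vendor is the only reliable baseline, as the friend's experience with the previous owner's files shows.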
