You Shouldn’t Hire Someone to Clean Up a Malware Infected Website Until They Have Confirmed There is an Issue

If you deal with malware-infected websites on a regular basis, as we do, you know that with just about any issue that can occur with a website there will be someone who thinks it was caused by malware or some other hack. So before taking on the cleanup of a website the owner thinks is infected, we always want to determine whether it really is infected. Not everyone works that way, as shown by this recent Trustpilot review of another company in the industry, Sucuri, which we noticed while looking at a review that a recent client of ours (who had previously hired Sucuri) left about them:

In December 2019, I received several urgent messages from my webhost, SiteGround, stating that malware had been detected in 3 URLs on my website. Each alert urged me to use a professional clean-up service by Sucuri and included a link to purchase Sucuri’s service. Panicked, I signed up for an annual service with Sucuri for $199.99 (the cheapest option) that included a 30-day trial period in which I could cancel. I immediately put in a ticket for Sucuri to address the urgent malware problem on my website that I’d been informed about by SiteGround. Sucuri was unable to find any evidence of malware. Meanwhile, SiteGround continued to send me malware notifications, and each time, Sucuri said there was no malware to be found. Realizing Sucuri couldn’t fix the issue and that I’d need to find another service, I immediately requested my service be cancelled as I was still well within the initial 30 day trial period. I was informed by Sucuri that they could not refund me anything because if a customer puts in even one ticket for malware removal–and EVEN IF SUCURI FAILS TO REMOVE IT–it voids the customer’s ability to cancel their service.

That Sucuri wasn’t finding something that existed isn’t surprising, considering our own experience, like the situation we mentioned in a previous blog post, where we were brought in after they had claimed there was no issue, despite it being easy to find.

That is all out of line with how they market their service, as they make claims like this:

Our dedicated researchers monitor active malware campaigns. With a trained team of analysts, we aim to provide the best malware removal service around.

And this:

We use scripts and tools to quickly scan your website for malware. Our analysts check your site manually too. No hack is too complex for our incident response team.

Trustpilot

That review also highlights a problem when it comes to trying to find the right company to hire to do website malware removal, as that company, like others, is paying review sites, which allows them to get negative reviews hidden:

**I’d like to also point out that where Sucuri’s customer service team does appear to spend their time is flagging their negative reviews here on Trust Pilot. This is my 2nd time posting a review about Sucuri. Sucuri challenged my last review as not being valid, stating I wasn’t one of their customers. After I provided evidence of my customer status and my back-and-forth with Sucuri to Trust Pilot, my review was reinstated. However, Sucuri then claimed that my review violated Trust Pilot’s guidelines (for reasons that have not been disclosed to me) and they ultimately succeeded in getting my first review removed. If this is how Sucuri conducts themselves on Trust Pilot in order to get the numerous negative reviews about their services removed, then I think there’s likely little hope of their customer service and business model improving anytime soon.**

SiteGround

Also worth noting is that, as with other people we have dealt with after they had a bad experience with Sucuri, the web host SiteGround had promoted Sucuri to this reviewer. It would appear they continue to do that despite having at least some awareness of the problems with Sucuri:

After getting nowhere with Sucuri’s customer service, in February, I finally decided to address my terrible experience with Sucuri with SiteGround, my webhost, since SiteGround was the one who referred me to Sucuri–a fact that made me question whether or not I should continue using SiteGround as my webhost. SiteGround immediately contacted Sucuri on my behalf and got them to issue a refund in the full amount of $199.99. Prior to SiteGround’s involvement, I had been in contact with multiple customer service representatives at Sucuri and their only reply was basically, “Sorry you misunderstood the terms of our contract, but it is what it is and we can’t refund you.” I’m very relieved to see that at least SiteGround takes an interest in their customers and in doing the right thing in their business practice because my webdesigner recommends SiteGround to all her clients. As for Sucuri, my opinion of them remains unchanged. I have no interest in ever using their services again and I cannot in good faith recommend them to anyone.

What might explain why SiteGround continues to promote Sucuri is that they are getting paid to do so.

The Wordfence Security Plugin Continues to Fail to Live Up to its Claim to Stop Websites from Being Hacked

A couple of hacked websites we were contacted about recently are reminders that, contrary to the marketing of the most popular WordPress security plugin, Wordfence Security, which claims it “stops you from getting hacked”, it doesn’t accomplish that.

In one of those situations we were provided with a list of malicious files that had been supplied by the web host, and one of them was stored in the Wordfence plugin’s own directory:

/home3/[redacted]/public_html/thefaraharchives/wp-content/plugins/wordfence/modules/login-security/classes/model/wp-pingg.php: SL-PHP-SHELL-yp.UNOFFICIAL FOUND

So it clearly didn’t stop the website from being hacked.

In the other, we were told that after the website was hacked the plugin “locked the site down”, which means it only came into play after the website had already been hacked.

That shouldn’t be surprising, since a) the developer of that plugin doesn’t provide evidence to support the claim (that type of evidence should be provided before anyone relies on something like that) and b) a plugin simply can’t do that: it runs inside WordPress and only sees requests that WordPress itself handles, so it can do nothing about a hack that comes through the hosting account, stolen FTP credentials or other software on the server. So the developer is lying (something we came across an employee of theirs admitting several years ago).

A Web Application Firewall (WAF) is Not the Way to Deal With the Reoccurrence of a Hack of a Website

These days quite a bit of our business dealing with the cleanup of hacked websites is re-cleaning websites that other security companies didn’t clean up properly before us. Troublingly, we recently noticed a company that offers to clean up websites, ASTRA Security, treating that as a normal result and using it to promote a web application firewall (WAF), which they also sell:

Even after clean up and restoring your site, the Magento admin hack may reoccur. The reasons could be a backdoor left by the attacker or simply a vulnerability that may be left unpatched. To avoid such scenarios it is highly recommended to use a WAF or security solution of some sort.

If there is still a backdoor on the website, that means it hasn’t been cleaned up, since removing backdoors is part of the cleanup, which someone cleaning up hacked websites should understand.

Part of a proper cleanup is trying to figure out how the website was hacked, so if a vulnerability is left unpatched then things probably haven’t been done right either.

The providers of WAFs don’t provide evidence that they effectively protect against vulnerabilities, while we have seen plenty of evidence that they don’t. It would be even more difficult for them to protect against the use of backdoors, given the wide variety of locations they are placed in and of what is done through them, which someone cleaning up hacked websites should also understand.

The best way to handle a recurrence is to avoid one in the first place by hiring someone, like us, who will properly clean up the website. If you didn’t do that, then the next best solution is to hire someone to re-clean it who will do things properly.

ASTRA Security is Promoting Cleaning Up Hacked Magento Websites Despite Not Knowing Basics of Dealing With Them

While looking around to see if others had already written blog posts about something we ran across while dealing with a hacked website, we noticed something from a security company, ASTRA Security, that seems worth noting, since the company appears not to have a basic understanding of what they are doing. In a post that seems built around promoting having that company clean up hacked Magento websites, there were multiple glaringly strange claims.

There is this section:

Config.php is an important file of the Magento installation. This file basically facilitates connection between the file system and the database. Config.php contains the database connection credentials. Apart from this, it can also be used to:

  • Define the security keys.
  • To specify the database prefix.
  • To set the default language for your admin panel.

Magento 1

In the first version of Magento, app/etc/config.php contained the list of installed modules, themes and language packages apart from the shared configuration settings.

That file doesn’t exist in Magento 1 (the database credentials there are in app/etc/local.xml), and in Magento 2, where app/etc/config.php does exist, it doesn’t contain database credentials; those are in app/etc/env.php. What the quote describes under “Magento 1”, a list of installed modules, themes and language packages along with shared configuration, is actually the contents of Magento 2’s app/etc/config.php.

Things get odder right after that, as this is written:

Magento 2

In the newer version which is Magento 2, the app/etc/config.php file is no longer an entry in the .gitignore file. This was done to facilitate better development of the software.

Multiple times, config.php has been infected with malicious code by the hackers to steal user credentials. Here is one such malware sample which was found inside /includes/config.php

The files /app/etc/config.php and /includes/config.php are different files (the latter is a Magento 1 file used by its compiler feature); it seems this company doesn’t understand that two files can share a name without being the same.

All of that indicates this company shouldn’t be dealing with Magento websites, since they lack a basic understanding of the software, but it appears they don’t even have a basic understanding of web development, as they also wrote this in their post:

Tools like phpMyAdmin are of great help in searching for multiple Magento admin hack infected files in one go. Search for malicious code using phpMyAdmin as shown in the image below.

phpMyAdmin is a database administration tool, so it can’t search files at all, much less multiple files at once (it can search the contents of database tables, which is a different thing). It is a very common tool, so failing to understand that seems odd for someone dealing with websites, much less doing something more advanced, namely cleaning up hacked websites.

Unfortunately the security industry seems to be filled with companies that don’t care about having the necessary skills to handle the work they offer, and the results are, not surprisingly, often bad.

If you need someone to clean up a hacked Magento website that actually has years of experience of working with Magento websites and cleaning up hacked ones, we provide that.

Sucuri’s 30 Day Refund Guarantee Scam Gets Worse

Back in May of last year, someone contacting us about cleaning a hacked website mentioned that Sucuri had told them they had a 30-day refund guarantee, but when we looked into that we found that in reality Sucuri didn’t provide refunds if someone had requested a cleanup, which is what that person had contacted them to have done.

Here is how the refund guarantee was advertised on their homepage at the time:

30-Day Guarantee

You have 30 days to request a refund according to our Terms of Service.

If you looked at the terms of service, it turned out there was one exception to that refund guarantee, the aforementioned exclusion if you had requested a cleanup:

You will have thirty (30) days from the Service Commencement Date or any Renewal Commencement Date to cancel the Service (the “Cancellation Period”), in which case the Company will refund your Service Subscription Fee for the applicable Service Term provided that you have not submitted a Malware Removal Request during the Cancellation Period.

They could have spelled that out on the homepage in fewer words than it took to refer to the terms of service, which seems like a good indication they are trying to hide it.

Since then the terms of service haven’t changed, but as we noticed when we went to look at something on their website recently, the marketing of the refund guarantee has gotten worse. For example, at the top of the page about their website malware removal they write this:

Repair and restore hacked websites before it damages your reputation. We offer a 30-day money-back guarantee because we know we can help. You can rely on our dedicated incident response team, state-of-the-art technology, and excellent customer service.

If you actually try to get help, though, they won’t provide you a refund, even if they didn’t do anything, since there is no refund once you have requested help.

Similarly, on the Immediate Help page, which has its own menu item at the top of all the website’s pages, the description of the second step in the process is:

We offer a 30-day money-back guarantee because we know we can help. After completing your billing information, you’ll get access to the Sucuri Dashboard.

Why Are Experienced Security Analysts Failing To Get Websites Clean?

If you look at the rest of the information on their website malware removal page, it seems like they are providing a good warning that something is amiss.

They claim that their cleanups are done by “experienced security analysts” and that “we aim to provide the best malware removal service”:

Experienced Security Analysts

Our dedicated researchers monitor active malware campaigns. With a trained team of analysts, we aim to provide the best malware removal service around.

They also claim that “[n]o hack is too complex for our incident response team”:

Automatic and Manual Cleanups

We use scripts and tools to quickly scan your website for malware. Our analysts check your site manually too. No hack is too complex for our incident response team.

That makes another section seem rather odd, since they highlight that they provide “unlimited cleanups”, which shouldn’t be needed if they were properly cleaning and securing websites (they actually do neither of those things properly):

Unlimited Cleanups

We love complex malware infections, and you’ll never pay more for them. Each plan covers your website for a year, including unlimited cleanups, pages, and databases.

Another claim that stands out is this:

Consider us an extension of your team. With professional security analysts available 24/7/365, you never have to worry about dealing with a hacked site.

In reality, what we have heard over and over from people coming to us after having used their service is that they can’t get in touch with anyone at Sucuri. That doesn’t seem to be an isolated issue, as numerous recent reviews of Sucuri on Trustpilot include the same complaint.

SiteLock is Now Trying to Scam People Out of $70 to $100 a Month Due to Non-Malicious Files Created by cPanel

From our years of experience dealing with the cleanup of hacked websites, the first thing a legitimate provider would want to do when contacted is to make sure that the website they are being contacted about is in fact hacked, as we have found that people experiencing just about any problem with a website can jump to the conclusion that it was caused by the website being infected with malware or otherwise hacked. Much of the security industry isn’t what we would call legitimate, and the company that seems the farthest from legitimate is SiteLock, which has a well-earned reputation for scamming people. Part of how they can stay in business despite that reputation is that they have “partnerships” with web hosts, where the web host pushes their services and SiteLock in turn pays the host a large commission on the services sold through that arrangement. That type of relationship is often to the disadvantage of the web hosts’ customers, as a situation we were just consulted on shows.

Recently one of SiteLock’s partners, HostMonster, deactivated one of their customers’ websites due to claimed malware on it. When the customer contacted the support department they were transferred to SiteLock and told that the only way to get the website back up was to pay SiteLock $70 to $100 a month (charged annually). In reality, the web host only requires that the website be cleaned for them to reactivate it. In this case, though, the situation is much worse, since there wasn’t any malware on it.

All of the files that were claimed to be malicious had names similar to .wysiwygPro_preview_edcf331f0ffc35r4b482f1d15a887w3b.php and had contents similar to this:

<?php
if ($_GET['randomId'] != "Qd8f8yQpZe0JyipHkqUDWIwUrHqUixgfdQfEvwy1fU29Q0V_3kf_mw01oJmeF_g6") {
    echo "Access Denied";
    exit();
}
 
// display the HTML code:
echo stripslashes($_POST['wproPreviewHTML']);
 
?>

Those are legitimate files created by an HTML editor (wysiwygPro) that has come with the cPanel control panel offered by the web host. They are not malicious. The code in them is potentially susceptible to reflected cross-site scripting (XSS), since it echoes the POSTed wproPreviewHTML value without escaping it, but an attacker would have to know both the apparently randomized name of the file and the apparently randomized randomId value it checks for that to even come into play. Such files can be removed if the editor isn’t being used, but that is a hardening decision, not a malware cleanup.

Based on the identifier given for them, “SL-PHP-JSINCLUDE-cu.UNOFFICIAL FOUND”, it appears that SiteLock is causing them to be falsely flagged as malicious (the “.UNOFFICIAL” suffix is what ClamAV appends to signatures loaded from a third-party signature database, and the “SL” prefix points to SiteLock as the source of that database).

Based on our years of seeing what SiteLock is up to, it seems possible that the incorrect flagging here is caused by SiteLock’s incompetence instead of actual malice, but in either case this is a scam, since if they can’t correctly identify malicious files then they shouldn’t be offering the services they are.

When we were contacted about the situation, the first thing we did was to ask for the evidence the web host had provided to support shutting down the website, and once we saw that we were able to explain what was going on and help get this resolved for free, instead of taking money from someone who had already been the target of a scam.
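As an added example (not code from the original post, nor from SiteLock, cPanel or any web host), here is how the kind of check described above can be scripted: parse the host’s scanner report, whose lines take the form “<path>: <signature> FOUND” as in the two quoted on this page, and compare each flagged file’s contents against the known-benign preview template with the random token factored out, so that a file which merely borrows the preview name is not waved through. The report lines, paths and file contents below are constructed for the example; the 32-character filename pattern and the 64-character token length are assumptions generalised from the single file quoted above.

```python
"""Triage a host's malware-scanner findings against a known-benign file template.

Added example, not code from the original post, SiteLock, cPanel or any web host.
The report lines and file contents below are constructed for the example.
"""
import re
from typing import Callable, List, Tuple

# Report lines take the form "<path>: <signature> FOUND", as in the two quoted on this page.
REPORT_LINE = re.compile(r"^(?P<path>.+?):\s+(?P<sig>\S+)\s+FOUND\s*$")

# Assumed name pattern for cPanel wysiwygPro preview files, generalised from the single
# name quoted above: a dot-prefixed name with a 32-character random part.
PREVIEW_NAME = re.compile(r"(?:^|/)\.wysiwygPro_preview_[0-9a-z]{32}\.php$")

# The per-file random token compared against ?randomId=...; it was 64 characters in the
# quoted sample, and that length is an assumption.
TOKEN = re.compile(r'!=\s*"[A-Za-z0-9_-]{64}"')

# Known-benign contents of the preview file, with the token replaced by a placeholder.
PREVIEW_TEMPLATE = """<?php
if ($_GET['randomId'] != "TOKEN") {
    echo "Access Denied";
    exit();
}
// display the HTML code:
echo stripslashes($_POST['wproPreviewHTML']);
?>"""

# Request data echoed without escaping: the reflected XSS weakness noted above.
UNESCAPED_OUTPUT = re.compile(r"echo\s+(?:stripslashes\()?\$_(?:POST|GET|REQUEST)\[")


def normalise(src: str) -> str:
    """Factor out the random token and whitespace so two preview files compare equal."""
    return " ".join(TOKEN.sub('!= "TOKEN"', src).split())


def classify(path: str, contents: str) -> str:
    """Verdict for one flagged file; only a full template match is called benign."""
    preview_name = bool(PREVIEW_NAME.search(path))
    template_match = normalise(contents) == normalise(PREVIEW_TEMPLATE)
    if preview_name and template_match:
        verdict = "benign: matches the cPanel wysiwygPro preview template"
        if UNESCAPED_OUTPUT.search(contents):
            verdict += " (echoes POST data unescaped; XSS only if name and token are known)"
        return verdict
    if preview_name:
        # Attackers reuse innocuous names, so a name match by itself proves nothing.
        return "suspicious: preview-style name but contents differ from the template"
    return "review: no known-benign match, inspect manually"


def triage(report: str, read_file: Callable[[str], str]) -> List[Tuple[str, str, str]]:
    """Parse a scanner report and return (path, signature, verdict) for each flagged file."""
    results = []
    for line in report.splitlines():
        m = REPORT_LINE.match(line.strip())
        if m:
            path, sig = m.group("path"), m.group("sig")
            results.append((path, sig, classify(path, read_file(path))))
    return results


# Constructed sample data; the paths, token and contents are not from any real host.
SAMPLE_TOKEN = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_-"
BENIGN_PREVIEW = (
    "<?php\n"
    "if ($_GET['randomId'] != \"" + SAMPLE_TOKEN + "\") {\n"
    "\techo \"Access Denied\";\n\texit();\n}\n\n"
    "// display the HTML code:\n"
    "echo stripslashes($_POST['wproPreviewHTML']);\n\n?>\n"
)
SAMPLE_FILES = {
    "/home/example/public_html/.wysiwygPro_preview_0123456789abcdef0123456789abcdef.php": BENIGN_PREVIEW,
    "/home/example/public_html/.wysiwygPro_preview_fedcba9876543210fedcba9876543210.php":
        "<?php /* constructed stand-in for contents that differ from the template */ ?>",
    "/home/example/public_html/wp-content/plugins/wordfence/modules/login-security/classes/model/wp-pingg.php":
        "<?php /* constructed stand-in for an unexpected file in a plugin directory */ ?>",
}
SAMPLE_SIGNATURES = ["SL-PHP-JSINCLUDE-cu.UNOFFICIAL", "SL-PHP-JSINCLUDE-cu.UNOFFICIAL", "SL-PHP-SHELL-yp.UNOFFICIAL"]
SAMPLE_REPORT = "\n".join(f"{p}: {s} FOUND" for p, s in zip(SAMPLE_FILES, SAMPLE_SIGNATURES))

if __name__ == "__main__":
    for path, sig, verdict in triage(SAMPLE_REPORT, SAMPLE_FILES.__getitem__):
        print(f"{sig}\n  {path}\n  -> {verdict}")
```

The point of the template comparison, rather than a name check, is the second sample: a file that borrows the preview name but carries different contents is reported as suspicious, not benign. Anything the script cannot match to a known-good template is left for manual review; the script only removes false positives it can prove, it does not clear a file because a signature name looks wrong.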

Get a Free Consultation From Us

If you have been contacted by SiteLock or a SiteLock-partnered web host claiming your website is hacked, feel free to contact us for a second opinion as to whether the website is really hacked, and if it is we will provide you with a free consultation on how you can best deal with the issue. To provide that second opinion we need the evidence SiteLock or the web host is providing to back up their claim.

If your web host is pushing you to use SiteLock you should be aware of a number of items before making any decisions and you should know that we can provide you with a better alternative for cleaning up the website for less money.

123 Reg’s Idea of Security Also Involves Leaving Websites to Get Hacked

Earlier this week we noted that GoDaddy’s idea of security involved leaving websites insecure and dealing with the aftereffects of that. They are not alone, as here is how another web host, 123 Reg, promotes a security service provided by their security partner SiteLock:

Malware is malicious code that can attack your website and cause security or performance issues.

Google has discovered that approximately 30,000 sites are affected by this malicious code every day and just 14% are protected, leaving 86% of websites vulnerable to attack. It sounds scary, but there is a way to protect your website.

SiteLock® from 123 Reg provides your website with a credible, state-of-the-art diagnostic system that scans for threats and identifies known malicious code, removing it from your website automatically. Giving you peace of mind in knowing that your site is malware free.

There are 110 million variants of malware in existence today. You can’t check your website every day in case you’ve been attacked. Let us do it for you.

Of course, if SiteLock is detecting malicious code on your website, then it has already been affected by malicious code. Real protection would stop the malicious code from getting there in the first place.

What should also raise questions there is that if there really were “110 million variants of malware in existence today”, what are the chances that SiteLock misses some? The answer, from an earlier post of ours, is that in reality SiteLock misses malicious code that 123 Reg is able to spot themselves.

Even if they were good at spotting malware, if code is able to get on the website then its malicious impact could already have happened by the time it gets removed. For example, if the malicious code copies all of an online store’s customer details, removing the malicious code isn’t going to undo that.

If you are looking to protect your website, we recommend doing the security basics, since those will actually stop many attacks, while services that claim to protect websites present no evidence that they are effective at all, and we frequently have people coming to us looking for one of those that works after having used a service that didn’t prevent their website from being hacked. If your website has already been hacked, then the solution is to have it properly cleaned instead of buying a security service.

SiteLock Falsely Claims That Website Hosted By Their Partner 123 Reg Is Malware Free

Over two years ago we noted that the then recently started partnership between the web host 123 Reg and the security company SiteLock was already producing the bad results that should have been expected based on SiteLock’s well-earned reputation as scammers. If the website we were contacted about earlier this week is any indication, things haven’t changed.

One of the more annoying aspects of the scam that is so much of the security industry is that after people get scammed by security companies like SiteLock, which don’t even attempt to properly do the work they are hired to do, they come to us wanting help for free since they have already paid the scamming company (which we are not in the business of doing, for what should be obvious reasons). That was the case with someone who contacted us after being told by 123 Reg that their website was hacked, hiring 123 Reg’s partner SiteLock to clean it, and having SiteLock claim to have cleaned it up. While SiteLock claimed the website was malware free, 123 Reg wouldn’t unsuspend it, due to them claiming there was still malicious code on it.

When we were contacted about the website it was suspended, so we couldn’t see what was going on with it, but when we checked on it a couple of days after we were initially contacted, we found that it was no longer suspended and that it clearly still had malicious code on it, since when we tried to access the homepage we were redirected to a malicious website.

What this situation shows is that 123 Reg should certainly be aware that the security company they have partnered with isn’t getting things done. That they continue the partnership is a good indication that it is based not on connecting their customers with a reputable security company, but on them getting paid to push their customers to hire SiteLock.

The most unfortunate element is that there really isn’t an apparent solution here. If people hired reputable companies like ours they could avoid this type of situation, but what we have found is that most people will ignore warnings about companies like SiteLock until after they have been scammed, and then in situations like this they want someone else to help them for free.

GoDaddy’s Idea of Security Involves Leaving Websites to Get Hacked

If it were not for seeing the great value we can provide in quickly resolving hacking situations that have gone on for weeks or months, we likely wouldn’t have anything to do with the security industry, since it is such an awful industry, which seems to be largely built around taking advantage of people. One recurring example of that is that those in the security industry promote leaving websites insecure as security, instead of telling people what would actually keep websites secure (which doesn’t involve the services they are selling). As yet another example of that, here is how GoDaddy sells people on a security service that they charge up to $29.99 a month for:

Complete protection for complete peace of mind.

Website Security powered by Sucuri is advanced protection made simple. There’s no software to install, daily security scans run automatically and if there’s ever an issue our auto removal tools can’t fix, our security experts will repair it manually – no matter how long it takes and at no additional cost to you.

By repairing the issue, they are talking about cleaning up a hack, which shouldn’t happen since the website is supposed to be protected.

Also of note, given the claims made in that quote, is that our experience from often being brought in to re-clean websites after GoDaddy’s security division, Sucuri, fails to get the job done is that sometimes they will keep doing incomplete cleanups and in other instances they won’t come back in and will falsely claim that a website is clean when it isn’t. In either case, what they don’t do is attempt to properly clean up the website in the first place, which would negate the need to even discuss repeated cleanups.

Paying a Lower Yearly Fee for an Ongoing Website Security Service When You Have a Hacked Website is Not a Deal

When people have had their website hacked, the unfortunate reality is that there are a lot of people out there looking to take advantage of them. A lot of that involves telling people what they want to hear while knowing that you are lying to them. Based on what people say when contacting us, what a lot of people with hacked websites are looking for is a service that will protect their website from being hacked again. The reality we tell them is that while there are plenty of services that claim to do that, they don’t work (as an example, we often have people coming to us asking if we offer a service like that which works, after using one that didn’t prevent their website from being hacked), and in fact the providers of them don’t even present any evidence that tries to support that they do. The additional reality is that the companies behind these services usually don’t even try to do the work that could possibly make them work.

That last element is in some ways the most important when it comes to someone who already has a hacked website, since part of the work that these services don’t do to try to protect websites is also an important part of cleaning up a hacked website. Just last Friday we mentioned an example of that with a company named Sucuri, which got press coverage for something that wasn’t meaningful when the real story should have been that they were publicly admitting to cutting corners with hack cleanups by not even trying to determine how the website got hacked. If you don’t know how websites are being hacked, you are going to have a hard time even trying to protect them. That they admitted to that isn’t really surprising to us, because we have been dealing with the aftereffects of their improper cleanups and their failure to protect websites from being hacked in the first place for years.

Recently someone contacted us while looking for a better deal on a website security service after their web host, GoDaddy, tried to sell them a $299 a year subscription for a service provided by Sucuri, which GoDaddy owns, after claiming their website was hacked. Paying less for a service that won’t properly deal with a hack isn’t a better deal, since at any price it isn’t going to properly resolve the situation. Instead, if your website is hacked, what needs to be done is to get it properly cleaned up. Properly cleaning up a hacked website involves three key components:

  • Cleaning up the hack.
  • Getting the website as secure as possible (which usually involves getting any software on the website up to date).
  • Trying to determine how the website was hacked and fix that.
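The third component, working out how the website was hacked, usually starts with the server’s access logs. As an added example (not code from the original post, and not a tool of ours or of anyone named on this page), the script below finds the first request to a file the host flagged as malicious, which bounds when the file was placed, and lists what the same client did in the hour before it, which is where to look for the way in. The log lines are constructed for the example in the common combined access-log format; the file path is the one quoted from a host’s report earlier on this page, taken as a URL path relative to the site’s document root (an assumption about how that site is mapped), and the IP addresses and endpoints in the sample are placeholders, not an account of any real intrusion.

```python
"""Timeline around the first request to a file a host has flagged as malicious.

Added example, not code from the original post and not a tool of anyone named on
this page. The log lines are constructed for the example in the common "combined"
access-log format; the IP addresses and endpoints are placeholders, not an account
of any real intrusion.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The file quoted from the host's report earlier on this page, as a URL path relative
# to the site's document root (an assumption about how that site is mapped).
MALICIOUS_PATH = "/wp-content/plugins/wordfence/modules/login-security/classes/model/wp-pingg.php"


def parse_log(text: str) -> List[Dict]:
    """Parse combined-format lines, skip malformed ones, and return them sorted by time."""
    entries = []
    for line in text.splitlines():
        m = COMBINED.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["path"] = e["target"].split("?", 1)[0]  # compare paths without the query string
        entries.append(e)
    entries.sort(key=lambda e: e["time"])
    return entries


def first_request(entries: List[Dict], path: str) -> Optional[Dict]:
    """Earliest request for `path`: an upper bound on when the file was placed, since
    file timestamps are trivial to alter while the web server writes the log itself."""
    for e in entries:
        if e["path"] == path:
            return e
    return None


def activity_before(entries: List[Dict], path: str,
                    window: timedelta = timedelta(hours=1)) -> Tuple[Optional[Dict], List[Dict]]:
    """The first request for `path` plus what the same client did in the window before it.

    Those earlier requests are where to look for how the file got there; anything that
    did not go through the web server (FTP, SSH, control panel) will not appear here."""
    hit = first_request(entries, path)
    if hit is None:
        return None, []
    earlier = [e for e in entries
               if e["ip"] == hit["ip"] and hit["time"] - window <= e["time"] < hit["time"]]
    return hit, earlier


# Constructed log lines (documentation IP ranges; not from a real server).
SAMPLE_LOG = """\
198.51.100.7 - - [03/Mar/2020:09:58:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Mar/2020:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Mar/2020:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Mar/2020:10:01:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Mar/2020:10:02:15 +0000] "POST /wp-content/plugins/wordfence/modules/login-security/classes/model/wp-pingg.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Mar/2020:10:05:00 +0000] "GET /wp-content/plugins/wordfence/modules/login-security/classes/model/wp-pingg.php?x=1 HTTP/1.1" 200 311 "-" "curl/7.68.0"
not a log line, skipped by the parser
"""

if __name__ == "__main__":
    hit, earlier = activity_before(parse_log(SAMPLE_LOG), MALICIOUS_PATH)
    if hit is None:
        print("no request to the flagged file in this log; check rotated logs too")
    else:
        print(f"first request: {hit['time']} {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
        for e in earlier:
            print(f"  before it:   {e['time']} {e['method']} {e['target']} -> {e['status']}")
```

Two caveats when using this on a real site: the web server log records the request line but not POST bodies, so the earlier requests tell you which endpoint to examine (and which software version was running), not what was sent to it; and if the first hit on the file is at the very start of the oldest log available, the entry point predates what you have, so rotated and archived logs need to be pulled in before drawing conclusions.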

Once that has been done, then doing the security basics is what is going to do a better job than these services to keep your website from being hacked again.

If you want your hacked website properly cleaned up your best bet is to hire us. On the other hand, if you want to get ripped off, then check out the other companies out there, since a lot of them would love to take advantage of you.