index.php Files with the Comment “Silence is golden.” on a WordPress Website Are Not Malware

When it comes to dealing with hacked websites a lot of people would be best off leaving it to professionals (assuming you can find one, among all the unqualified companies), as it is easy for people to get very confused about what is going on. We recently had someone contact us about cleaning up a hacked WordPress website where they were saying that part of the malware was that index.php files had been corrupted with “Silence is golden.” and nothing else.

What they were referring to are files that come with WordPress that had the following contents:

<?php
// Silence is golden.

The purpose of those files is to make sure that a listing of files in the directory they are located is not shown in certain server configurations. So those files are harmless and not in any way malware.

MySQL 5.7 Upgrades By Web Hosts Can Lead to or Expose MySQL Table Issue That Causes Errors on Websites

We were recently brought in to provide support for a Moodle website where when submitting an answer to a quiz question the following error was shown:

Error reading from database

That error message doesn’t provide much to go on. Something like that should not happen randomly, so some change likely caused it, but the webmaster for the website wasn’t aware of any changes that had occurred shortly before that happened.

Turning Moodle’s debugging to its highest setting led to more details being shown about the error:

Debug info: Table ‘performance_schema.session_variables’ doesn’t exist
SHOW VARIABLES LIKE ‘max_allowed_packet’
[NULL]
Error code: errorprocessingresponses

That table isn’t a Moodle table, but instead one that is one of the tables for the MySQL database server.

When we did a search on part of that message we found a Stack Overflow conversation that seemed to match the situation, as the MySQL version in use, 5.7.26, had been out for less than week, so it must have been recently upgraded to and that conversation described the error occurring after an upgrade to a version of 5.7.

Based on the information in that conversation either something gets messed up with that table when doing the upgrade or there was a pre-existing issue that is now causing an error because MySQL 5.7 is relying on that table in a way it previously wasn’t.

If you have dealt with the tech support at a web host before you might not be surprised what came next. When they were contacted about the issue they at first didn’t address what was being mentioned and suggested unrelated solutions. When it came to the former, they stated they couldn’t downgrade MySQL, which was an odd response to the suggestion that the upgrade needs to be fixed. When it came to the latter, they were suggesting upgrading Moodle, claiming that it would resolve this and that the new version was compatible MySQL 5.7 (the version of Moodle in use was actually also compatible with that version of MySQL).

While it took several back and forths between them and our client, eventually they seem to come around that there really was an issue on their end and from there it took tens of minutes for it to be fixed, much to the relief of our client.

Sucuri’s 30 Day Refund Guarantee Scam Gets Worse

Back in May of last year someone contacting us about cleaning a hacked website mentioned that Sucuri had told them that they had 30 day refund guarantee, but when we went to look into that we found that in reality Sucuri didn’t provide refunds if someone had requested a cleanup, which is what that person had contacted them about having done.

Here is how the refund guarantee was advertised on their homepage at the time:

30-Day Guarantee

You have 30 days to request a refund according to our Terms of Service.

If you looked at the terms of service it turned out there was one exception for that refund guarantee, the aforementioned limit if you had requested a clean up to be done:

You will have thirty (30) days from the Service Commencement Date or any Renewal Commencement Date to cancel the Service (the “Cancellation Period”), in which case the Company will refund your Service Subscription Fee for the applicable Service Term provided that you have not submitted a Malware Removal Request during the Cancellation Period.

They could spelled that on the homepage in less than words than it took to mention the terms of service, which seems like a good indication they are tying to hide that.

Since then the terms of service haven’t changed, but as we noticed when we went to look at something on their website recently, the marketing of the refund guarantee has gotten worse. For example at the top of the page about their website malware removals they write this:

Repair and restore hacked websites before it damages your reputation. We offer a 30-day money-back guarantee because we know we can help. You can rely on our dedicated incident response team, state-of-the-art technology, and excellent customer service.

If you actually try to get help though, they won’t provide you a refund, even if they didn’t even do anything, seeing as there is no refund if you request help.

Similar on the Immediate Help page which has its own menu section at the top of all the website’s pages, the description of the second step in the process is:

We offer a 30-day money-back guarantee because we know we can help. After completing your billing information, you’ll get access to the Sucuri Dashboard.

Why Are Experienced Security Analysts Failing To Get Websites Clean?

If you look at the rest of their information on their website malware removal page it seems like they are providing a good warning they something is amiss.

They claim that their cleanups are done by “experienced security analysts” and that that “we aim to provide the best malware removal service”:

Experienced Security Analysts

Our dedicated researchers monitor active malware campaigns. With a trained team of analysts, we aim to provide the best malware removal service around.

They also claim that “[n]o hack is too complex for our incident response team”:

Automatic and Manual Cleanups

We use scripts and tools to quickly scan your website for malware. Our analysts check your site manually too. No hack is too complex for our incident response team.

That makes another section seem rather odd, since they highlight that they provide “unlimited cleanups”, which shouldn’t be needed if they properly cleaning and securing websites (they actually do neither of those things properly):

Unlimited Cleanups

We love complex malware infections, and you’ll never pay more for them. Each plan covers your website for a year, including unlimited cleanups, pages, and databases.

Another claim that stands out is this:

Consider us an extension of your team. With professional security analysts available 24/7/365, you never have to worry about dealing with a hacked site.

In reality what we have hearing over and over from people coming to us after having used their service, is that they can’t get in touch with anyone at Sucuri. That doesn’t seem to be isolated issue, as numerous recent reviews of Sucuri on the website Trustpilot include the same complaint.

Fixing Missing Sessions Database Table Error After Upgrading to Zen Cart 1.5.6

When doing a Zen Cart upgrade or any similar upgrade it is always a good idea to do a test of the upgrade first, since unexpected issues can come up and by doing a test first you can more easily work thorough those instead of trying to triage a broken production website. When we are hired to do Zen Cart upgrades we always do that.

That came in handy during a recent upgrade from Zen Cart 1.5.5a to 1.5.6a where we ran into what is an obscure enough issue we couldn’t find any mentions of it when we were troubleshooting it.

After we ran the database updater we found that the instead of being served the website we got an error message, “An Error occurred, please refresh the page and try again.”.Looking at the related error log file in the “logs” directory it was indicated that the sessions table didn’t exist in the database:

PHP Fatal error: 1146:Table ‘[databasebprefix]_sessions’ doesn’t exist :: select value

Looking at the databases for the production website and the test we found that the table existed prior to the database update, but not after.

Looking at the database changes made during the 1.5.6 update we found that the table is dropped and recreated, so for some reason the recreation was failing.

In looking at the debug log for the database updater we found that there were multiple errors like this:

MySQL error 1273 encountered during zc_install:
Unknown collation: ‘utf8mb4_general_ci’
) ENGINE=InnoDB;

After looking at various things we found that in the configuration file, configure.php, for the frontend of the website the “DB_CHARSET” was undefined. Defining that as “utf8”, re-importing the database, and starting the database update process over resolved the errors and the table was properly recreated.

Further in the process we found the apparent reason for the “DB_CHARSET” being missing , it was causing characters to be improperly encoded, which we were able to resolve by simply changing the charset to proper one for those characters.

Wix Doesn’t Currently Support Importing WordPress Websites or Blogs

One of the services we offer is to do transfers of websites from one web host to another, though we often have people that contact us about this service looking to transfer the content of a website to or from a website design platform, like Weebly or Squarespace. We recently had someone contact us about moving a WordPress based website to one of those platforms, Wix. We did a quick to see if it was possible to do that, so we could at least let them know if that is possible, even though we don’t offer that. After we did that we tried to email them that information, but it turned out they hadn’t provided a valid email address, but we can at least share this information with others.

Currently Wix doesn’t support importing websites in to their service:

Currently, importing a site created outside of Wix is not supported.

They also don’t currently support importing blog content in to their service either:

Currently, importing blog content or data from an external source or blog is not supported.
So either you would need to do the transfer manually or look for a third-party solution for that.

These Security Rules Are Not an Indication Your WordPress Website is Hacked

Recently we mentioned the importance of security companies checking to make sure that websites they are being contacted about cleaning are in fact hacked. The reason for that is often problems unrelated to a hack are believed to beloved to be caused one, leading to people looking for unnecessary cleanups.

In one reason situation the person who contacted us was sure that their WordPress website was hacked due to rules (or code) in the web.config, which is a configuration for websites being hosted on IIS web servers, for the website that actually were there to protect the website.

As an example of what was at issue, the following rule would restrict accessing .php files in the WordPress uploads directory, which would prevent a hacker from running code if they could upload .php files through some vulnerability:

<rule name="Deny scripts from wp-content/uploads for WordPress instance #6" enabled="true" stopProcessing="true">
	<match url="^wp-content/uploads/.+\.php" />
	<conditions />
	<serverVariables />
	<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>

The rules may have been generated by the Plesk control panel.

Here are all the rules in question in case someone else is searching for information on this:

<rule name="Block wp-config.php for WordPress instances" enabled="true" stopProcessing="true">
	<match url="wp-config.php" />
	<conditions />
	<serverVariables />
	<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>
<rule name="Deny scripts from wp-includes for WordPress instance #6" enabled="true" stopProcessing="true">
	<match url="^wp-includes/.+\.php" />
	<conditions>
		<add input="{REQUEST_URI}" pattern="^/wp-includes/js/tinymce/wp-tinymce\.php$" ignoreCase="false" negate="true" />
	</conditions>
	<serverVariables />
	<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>
<rule name="Deny scripts from wp-content/uploads for WordPress instance #6" enabled="true" stopProcessing="true">
	<match url="^wp-content/uploads/.+\.php" />
	<conditions />
	<serverVariables />
	<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>

Make Sure to Upgrade Zen Cart Before Your Web Host Changes the PHP Versions They Support

We recently have had a significant number of people coming to us for Zen Cart upgrades needed due to web hosts changing the minimum PHP version they support. Unfortunately a lot them have been at the point that the website is broken due to that PHP change happening, so now would be good time to assess whether you are in need of an upgrade before you run in to problems.

The lowest version of PHP still supported is 7.1 and version 1.5.5 of Zen Cart and above are designed to support that. Support for PHP 7.1 will end on December 1.

If you upgrade to the latest version of Zen Cart, 1.5.6, you have years of support built in as that is designed for PHP versions up to PHP 7.3, which is supported until December of 2021.

While the lowest supported version of PHP is currently 7.1, one of the recent situations where we were brought in involved the web host raising the minimum PHP version to 5.6, which Zen Cart 1.5.3 and above were designed for.

Making the upgrade process more difficult in some instances is that one change made with Zen Cart 1.5.6 is that it will not run with versions of PHP lower than 5.5 (previous Zen Cart versions would run on older versions of PHP enough to test things out before switching to a newer version).

SiteLock is Now Trying to Scam People Out of $70 to $100 a Month Due to Non-Malicious Files Created by cPanel

From our years of experience dealing with the cleanup of hacked websites the first thing legitimate providers would want to do when contacted is to make sure that the website that they are being contacted about is in fact hacked, as we have found that people experiencing just about any problem with a website can jump to the conclusion that it was caused by the website being infected with malware or otherwise hacked. Much of the security industry isn’t what we would call legitimate and the company that seems to be the farthest from legitimate is SiteLock, which has a well earned reputation for scamming people. Part of how they can stay in business despite that reputation is that they have “partnerships” with web hosts where the web host pushes their services and SiteLock in term provides them a large commission for services they can sell through that. That type of relationship is often to the disadvantage of customers of the web hosts, as a situation we were just consulted on shows.

Recently one of SiteLock’s partners, HostMonster, deactivated one of their customer’s websites due to claimed malware on the website. When the customer contacted the support department they were transferred to SiteLock and told the only way to get the website back up was to pay to pay them $70 to $100 a month (charged annually). In reality the web host only requires that the website be cleaned for them to reactivate it. In this case though the situation is much worse since there wasn’t any malware on it.

All of the files that were claimed to be malicious had names similar to .wysiwygPro_preview_edcf331f0ffc35r4b482f1d15a887w3b.php and had contents similar to this:

<?php
if ($_GET['randomId'] != "Qd8f8yQpZe0JyipHkqUDWIwUrHqUixgfdQfEvwy1fU29Q0V_3kf_mw01oJmeF_g6") {
    echo "Access Denied";
    exit();
}
 
// display the HTML code:
echo stripslashes($_POST['wproPreviewHTML']);
 
?>

Those are legitimate files created by an HTML editor that has come with the cPanel control panel offered by the web host. They are not malicious. The code in them is potentially susceptible to reflected cross-site scripting (XSS) due to outputting user input without escaping it, but someone would have to know both the apparently randomized name of the file and the apparently randomized additional value checked for that to even come in to play.

Based on the identifier given for them, “SL-PHP-JSINCLUDE-cu.UNOFFICIAL FOUND”, it appears that SiteLock is causing them to be falsely flagged as malicious.

Based on our years of seeing what SiteLock is up to, it seem possible that the incorrect flagging here is caused by SiteLock’s incompetence instead of actual malice, but in either case this is scam, since if they can’t correctly handle identifying malicious files then they shouldn’t be offering the services they are.

When we were contacted about the situation the first thing we did was to ask about the evidence provided by the web host to support the shutting down of the website and once we saw that, we were able to explain what was going on and help get this resolved for free instead of scamming money out of someone who was already attempted to be scammed.

Get a Free Consultation From Us

If you are have been contacted by SiteLock or a SiteLock partnered web host claiming your website is hacked, feel free to contact us to get a second opinion as to whether the website is really hacked and if it is we will provide you with a free consultation on how you can best deal with the issue. To provide that second opinion please provide us with the evidence SiteLock or the web host is providing to back up their claim.

If your web host is pushing you to use SiteLock you should be aware of a number of items before making any decisions and you should know that we can provide you with a better alternative for cleaning up the website for less money.

123 Reg’s Idea of Security Also Involves Leaving Websites to Get Hacked

Earlier this week we noted that GoDaddy’s idea of security involved leaving websites insecure and dealing with the after effects of that. They are not alone, as here is how another web host, 123 Reg, promotes a security service provided by their security partner SiteLock:

Malware is malicious code that can attack your website and cause security or performance issues.

Google has discovered that approximately 30,000 sites are affected by this malicious code every day and just 14% are protected, leaving 86% of websites vulnerable to attack. It sounds scary, but there is a way to protect your website.

SiteLock® from 123 Reg provides your website with a credible, state-of-the-art diagnostic system that scans for threats and identifies known malicious code, removing it from your website automatically. Giving you peace of mind in knowing that your site is malware free.

There are 110 million variants of malware in existence today. You can’t check your website every day in case you’ve been attacked. Let us do it for you.

Of course if SiteLock is detecting malicious code on your website then it has been affected by malicious code. Real protection would stop the malicious code from getting there in the first place.

What seems like it should also raise questions there is if the really were “110 million variants of malware in existence today”, what are the chances that SiteLock might miss some. The answer from an earlier post of ours is that in reality SiteLock misses malicious code that 123 Reg is able to spot themselves.

Even if they were good at spotting malware, if code is able to get on the website then its malicious impact could already have happened by the time it gets removed. For example if the malicious code copies all of an online store’s customer details, removing the malicious code isn’t going to undo it.

If you are looking to protect your website we recommend doing the security basics since those will actually stop the possibility of many attacks, while services that claim to protect websites present no evidence they are effective at all and we frequently had people coming to us looking for one of those that works after having used a service that didn’t prevent their website from being hacked. If your website has already been hacked, then the solution is to have it properly cleaned instead of security service.

SiteLock Falsely Claims That Website Hosted By Their Partner 123 Reg Is Malware Free

Over two years ago we noted the that then recently started partnership between the web host 123 Reg and the security company SiteLock was already producing the bad results expected that should have been expected based on SiteLock’s well earned reputation as being scammers. If the website we were contacted about earlier this week is any indication, things haven’t changed.

One of the more annoying aspects of the scam that is so much of the security industry is that after people get scammed by security companies like SiteLock that don’t even attempt to properly do the work they are being hired to do, people come to us wanting us to help them out for free since they already paid the scamming company (which we are not in the business of doing for what should be obvious reasons). That was the case with someone that contacted us after being told by 123 Reg that their website was hacked, hiring their partner SiteLock to clean it, and having SiteLock claim to have cleaned it up. While SiteLock claimed the website was the malware free, 123 Reg wouldn’t unsuspend the website to due them claiming their still was malicious code on it.

When we were contacted about the website it was suspended, so we couldn’t see what was going on with it, but when we went to check on the website a couple of days after we were initially contacted, we found that the website was no longer suspended and that clearly it still had malicious code on it since when trying to access the homepage we were redirected to a malicious website.

What this situation shows is that 123 Reg should certainly be aware that the security company they have partnered with isn’t getting things done. That they continue the partnership is a good indication that the partnership is based not on helping their customers get connected with a reputable security company, but instead is based on them getting paid to push their customers to hire SiteLock.

What is the most unfortunate element is that there really isn’t a solution apparent here. If people hired reputable companies like ours they could avoid this type of situation, but what we have found is that most people will ignore warnings about companies like SiteLock until after they have been scammed and then in situation like this they want someone else to help them for free.