Deleting Files Your Web Host Identified as Malicious is Not a Proper Hack Cleanup

Websites don’t just happen to get hacked, something has to have gone wrong for that to happen. Far too often we see that original problem is compounded by improperly cleaning up the website from the hack, which if properly done involves trying to determine how the website was hacked so the source of the hack can be determined and fixed. If you don’t do that then the website can get hacked again. You might get lucky and the hacker doesn’t come back, but if they do, it can lead to repeated issues if not resolved (which is the point where we are often brought in to clean things up).

For whatever reason we recently have been contacted by a lot of people coming to us through information we have written about the web security company SiteLock, who have, instead of doing or getting a proper cleanup done, decided just to delete files that their web host has indicated contain malicious code. In some cases they contact us because they then continue to have problems and in others they are looking for security solutions that won’t actually resolve the possibility of being re-hacked to try to deal with the possibility of that occurring.

It isn’t that no one has suggested doing something other than what they have done, as an example, one of the people that contacted in this type of situation, forwarded us a file with a list of malicious files their web host, Bluehost, had provided. Right above the list was the following information:

Files may have false positives. Please review each file to make sure each file actually contains malware. Please note that we are not a security company
The Content listed below may not be a complete list of malicious content on your account.
You are ultimately responsible for all of your content.
This is just what we have found that appears to be malicious.
These files appear to contain malicious code.
You will want to review the files and remove the injected code from important files and/or remove unused or invalid files.

Bluehost usually also sends out an email like the following when they are notifying someone that their hosting account is being deactivated, which includes some example files:

Your [redacted] account has been deactivated due to the detection of malware. The infected files need to be cleaned or replaced with clean copies from your backups before your account can be reactivated.

Examples: /[redacted]/public_html/tracking/include/pclzip.lib.php
/[redacted]/public_html/calltrack/include/pclzip.lib.php

To thoroughly secure your account, please review the following:

 

* Remove unfamiliar or unused files, and repair files that have been modified.
* Update all scripts, programs, plugins, and themes to the latest version.
* Research the scripts, programs, plugins, and themes you are using and remove any with known, unresolved security vulnerabilities.
* Update the passwords for your hosting login, FTP accounts, and all scripts/programs you are using. If you need assistance creating secure passwords, please refer to this knowledge base article: https://my.bluehost.com/hosting/help/418
* Remove unused FTP accounts and all cron jobs.
* Secure the PHP configuration settings in your php.ini file.
* Update the file permissions of your files and folders to prevent unauthorized changes.
* Secure your home computer by using an up-to-date anti-virus program. If you’re already using one, try another program that scans for different issues.

 

You may want to consider a security service, such as SiteLock, to scan
your website files and alert you if malicious content is found. Some
packages will also monitor your account for file changes and actively
remove malware if detected. Click here to see the packages we offer:
https://my.bluehost.com/cgi/sitelock

Please remove all malware and thoroughly secure your account before contacting the Terms of Service Department to reactivate your account.

In the case of that message, it is rather explicit that those are just examples, not all of the files, but we have people contacting us that just deleted those files.

Bluehost is one of many brands that the Endurance International Group (EIG) does business under, which is one of SiteLock’s largest partners (and also run by SiteLock’s owners). Their other brands include A Small Orange, FatCow, HostGator, iPage, IPOWER, JustHost, and quite a few others. Many of those who have contacted after just deleting those files have been at their various brands, so they likely would have received a similar message.

Proper Cleanup

In both types of message shown above it is suggested to not just delete files. That is important because hackers often add malicious code to existing files, so just deleting the files could cause the website to no longer function if they are needed for normal usage of the website.

If you just remove malicious code that was on the website that will not resolve the issue, as the code had to get their somehow. That is why in addition to making sure you have removed all of the malicious content, you need to secure the website (which usually mainly consists of updating the software) and try to determine how it hacked in the first place, so that issue can resolved and the hacker can’t get back in.

If you can afford it, your best bet to get all this done is to hire someone that provides a service that does all those things, which as far as we aware is not a service that SiteLock provides.

Going Forward

Once the website has been properly cleaned up the best solution is to make sure you are taking steps to keep the website secure going forward. We have people coming to us that instead of being interested in doing those things are looking for a scanning service or a protection service. We have yet to see any service like that were evidence, much less evidence from independent testing, is being provided that they are effective at doing those types of services. We have had plenty of people that are using those types of services that have come to us because they didn’t provide the type of protection that was claimed (often after the websites has been hacked again), so they don’t seem like a good use of money unless you can find one that provides evidence of its effectiveness.

Leave a Reply

Your email address will not be published.