Bluehost’s Poorly Thought Out Attempt to Clean Up Hacked Websites

We have repeatedly brought up the web host Bluehost on this blog in the past due to various security-related issues involving them, including their use of phishing emails to sell unnecessary security services and what looked like a security issue on their end leading to websites being hacked. Recently, while working on hack cleanups of websites hosted with them, we have started running into another issue: Bluehost appears to be attempting to clean up hacks in a way that doesn’t seem well thought out and can leave websites with more problems beyond the ones caused by the hack itself.

What appears to be going on is that, to try to clean files containing malicious code, Bluehost is removing code from the files and saving a copy of the previous version of each file under a different name. As an example of those names, in one recent instance the copy of a file named link-manager.php was named link-manager.php.suspected.1524640055. The new files have no permissions set, so you can’t view their contents (or change the permissions so that you could). In many instances the original files have been emptied entirely, even where they appear to have contained legitimate code alongside the malicious code.

One of the problems this is causing is that legitimate files used to generate websites are being emptied, which causes the website to stop working. Because of the permissions on the new files, it isn’t possible to easily see the previous contents of a file and quickly restore the non-malicious portion without getting access to another copy of the file.

Things get more problematic where they change the permissions on directories as well as on files. That not only prevents seeing what is in the directory, it also introduces a complication that doesn’t occur with individual files: you can’t delete the directories through FTP or the file manager in Bluehost’s control panel.
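As an added example (not code from the original post or from Bluehost), the following POSIX shell script inventories the state a cleanup like the one described above leaves behind: it lists every *.suspected.<digits> copy with its permission bits and whether the matching original was emptied, and lists directories whose permission bits have all been cleared. It builds a constructed sample tree so it runs offline; the wp-admin/wp-content paths, the file contents, and the reading of "no permissions" as mode 000 are assumptions for illustration. On a real site, call list_suspected and list_locked_dirs with the document root instead of the constructed tree.

```shell
#!/bin/sh
# Added example, not code from the original post or from Bluehost. It reports
# which originals were emptied and which directories are locked after a
# cleanup that renames copies to "<file>.suspected.<timestamp>".

# Build a constructed sample tree (paths and contents are assumptions) that
# mirrors the pattern from the post: the original is emptied, the copy gets a
# ".suspected.<timestamp>" suffix and mode 000, and one directory is mode 000.
make_sample_tree() {
  root="$1"
  mkdir -p "$root/wp-admin" "$root/wp-content/uploads/cache"
  : > "$root/wp-admin/link-manager.php"                       # original, emptied
  printf 'placeholder for the pre-cleanup contents\n' \
    > "$root/wp-admin/link-manager.php.suspected.1524640055"  # renamed copy
  chmod 000 "$root/wp-admin/link-manager.php.suspected.1524640055"
  printf '<?php echo "untouched";\n' > "$root/wp-content/index.php"
  chmod 000 "$root/wp-content/uploads/cache"                  # locked directory
}

# Permission bits of a path as octal digits, zero-padded, via GNU or BSD stat.
mode_of() {
  m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  printf '%03d' "$m"
}

# One line per ".suspected.<digits>" copy:
#   <mode of copy> <path of original> <emptied|intact|missing>
list_suspected() {
  find "$1" -type f -name '*.suspected.[0-9]*' 2>/dev/null | sort |
  while read -r copy; do
    orig="${copy%.suspected.*}"
    if [ ! -e "$orig" ]; then state=missing
    elif [ ! -s "$orig" ]; then state=emptied
    else state=intact
    fi
    printf '%s %s %s\n' "$(mode_of "$copy")" "$orig" "$state"
  done
}

# Directories with every permission bit cleared: these can't be listed or
# deleted over FTP or from the control panel file manager.
list_locked_dirs() {
  find "$1" -type d 2>/dev/null | sort |
  while read -r d; do
    if [ "$(mode_of "$d")" = "000" ]; then printf '%s\n' "$d"; fi
  done
}

# Restore permissions so the constructed tree can be removed again.
cleanup_sample_tree() {
  chmod -R u+rwx "$1" 2>/dev/null
  rm -rf "$1"
}

root=$(mktemp -d)
make_sample_tree "$root"
echo "suspected copies (mode, original, original state):"
list_suspected "$root"
echo "directories with mode 000:"
list_locked_dirs "$root"
cleanup_sample_tree "$root"
```

The "emptied" column is the one to act on first: each such original needs its legitimate contents restored from a known-good copy (a fresh download of the same WordPress or plugin version, or a backup), while the mode-000 directories will need the host to reset permissions before they can be inspected or removed.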

Bluehost does have the capability to make the files and directories accessible if you contact them.

What is important to note is that in every instance we have run into so far, there have been malicious files that were not dealt with by this cleanup, so the upside of their attempt to clean things up is limited while it can come with a fairly significant downside. Another problem with this type of approach is that simply cleaning up hacked files doesn’t deal with the underlying cause that allowed the hacker to add or modify files in the first place, so the hacking can continue.