{"id":3249,"date":"2017-01-24T11:49:15","date_gmt":"2017-01-24T18:49:15","guid":{"rendered":"https:\/\/www.whitefirdesign.com\/blog\/?p=3249"},"modified":"2018-10-24T11:33:03","modified_gmt":"2018-10-24T17:33:03","slug":"dont-ignore-a-message-from-sitelock-or-your-web-host-that-your-website-has-malware","status":"publish","type":"post","link":"https:\/\/www.whitefirdesign.com\/blog\/2017\/01\/24\/dont-ignore-a-message-from-sitelock-or-your-web-host-that-your-website-has-malware\/","title":{"rendered":"Don&#8217;t Ignore a Message From SiteLock or Your Web Host That Your Website Has Malware"},"content":{"rendered":"<p>When it comes to the poor state of web security we often find that security companies play an important role in that. That includes <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2016\/08\/02\/no-one-is-trying-to-brute-force-your-wordpress-admin-password\/\">making up threats<\/a> and <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2016\/10\/10\/cyber-security-companys-poor-website-security-reminder-of-industrys-lack-of-focus-on-actually-improving-security\/\">telling people they need to take advanced security measures, while many, including those same companies, are still failing to do the basics<\/a>.<\/p>\n<p>Another area where we have seen this involves the security company SiteLock and their web hosting partners. 
We have written numerous posts about <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2016\/11\/07\/looking-at-how-sitelock-sells-their-services-versus-the-reality-behind-them\/\">SiteLock&#8217;s<\/a> <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2017\/01\/11\/sitelock-misleads-potential-customers-about-why-websites-get-hacked-to-lock-them-in-to-long-term-commitments\/\">bad<\/a> <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2017\/01\/12\/cancelling-sitelock-services-sounds-like-it-is-just-as-bad-as-everything-else-with-them\/\">practices<\/a>, one of them being that they and their web hosting partners (<a href=\"https:\/\/www.whitefirdesign.com\/blog\/2016\/09\/09\/sitelock-hosting-partner-gets-majority-of-fees-for-sitelock-services\/\">who get paid handsomely to push their services<\/a>) sometimes <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2016\/05\/03\/it-looks-like-sitelock-is-scamming-people\/\">falsely claim that websites contain malware or have otherwise been hacked<\/a>. What we have consistently said, though, is that you shouldn&#8217;t assume that the website isn&#8217;t hacked, and we have recommended getting a second opinion (something we are happy to provide for free). Unfortunately people often conflate SiteLock&#8217;s\u00a0many bad practices with the idea that any claim by them or their partnered web hosts that a website is\u00a0hacked is false.<\/p>\n<p>For example, yesterday we ran across someone on Twitter claiming that Bluehost\u00a0was falsely stating\u00a0a website had malware on it:<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">No longer recommending <a href=\"https:\/\/twitter.com\/bluehost?ref_src=twsrc%5Etfw\">@bluehost<\/a> anymore. 
They&#39;re holding my Mom&#39;s blog hostage with some BS malware\/Sitelock scam.<\/p>\n<p>&mdash; Amanda Howell (@AmandaSueHowell) <a href=\"https:\/\/twitter.com\/AmandaSueHowell\/status\/823589000330039296?ref_src=twsrc%5Etfw\">January 23, 2017<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>We asked them how they determined that, and the answer was that they hadn&#8217;t actually done that:<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">My dad is in computers so her stuff is always super locked down. And this is a well known scam. Google malware sitelock scam<\/p>\n<p>&mdash; Amanda Howell (@AmandaSueHowell) <a href=\"https:\/\/twitter.com\/AmandaSueHowell\/status\/823613655380017161?ref_src=twsrc%5Etfw\">January 23, 2017<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>We then tried to explain that while there are false claims made by them and the web hosting partners, the claims are often true, and suggested that they get a second opinion from a security company (letting them know we do that for free). At that point they blocked us.<\/p>\n<p>If the website did contain malware, which seems to be of decent likelihood, then their tweets help perpetuate the issue.<\/p>\n<h2>Ignoring the Evidence<\/h2>\n<p>What makes the false claims even more problematic is that\u00a0they feed into an existing belief that we have often seen, with\u00a0people assuming that claims that their website is hacked are not true, even when coming from parties that have no profit motive (like Google).<\/p>\n<p>When it comes to SiteLock and their web hosting partners we see two very different scenarios.<\/p>\n<p>In some cases access to the\u00a0website is shut off immediately and they haven&#8217;t provided any evidence of the supposed hack that led to that 
happening, which makes the claim\u00a0legitimately seem questionable.<\/p>\n<p>In others they actually provide evidence, which should be easily checked, but is instead ignored. Take for example, someone, also hosted with Bluehost, that contacted us recently. They had been\u00a0sent the following email by their web host:<\/p>\n<blockquote><p>[redacted],<br \/>\nYour [redacted] account has been deactivated due to the detection<br \/>\nof malware. The infected files need to be cleaned or replaced with clean<br \/>\ncopies from your backups before your account can be reactivated.<\/p>\n<p>Examples: \/home1\/[redacted]\/public_html\/config.php.suspected<br \/>\n\/home1\/[redacted]\/public_html\/post.php.suspected<\/p>\n<p>\/home1\/[redacted]\/public_html\/administrator\/components\/com_weblinks\/tables\/s<br \/>\nession.php<\/p>\n<p>\/home1\/[redacted]\/public_html\/components\/com_content\/models\/articles.php<\/p>\n<p>To thoroughly secure your account, please review the following:<br \/>\n* Remove unfamiliar or unused files, and repair files that have been<br \/>\nmodified.<br \/>\n* Update all scripts, programs, plugins, and themes to the latest<br \/>\nversion.<br \/>\n* Research the scripts, programs, plugins, and themes you are using<br \/>\nand remove any with known, unresolved security vulnerabilities.<br \/>\n* Update the passwords for your hosting login, FTP accounts, and all<br \/>\nscripts\/programs you are using. 
If you need assistance creating secure<br \/>\npasswords, please refer to this knowledge base article:<br \/>\nhttps:\/\/my.bluehost.com\/hosting\/help\/418<br \/>\n* Remove unused FTP accounts and all cron jobs.<br \/>\n* Secure the PHP configuration settings in your php.ini file.<br \/>\n* Update the file permissions of your files and folders to prevent<br \/>\nunauthorized changes.<br \/>\n* Secure your home computer by using an up-to-date anti-virus program.<br \/>\nIf you&#8217;re already using one, try another program that scans for<br \/>\ndifferent issues.<br \/>\nYou may want to consider a security service, such as SiteLock, to scan<br \/>\nyour website files and alert you if malicious content is found. Some<br \/>\npackages will also monitor your account for file changes and actively<br \/>\nremove malware if detected. Click here to see the packages we offer:<br \/>\nhttps:\/\/my.bluehost.com\/cgi\/sitelock<\/p>\n<p>Please remove all malware and thoroughly secure your account before<br \/>\ncontacting the Terms of Service Department to reactivate your account.<br \/>\nYou may be asked to find a new hosting provider if your account is<br \/>\ndeactivated three times within a 60-day period.<\/p>\n<p>Thank you,<\/p>\n<p>Bluehost Support<\/p>\n<p>http:\/\/www.bluehost.com<br \/>\nFor support, go to http:\/\/my.bluehost.com\/cgi\/help<\/p><\/blockquote>\n<p>Over a month later they were notified by SiteLock that the website had been deactivated. Even then they didn&#8217;t look at the files that Bluehost had provided as examples of the malware infection, while questioning if they were really hacked.<\/p>\n<p>When we took a look at the names of the files and their locations mentioned in that email, we noticed one of them wouldn&#8217;t normally be in that location in a Joomla website. 
That isn&#8217;t something\u00a0we expect that the average person would know, but it does show how easy it should be for someone that has actual expertise with dealing with hacked websites using the software running your website to\u00a0double check the claims for you.<\/p>\n<p>Looking at the content of the files, we think that even a layman would think that something was off with them. And for us it was obvious by just looking at them that they really were part of a hack and not a false positive, so we could easily confirm that the claim was actually true in this case.<\/p>\n<h2>Get a Free Consultation From Us<\/h2>\n<p>If you have been contacted by SiteLock or a web host (whether a SiteLock partner or not) claiming your\u00a0website is hacked, feel free to <a href=\"https:\/\/www.whitefirdesign.com\/contact\/sitelock-second-opinion-contact-form.html\">contact us<\/a> to get a second opinion as to whether the website is really hacked, and if it is, we will provide you with a free consultation on\u00a0how you can best deal with the issue. To provide that second opinion please provide us with the evidence SiteLock is providing to back up their claim.<\/p>\n<p>If your web host is pushing you to use SiteLock you <a href=\"\/blog\/2016\/11\/08\/what-you-need-to-know-when-sitelock-contacts-you-claiming-your-website-has-malware-or-is-otherwise-hacked\/\">should be aware of a number of items before making any decisions<\/a>\u00a0and you should know that <a href=\"\/sitelock-comparison.html\">we can provide you with a better alternative for cleaning up the website for less money<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When it comes to the poor state of web security we often find that security companies play an important role in that. That includes making up threats and telling people they need to take advanced security measures, while many, including those same companies, are still failing to do the basics. 
Another area we have seen &hellip; <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2017\/01\/24\/dont-ignore-a-message-from-sitelock-or-your-web-host-that-your-website-has-malware\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Don&#8217;t Ignore a Message From SiteLock or Your Web Host That Your Website Has Malware&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,27],"tags":[39],"class_list":["post-3249","post","type-post","status-publish","format-standard","hentry","category-bad-security","category-website-hacked","tag-sitelock"],"_links":{"self":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/3249","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/comments?post=3249"}],"version-history":[{"count":6,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/3249\/revisions"}],"predecessor-version":[{"id":4347,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/3249\/revisions\/4347"}],"wp:attachment":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/media?parent=3249"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/categories?post=3249"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/tags?post=3249"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}