| Question: |
Hello Some problems with my hand again or something you have? |
| Answer: |
Hello. Check amps. what kind of domain is it? |
| Question: |
*.*.* |
| Answer: |
Your sites highly contaminated, so when you log the antivirus is blocking access to them. We launched a scan of Your account at the end of synervoice into Your mailbox will receive the report. |
| Question: |
Check please. Last time everything was in order. And Avast blocked them retroactively. I wrote to them they replied that the lock will be removed after upgrading their database |
| Answer: |
scan carried out, a report sent to Your Inbox. |
| Question: |
Well, you checked. I have no viruses. They were last week. I reinstalled everything already, but a database of viruses have updated like Avast came here. Those * script that you are suspicious - it was after reinstalling. I wrote to the doctor, they said everything is fine and that you are using an old version of Dr. Dolittle |
| Answer: |
Aybolit is a simple scanner, the sites contained in the database of the antivirus is blocked, You need to contact Avast so they checked and removed the site from the database. |
| Question: |
I wrote to you ) Avast sites blocked in hindsight. I wrote to Avast and they replied that the lock will be removed after upgrading their database |
| Answer: |
what does avast? You check your email? Str***@mail.ru is your box? yesterday we sent another complaint on your website [ SpamCop V*.*.* ]
This message is brief for your comfort. Please use links below for details.
Spamvertised web site: http://art-asfalt.com/z*hnl
https://www.spamcop.net/w*m?i=z**********z**e*b******d*d*****d***f*e****e*z
http://art-asfalt.com/z*hnl is **.**.*.**; Tue, ** Oct **** **:**:** GMT
[ Offending message ]
\"From Conrad.***@daniellysimmer.com Tue Oct * **: **:** ****\"
Return-Path:
Received: from dslb-***-***-***-***.***.***.pools.vodafone-ip.de
(dslb-***-***-***-***.***.***.pools.vodafone-ip.de [**.***.**.*])
by thor.haveland.com (*.**.*/*.**.*) with ESMTP id u**Kxoai******
for ; Tue, * Oct **** **:**:** +****
Received: (from hq@localhost)
by daniellysimmer.com (*.**.*/*.**.*/Submit) id CAFC*F*C****.
Tue, ** Oct **** **:**:** +****
(envelope-from hq)
Date: Tue, ** Oct **** **:**:** +****
Message-Id:
To: x
Subject: contact information
MIME-Version: *.*;
Content-Type: multipart/mixed; boundary=\"--****** cf****c***fcd******ef***d*\"
From: \"Moshe Conrad\"
----******cf****c***fcd******ef***d*
Content-Type: text/plain;
charset=\"utf-*\"
Content-Transfer-Encoding: *bit
Infected sites referenced in the attachment:
http://art-asfalt.com/z*hnl |
| Question: |
I see the email, it was Spam I don`t understand such complaints. Tell me the Russian language, my site has a virus right now or the fact that the site was in the database of Avast for old sins? On the website complain and who? |
| Answer: |
is a world renowned organization against spam and viruses www.spamcop.net they brought forth the complaint in Cento yeah that one site is spreading viruses and provided a link to the virus itself. http://art-asfalt.com/z*hnl this file was in the Koren website. what did you do in order to clear the site and secure it from last time? |
| Question: |
I have the last time a virus got because I don`t have time to update WordPress. I installed an old backup, upgraded WordPress and all plugins + extra plugins poudalyat. Again some updates of WordPress missed. Okay, I`ll be back tonight to check everything, and if that specialist can give on finding vulnerabilities |
| Answer: |
when will work with the website, please report Your ip, we will open You the access |
| Question: |
And it will be possible to * ip to open if I give the website a specialist? |
| Answer: |
it is possible. you can at least * * |
| Question: |
Please unlock me - **.***.***.*** |
| Answer: |
open access |
| Question: |
I have another question, can non-standard ) And it is possible for my account to close completely the FTP access? If I do not use it, because it can no longer affect my sites? |
| Answer: |
You can simply change the password, and this password sruzu set to login via FTP. |
| Question: |
And is it possible to watch the IP addresses from which access was gained to the site? Or this information is stored day? If so, might it be time to see if will continue hacking? |
| Answer: |
the Question referred to the administrator, wait for amp. |
| Question: |
And the password in the personal Cabinet of your site and FTP will be the same as always? I just don`t use FTP at all, I think that maybe for security it is generally easier to disable? |
| Answer: |
this should not be done, assign a more complex password, if You want to appear in сPanel via a button in Your personal profile, passwords must match. |
| Question: |
I`m in C-panel under Settings-Password changed password is * password and on the C-panel and FTP? |
| Answer: |
Yes, the password is changed immediately and on the FTP. |
| Question: |
Clear. Then I expect the administrator will respond I want to make the IP of the attacker to the blacklist And I have another request - I uploaded a backup, re-install please files from the two sites, just in case there was something else changed besides adding the virus |
| Answer: |
check amps. what sites, and when was the backup made? |
| Question: |
*.*.* I only have * them in your account. Backup for ** ** **** |
| Answer: |
the attacker does not work with your ip, no burglar in their right mind will polzovalas his ip, so calculating the ip and blocking it completely meaningless http://lukomore.org/lurk/Вычислю_по_IP the Only thing for which you may need the ip so it to search the action log from this ip utochnyat please name the file backup |
| Question: |
Well, the search log can be done I * the backup file is in the root, the name contains the date date** ** **** |
| Answer: |
utochnyat on what ip to do a search? |
| Question: |
The attacker? I asked you how to do this, find the IP, I don`t know. |
| Question: |
If you have not reinstalled yet - can I quickly make a backup of the hacked website to have to look for some damage? Or you started a replacement already? |
| Answer: |
need to review the logs and look for the attacker. |
| Question: |
I can do it myself or do I need to ask you? I`ve never done this before I Actually have how last time went the updates on the plugin as I don`t have time to update, and the hacking, I think this is the reason. But I can`t understand this need to constantly and daily to monitor the updates? It seems to me not watching, it turns out must be a bunch of hacks due to late updates |
| Answer: |
you can view the logs. logs you can find in paneeli menu - neopentane access logs. we can assist you in finding the right koncertnoy information in the log. ie you say what specifically , what specific word you need to seek and we will make You a sample of the log in fact, to leave the site unattended without updates for a long time impossible. it happens that there are critical vulnerabilities and their need to quickly eliminate. of course break not all sites. hosting there are sites which are already over *-* years that has not been updated in , have a bunch of critical vulnerabilities and not hacked. but they are very lucky. usually hacking is not a person but a robot using kriticheskie vulnerability just takes ukad server ip and scans sites on it and breaks all websites that have this critical issue **% of break-ins are done exactly. |
| Question: |
Sorry, I don`t understand where to look logs. In C-panel, I see this header and other headers associated with the logs |
| Answer: |
American translators once again screwed up with the translation, each update panel, change the name menu block - metrics menu - access to the raw data |
| Question: |
I downloaded the app, unzipped, and these files to open? |
| Answer: |
with Notepad. these are text files |
| Question: |
I`m tired already I guess, but tell me still, if not difficult, I Have here the log file of FTP, there is one record from * ** **given the fact that I do not use FTP, it is a record, and you`ve blocked the sites * ** **, it turns out I was hacked still on the FTP? The text of the record: * ** **:**:** **** * ***.***.**.*** * /***/public_html*ftpchk*.*admin*.*ftp * * * ** **:**:** **** * ***.***.**.*** * /***/public_html*ftpchk*.*admin*.*ftp * * * ** **:**:** **** * ***.***.**.*** * /***/public_html*ftpchk*.*admin*.*ftp * * * ** **:**:** **** * ***.***.**.*** * /***/public_html*ftpchk*.*admin*.*ftp * * * ** **:**:** **** * ***.***.***.*** ****** /***/public_html***admin*.*ftp * * * |
| Answer: |
what is the password from the user [email protected] ? http://whatismyipaddress.com/ip/***.***.***.*** |
| Answer: |
now, change all the passwords |
| Question: |
OK, I`ll switch. Was password - ***^***From FTP was easy |
| Answer: |
and check your computer for viruses. to crack the password it is impossible, unless of course it is not too simple, but to steal a password Trojan elementary |
| Question: |
So you tell me, was I right? This is the log of the attacker was? Via FTP still downloaded the virus? Yes, I now change everything and will check the computer |
| Answer: |
judging by the log TOD, this file was in the downloads, ip is clearly not your |
| Question: |
Well. Then I`m scanning the computer. I re-install please files sites from a backup, just in case. Backup root for ** ** ****. I then go do the updates of the plugins, and in any case will be for them often follow. You tonight will you start? After all the updates, when I get them? |
| Answer: |
account vosstanovlen from your backup |
| Question: |
Hello I had another virus on the website And the FTP logs again appeared, I do not use * ** **:**:** **** * **.***.***.*** ** /***/public_html*.php*admin*.*ftp * * * ** **:**:** **** * **.***.***.*** ** /***/public_html*.*.php*admin*.*ftp * * * ** **:**:** **** * **.***.***.*** ** /***/public_html*.*wp*admin*.php*admin*.*ftp * * * ** **:**:** **** * **.***.***.*** ** /***/public_html*.*wp*.php*admin*.*ftp * * * ** **:**:** **** * **.***.***.*** ** /***/public_html*.*wp*.php*admin*.*ftp * * * ** **:**:** **** * **.***.***.*** ** /***/public_html*mysql*.php*admin*.*ftp * * * ** **:**:** **** * **.***.***.*** ** /***/public_html*wp*admin*.php*admin*.*ftp * * * ** **:**:** **** * **.***.***.*** ** /***/public_html*wp*admin*images*.php*admin*.*ftp * * * ** **:**:** **** * **.***.***.*** ** /***/public_html*wp*admin*.php*admin*.*ftp * * * ** **:**:** **** * **.***.***.*** ** /***/public_html*wp*admin*.php*admin*.*ftp * * * ** **:**:** **** * **.***.***.*** ***** /***/public_html*.*.php*admin*.*ftp * * *This is hacking in the logs recorded?What is that box admin*.*? It is through him that done? I do not and did not use them ever |
| Question: |
And as for your letter, which says *: * ** **:**:** **** +*****: `/***/public_html*.*wp*admin*images*: *** emails* ** emails:****-**-** **:**:** ***/public_html*.*wp*admin*images * *: /*sendmail* This virus was in this directory are loaded by an attacker, or I could upload a picture of a virus? You have removed this file? What was that about? |
| Answer: |
Hello. utochnyat what exactly should be recorded in the logs? let what to look for and we will make You a sample of logs. we can only check You site again antivirus |
| Question: |
In General, in order to understand the reason I want to know the time of hacking. If you take the FTP logo - as I understand all third-party zafiksirovany there IP it will be IP of the attacker? My IP is static - **-***-***-***. I just have the * option, or the password stolen again was on the FTP was hacked, or I * day overlooked the plugin update and the attackers took advantage. Or variant even if the antivirus was in the pictures, could I image to fill with the virus?And I put in the root of your backup in * August, please replace balami backup files two sites. So viruses were not any exactly |
| Answer: |
connect to the website service https://virusdie.ru specify which folders you what to replace |
| Question: |
OK. And there can be * to besplatnipornici or *? If * is the one that cracked last or main? How do you usually make a replacement. The folders where the virus can be. But in order not to touch the database, so that the texts will not disappear |
| Answer: |
just specify the path to the folder you want to replace |
| Question: |
How do you usually do? I`ve never said I understand that all files of the site or those files, which might suffer in the Wake of the virus. The backup I have a clean, virus-free. Well, just to change files, Publichtml fundamentally, so what extra files have appeared. Need to once was nothing. In plugins, imagej need to replace it on both sites. In the roots they have. Well, at its sole discretion. You yourself before doing the replacement, I didn`t say where to change. I trust, I have after a backup was not particularly change |
| Answer: |
what are the sites which you need vosstanovit from backup |
| Question: |
There * site, both just in case |
| Answer: |
the request sent to the administrator. |
| Question: |
Well, hacking - turns out it is again FTP? |
| Answer: |
if ftp then you need to scan your computer. because different passwords can not be stolen |
| Question: |
I`m at work you go to the computer in the mail. Maybe there is a virus and so was stolen.Here is the place in the FTP logs. That I got hacked ** Oct? IP is not mine. And what is this email?* ** **:**:** **** * **.***.***.*** ***** /***/public_html*.*.php*admin*.*ftp * * * |
| Answer: |
have you added ftp user [email protected] ? |
| Question: |
Must have been year *,*-* ago, I can`t remember it. I have not used FTP since then |
| Answer: |
delete this user or smenet him the password |
| Question: |
Removed. Now I have no accounts only * special left. It probably had something to protect? So all the same in the logs that the hack was ** numbers? |
| Answer: |
change passwords |
| Question: |
Changed password, email, your website, and spanel *-administrator accounts from the site. The computer Kaspersky installed. |
| Answer: |
ok
|
| Question: |
Then write backup when everything resets. And that there is a need to quickly plug-ins to update. |
| Answer: |
do not change until nichego sites |
| Question: |
Before replacing with a backup, I mean? Well, don`t touch anything, only the password changed |
| Answer: |
files replaced by files from backup |
| Question: |
Then all turns out? I do all the updates, FTP account deleted, I hope this helps. And Virusi connect if that helps |
| Question: |
Thank you for the help |
| Answer: |
virusdie this additional monitoring of the site. |
| Question: |
Sorry, I have to my left a file behind ** the number, it was not in the old backup - *.php.* It can be malicious? |
| Answer: |
This is an empty file. You can delete it. |
| Question: |
And please tell me more. Give the virus found in the file as suspicious. *. ***.php created * ** ***. ***.php is also created * ** ** Better to remove them? I personally files are not created. One in the root of the site, the second in the folder wp*/ |
| Answer: |
Expect. We ran a scan of your account. |
| Question: |
Well. I actually scanned on Virusi and found. And-at least partially-I see that the truth is the left file. But the doctor did not find |
| Answer: |
Yes. |
| Question: |
There * files threatening. I understand I can remove except for wp*.php? This is a working file, but there is written the code is malicious. To remove only * line of code. In the same way ? And tell me, after this cleaning I need more time to change all passwords? |
| Answer: |
at the beginning, copy all these files to his computer, just in case, to have something to replace if not correct edit the file. |
| Question: |
And about the passwords, what do you say? We need to change again after removal? |
| Answer: |
it is Desirable to change, for greater reliability. |
| Answer: |
Result: str**/public_html/AI-BOLIT-REPORT-__-******-**-**-****_**-**.html |
| Question: |
Tell me, can you give me all finally changed, and it was all mark? This backup was tested by Dolittle immediately, there were not as many viruses |
| Question: |
Maybe even all files to be replaced? |
| Answer: |
What to replace? |
| Question: |
I last time I checked the backup Dolittle. There were no viruses. Now you have something partially changed, but a lot of virus left. So maybe it was necessary to replace? |
| Question: |
All, I found a bunch of threats via the antivirus Virusi and cleaned it up. Please check Dolittle again |
| Answer: |
please Wait. |
| Answer: |
check Report: /public_html/AI-BOLIT-REPORT-__-******-**-**-****_**-**.html |
| Question: |
And you can check my backup, which I will fill, and if there isn`t so much vredanosnuyu files - completely rearrange everything from the old backup, in addition to the database? |
| Question: |
And you can check my backup, which I will fill, and if there isn`t so much vredanosnuyu files - completely rearrange everything from the old backup, in addition to the database? |
| Answer: |
upload, will check it out. |
| Question: |
Uploaded |
| Answer: |
Specify the name of the file |
| Question: |
Backup root for * * * * * he`s there * |
| Answer: |
the scan started at the end, Your Inbox will be sent the report. |
| Question: |
Thank you, received. Please check again the current sites Dolittle. It seems to have everything cleaned up |
| Answer: |
the rescan is running. |
| Question: |
Can he file Dr. Dolittle to get to file Manager I can see? And then the post is not clearly at all, the text is not structured |
| Answer: |
It is in your public_html folder, you can download to your local computer. |
| Question: |
It is not there |
| Answer: |
please Wait. |
| Question: |
Thank you very much for your help. Everything seems to be fine already |
| Answer: |
the report in the folder. You have downloaded? |
| Question: |
Yes, I had already downloaded and deleted. Now everything check it again and make a backup yourself |
| Answer: |
ok
|
