Account suspended

Question: Good day. The account is suspended. And the reason? A letter in the mail?
Answer:

Hello. The account was blocked for sending spam. The antivirus has detected a lot in your account. This is a consequence of a vulnerability in the components of your site's engine.


Question: I do not understand two things: 1. Why was I not notified of the lock? The website, two days now... not critical, but unpleasant... 2. Why FTP? I can't even clean it now, although I'll try to go through the web interface... I would like to work through these points...
Question: So... it works through the web interface... Clean, please check the list and open the account - I'll poke around for other "unexpected" files.. )))) I would be glad of a link to a Joomla with the vulnerability closed )
Answer:

1. The message was sent to the mailbox specified in the profile. Is the EMAIL mailbox current?

2. Tell us the IP you will work from, and we will open access for you.

Question: Oh, and... perhaps a coincidence, but personally I doubt it ))) Just a couple of days ago I checked the website for the vulnerability using the link sent by the company eHost. I quote the letter: Dear customers, a serious vulnerability has been discovered in the WordPress CMS, which allows your site to be used for DDoS attacks and creates a significant load on our servers. We earnestly ask you to take measures to eliminate this problem. You can read more about the issue here: http://habrahabr.ru/post/215543/, and check your website here: http://labs.sucuri.net/?is-my-wordpress-ddosing. There is a suspicion of involvement of this service. The headers of this letter:

Delivered-To: EMAIL
Received: by IP with SMTP id l65csp47439ykf; Thu, 13 Mar 2014 03:43:26 -0700 (PDT)
X-Received: by IP with SMTP id z1mr1270676eel.97.1394707405844; Thu, 13 Mar 2014 03:43:25 -0700 (PDT)
Return-Path:
Received: from mail.ehost.by (mail.ehost.by. [IP]) by mx.google.com with ESMTP id z42si3603547eel.212.2 IP.43.25 for ; Thu, 13 Mar 2014 03:43:25 -0700 (PDT)
Received-SPF: pass (google.com: domain of EMAIL designates IP as permitted sender) client-ip=IP;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of EMAIL designates IP as permitted sender) smtp.mail=EMAIL
Received: from my.ehost.by (unknown [IP]) by mail.ehost.by (Postfix) with ESMTP id CFF5F14A80D for ; Thu, 13 Mar 2014 12:43:24 +0200 (EET)
Date: Thu, 13 Mar 2014 12:43:24 +0200
To: =?utf-8?B?0JDQu9C10LrRgdC10Lkg0JPQu9C10LHQunc6?=
From: "eHost.by"
Subject: =?utf-8?B?0KPRj9C30LLQuNC80L7RgdGC0YwgV29yzhbyzxnziq==?=
Message-ID:
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_c69738b5509c190b6de1a41733124be4"

Question: The mailbox is current. (((( IP: ip
Answer:

access is opened

Answer:

We sent you the list of viruses detected on your account to the mailbox EMAIL. Did it arrive?

Question: It came, but somehow fell into "spam", although "the answer to your ticket" messages normally come to the Inbox... but there was no spam warning... (((
Question: "A network error when sending a login prompt. Please try again. If this condition persists, contact your network service provider." What could it be?
Answer:

Check whether our previous message also ended up in "spam" and you deleted it; the list was there too.

Question: No, I don't clean out my spam... and I even read it now and then, because at times non-spam messages land there. The first letter in spam is dated the 11th of February... which is actually Google's auto-purge date... it seems that this message did not come at all... ((((
Answer:

We always send a notification. What sense is there in blocking a customer's account without his knowledge? First comes the notification and then the lock, if the problem is critical. A spamming account is unfortunately a critical situation; it negatively affects the reputation of the server's IP.

Question: Yes, that is so, I just, you know.... in the case of spam, blocking... spam databases are no joke... I still do not understand: I do not see the specified files (((( I would guess that they are available via MOD_REWRITE, but links a file...
Question: Oh, and... I understand that I had better replace Joomla? Tell me, with what?
Answer:

Joomla is better than WordPress. You can try DLE, but it is paid in Ukraine.

Question: But it is clearly vulnerable. A fresh version, I hope, will not suffer from this? And, as I understand it, you cleaned the files yourselves? Can the account be unlocked?
Answer:

What did you do to resolve the problem?

Question: To start with, I turned the website off at the Joomla level. Presumably, this has disabled the potentially dangerous part of it, and will not let me onto the site without admin authorization. And I am still waiting for your answer to the question: where are these files!!! THEY ARE NOT THERE!!!
Answer:

We had them removed. Why keep it? You need to change all passwords and check your computer for viruses.

Question: Passwords changed; the computer is checked for viruses in real time with the regularly updated official ESET database.
Answer:

open.

Question: Thanks. Found Joomla, tomorrow I will try to install it )
Answer:


OK

Question: Are you guys kidding, or is the hosters' network down? Enable the account and check your antivirus. Locked again, and again a single letter.
Question: And while you take the time to answer, at the same time tell us: why are cPanel and FTP blocked? To solve the problem, it is sufficient to disable the vhost and give me the opportunity to at least see the problem. The situation strongly suggests that no vulnerabilities were ever used, and that the problem is the result of incorrect operation of your software.
Question: Open source projects, eh.... support has deteriorated badly... ((( Okay, I'm off to sleep... really looking forward to either an unlock, or a clear explanation of the reasons for the blocking. One somehow correlated with the real state of things...
Answer:

The antivirus is not to blame. A complaint about you was received, it was sent to you, and you didn't do anything.

(for full uri, please scroll to the right end ... 

This information has been generated out of our comprehensive real time database, tracking worldwide portals' URIs

If you review this list of offending sites, please do this carefully, pay attention to redirects also!
Also, please consider these particular machines may have a rootkit installed!
So simply deleting some files or dirs or disabling cgi may not really solve the issue!

Advice: The appearance of a Virus Site on a server means that
someone intruded into the system. The server's owner should
disconnect and not return the system into service until an
audit is performed to ensure no data was lost, that all OS and
internet software is up to date with the latest security fixes
and that any backdoors and other exploits left by the intruders
are closed. Logs should be preserved and analyzed and, perhaps,
the appropriate law enforcement agencies notified.

DO NOT JUST DELETE THE FILES. IF YOU DO NOT FIX THE SECURITY
PROBLEM, THEY WILL BE BACK!

You may forward my information to law enforcement, CERTs
other responsible admins, or similar agencies.

+-----------------------------------------------------------------------------------------------
|date |id |virusname |ip |domain |Url|
+-----------------------------------------------------------------------------------------------
|2014-03-12 00:00:05 CET |3073660 |defaced_site |IP |remixoff.ru |http://remixoff.ru/ganteng.gif

The hacker's files were and remain on your account. How do you check the website? The question is what you checked and how. The files have been there since the 12th of March!

Question: I went through FTP and through the file manager. Not a single file from the list was there!
Answer:

This cannot be; the hacker's files have been there since the 12th and have not been touched.

/home/remixoff/public_html]# stat ganteng.php
File: `ganteng.php`
Size: 758 Blocks: 8 IO Block: 4096 regular file
Device: fd02h/64770d Inode: 46299899 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 1137/remixoff) Gid: ( 1149/remixoff)
Access: 2014-03-20 01:43:22.711996726 +0400
Modify: 2014-03-12 02:51:02.823992449 +0400
Change: 2014-03-12 02:51:02.823992449 +0400

Question: I do not see an answer about the cPanel block. Maybe you could read my messages CAREFULLY? I can't test it. I don't even know!!!
Answer:

The blocking was caused by the necessity to fully block access for the hacker, because you do not respond to notices and we receive complaints about your website. Now you have access to the panel and FTP.

Question: You can read it a few messages earlier: 23:55 We had them removed. Why keep it? You need to change all passwords and check your computer for viruses. Vladimir
Answer:

What did you delete? ganteng.php and ganteng.gif? You could have removed them, because they were uploaded on March 12 and have not changed since. You said that you fully checked the website and in reality did not, for which we received another complaint, here is the one from the server's data center; we believed you and you have just set us up.

Question: When I checked, they were not there, like the long list of files that were sent. And ganteng.php was not in this list. And the file was not there. The words "once removed" were said to me by Vladimir. Can you guess that I'm very disoriented about the situation? Look at the list of files I received. It is right there in this ticket, on the last page. I do not want to think that all this is the result of illegal actions of your admins, but until I have clarity about what is happening
Answer:

These files arrived on 12 March, and there they were, and that long list, as you said, is the list of files already deleted by the antivirus. You need to check the site. The ganteng.php files are not detected by antiviruses. How do you check the website? By the way, since the ganteng files are in the root of the account, presumably the hacker has access to FTP; check your computer for viruses.

Question: Log. Virus signature database version: 9560 (20140319); date: 20.03.2014; time: 9:30:21; scanned disks, folders and files: operating memory; number of scanned objects: 890; number of detected threats: 0; completion time: 9:32:05; total scan time: 104 seconds (00:01:44). So much for the RAM... checking with "smart scan"....
Answer:


OK

Question: I tried to download the whole archive of the website - NOD yelled. I.e. there are viruses on the website. It is doubtful that a Trojan could slip onto my computer if it is in the database, and the real-time scan is never turned off. The database updates daily. Done: 1. Killed the site completely. 2. Changed the password again. I propose: 1. Turn the site on. 2. Create a cron script that checks for new files in my directory. Kills all these new files. Reports these kills. 3. See what happens. I am ready to go without a website for some time to carry out these experiments. For now I will not touch the machine; if the attack was from my computer, we will see. But personally I doubt it. I ask you to write the script, because I just don't have time for this work...
Question: Ah, that's it! Found it! Brute force of the Joomla admin panel.... ((((
Answer:

Put protection on the admin area. Upload an .htaccess with the directives:

deny from all

allow from Your ip

Remove the JCE component, disable a random check without confirmation. Put a ban on modifying configuration files (permissions 444 can be set only via the panel's file manager). The site is open for access from your IP. When the work is finished, report it and we will open access for everyone.

Mail, sorry, will be temporarily blocked for all sites.

The antivirus regularly checks the files of all users on the server.
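
The customer's request above for a cron job that watches for new files, narrowed to what the hoster's antivirus flagged in this ticket: image-named files that carry PHP, names such as `x.php.gif`, and files that appeared after a known-clean point. This is an added example, not the hoster's or the customer's script; the function names and the demo tree are constructed for illustration, and it only reports, since the dropped files are evidence.

```shell
#!/bin/sh
# Added example, not the hoster's script. Audits a directory that should hold
# only static uploads (for instance images/stories) and never deletes anything:
# the dropped files are evidence of how the intruder got in.

# Image-named files whose content contains a PHP opening tag.
# Short tags (<? and <?=) are not matched, to avoid hits inside real images.
php_in_images() {
    find "$1" -type f \( -iname '*.gif' -o -iname '*.jpg' -o -iname '*.jpeg' \
        -o -iname '*.png' \) -exec grep -laiF '<?php' {} + | sort
}

# Names with a .php segment anywhere: x.php, x.php.gif, x.php_copy.jpg
php_named() {
    find "$1" -type f -iname '*.php*' | sort
}

# Files modified after a baseline marker (touch the marker after a clean deploy).
new_since() {
    find "$1" -type f -newer "$2" | sort
}

# One line per finding: "<reason><TAB><path>". $2 (marker) is optional.
audit_upload_dir() {
    php_in_images "$1" | awk '{ print "php-in-image\t" $0 }'
    php_named "$1"     | awk '{ print "php-name\t" $0 }'
    if [ -n "${2:-}" ] && [ -e "$2" ]; then
        new_since "$1" "$2" | awk '{ print "new-file\t" $0 }'
    fi
}

# Constructed demo tree: one ordinary image dated before the baseline and
# two inert placeholder files created after it.
make_demo_tree() {
    demo_root=$(mktemp -d) || return 1
    mkdir -p "$demo_root/images/stories"
    printf 'GIF89a\001\002\003' > "$demo_root/images/stories/logo.gif"
    touch -t 201403010000 "$demo_root/images/stories/logo.gif"
    touch -t 201403110000 "$demo_root/baseline"
    printf 'GIF89a<?php /* placeholder */ ?>' > "$demo_root/images/stories/sample1.gif"
    printf '<?php /* placeholder */ ?>' > "$demo_root/images/stories/sample2.php.gif"
    echo "$demo_root"
}

# Usage: sh audit.sh DIR [BASELINE_MARKER]   (run from cron, mail the output)
if [ "$#" -ge 1 ]; then
    audit_upload_dir "$1" "${2:-}"
fi
```

Point it only at directories where no PHP belongs; a CMS keeps legitimate `.php` files elsewhere, and those would show up as `php-name` findings.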

Question: Eugene> remove component Cache.... remixoff> Done: remixoff> 1. Killed the site completely. Well, I really killed the site. Entirely. Kept it locally. When my hands get to putting it back... I will try to take the vulnerability into account.... although you know... when there are people who spend time on hacking, it is difficult to guarantee anything. PS: please ask Vladimir in future to explain the reasons for blocking more fully, especially after the code phrase "no letter". The problem could have been resolved the first time.
Question: P.P.S.: the key for me was the word ganteng.php that you quoted, together with the contents of the complaint.
Answer:

You had several reasons for blocking: spam and the deface.

Question: And it would be very nice if this info did not have to be dragged out with pincers in between work. A list of reasons, a clear explanation of the administrators' actions, recommendations for fixing (optional) - all this would dramatically increase comfort in finding the causes of the problem. As it was, my first thought was: well, if your antivirus has worked, everything is almost fine. I.e. there was neither the whole picture, nor the reasons for the problem, nor the host's further actions. And in such a situation, you will agree, it is difficult to make adequate decisions.
Answer:

The antivirus deletes the files, not the cause.

Question: As practice shows, not all files. In future, it would be very nice to have adequate feedback from support. Please understand that not everyone has time to read hundreds of pages about all the vulnerabilities, attacks, reviews, etc., and moreover to monitor this constantly, because the info is constantly updated. Therefore, when investigating specific cases, good feedback goes a long way to solving the problem. I'd like to hope that you have noticed that the letter about blocking did not arrive twice. And will solve this problem...
Answer:

Is the EMAIL mailbox current? All notices will be sent to it.

Question: My goodness.... I have the feeling that I am talking to a wall. 1. Yes, it is current. 2. Ticket notifications arrive successfully. 3. There was no message. And not in spam either. And I did not delete it!!!!!
Answer:

A test message with the list of viruses has now been sent to this mailbox. Did it get through?

Question: It came ))))) The notice did.... now that's strange )))) Shall I send screenshots? )))
Answer:

no, screenshots are not necessary

Question: Good day. You can unlock everything. The threat has been fundamentally eliminated by putting into .htaccess: Redirect 301 / http://home.remixoff.ru/ Your IP will not suffer any more!
Answer:

open access

