kdev, posted November 18, 2012:

a. your HelioHost username: kdevdata
b. the server your account is on: stevie
c. your HelioHost main domain: kdevdata.heliohost.org

Has been suspended as of just moments ago. Please advise and I will gladly fix the problem. I apologize ahead of time.
Tjoene, posted November 18, 2012:

You were suspended for the following reason: Malware (1 file) PHP.Shell-22 found. That means that there are some malware files found on your account. For your safety, your account has been suspended. You need to clean your files within 24 hours, or you will be suspended again.

To find the infected files you can take a backup of your site, download the files to your computer and scan the files using a virus and malware scanner like AVG Virus scanner and Malwarebytes. If you are certain that it is a false positive, we strongly encourage you to file a false positive form here: http://cgi.clamav.net/sendvirus.cgi

Your account should be unsuspended now.
Krydos, posted November 19, 2012:

It's been 13.5 hours already and this still isn't taken care of. Here is a hint: /home1/kdevdata/public_html/airlines/hq/e107_images/ss.php

You only have 10.5 hours left to take care of this yourself before your account is suspended again.
kdev (author), posted November 19, 2012:

> It's been 13.5 hours already and this still isn't taken care of. Here is a hint: /home1/kdevdata/public_html/airlines/hq/e107_images/ss.php
> You only have 10.5 hours left to take care of this yourself before your account is suspended again.

There were other files too! I downloaded a backup and scanned it. So this is another new file since I fixed it this morning. I'm trying to figure out how they are getting in. I have copies of their scripts/php files (2 of them so far) and they seem to be targeting "images" folders; don't know if that's on purpose or not. This sucks. I don't know how they managed to do this and why in the first place. But this happened to me before in the past with E107. I've removed the stuff I found, and set permissions correctly to 644 on all those folders... Still kind of at a loss and scratching my head on this one.

Thank you for giving me the time to correct it! Appreciated.
Krydos, posted November 19, 2012:

> I don't know how they managed to do this and why in the first place.

The most common way for hackers to gain access to your site is by offering free themes and plugins that have some sort of a shell hidden in them. You download the theme or plugin and install it and it phones home to the hacker letting them know it exists. Then they can come along and alter files in your directory, send spam emails from your accounts, or just gain access to your data.

> Thank you for giving me the time to correct it! Appreciated.

Yeah, no problem. Your account is now showing up as clean. Thanks for taking care of this.
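The thread leaves the site owner hunting for dropped PHP files by hand. The following is an added example, not code from HelioHost or any poster, of a small triage scanner that applies the clues the thread gives: PHP files sitting in "images" directories, files left group/world-writable rather than 644, and webshell-style code patterns (dangerous sinks fed from request input, eval over a decoder). The patterns, the sample web root and the file names in demo() are constructed for the example; it is a heuristic first pass, not a replacement for a real antivirus scan.

```python
import os
import re
import stat
import tempfile

# Constructed heuristics: sinks fed straight from request input, eval over an
# obfuscation decoder, and "variable function" calls built from request input.
SUSPICIOUS = [
    re.compile(r"\b(eval|assert|system|exec|passthru|shell_exec|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
    re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I),
    re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
]
IMAGE_DIR_HINT = re.compile(r"image", re.I)  # e.g. e107_images, as in the thread

def scan_tree(root):
    """Walk a web root; return sorted (relative path, reasons) for PHP files worth a look."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            if IMAGE_DIR_HINT.search(os.path.relpath(dirpath, root)):
                reasons.append("php-in-images-dir")
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & 0o022:  # anything looser than 644 lets other users write it
                reasons.append("group/world-writable (%o)" % mode)
            try:
                with open(path, "r", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            if any(pat.search(text) for pat in SUSPICIOUS):
                reasons.append("pattern:shell-like-code")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)

def demo():
    """Constructed mini web root: one benign index.php and one suspicious file in an images dir."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "e107_images"))
    good = os.path.join(root, "index.php")
    with open(good, "w") as fh:
        fh.write("<?php echo 'hello'; ?>")
    os.chmod(good, 0o644)
    bad = os.path.join(root, "e107_images", "ss.php")  # name taken from the thread's hint
    with open(bad, "w") as fh:
        fh.write("<?php eval(base64_decode('PLACEHOLDER_NOT_REAL_CODE')); ?>")  # constructed sample
    os.chmod(bad, 0o666)
    return scan_tree(root)
```

Run scan_tree() against a downloaded backup of public_html; every flagged file still needs a human look, since legitimate plugins occasionally match these patterns too.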