monyo07 Posted December 2, 2014

a. nui117
b. Stevie
c. clueslearninggroup.com

I don't know what just happened and my account got suspended. If I can just back up my data that would be really good. Thanks
Byron Posted December 2, 2014

You were suspended for spamming.

Your site was found to be infected with the CryptoPHP PHP malware. CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale. More information about this threat can be found on the referenced link below.

Fox-IT: CryptoPHP - Analysis of a hidden threat inside popular content management systems
Attackers Using Compromised Web Plug-Ins in CryptoPHP Blackhat SEO Campaign

This infection almost certainly means that the infected web site has used pirated plugins from the nulledstylez.com, dailynulled.com sites or some other site that specializes in providing "nulled" (pirated) software. Fox-IT's research has shown that every pirated theme or plug-in on these two sites has been infested with the cryptophp malware.

Fox-IT recommends that you should NOT try to "repair" the infection. The infected account should be reinstalled from scratch.

I shall repeat the previous paragraph: removing the "social.png" file DOES NOT remove the infection. "social.png" is only just one small piece of it. The infected account should be reinstalled from scratch.
monyo07 (Author) Posted December 2, 2014

Can we know where specifically this is coming from? Can I just back up my website? I'll delete all of it when I'm done backing up.
Byron Posted December 2, 2014

How bout I make a backup of your site and then delete ALL files except the backup so you can download it. Once you've downloaded, post back so I can delete the account. I think it'll be ok to create a new account but you can't upload any of the files from the backup. Agreed?
monyo07 (Author) Posted December 2, 2014

Yes please. Thanks, man. One more thing, can you detect where it is coming from?
Byron Posted December 2, 2014

No, not without making your site active again and that would risk us being blacklisted all over again. I found these 2 links on the CBL site. Maybe they can help?

https://threatpost.com/attackers-using-compromised-web-plug-ins-in-cryptophp-blackhat-seo-campaign/109505
http://blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/

Ok you should be able to login here: http://stevie.heliohost.org:2082/frontend/x3/index.phpcp and see the backup tar.gz file in the public_html folder ready for you to download. Let me know when you're done.
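
Added example, not part of the thread and not Fox-IT's own tooling: one way to find which theme or plug-in in an extracted copy of the backup carries the backdoor, without reactivating the site. It assumes the loader pattern described in the linked Fox-IT report, a PHP `include` of a file with an image extension such as "social.png"; the directory names and file contents in `build_sample` are constructed.

```python
import re
import tempfile
from pathlib import Path

IMAGE_EXT = {".png", ".jpg", ".jpeg", ".gif", ".ico"}
PHP_EXT = {".php", ".inc", ".phtml"}
# include/require whose target path ends in an image extension
INCLUDE_RE = re.compile(
    rb"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]"
    rb"([^'\"]+\.(?:png|jpe?g|gif|ico))['\"]", re.IGNORECASE)

def scan_tree(root):
    """Return (relative_path, reason) findings for an extracted backup."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        if ext in IMAGE_EXT and b"<?php" in data.lower():
            findings.append((rel, "image file contains PHP code"))
        elif ext in PHP_EXT:
            for m in INCLUDE_RE.finditer(data):
                findings.append(
                    (rel, "includes image as PHP: " + m.group(1).decode("latin-1")))
    return findings

def build_sample(root):
    """Constructed tree: one backdoored theme and one clean plugin."""
    theme = Path(root) / "themes" / "example-nulled-theme"
    images = theme / "assets" / "images"
    images.mkdir(parents=True)
    (theme / "functions.php").write_bytes(
        b"<?php /* theme setup */ ?>\n"
        b"<?php include('assets/images/social.png'); ?>\n")
    # Harmless placeholder standing in for the obfuscated payload.
    (images / "social.png").write_bytes(b"<?php /* placeholder */ ?>")
    (images / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    plugin = Path(root) / "plugins" / "clean-plugin"
    plugin.mkdir(parents=True)
    (plugin / "clean.php").write_bytes(b"<?php require_once 'lib/a.php'; ?>")

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return scan_tree(tmp)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

A hit names the theme or plug-in directory that shipped the loader; an empty result does not show the backup is clean, so the files still should not go back onto a new account.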