WXforum.net
Miscellaneous Debris => Tech Corner => Topic started by: PaulMy on August 24, 2017, 08:36:54 PM
-
I received an email today from GoDaddy which, in part says:
Our scans flagged your komokaweather.com hosting accounts as containing possible malware.
Please sign in to your hosting account and review the following content and remove or fix the files listed below:
html/.errordocs/missing_bck_old.php
html/j-template/admin/menu/updateMenu.php
(9 more files in Meteotemplate files folder)
html/komokaweather-ca/ec-icons_gif/14p60_noversion.php
html/komokaweather-ca/wsMetNoSA/lang/wsLanguage-de-local_infoold.php
html/wsMetNoSA/lang/wsLanguage-en 2_ver1.php
(3 more add on script files in my Saratoga template folder)
Weather28/ewn_frc/js/highcharts.min.js
html/pws-mysql/eq.php
html/pws-mysql/eqfolder/eqlist.php
html/pws/eq.php
html/pws/eqfolder/eqlist.php
and a few more
Call our security experts at 1-866-938-1119 for assistance.
Prevent future infections.
Add GoDaddy Website Security to your site, so this doesn't happen again.
• Scan and remove malware.
• Stop malware before it reaches your site.
• Detect security gaps and back doors before they're exploited.
These files are mostly from my Meteotemplate, Leuven and PWS templates, and some are redundant old versions that I had not removed from my webserver so will be doing that now.
I called GoDaddy to make sure this is a legitimate message and it is. GoDaddy says they have done a scan, which he said they rarely do, and those files showed up. I can have them clean the files for a $300 fee and subscribe to their Website Security to avoid this happening in the future. However they are not telling me at this time that I actually have to do anything.
Anyone experienced this before, or is this a GoDaddy solicitation for their services?
Paul
-
IME GoDaddy always tries to get money from you. Caveat emptor. (How do you think he pays for the girls??)
-
I'm not seeing anything using Malwarebytes and Panda while visiting the site. They are continually trying to sell or have me upgrade something. I think it's more likely a scam for money, but by GoDaddy.
-
The files
html/komokaweather-ca/ec-icons_gif/14p60_noversion.php
html/komokaweather-ca/wsMetNoSA/lang/wsLanguage-de-local_infoold.php
May actually *be* malware .. there are no PHP icons in ec-icons, and the _infoold addition to wxLanguage-de-local.php looks suspicious. You should download those files, zip em up and send to me.. I can take a look.
Also send any Saratoga add-on files that were flagged. It's possible a miscreant inserted stuff in your site in those files.
-
Thanks Ken, sent PM.
Regards,
Paul
-
Good morning Paul,
To add to Ken's comments, those files should NOT be on your server and they are "normally" not in the download zip either. I just checked.
wsMetNoSA/lang/wsLanguage-de-local_infoold.php correct name => wsLanguage-de-local.txt
wsMetNoSA/lang/wsLanguage-en 2_ver1.php correct name => wsLanguage-en.txt
weather28/ewn_frc/js/highcharts.min.js
=> the folder ewn-frc/ is not used anymore, as Henkka continually enhances the ewn scripts, so they are run in an iframe now. You can delete the complete folder as they are not relevant for Canadian users.
=> I compared your weather28/..../highcharts.min.js file with the original distribution, they are identical, so this is a "false positive"
Question 1: can you please give the links to the other "3 more add on script" files? Those are not Saratoga ones, maybe Leuven?
Question 2:
The big question is: How do those files arrive at your sites? Someone is/was uploading those files.
You host multiple websites with different URLs, is only one site flagged or more than one?
If multiple sites are compromised, do you use multiple FTP ID/passwords, one for every site?
Or do you use 1 FTP ID/password for all sites?
Wim
-
I have gotten the same message from GoDaddy too.
Check those files carefully. There were some image files that had copies renamed with a .php extension injected into my site also. I was flagged and had to remove them all. There were a few from GoDaddy that weren't actually malware when they thought they were. How they keep getting put on my server is a real head scratcher to me.
-
Paul can you please post the 9 links to MT pages?
-
Ken has given a suggestion which I am trying.
I am a little busy this morning with other things so will be later today before I can get back to @Jachym and @Wim.
Thank you all for your assistance.
Paul
-
I have a water company site hosted on a reseller Godaddy site, and received a similar email a few months ago, without the sales pitch.
They flagged some files that were indeed malware, as well as some legit ones. I copied off the bad ones for reference, and deleted them.
Anyone experienced this before, or is this a GoDaddy solicitation for their services?
Paul
-
The files
html/komokaweather-ca/ec-icons_gif/14p60_noversion.php
html/komokaweather-ca/wsMetNoSA/lang/wsLanguage-de-local_infoold.php
May actually *be* malware .. there are no PHP icons in ec-icons, and the _infoold addition to wxLanguage-de-local.php looks suspicious. You should download those files, zip em up and send to me.. I can take a look.
Also send any Saratoga add-on files that were flagged. It's possible a miscreant inserted stuff in your site in those files.
Yep.. those files are indeed malware - heavily obfuscated, but a remote PHP shell that can process HTTP request arguments into a PHP eval() statement, which causes their remotely-supplied code to be executed on your webserver. Make note of the date/time stamps on the files, then delete them. If you have Apache logs containing records from those timestamps, we could look back and see what other mischief has been done by them.
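Ken's description of the dropped files (obfuscated PHP that feeds request arguments into eval(), PHP sitting where only icons or language text files belong) and Wim's check against the original distribution can be turned into a triage script. This is an added example, not code from the thread or from any of the templates; the hash manifest, paths and sample file contents are constructed for the demo.

```python
import hashlib
import re
import tempfile
import time
from pathlib import Path

# eval()/assert() fed from request superglobals, or wrapped in the decoders dropped shells use.
SUSPICIOUS = [
    re.compile(r"(eval|assert)\s*\(.*\$_(GET|POST|REQUEST|COOKIE)", re.S),
    re.compile(r"(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.S),
]
NO_PHP_DIRS = ("ec-icons_gif", "lang")  # icon images and language text files only, never PHP

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def scan(root, known_good):
    """Return (relative path, reasons, UTC mtime) per suspicious PHP file. known_good
    maps relative path -> sha256 of the distribution copy; a matching file is skipped."""
    root, findings = Path(root), []
    for p in sorted(q for q in root.rglob("*") if q.is_file()):
        rel = p.relative_to(root).as_posix()
        if known_good.get(rel) == sha256(p) or p.suffix.lower() != ".php":
            continue
        reasons = []
        if any(d in rel.split("/")[:-1] for d in NO_PHP_DIRS):
            reasons.append("php file in a folder that should hold none")
        if any(r.search(p.read_text(errors="ignore")) for r in SUSPICIOUS):
            reasons.append("eval/assert fed from request data or a decoder")
        if reasons:  # the mtime is what you then look up in the Apache logs
            stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(p.stat().st_mtime))
            findings.append((rel, "; ".join(reasons), stamp))
    return findings

def build_demo(root):
    """Constructed web root (contents made up): two legit files in a hash manifest plus a fake shell."""
    root = Path(root)
    files = {
        "pws/eqfolder/eqlist.php": "<?php echo 'earthquake list'; ?>",
        "weather28/js/highcharts.min.js": "/* vendor js */ var hc=1;",
        "komokaweather-ca/ec-icons_gif/14p60_noversion.php": "<?php @eval(base64_decode($_POST['p'])); ?>",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return {rel: sha256(root / rel) for rel in files if not rel.startswith("komokaweather")}

def demo():
    with tempfile.TemporaryDirectory() as d:
        return scan(d, build_demo(d))
```

The manifest is what clears a file like highcharts.min.js that scanners flag on size or minification alone; anything not in it is judged by where it sits and what it does.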
-
@Wim,
To add to Ken's comments, those files should NOT be on your server and they are "normally" not in the download zip either. I just checked.
wsMetNoSA/lang/wsLanguage-de-local_infoold.php correct name => wsLanguage-de-local.txt
wsMetNoSA/lang/wsLanguage-en 2_ver1.php correct name => wsLanguage-en.txt
I have deleted these.
weather28/ewn_frc/js/highcharts.min.js
=> the folder ewn-frc/ is not used anymore, as Henkka continually enhances the ewn scripts, so they are run in an iframe now. You can delete the complete folder as they are not relevant for Canadian users.
=> I compared your weather28/..../highcharts.min.js file with the original distribution, they are identical, so this is a "false positive"
I have deleted this.
Question 1: can you please give the links to the other "3 more add on script" files? Those are not Saratoga ones, maybe Leuven?
I have sent these to Ken for his review.
Question 2:
The big question is: How do those files arrive at your sites? Someone is/was uploading those files.
Not by me and don't know how. I have only given authority to one person to access my site and that was for a specific /folder about 2 years ago. This person is totally trustworthy.
You host multiple websites with different URLs, is only one site flagged or more than one?
komokaweather.com is my main hosting and the files GoDaddy listed were all in subfolders
/weather28 for Leuven (only the ewn_frc/js/highlights, and the others in an old weather2 version folder, which I have now deleted)
/komokaweather-ca for Saratoga (four files were listed, and I've sent these to Ken)
/pws for Brian's HomeWeather (17 files listed, but 13 were in old version folders that I have now deleted)
/j-template for Meteotemplate (10 files were listed)
/weather for Cumulus modified template ( seven files listed)
/wsMetNoSA for your older MetNo script ( one file listed, and now deleted as noted above)
/.errordocs ( one file listed - missing_bck_old.php, which I have now deleted)
With the exception of the /j-template and /pws the other files had a date stamp of several years ago.
If multiple sites are compromised, do you use multiple FTP ID/passwords, one for every site?
Or do you use 1 FTP ID/password for all sites?
I use one FTP ID and password only to my webserver.
Wim
@Jachym
can you please post the 9 links to MT pages?
I will send you an email.
Thank you all for your replies and very helpful suggestions and comments.
Paul
Edit,
I also have two additional domains in my hosting plan for a couple of local not for profit organizations that I maintain and there were no files from these folders on the GoDaddy listing.
Paul
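Ken suggested matching the file timestamps to the Apache logs, and Paul notes the date stamps on the files. As an added example (not from the thread), this parses combined-format log lines, keeps requests within an hour of a flagged file's mtime that touched a flagged path, and lists everything else the same client IPs did in that window. The log lines, IPs and timestamps are constructed.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" format; the sample lines below are constructed for the demo.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SAMPLE_LOG = """\
203.0.113.9 - - [22/Aug/2017:03:14:07 +0000] "POST /komokaweather-ca/ec-icons_gif/14p60_noversion.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [22/Aug/2017:03:15:11 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Aug/2017:03:16:40 +0000] "GET /pws/eqfolder/eqlist.php?x=1 HTTP/1.1" 200 90 "-" "python-requests/2.18"
198.51.100.4 - - [23/Aug/2017:11:00:00 +0000] "GET /weather28/index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """One combined-format line -> dict with an aware datetime, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def correlate(log_text, flagged_paths, mtime, window=timedelta(hours=1)):
    """Requests within +/- window of the file's mtime that hit a flagged path,
    plus every other request from the same client IPs in that window."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    lo, hi = mtime - window, mtime + window
    in_window = [r for r in recs if lo <= r["ts"] <= hi]
    bad_ips = {r["ip"] for r in in_window if r["path"].split("?")[0] in flagged_paths}
    return [(r["ts"].isoformat(), r["ip"], r["method"], r["path"], r["status"])
            for r in in_window if r["ip"] in bad_ips]

def demo():
    # mtime of the flagged file (constructed), as reported by the file scan
    flagged = {"/komokaweather-ca/ec-icons_gif/14p60_noversion.php"}
    mtime = datetime.strptime("22/Aug/2017:03:14:00 +0000", "%d/%b/%Y:%H:%M:%S %z")
    return correlate(SAMPLE_LOG, flagged, mtime)
```

In the constructed sample the second hit from the same client lands on eqlist.php, which is how a file the scanner had not yet flagged gets added to the list to review.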
-
I find that downloading your site as a backup can kill two birds and all that: 1) you have a backup and 2) you can set Malwarebytes to scan the new backups. I host a few weather sites on my server and the backups are auto-downloaded to two drives at home where MB does its thing; this will eliminate any issues quickly, and if something is found I will let the client know ASAP.
Periodically downloading your backup instead of leaving it in the hands of your host would have picked this up long before now, plus you should never rely on your host for the safety of your data anyway.
-
I've received 2 emails over the past 6 months from GoDaddy flagging malware. In the first one, I had something like 8 files flagged. 6 were old and I removed them. One said my .htaccess file was "infected". I did some research and took out some entries that weren't needed. The last one was my Fire Index page. I left that alone.
Months later, I get another email. Now it's totally different files. A few I deleted again as they weren't needed from a sub domain I have. But my original Fire Index file didn't show up this time even though I hadn't changed it.
After the first email, I did get a call. I got the impression they wanted to sell me something. I just told the guy I deleted all those files and he shut up. Never got a second call.
-
You may have a lurking malware script from an earlier successful compromise on your site, and that's how they got in again.
-
I got the same email last Thursday from GoDaddy. They flagged 16 files. After looking through them, 13 were indeed malware. Also the .htaccess file was compromised. I too got the sales pitch. All 13 files are deleted, and the .htaccess file is restored. However on Google my index page is tagged with Viagra and another page with Cialis. I need the Google bot to recrawl the site. :-(
-
How are all these sites being compromised?
-
Probably many scripts are used and some are outdated.