Cpanel Malware attack

[huzaifa1818]

I am experiencing issues with my Godaddy shared hosting as my cpanel has been infected with malware. As a result, all my websites are currently down. Upon contacting Godaddy support, they informed me that I will need to acquire malware protection to resolve this issue. The malware has created numerous .htaccess files in all the directories, thus preventing the sites' URLs from opening. Unfortunately, there is no included malware protection in the cpanel. I am seeking assistance to address this matter.
This is the content for .htaccess files


<FilesMatch ".(py|exe|phtml|php|PHP|Php|PHp|pHp|pHP|phP|PhP|php5|suspected)$">
Order allow,deny
Deny from all
</FilesMatch>
<FilesMatch "^(index.php|credits.php|customize.php|edit-comments.php|edit-tags.php|edit.php|checkbox.php|export.php|input.php|link.php|load-scripts.php|load-styles.php|dropdown.php|menu.php|nav-menus.php|network.php|options-discussion.php|options-general.php|options-permalink.php|options-privacy.php|options-reading.php|options-writing.php|plugins.php|post-new.php|post.php|privacy.php|profile.php|site-health.php|term.php|text.php|themes.php|tools.php|update-core.php|user-edit.php|user-new.php|users.php|wp-links.php|wp-login.php|wp-signup.php)$">
Order allow,deny
Allow from all
</FilesMatch>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
</IfModule>

 

[ffeingol]

Is your site using software like WordPress (if so, what software)?

 

[SimpleSonic]

If your host doesn’t use proactive malware protection at the server level, you are going to have ongoing issues with malware infecting your sites.

You can use security plugins in WordPress, but the protection will not be as good as server-level protection.

Moving on to a reputable host that includes malware protection with Imunify360 or BitNinja or something similar will help you avoid these types of issues.

 

[sparek-3]

No amount of malware scanning - at any level - is going to help if you are:

Using weak password

Using outdated or abandoned scripts/plugins/themes/components/extensions

Downloading software on your computer or device that is laced with malware or keyloggers - that then go and capture your passwords or retrieves them from password vaults on the computer/device.

I can't say for certain why the OP was compromised, but my experience tells me that a mind boggling number of compromises I have seen are tracked back to either some type of password compromise or a security hole in a script or component that the user installed.

For passwords, I always suggest strong passwords and that you store them in something safe. I've never been a fan of browser's password vaults. If you are visiting a website that you have to log into and the login form is prefilled with your login information... then that information is being stored some where on your computer/device and probably not in the most secure fashion. Using a cloud based password manager also has the disadvantage in that you may not know when that information has been compromised. I prefer a local encrypted password manager - like Keepass - where you have to enter a master password in order to unlock that password manager. The less work you have to do obtain your password to enter a website... the easier it is for malware to also obtain those passwords.

Keeping your scripts and all of the added components up to date is important. Those updates usually (but I suppose not always) fix security holes. Using reputable scripts and components is also key. WordPress is reputable. But a "Bob's EZ Post Maker" plugin that was last updated in 2012 really isn't reputable. Just because a plugin or theme exists that does whats you want, doesn't mean it's properly coded. When did the developer last release an update to the plugin/theme? How many users are using the plugin/theme? What is the rating of the plugin/theme? These are all questions that factor into the reputation of a script/plugin/theme.

 

[SimpleSonic]

No amount of malware scanning - at any level - is going to help if you are:

Using weak password

Using outdated or abandoned scripts/plugins/themes/components/extensions

Downloading software on your computer or device that is laced with malware or keyloggers - that then go and capture your passwords or retrieves them from password vaults on the computer/device.

I can't say for certain why the OP was compromised, but my experience tells me that a mind boggling number of compromises I have seen are tracked back to either some type of password compromise or a security hole in a script or component that the user installed.

For passwords, I always suggest strong passwords and that you store them in something safe. I've never been a fan of browser's password vaults. If you are visiting a website that you have to log into and the login form is prefilled with your login information... then that information is being stored some where on your computer/device and probably not in the most secure fashion. Using a cloud based password manager also has the disadvantage in that you may not know when that information has been compromised. I prefer a local encrypted password manager - like Keepass - where you have to enter a master password in order to unlock that password manager. The less work you have to do obtain your password to enter a website... the easier it is for malware to also obtain those passwords.

Keeping your scripts and all of the added components up to date is important. Those updates usually (but I suppose not always) fix security holes. Using reputable scripts and components is also key. WordPress is reputable. But a "Bob's EZ Post Maker" plugin that was last updated in 2012 really isn't reputable. Just because a plugin or theme exists that does whats you want, doesn't mean it's properly coded. When did the developer last release an update to the plugin/theme? How many users are using the plugin/theme? What is the rating of the plugin/theme? These are all questions that factor into the reputation of a script/plugin/theme.

Everything you mentioned is exactly what using a proactive solution like Imunify360 is for.

 

[sparek-3]

I didn't know Imunify360 stopped users from installing non-reputable plugins or themes.

I also didn't know that Imunify360 kept all devices of a website administrators clean of any malware or keyloggers.

 

[SimpleSonic]

I didn't know Imunify360 stopped users from installing non-reputable plugins or themes.

I also didn't know that Imunify360 kept all devices of a website administrators clean of any malware or keyloggers.

Imunify360 provides proactive protection for both.

 

[cPRex]

I agree with the other users that it does seem like an odd response. Malware protection won't help you after the issue has already happened, so you'd need to work with a systems administrator to clean the account and ensure things are working well.

 

[huzaifa1818]

If your host doesn’t use proactive malware protection at the server level, you are going to have ongoing issues with malware infecting your sites.

You can use security plugins in WordPress, but the protection will not be as good as server-level protection.

Moving on to a reputable host that includes malware protection with Imunify360 or BitNinja or something similar will help you avoid these types of issues.

I tried using Defender as a security plugin, but unfortunately, it did not help. My WordPress site, along with another WordPress site and a Zencart site, were all compromised. As a result, I have decided to move to a new host that provides malware protection. Before making the move, I attempted to remove all the malware code and files from the server. However, I am uncertain whether any infected files remain on the server. If I transfer all the files to the new server, will the new server prevent any infected files from creating or running malware and remove any infected code?

 

[huzaifa1818]

Is your site using software like WordPress (if so, what software)?

Yes there were two WordPress sites and 1 Zencart site.

 

[JoseDieguez]

i would recommend you to follow this:

1- Switch Host, to any Host of your choice with Cpanel and Imunify360-Cpguard-Bitninja.
1.1 Update Wordpress and MySQL password.
2- Check your Wordpress version (wp-includes/version.php), and download from wordpress.org the same version.
3- Delete everything except wp-content folder and wp-config.php from your account
4- Upload clean wordpress, except wp-content and wp-config.php
5- Now you can check or hire someone to manually check your wp-config.php file and your wp-content directory. This is a lot less of work than checking an entire wordpress site.

As always, the step 0 is to make a backup before following any of my or other recommendations.
In case something goes wrong, you should restore your backup.

 

[ffeingol]

If you are running WordPress, I'd suggest that you look at and install WordFence. There is an option in WordFence to scan your site against the WordPress repository and it will note any modified files. You can also turn on options to compare plugins and themes against WordPress.org. If you want to let it, WordFence can repair (download a fresh copy) of modified files or delete malicious ones.

This does not replace good security (keeping things updated etc.) but it may get your site back up.

 

[SimpleSonic]

I tried using Defender as a security plugin, but unfortunately, it did not help. My WordPress site, along with another WordPress site and a Zencart site, were all compromised. As a result, I have decided to move to a new host that provides malware protection. Before making the move, I attempted to remove all the malware code and files from the server. However, I am uncertain whether any infected files remain on the server. If I transfer all the files to the new server, will the new server prevent any infected files from creating or running malware and remove any infected code?

If your new host uses something like Imunify360 then it will clean the data as it is uploaded to their servers.

 

[retechpro]

I am experiencing issues with my Godaddy shared hosting as my cpanel has been infected with malware. As a result, all my websites are currently down. Upon contacting Godaddy support, they informed me that I will need to acquire malware protection to resolve this issue. The malware has created numerous .htaccess files in all the directories, thus preventing the sites' URLs from opening. Unfortunately, there is no included malware protection in the cpanel. I am seeking assistance to address this matter.
This is the content for .htaccess files


<FilesMatch ".(py|exe|phtml|php|PHP|Php|PHp|pHp|pHP|phP|PhP|php5|suspected)$">
Order allow,deny
Deny from all
</FilesMatch>
<FilesMatch "^(index.php|credits.php|customize.php|edit-comments.php|edit-tags.php|edit.php|checkbox.php|export.php|input.php|link.php|load-scripts.php|load-styles.php|dropdown.php|menu.php|nav-menus.php|network.php|options-discussion.php|options-general.php|options-permalink.php|options-privacy.php|options-reading.php|options-writing.php|plugins.php|post-new.php|post.php|privacy.php|profile.php|site-health.php|term.php|text.php|themes.php|tools.php|update-core.php|user-edit.php|user-new.php|users.php|wp-links.php|wp-login.php|wp-signup.php)$">
Order allow,deny
Allow from all
</FilesMatch>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
</IfModule>

Recently My client faced the same issue. He was using namecheap. He was using reseller and his all cpanels effected with malware.
After moving to our host,Imunify360 didn’t detect the htaccess file.

I scan with wordfence it detect the every htaccess file but don’t think it is malware. The code output prevent to execute the php code.

 

[sparek-3]

An ounce of prevention is worth a pound of cure.

By the time WordFence or Immunify have found something - it's already happened. And there's no way for those softwares to detect every 0-day or 0-hour threat.

That's why I preach what I preach: Solid password security and keeping things up-to-date and reputable. If you're doing that, then it's going to stop A LOT of these issues.