Sirs, we are based in UK.
We have a Bluehost hosting account in US.
Yesterday all of our hosted websites (about 20) disappeared and all of our email accounts stopped working.
Bluehost told us they thought we had been subject to a malicious script uploaded by a hacker. We have no idea how this happened.
Bluehost mentioned it was a Wachovia Hacking Script. We have spent the past 24 hours trying to locate it and eliminate it.
Bluehost will not reinstate our account until we do this and can demonstrate that the files on our server are no longer compromised.
I need an expert that can find the offending script/s, delete them, and stop it happening again.
Ideally we need a freelancer that has done this before as time is critical.
Deleting the domains and files on our server is not an option.
I have copied and pasted my initial conversation with Bluehost below. Since then I have spoken with their abuse team and they have reinstated the websites but the email accounts remain frozen.
Please, only apply for this job if YOU ARE POSITIVE you can fix it. No time wasters please.
ndickson [1:47:02 PM]: Welcome to our real-time support chat. Please give me your main domain name and either your cPanel password or the last four digits of the credit card on file so I can look up your account information. Please be patient as I am often chatting with several different people. Thanks!
Nick Bradley [1:47:02 PM]: HELP! All of our email seems to have stopped and all our websites are saying that 'this account has been suspended!' - What's going on!!!!! Thanks Nick
ndickson [1:47:13 PM]: let me take a look at that for you.
Nick Bradley [1:47:53 PM]: thank you
ndickson [1:48:12 PM]: Wachovia phishing emails being sent out by script running on the server. Must secure for reactivation.
Nick Bradley [1:48:35 PM]: Really? Nothing to do with us!
[1:48:43 PM]: Can you tell me which domain it is?
ndickson [1:48:53 PM]: I am looking up details now.
[1:55:51 PM]: I have to speak with another department, it should just be a moment longer.
[1:55:54 PM]: thank you for holding.
Nick Bradley [1:56:16 PM]: thanks mate... we are panicking over here
[1:56:37 PM]: the phone is ringing off the hook with complaints!
ndickson [1:57:54 PM]: ok
[2:04:56 PM]: well, it would appear that there isn't a webpage that is sending these off but a script that may have been uploaded.
ndickson [2:05:03 PM]: Although we host your website, we are unable to manage security of your content. We have multiple safeguards in place to prevent our servers from being hacked, including prevention against brute force attacks and tight security on user accounts. The actual vulnerabilities a hacker uses to gain access to your home directory or public_html folder are located in the scripts themselves. For this reason, we provide updates through SimpleScripts or Fantastico as they are made available, and also offer courtesy server backups and a backup utility in cPanel, which you can use to take partial or full snapshots of your account whenever you feel a need.
As to which script was exploited to allow access to your account, we would be uncertain what was used, as most exploits use standard pages in your account with unusually formed requests to inject their own content to your site. There are multiple resources online to help you identify the cause, and we would suggest starting with the authors of the software you are running, to see if there are known exploits or updates that the vendor is aware of.
Here is a security checklist that you can review which can greatly help secure your account sites:
1. Change the Admin Email on your account.
2. Change the Password on your account.
3. Change the Credit Card on file on your account.
4. Update and apply any patches, upgrades, or updates that the 3rd party vendor or web developer of your scripts may have available.
5. Fix any loose file permissions (this may be the most common exploit vulnerability).
6. Delete all non-system FTP accounts that were created, or at the very least, change the passwords to the FTP accounts.
7. Check your scripts for any Header Injection attacks, SQL Injection attacks, Cross-Site Scripting attacks, etc.
If your scripts are infected, you may want to roll back to the last good snapshot backup of your account. If your backups are also infected, then you may want to consider having us reset your account to start afresh.
Nick Bradley [2:05:18 PM]: ok
[2:05:30 PM]: what do i do to rectify this
[2:05:38 PM]: whatever it takes we will do it now
ndickson [2:06:37 PM]: you can follow those steps above. I can also restore the site to a time before you had the problem.
[2:06:50 PM]: hmm, nevermind
Nick Bradley [2:06:54 PM]: yes please - that is a big help
ndickson [2:07:02 PM]: I see that we have no system backups.
Nick Bradley [2:07:14 PM]: please can you restore all the websites and all the emails
ndickson [2:07:44 PM]: sorry, the reason we have no backups for the account.
[2:08:07 PM]: you will just need to go through your files and go through the steps I recommended above.
Nick Bradley [2:08:21 PM]: there are zillions of files
[2:08:27 PM]: where do we start?
ndickson [2:08:32 PM]: If you like I can possibly get your account up and turn off outbound email until you can resolve the issue.
Nick Bradley [2:09:03 PM]: yes please
[2:09:18 PM]: i have a developer on standby now to try and resolve it
ndickson [2:09:37 PM]: okay.
[2:09:41 PM]: let me get permission to do so.
Nick Bradley [2:09:48 PM]: many thanks
ndickson [2:14:34 PM]: they are telling me no, your site is vulnerable to attack, please go through the list I gave you and secure your site. then we can bring you back online.
[2:14:40 PM]: sorry.
[2:14:42 PM]: I tried.
Nick Bradley [2:14:43 PM]: which site?
[2:14:53 PM]: we have about 20!
ndickson [2:18:33 PM]: Abuse wants you to contact them directly about it so they can tell you.
ndickson [2:18:37 PM]: You can contact our Abuse Team in three different ways:
1. You can email them
2. You can make a ticket to them [url removed, login to view]
3. You can telephone them here: Main Line: 888-401-4678 Outside the U.S: 801-765-9400
Nick Bradley [2:18:45 PM]: ok
ndickson [2:19:05 PM]: sorry for the trouble, bye for now