GoDaddy hosting and a problem with malicious files

parlla

New Member
Hi,
I have a problem with my hosting at GoDaddy. I received an email saying I have bugs. Please advise.
This is the email:
Code:
Support Staff Response
Dear Sir/Madam,

Regarding your hosting account *****.com:

The *****.com web site has been found to be compromised which is a violation of section 3 "Your Obligations" of Go Daddy's Web Hosting and Virtual Dedicated Hosting Service Agreement.

The relevant passage of this agreement has been provided below: 

"You may not use Go Daddy's servers and Your web site as a source, intermediary, reply to address, or destination address for mail bombs, Internet packet flooding, packet corruption, denial of service, or other abusive activities. Server hacking or other perpetration of security breaches is prohibited and Go Daddy reserves the right to remove sites containing information about hacking or links to such information."

Go Daddy's "Web Hosting and Virtual Dedicated Hosting Service Agreement" is located at the following URL: https://www.godaddy.com/agreements/showdoc.aspx?pageid=HOSTING_SA

This situation has resulted in a potential security threat to Go Daddy's network and the security we provide to other customers. It appears that this abusive action may have been the result of your server becoming compromised and ultimately exploited by a third party. Upon detection of this problem Go Daddy's Security Operations Center requested that Go Daddy's Advanced Hosting Team alert you of this action in the hope that you can resolve the issue.

*** IMPORTANT ***

Due to the serious nature of this malicious action, your site is scheduled to be suspended if you do not take immediate action. This suspension will take place on April 16, 2012 and will occur if either a repeat occurrence of the abuse is, at any time, detected OR you fail to reply to this message.

****************

Go Daddy's security team has collected the following information to assist you in troubleshooting this issue:

The  site was compromised on or before 15MAR2012 via the Wordpress admin backend.  The attacker was able to upload a malicious file that was used to inject over 5556 files with malicious content.  Due to the amount of files that are injected we did not perform a cleanup and we have disabled the html directory to prevent external access to the malicious content.  Please advise the customer to restore their site from clean backups or perform a full clean up of their site, they will also need to reset all of their web application passwords. 
 

This matter can be closed by simply responding to this notice with the following:

1. A statement that you have reviewed and agree to abide by the terms of the "Web Hosting and Virtual Dedicated Hosting Service Agreement," and
2. A statement that you have removed any malicious content residing on your web site, and
3. A statement that you agree to secure your web site in such a way as to ensure that there is not a re-occurrence of this issue in the future.

After we receive your reply with these statements we consider the matter resolved and continue to monitor the situation. (We reserve the right to suspend the site again if a repeat occurrence of this security violation is discovered.)
 
Re: GoDaddy hosting and a problem with malicious files

1. Check your computer
2. Change all the passwords on the host
3. Change the admin password in WP
4. Delete all comments, including those in the trash
5. Deactivate all plugins that were activated or updated in the last month
6. If possible, and if it is not important, deactivate all plugins
7. http://sitecheck.sucuri.net/scanner/

I assume it will show you some of the infected files.
Open the file and look for something like:
Trojan.png

It may also be written differently. Open the file and delete the code.
Start with the files that are shown by
sitecheck.sucuri.net

Similar code may be present in many files and directories.
sitecheck.sucuri.net, or any similar service, does not show everything.
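An added example, not part of the original thread and not GoDaddy's or Sucuri's tooling: because an online scanner does not list every injected file, a local triage pass over a downloaded copy of the site can narrow down which files to open by hand. The marker patterns, the 1 March 2012 cutoff used in the demo and the sample tree are assumptions constructed for illustration.

```python
import os, re, tempfile
from datetime import datetime
# Assumed markers of injected code; add the exact string you find in your own files.
MARKERS = [
    re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    re.compile(rb"document\.write\s*\(\s*unescape\s*\(", re.I),
]
EXTENSIONS = (".php", ".js", ".html", ".htm")

def scan(root, since):
    """Return sorted (relative_path, reasons) for files that should be opened by hand."""
    cutoff, findings = since.timestamp(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel, reasons = os.path.relpath(path, root), []
            # A PHP file under an uploads directory is suspicious whatever it contains.
            if name.lower().endswith(".php") and "uploads" in rel.split(os.sep):
                reasons.append("php-in-uploads")
            if name.lower().endswith(EXTENSIONS):
                with open(path, "rb") as fh:
                    data = fh.read()
                if any(m.search(data) for m in MARKERS):
                    reasons.append("marker")
                if os.path.getmtime(path) >= cutoff:  # needs mtimes preserved on download
                    reasons.append("modified-since")
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: a clean file, an injected theme file, a dropped PHP file."""
    old, new = datetime(2012, 1, 10).timestamp(), datetime(2012, 3, 14).timestamp()
    files = {
        "index.php": (b"<?php require 'wp-blog-header.php';", old),
        "wp-content/themes/t/footer.php": (b"<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>", new),
        "wp-content/uploads/2012/03/x.php": (b"<?php echo 1;", new),
    }
    for rel, (body, mtime) in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*scan(tmp, datetime(2012, 3, 1)), sep="\n")
```

The output is a list of files to inspect, not evidence that the remaining files are clean; with thousands of injected files, restoring from a clean backup as the notice suggests is usually quicker.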
 
Re: GoDaddy hosting and a problem with malicious files

THANK YOU!!! I was hoping there would be some automatic method. I tried with this but it doesn't work.
 
