My Multisite Suspended By Provider Due To Malware

Hi there,

I've got a 2-year-old multisite which recently got suspended by my hosting provider due to malware.

While I have limited access to my account, I checked and there are indeed quite a handful of unfamiliar files with malware- and spam-like code in them.

I've a strong cPanel password (a combo of numbers/letters) and somehow I feel that the server's security breach is not on my side. The hacker could have had access to my directories via the server's root or something. Anyway, the bad news for me is that my side is flagged and now has limited access.

The only backup the provider archived was from a date after the spam/malware was reported. That implies that even if they reload/flash back to the "latest" backup, the malware would still be there. Is it the norm that hosting providers only keep one copy of your sites?

What can I do now to reinstate my site and clear it of malware?

Most importantly, how can I prevent this from happening again?

Help.

William

  • Timothy Bowers

    Hey William.

    Most importantly, how can I prevent this from happening again?

    Ensure you always use trusted sources; be careful of the themes and even plugins you use:

    https://premium.wpmudev.org/blog/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/

    Ensure your WordPress site and all plugins/themes are always up to date.

    Use a reputable host who takes security seriously. Just because malware is on your site doesn't mean it was done through your site, although most probably it was.

    Check for old themes or plugins using timthumb; there was a security issue with that last year. Any code using older scripts could also be an issue.

    And I know you don't want to hear this, but keep regular backups.

    The Refresh.

    Here is what I would do: make a list of all themes and plugins.

    Then delete all files on your server, keeping wp-config.php and any uploaded media like images and videos.

    Check the wp-config file to ensure nothing has been put in there.

    If keeping any media, carefully scan it and check there is nothing there which shouldn't be.

    Then upload a fresh set of WordPress, all themes and plugins.

    You might also like to check over the DB.

    Hope this helps.
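The refresh Timothy describes above (inventory the themes and plugins, keep only wp-config.php and the uploads, check both, then replace everything else with fresh copies), as an added shell example that is not code from the thread or from WPMU DEV. The directory layout, the constructed fixture files, the grep pattern list for wp-config.php and the choice to move files into a quarantine directory rather than delete them are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Dry run of the "refresh":
# inventory themes/plugins, flag PHP inside uploads, check wp-config.php,
# then set everything else aside. Directory layout, file names and the
# grep patterns are assumptions about a typical WordPress install.
set -eu

# Build a small constructed WordPress-like tree in a temp dir so the
# functions below can run offline. Every file here is constructed.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/wp-admin" "$fx/wp-includes" \
             "$fx/wp-content/themes/twentyten" \
             "$fx/wp-content/plugins/akismet" \
             "$fx/wp-content/uploads/2012/07"
    echo '<?php // core file' > "$fx/index.php"
    echo '<?php define("DB_NAME", "wp");' > "$fx/wp-config.php"
    echo '<?php // theme code' > "$fx/wp-content/themes/twentyten/functions.php"
    echo '<?php // plugin code' > "$fx/wp-content/plugins/akismet/akismet.php"
    printf 'GIF89a' > "$fx/wp-content/uploads/2012/07/photo.gif"
    # a PHP file under uploads is out of place: constructed suspect file
    echo '<?php echo "x";' > "$fx/wp-content/uploads/2012/07/cache.php"
    echo "$fx"
}

# Step 1: list installed themes and plugins so each can be re-downloaded
# from its original, trusted source after the wipe.
inventory() {
    for kind in themes plugins; do
        for d in "$1/wp-content/$kind"/*/; do
            if [ -d "$d" ]; then echo "$kind: $(basename "$d")"; fi
        done
    done
}

# Step 2: uploads should hold media only; any PHP-like file there is a
# candidate for removal before the directory is kept.
suspect_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \)
}

# Step 3: print wp-config.php lines using constructs that a legitimate
# config has no reason to contain (pattern list is an assumption).
check_wp_config() {
    grep -nE 'eval\(|base64_decode|gzinflate|str_rot13' "$1/wp-config.php" || true
}

# Step 4: move everything except wp-config.php and wp-content/uploads into
# a quarantine dir (moved rather than deleted, so nothing is lost before
# the fresh WordPress, themes and plugins are uploaded). Prints its path.
quarantine_all_but_kept() {
    site=$1
    q=$(mktemp -d)
    for entry in "$site"/* "$site"/.[!.]*; do
        [ -e "$entry" ] || continue
        case "$(basename "$entry")" in
            wp-config.php) ;;
            wp-content)
                mkdir -p "$q/wp-content"
                for sub in "$entry"/*; do
                    [ -e "$sub" ] || continue
                    [ "$(basename "$sub")" = uploads ] || mv "$sub" "$q/wp-content/"
                done ;;
            *) mv "$entry" "$q/" ;;
        esac
    done
    echo "$q"
}

# Usage: sh refresh_check.sh /path/to/site  (read-only checks; the
# quarantine step is only ever called explicitly)
if [ -n "${1:-}" ]; then
    inventory "$1"
    echo "--- PHP files under uploads:"
    suspect_uploads "$1"
    echo "--- suspicious wp-config.php lines:"
    check_wp_config "$1"
fi
```

Quarantining instead of deleting means a false positive costs nothing: once the fresh WordPress, themes and plugins are in place and the site works, the quarantine directory can be removed. Any file that `suspect_uploads` reports should be dropped from the kept uploads before they are restored, since media directories never need executable PHP.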

  • William

    Hi Timothy,

    Thank you for your reply.

    In fact, I've just got BackupBuddy lately, but the mentioned multisite got suspended days before I was scheduled to set up the backup process, with wishful thinking on my part that my hosting provider should have their backups ... but alas, they only overwrite the old single backup ... isn't that useless - keeping only one copy of the backup and overwriting the old one?

    I've scanned the downloaded public_html backup on my local desktop, but it seems that the "infection rate" is rather serious - it seems hard for me to do any cleaning without breaking parts of the site.

    I was thinking it might be cleaner to create an entirely new multisite installation and migrate over the old sites? Just wondering what the best way to resolve this will be.

    Best Regards,
    Will

  • Timothy Bowers

    but alas, they only overwrite the old single backup ... isn't that useless - keeping only one copy of the backup and overwriting the old one?

    It can be.

    Usually though, unless you pay something extra for a backup, the host won't accept any responsibility and will place that with you. Not helpful, I know, but in a lot of instances the host can turn around and say they have no backups for you.

    I was thinking it might be cleaner to create an entirely new multisite installation and migrate over the old sites? Just wondering what the best way to resolve this will be.

    I honestly think that removing all the files and using a fresh set would be the best way. You then only keep and check the wp-config file along with the media uploads. If the uploads are badly infected somehow, then drop them unless you have the time to go through them all.

    It's possible they put something in the DB, but usually, from what I've seen in the past, these malware ones are about getting computers infected and creating phishing sites rather than doing anything with your data.

    Take care.
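The gap William ran into above is a host that keeps a single archive and overwrites it, so the only copy was taken after the infection. A backup routine that keeps several dated generations, as an added shell example that is not code from the thread, from BackupBuddy or from any host; the archive naming scheme, the retention count and the `backup_site` / `rotate_archives` function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: dated site archives with a retention
# count, so more than one generation survives and a copy from before an
# infection is still available. Paths and the naming scheme are assumptions.
set -eu

# Archive $1 (the site root) into $2 as site-<UTC stamp>.tar.gz, keep the
# newest $3 archives, and print the new archive's path. An explicit stamp
# may be passed as $4 (used here so several archives can be made quickly).
backup_site() {
    site=$1; dest=$2; keep=$3
    stamp=${4:-$(date -u +%Y%m%dT%H%M%SZ)}
    mkdir -p "$dest"
    archive="$dest/site-$stamp.tar.gz"
    # -C so the archive holds one top-level directory, not absolute paths
    tar -czf "$archive" -C "$(dirname "$site")" "$(basename "$site")"
    rotate_archives "$dest" "$keep"
    echo "$archive"
}

# Delete the oldest archives beyond the retention count. The stamp format
# sorts lexically in time order, so a plain sort is enough.
rotate_archives() {
    dest=$1; keep=$2
    count=$(ls "$dest"/site-*.tar.gz 2>/dev/null | wc -l)
    excess=$((count - keep))
    if [ "$excess" -gt 0 ]; then
        ls "$dest"/site-*.tar.gz | sort | head -n "$excess" | while IFS= read -r old; do
            rm -f "$old"
        done
    fi
}

# Sanity check on an archive: does it actually contain wp-config.php?
# Returns 0 if so, 1 otherwise (an archive that silently missed the site
# root is no better than the host's single overwritten copy).
archive_has_config() {
    tar -tzf "$1" | grep -q '/wp-config.php$'
}

# Usage: sh backup_site.sh /var/www/site /backups 7
if [ $# -eq 3 ]; then
    backup_site "$1" "$2" "$3"
fi
```

Run from cron with a retention count that covers the longest time an infection might go unnoticed; the point of keeping seven or more generations is that the clean copy from before the malware report still exists when it is needed. Store the archives somewhere the web server cannot write to, since a backup on the same account is lost with the account.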

  • Mark Wallace

    Hi Tim!
    Just a quick question; you know how I am trying to learn about databases and such. In this type of situation, William's, could a person download their site to a folder on their PC and run antivirus, removing all the malware, then upload it back to their server? Thanks Tim. Happy Revolution Day! 4th of July! lol

    @William. I know free is nice, but man, it can really cost in the long run. I use a separate PC to test out downloaded software before installing it on my workhorse. I am not sure how this could be done with servers yet, but it is always a good idea to read about plugins and themes, especially the user reviews, which means sometimes you may need to wait a few months for others to test it out.

  • Timothy Bowers

    Hey @MTB1701

    Just a quick question; you know how I am trying to learn about databases and such. In this type of situation, William's, could a person download their site to a folder on their PC and run antivirus, removing all the malware, then upload it back to their server? Thanks Tim. Happy Revolution Day! 4th of July! lol

    That is possible, but here is an issue I had with one of my own clients recently. They kept getting reports of malware and viruses from AVG.

    I wasn't seeing any of that on my Macs, and Sucuri or similar also could not see them. I asked a couple of others to test in their software, with no results.

    http://sucuri.net/

    I kept asking for reports/screenshots so I could see, but information was lacking. So I did the process described in my post above.

    I scanned the DB manually (small site) and checked media, which also seemed good.

    They then checked again once I was done and all was fine. Reports stopped as well.

    But sure, you can try in a local environment and see what comes up.

    Take care.
