What the hell just happened?

A sunny Christmas afternoon, family stuff is all done with, holiday noise is finally dying down, and my gf and I come home to our apartment.  Great, time to release the 2nd x-mas present to the forum, awesome.  So I sit down at my desk, go to log into the site, and... "Site Unavailable Contact Bluehost or, If You're The Site's Owner, Click Here for Details." ...  Fuck.  So I click.  "Site is temporarily locked due to Malware / Viruses.  Please contact Bluehost."  Motherfuckers.  On Christmas no less.

Enter Bluehost chat support.  Basically goes like this:

Me:  "It seems our site is flagged for Malware, what happened?"

BH:  "We recommend using our trusted partner Sitelock to fix it! They'll scan all your files and remove all viruses!"

~That quick.  No questions, nothing.  Just pay Sitelock ~

Me:  Do you have the list of infected files and the IP addresses that have accessed those files?

BH:  No, we do not have the IP addresses that have accessed the file, but here's a list of the infected files.

~ At this point I begin downloading a backup of all the site's files from 3 days before ~

Me:  Why can't I just replace the corrupted files with backups from a few days before, when we weren't infected?

BH:  We do not allow file restores on locked sites.

~ First off, what is that feature for, if not this?  Nonetheless, somehow, the files are downloading, and I still have FTP (back door) access... ~

Me:  Ok I'll take a look, see what I can do, and if I do pay somebody it's going to be someone I trust that is not affiliated with bluehost.

End of chat session 1

So seeing as how the backup files seem to be downloading just fine, I make the announcement on Discord, that the fix should only take a few hours.  Finish downloading, and then upload the clean files to replace the old ones.  I have the list of broken files so it should be easy enough.  Then the download times out.  Yea... our site is pretty freakin huge, especially considering that we do host the work of a few special creators.  And so there goes the easy fix.  Now it looks like I'm actually going to have to pay somebody to do this, because manually removing malware from files is beyond my abilities. 


Google.  Within minutes, I'm finding articles upon blogposts of people having similar things happen to them through a variety of hosts.  Apparently Sitelock is coupled with a ton of major hosting companies, and a ton of people have written articles about their site being basically held hostage by Sitelock, who then demands an enormous amount of money to clean the site, and then even more for a yearly security package.  "Shit, are we mid-scam right now?" I start thinking to myself.  Either way, scam or not, I'm going to have to pay somebody to fix this, and there is no way in hell I'm pressing charges or pursuing this at all if it IS Sitelock, so it doesn't really matter.  Outcome's the same.  But I did find this one guy who wrote a ton of blog posts detailing Sitelock's misadventures, and he does the fix for pretty cheap.


So I contact chat support again, to ask what Sitelock charges.  Sales pitch for the monthly fees begins before the question is answered.  I tell them I don't trust Sitelock and that this whole thing smells wrong, and that there is a zero percent chance that I'm paying monthly fees.  I just want the thing fixed as quickly as possible.  That's all.  $300 for a one-time fix is their going rate.  And more than that per year for ongoing "protection".  ...take a second to think about this.  Considering the fact that most people are just going to fold and pay this, how much money... anyway Nope.  The guy that writes about how messed up Sitelock's behavior is, charges half that.


Aaaand so I contact that guy.  White Fir Designs.  He's ready to go, says he can have it done in a few hours.  I also contacted this site, who never got back to me.  So I post another announcement on Discord updating everyone, and then I talked with Алескей.  I figured if I'm going to pay someone to do this, HE's getting dibs on the job before anyone else, if he wants it.  (Granted this could be incredibly difficult, requiring great skill and well worth compensation.  And I'm prepared to pay someone anyway, so truth be told I should pay him if he's going to do it.)

So he decides to take a look at it, and see if it's something he can do.  I tell the White Fir guy that one of our staff's administrators is currently taking a look at it, but to please be prepared.  If he can't fix it, we need it done quickly.  He's ready to go, says it usually only takes him a couple hours.  Great.  I post another announcement on Discord saying Алескей is giving it a shot, and if he can't do it, we got someone else lined up.

I come home from work last night at fuck all o'clock in the morning, -3 degrees outside, and... what's this? Hell to the Mutherfucking Yes!  Алескей says the files should be good to go.  I immediately get on Bluehost's chat support, and have them scan the site.  And they come back with "The files are still infected.  We're generating another malware.txt file in your root directory with the details." ....shit.   I open up that file, and check this noise out:


Warning:  Files may have false positives.  Please review each file to make sure each file actually contains malware.  Please note that we are not a security company.  The Content listed below may not be a complete list of malicious content on your account.  This is just what we have found that appears malicious.  These files appear to contain malicious code.  You will want to review the files and remove the injected code from important files and/or remove unused or invalid files.



...saga will be continued soon in this post...
going out to dinner and movie with gf, (new star wars, finally!)
Anyway, to be continued...

Enter Bluehost chat support, act 3.  I go back to Bluehost chat support, and tell them we had a professional coder clean the files, and also again that I don't trust Sitelock.  I posted the content of the malware.txt file in the chat and asked:

"We are not a security company" "Files may contain false positives" "these files appear to contain malicious code" "You are ultimately responsible for all of your content". So if we're responsible for all of our content, some of which may or may not contain malicious code according to the guess of Not a security company, then what the hell is our site actually locked for?

"I'm sorry for the inconvenience. We'll scan the files." lol ok great.  I leave for work.  Come home and the site is back up... Ok, sweet!  But, nothing changed since the last time except I used the words "cleaned by professional coder" and "I don't trust Sitelock".  And magically we passed their test.  Abra-ca-friggin-dabra?  So their first rescan wasn't done, or was done improperly... perhaps they scanned a cached or older version of the files somehow?  I don't know.  But Алескей's fix worked, and we're back up and running, and that's what matters most.

I couldn't help but bother Алескей at work to let him know his fixes fixed the site, and that we were back!  Joy!  Christmas is... served.  And as awesome as he is, no charge, fix was easy enough.  Thank you kind sir.  Saved the day, and quick and free!  Aaaand we are back on our feet!  And life on the forum can resume as usual.

Wherever that hack came from... idk.  Keep in mind that it very well could've been legit.  This narrative is just what I went through trying to deal with it over the last couple days without much time to process, between work and x-mas.  Although I am clearly not alone in my suspicions, they could still be misguided nonetheless.  But all the passwords have been changed, and Алескей and I are going to discuss it further soon, and see if we need to change any of our security measures.


Soooo happy mugening guys!  Sorry x-mas didn't turn out to be quite as fun as we'd planned.
We'll just unwrap all the presents on new-years instead :)
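The restore-from-a-clean-backup approach the post describes (and the "files may have false positives" caveat in the host's malware.txt) can be checked mechanically: hash the backup tree and the live tree, list what was added or modified since the backup, and see which of the host's flagged paths actually changed. This is an added example, not the poster's or the host's code; it assumes the backup and a pull of the live files are both on local disk and that the flagged list is plain relative paths.

```python
# Added example (not from the original post): compare a known-clean backup of
# the site tree against the live tree pulled over FTP, and cross-check the
# host's flagged-file list against what actually changed. demo() data is constructed.
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map each relative (POSIX-style) path under root to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff_trees(clean: Path, live: Path) -> dict:
    """Classify live files against the backup: added / modified / missing."""
    before, after = hash_tree(clean), hash_tree(live)
    return {
        "added": sorted(set(after) - set(before)),        # new files: review first
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),      # content changed since backup
        "missing": sorted(set(before) - set(after)),      # deleted on the server
    }


def triage(report: dict, flagged: list) -> dict:
    """Split a scanner's flagged paths into ones that really changed since the backup
    and ones that did not (candidate false positives, or already bad in the backup)."""
    changed = set(report["added"]) | set(report["modified"])
    return {"confirmed": sorted(f for f in flagged if f in changed),
            "unchanged": sorted(f for f in flagged if f not in changed)}


def demo() -> tuple:
    """Constructed backup/live pair plus a constructed flagged list -> (diff, triage)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "backup"), Path(tmp, "live")
        for root in (clean, live):
            (root / "wp-content").mkdir(parents=True)
            (root / "index.php").write_text("<?php echo 'home'; ?>\n")
            (root / "wp-content" / "theme.css").write_text("body{}\n")
        (clean / "readme.txt").write_text("old\n")                  # deleted on live
        (live / "index.php").write_text("<?php echo 'home'; ?>\n/* injected */\n")
        (live / "wp-content" / "x.php").write_text("<?php ?>\n")   # new on live only
        report = diff_trees(clean, live)
        flagged = ["index.php", "wp-content/x.php", "wp-content/theme.css"]
        return report, triage(report, flagged)
```

Files in "unchanged" are identical to the pre-lock backup, so either the scanner is wrong about them or the backup was already bad; either way they need a human look rather than a blind restore.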



Finished up the story in the first post.

And yea pretty much. 

Sitelock is like "Level 40 bork-storm!" 
          Forum paralyzed, and attempts to deal 300 damage to RMH

Алескей is like "Level 50 unbork!"
          Forum wakes up, and RMH takes no damage

Now we talk and try to figure out if that bork storm really did come from Sitelock, or if there could be someone else nearby. 

@IDGCaptainRussia Yes seriously.

@Ryon  For sure.  I kinda isolated a bit for a minute there, really, dealing with that double post bug.  Every time I would go on the forum, I just felt guilty.  Like my job is to fix and prevent that kind of stuff, so instead I would just go on youtube and watch db management tutorials, read articles, and try to figure out how to fix the thing.  But now that that's done, I'm starting to peek out of the cave again, and it's great to see a particular strange familiar face.

