• Could someone please give me some advice.

    My site has been hacked. I have been arguing with my host for two full days via email and they are driving me crazy. They are sending me stock response after stock response (they clearly only speak very basic English, and are not comprehending anything I’m asking). They keep telling me they have scanned it and deleted one file and now it’s fine. 50 or so emails from them later over two days and I can’t get a single coherent answer to my questions other than stock responses to change my password. They keep telling me it’s fixed (it’s not), then saying have a good day and they’re glad they could help me (WTF?!!!). Then each time it’s followed up with them starting a new support thread saying “hey, your site has been compromised”, etc., suspending my account and the whole process starts again… ugh. Yes, it’s as frustrating as it sounds.

    OK, to the question… in the public_html folder there is a folder that I have never seen before called ‘webapps’. It’s full of folders with files for banking and PayPal scams (Login.phps, spoof bank sites, images, logos, etc., etc. My host keeps insisting they’ve got rid of everything that was put in my account by the hacker, because their scan says so). Should that webapps folder be there for any legitimate reason, or can I make this simple and just ask them to delete the entire folder? (They’ve changed permissions on some of the folders in there, so I can’t remove them myself.)

    I have never seen the ‘webapps’ folder before; it’s not in any of my site backups. I don’t have any ecommerce or anything set up on my site. It’s just a simple WordPress installation with basic plugins (Akismet, Broken Link Checker, Content Protector, Jetpack, WP-Footnotes, Twidget, and WP-Cleanup).

    Can anyone who knows what they’re talking about (more than me, and exponentially more than the nitwits on the support desk who are making me crazy), tell me if deleting the entire webapps folder sounds like the right course of action? Or is it required for something that I am not aware of?

    Apologies for the rant, trying to be thorough, before I go completely postal. Please send help.

    Cheers,
    Sam

Viewing 7 replies - 16 through 22 (of 22 total)
  • Haha, you’re so optimistic about the level of comprehension I’ve been getting from them, no I haven’t got anything detailing how, or methods of uploading yet. When this happened a few years ago, they were telling me a specific file I was asking about had not been uploaded, ever, no record of it. So I’m not holding my breath. I agree that they are trying to fob me off, haha. It’s been a wonderfully frustrating experience, particularly one week into giving up smoking… that has made it my trial by fire.

    OK! That is interesting, they have changed permissions on about half the folders inside webapps so that I can’t affect them, since I’ve been discussing it with them, and pointing out what is inside them. But I just tried renaming the parent ‘webapps’ folder and it worked, that was surprising… at the very least I presume that should mean I can have a play around and see if that has broken anything for me. Does that sound logical to you??

    It’s close to 2AM, and I’ve had all I can stand of doing this for tonight, but I will continue persevering with it tomorrow. Thank you for all your advice and feedback! It’s been great to get some sensible, coherent advice, the first time in two days, so cheers!

    If we assume that the webapps folder is strictly linked to the hacker’s scripts, then it should be perfectly safe to rename it. WP by default won’t be using it, so, if anything on the site does fall down because it can’t access something in webapps, then it suggests that you have another compromised file.

    they have changed permissions on about half the folders inside webapps

    That is strange. If it’s related to your hosting, why not just tell you and ask you to stay away from it? If not, why not just delete it? I wonder if they are still trying to figure out how the hacker got in…?

    It’s been a wonderfully frustrating experience, particularly one week into giving up smoking… that has made it my trial by fire

    Oh my! That certainly is bad timing! If it helps, I can thoroughly recommend vaping instead.

    A quick play testing functionality on my site, and all appears fine with that folder renamed. It really seems to me that all the changes are specific to that webapps folder, the only exception is that one file in the Akismet folder, it’s also the only file that showed up on their scans as malicious.

    I’ve been emailing back and forward with them for two days, and the last one I basically said: actually go to the webapps folder, look at the #@&HR!&! folders and files I’m pointing out to you and tell me again that it is all fixed?!

    I haven’t heard back in several hours now, so I’ll see what response I get next when I wake up. If it’s to change my passwords, I may bloody explode! Haha.

    OK, thanks again for all the feedback/advice, I’ll follow this thread up with any updates.

    Cheers,
    Sam

    Continually and repeatedly telling me everything was fine, while I’m fighting them tooth and nail for days to make them see a giant phishing scam set up right in front of their noses, and I’m supposed to believe that they can actually tell if any of the other domains on the server are compromised. They couldn’t even tell that one site was when I was screaming it from the rooftops. With the final blow of once again trying to shift blame back to me, and getting in the last digs about me having taken steps like updating plugins, when I’ve told them every single time they have said that, that I’ve done no such thing, as I was all up to date before I was hacked. What a joke. Lol.

    “Thank you for the continued patience. We are extremely sorry for the trouble caused here.

    I have done a detailed check in this case and found that, instead of removing the culprit folder, we have caused a lot of confusion. I have discussed this with the techs concerned and taken the necessary actions.

    Now, I have removed the culprit folder “webapps” from the account and made sure that there are no other suspicious files on your domain. To find the logs of the file upload, I have gone through Apache, FTP, cPanel and domlogs but we couldn’t get any trace of it. To maintain disk space, we have already set up log rotation on the server so that old logs are automatically cropped when the allocated space is found to be full. Due to this, the logs from that time have been cropped from the server and that is why we couldn’t get any logs of the corresponding file upload.

    As of now, your account is secured since you have taken preventive measures like password reset, plugin update etc. Also I have made a complete server audit to make sure that all the security measures are functioning well. I could find that the issue didn’t occur in any other domains residing on the same server, so I would like to point out that you have to make sure that your machine is virus free. There may be a possibility of the virus entering while accessing cPanel or FTP from a local PC. Anyway, now your domain is working fine without any issue.”

    </rant>

    It just occurred to me, is it possible to tell how the phishing sites were uploaded to my server from my own site logs? There is a lot of stuff in there on the first of April to do with the files, but it’s beyond me to interpret…

    Your server should have log files that you can use. But it sounds like your website host is a waste of space – time to move to a new host and start with a fresh install of the latest version of WordPress and rebuild your database from clean backups.
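    As an added illustration of the log review suggested above (not code from anyone in this thread), here is a small Python triage over Apache combined-format access log lines. It finds the first request that reached the planted `webapps` folder, which puts an upper bound on when the files were uploaded, and lists any POST to a PHP file outside WordPress’s normal endpoints, the usual footprint of a dropped upload script (like the one flagged in the Akismet folder). All IPs, paths and timestamps in the sample are constructed.

```python
import re
from datetime import datetime

# Constructed sample lines in Apache "combined" format; not real log data
# and not taken from the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Apr/2015:02:14:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Apr/2015:02:16:40 +0000] "POST /wp-content/plugins/akismet/img.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Apr/2015:03:01:12 +0000] "GET /webapps/paypal/Login.phps HTTP/1.1" 200 7310 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Apr/2015:09:30:00 +0000] "GET /2015/03/a-post/ HTTP/1.1" 200 14120 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Apr/2015:09:31:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# POST targets that a stock WordPress install legitimately receives.
NORMAL_POST_TARGETS = {"/wp-login.php", "/wp-comments-post.php", "/xmlrpc.php",
                       "/wp-admin/admin-ajax.php", "/wp-admin/async-upload.php"}

def parse_line(line):
    """Return the fields of one combined-format line, or None if it doesn't parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def triage(log_text, planted_prefix="/webapps/"):
    """Return (first request that hit the planted folder, list of POSTs to PHP
    files outside the normal WordPress endpoints). Anything in the second list
    that predates the first hit is a candidate upload script to review."""
    first_hit = None
    odd_posts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]   # ignore query strings
        if path.startswith(planted_prefix) and (
                first_hit is None or rec["time"] < first_hit["time"]):
            first_hit = rec
        if rec["method"] == "POST" and path.endswith(".php") \
                and path not in NORMAL_POST_TARGETS:
            odd_posts.append(rec)
    return first_hit, odd_posts
```

    Run `triage(open("access.log").read())` against the real domlog; the returned timestamp and the odd POSTs that precede it are the lines to hand to the host or to correlate with FTP logs.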

  • The topic ‘My site hacked with a Paypal phishing scam set up on it.’ is closed to new replies.