Forum Replies Created

Viewing 15 replies - 1 through 15 (of 36 total)
  • Thanks for the suggestions.

    I understand and know how to prevent getting emails with spam/filters/etc. But I’m surprised that it’s considered acceptable to get three a day for months on end. I don’t believe there is a real person out there trying to reset their password three times a day for months. Essentially, the process is being abused somehow, and it should be fixed on WordPress’s end. There is no legitimate reason for someone to endlessly request password resets three times a day, so why allow it on the back end? Why not actually fix it?

    Thanks for the suggestion mate, looks like I’m going to have to, because I can’t think of any other way around it. Just annoying to have to do that, and I use gmail so that adds to the algorithm for all mail from WordPress to be marked as spam for everyone else with gmail. So far from ideal, but cheers anyway.

    Ahhh, that makes a lot of sense, cheers mate. I hadn’t thought of that scenario… But surely no one legitimate requests a password reset every 6-8 hours for months on end?

    I gather I can’t change my user name? Or search www.remarpro.com by username to contact them? Admittedly I only use the forums occasionally, but it’s very helpful when I can, e.g. if I spoof my email I wouldn’t have known there was a response to this question … All because some numpty can’t get their logins right… Lol.

    It just occurred to me, is it possible to tell how the phishing sites were uploaded to my server by my own site logs? There is a lot of stuff in there on the first of April to do with the files, but it’s beyond me to interpret…

    </rant>

    Continually and repeatedly telling me everything was fine, while I’m fighting them tooth and nail for days to make them see a giant phishing scam set up right in front of their noses, and I’m supposed to believe that they can actually tell if any of the other domains on the server are compromised. They couldn’t even tell that one site was when I was screaming it from the rooftops. With the final blow of once again trying to shift blame back to me, and getting in the last digs about me having taken steps like updating plugins, which I’ve told them every single time they have said that, that I’ve done no such thing as I was all up to date before I was hacked. What a joke. Lol.

    “Thank you for the continued patience. We are extremely sorry for the trouble caused here.

    I have done a detailed check in this case and found that, instead of removing the culprit folder, we have caused so much confusion. I have discussed this with the concerned techs and taken the necessary actions.

    Now, I have removed the culprit folder “webapps” from the account and made sure that there are no other suspicious files on your domain. To find the logs of the file upload, I have gone through Apache, FTP, cPanel and domlogs, but we couldn’t get any trace of it. To maintain disk space, we have already set up log rotation on the server so that old logs are automatically cropped if it finds that the allocated space is filled. Due to this, the logs from that time have been cropped from the server, and that is why we couldn’t get any logs of the corresponding file upload.

    As of now, your account is secured since you have taken preventive measures like password reset, plugin update etc. Also I have made a complete server audit to make sure that all the security measures are functioning well. I could find that the issue didn’t occur in any other domains residing on the same server, so I would like to point out that you have to make sure that your machine is virus free. There may be a possibility of the virus entering while accessing cPanel or FTP from a local PC. Anyway, now your domain is working fine without any issue.”

    A quick play testing functionality on my site, and all appears fine with that folder renamed. It really seems to me that all the changes are specific to that webapps folder, the only exception is that one file in the Akismet folder, it’s also the only file that showed up on their scans as malicious.

    I’ve been emailing back and forth with them for two days, and in the last one I basically said: actually go to the webapps folder, look at the #@&HR!&! folders and files I’m pointing out to you and tell me again that it is all fixed?!

    I haven’t heard back in several hours now, so I’ll see what response I get next when I wake up. If it’s to change my passwords, I may bloody explode! Haha.

    OK, thanks again for all the feedback/advice, I’ll follow this thread up with any updates.

    Cheers,
    Sam

    Haha, you’re so optimistic about the level of comprehension I’ve been getting from them, no I haven’t got anything detailing how, or methods of uploading yet. When this happened a few years ago, they were telling me a specific file I was asking about had not been uploaded, ever, no record of it. So I’m not holding my breath. I agree that they are trying to fob me off, haha. It’s been a wonderfully frustrating experience, particularly one week into giving up smoking… that has made it my trial by fire.

    OK! That is interesting, they have changed permissions on about half the folders inside webapps so that I can’t affect them, since I’ve been discussing it with them, and pointing out what is inside them. But I just tried renaming the parent ‘webapps’ folder and it worked, that was surprising… at the very least I presume that should mean I can have a play around and see if that has broken anything for me. Does that sound logical to you??

    It’s close to 2AM, and I’ve had all I can stand of doing this for tonight, but I will continue persevering with it tomorrow, thank you for all your advice and feedback! It’s been great to get some sensible, coherent advice, the first time in two days, so cheers!

    Yes, it is a shared host/server.

    No, I haven’t asked how many are on there, I’ve been struggling to get even basic responses beyond the “we have scanned your account and now it’s all fine”.

    Interesting to hear you say that even deleting the webapps folder (on the presumption that all my woes are contained in it) may not help me out in the long run. From everything I can see, that folder is the only thing that has been touched/altered/changed … but that is def food for thought, thank you.

    They did send me this, as the log for the IP they’ve banned that uploaded the prl.pl, but I’ve had to fight them all the way to get them to see that all the stuff in webapps is evil, so I don’t have any logs for that yet, but this is the prl.pl part:

    “root@jellybean [/home/******/public_html]# grep prl.pl /usr/local/apache/domlogs/******/******.net | grep POST | head -1
    41.129.104.176 - - [01/Apr/2014:05:27:40 -0400] "POST /wp-content/plugins/akismet/prl.pl HTTP/1.1" 200 24800 "https://******.net/wp-content/plugins/akismet/prl.pl" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
    root@jellybean [/home/******/public_html]#”
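    The host’s grep above only finds the one filename they already knew about. As an added example (not from the thread or from WordPress), here is a small Python scanner over Apache combined-format domlogs that flags every request for a script with a non-PHP executable extension under the plugin directory, or anything under the dropped-in “webapps” tree, and reports when each client IP was first seen. The log lines, IPs and the list of suspicious extensions are constructed assumptions for the demo.

```python
import re
from datetime import datetime

# Constructed sample domlog lines in Apache combined format, modelled on the
# host's grep output; the IPs, paths and timestamps here are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Apr/2014:05:27:40 -0400] "POST /wp-content/plugins/akismet/prl.pl HTTP/1.1" 200 24800 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Apr/2014:06:01:02 -0400] "GET /wp-content/plugins/akismet/akismet.js HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Apr/2014:06:10:11 -0400] "GET /webapps/paypal/paypal_verification.php HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Apr/2014:09:00:00 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Fields of the combined log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: a WordPress plugin directory should never serve these script types.
SUSPICIOUS_EXT = (".pl", ".py", ".sh", ".cgi")


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def suspicious_requests(log_text, plugin_dir="/wp-content/plugins/", dropped_dirs=("/webapps/",)):
    """Collect requests for odd script types under plugins, or anything in dropped-in trees."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        odd_plugin_script = path.startswith(plugin_dir) and path.lower().endswith(SUSPICIOUS_EXT)
        in_dropped_tree = any(path.startswith(d) for d in dropped_dirs)
        if odd_plugin_script or in_dropped_tree:
            hits.append(rec)
    return hits


def first_seen_by_ip(hits):
    """Map each client IP in the hits to the earliest timestamp it appeared."""
    first = {}
    for rec in hits:
        if rec["ip"] not in first or rec["ts"] < first[rec["ip"]]:
            first[rec["ip"]] = rec["ts"]
    return first
```

Run it against the real domlogs instead of SAMPLE_LOG to get the earliest-seen time per IP, which is the figure to hand the host when asking what was uploaded around that time.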

    Yes, manually deleting them in FTP, except my .htaccess, wp-config, favicon, etc, and wp-content folder is how I do it. It’s 1am and I’ve been doing this all day, so I may not be expressing myself at my absolute best.

    Of the three options, I don’t believe it’s a WordPress plugin, or my computer, to be frank I think it’s the server/host that’s to blame. It has happened once before a couple of years ago, and I don’t recall the exact details, but I was told at the time that the type of hack I had only required one WP installation on the particular server to be compromised and that could be used to infect/spread/whatever the right term is, to other installations on the same server.

    From everything I’ve read, I believe I have covered most of what I can think of, I’m really just trying to figure out if I can try to bash a request through the English barrier to delete the webapps folder, or if that is going to screw me.

    Haha, I just read your response while I was typing, and I agree I also think it’s the server/host. lol (but not lol)

    Sorry, what I meant by that, was that none of those plugins should be utilising anything that would be in ‘webapps’? Not that I thought the plugins were the cause.

    They ran a maldet scan, and ‘public_html/wp-content/plugins/akismet/prl.pl’ was the file it keeps returning, which they have disabled. But they have not even mentioned the webapps folder to me. I have been harassing them about that. There are at least half a dozen folders in there and each one is full of what as far as I can tell would each make up a discrete phishing site. Full of files like paypal logos, paypal_verification.php, bank login pages, etc, etc… I’ve pointed it out about 10 times, and the response I keep getting is they’ve scanned it and it’s fine, and I need to use better passwords.

    FYI I use passwords of a randomly generated string of 25 characters/letters/numbers/symbols, and a unique password for everything. I rock solid guarantee weak passwords are not my problem.

    I’ve installed a clean WordPress install over the top, all my plugins and WordPress were up to date before it was hacked. I’ve looked at file permissions, … I think I have most of what I’ve read in the first few links you posted already covered.

    (Although some of them are up to 5 or 6 years old, so I presume they are still relevant??)

    Yes, Email passwords, cPanel, WordPress Administrators, FTP …

    Esmi, when you say it has nothing to do with WordPress, do you also mean it should have nothing to do with any of those listed plugins either?

    p.s. according to the modified dates, the only files or folders that have been changed since it was hacked on the 1st April are the contents of webapps. My .htaccess file, all the other important stuff I can see has not been altered.
