- Dear Chwayita,
- A hacker uploaded malicious content to your website rechargeafrica.co.za. Websites are usually compromised to enable spam mailing, phishing or the spread of viruses. These types of abuse often result in blacklisting of servers, causing mail delivery failures for all domains hosted on the server. Along with the disruption of services caused by blacklisting, spam/phishing abuse and virus infections are extremely damaging to the reputation of all parties involved. It is for these reasons that Hetzner takes abuse extremely seriously. Hetzner reserves the right to suspend or terminate, without warning, any account that violates our Acceptable Use Policy whether the abuse was intentional or not. More information on our Spam Abuse Policy is available at:
- Due to the above, we have been forced to take the following actions to stop further abuse originating from your domain:
- -- the website content has been removed and is available in a folder called ‘compromised_website-20190521’. The content can be downloaded from the home directory of the account via FTP. This will enable you/your developer to download, clean and secure the website before uploading it again. Please remove the index.php holding page now present when re-uploading the website. Please note that this folder will be automatically removed from the server after 60 days.
- -- the FTP password of the account has been changed. In order to retrieve the password, you will need to reset the password via the FTP Users tool in konsoleH.
- As this matter relates to your website content and the maintenance thereof, further investigation as performed by Hetzner today and further assistance in the matter fall outside the scope of our services. You (or your web developer) will need to perform the necessary maintenance on the website content to improve the security of the website and to remove any vulnerabilities and infected content. If you do not have the necessary expertise and require the assistance of a web developer, we can provide you with our web developer’s referral list on request.
- Below, please find technical information that may prove helpful during the investigation and clean-up process. Please provide this information to your web developer if applicable. All web (HTTP) logs for this domain are available in the ‘www_logs’ folder within the domain’s home folder (FTP root). These logs contain information about the visits to your website and may contain evidence about how the domain was compromised. If you are making use of a Content Management System (CMS) such as WordPress or Joomla, please see our security recommendations in the following Help Centre article: https://hetzner.co.za/help-centre/website/how-do-i-secure-my-website-against-hackers/
- Please ensure that your website is properly secured before it is activated again. Although you may restore your website content via our Restore Backup tool in konsoleH to a previous version, this version may also already be vulnerable or infected. This is therefore not recommended as a resolution to the problem, but can be used as part of a strategy to repair the security vulnerabilities. It is important to note that only removing the malicious content listed below will not resolve the problem and will not prevent future abuse. The following steps are generally recommended as part of the repair process:
- -- All passwords relating to the website should be changed (including MySQL database and CMS login credentials).
- -- If there were any administrator users or members created by the hackers, they should be removed. This will only be applicable if your website makes use of an administrator control panel. Examples include WordPress, Joomla, Drupal.
- -- Ensure that all website administrators are making use of up-to-date anti-malware software on computers used to administer the website.
- A malware scan performed on the website content found the following infections:
- /usr/www/users/rechajjghg/wp-includes/css/dist/block-library/miniv48.php: Win.Trojan.Hide-1 FOUND
- The following content is suspect: