Go Phish

26 Oct

My site ended up unexpectedly being shut down for a couple of hours yesterday, so I do apologize if anyone tried to read anything that I have here and was unable to do so.  Needless to say, it was quite a wild ride! 

It all started a couple of weeks ago, when I started receiving some feedback from my friends and readers that my site was showing up on their antivirus software as possibly having malicious content, specifically a Trojan.  I have only been self hosted for a few short months, so I don’t know too much on the subject or the inner workings of things.  I ran a full scan on my computer, which turned up nothing and then I called BlueHost, who hosts my website and asked what they could do about this.  The man from technical support ran a scan on his end, also found nothing malicious on my page and told me that if I could provide evidence of these alerts or of the malicious software that BlueHost could investigate further. 

I put out the call for people to send me some screenshots of what the man asked for and a very dear friend sent me an e-mail the other day with exactly what I needed.  I immediately shipped that off to BlueHost and awaited their response.  Near the end of my work day, I received two e-mails from BlueHost, one telling me that they had found a large amount of malware in my site and had created a folder with all of the information about it in there.  The second e-mail was from the Terms of Service department, telling me that a third party sent them a complaint about the malware on my site and that they determined that I was phishing, which is a violation of the Terms of Service.  Because of this infraction, they were going to deactivate my site and give me 15 days to contact them and get the matter resolved, or else they would potentially delete anything that they are hosting of mine. 

I called the Terms of Service department and they basically blamed everything on me.  They denied any responsibility for the malware getting through and told me that it is my job to monitor my site and make sure that it remains free of such things.  They denied any knowledge of promises that were made to investigate or clean up the site further and were unsure why someone in their technical support department would make such claims.  I was given the name of two third party companies that would be happy to help me clean up my site and help keep it clean, all of course for a low monthly fee.  Needless to say, I was pissed.  I didn’t know any of this.  I assumed that by paying them to host my site, that they were also going to keep it safe.  There was never any indication that they did not automatically provide this service to me and this was the first time I had ever been offered the services of other companies to do such things.  It never came up until now.  

Terms of Service wrapped up the call by stating that they would be happy to reactivate my site, if I could show them that the site was free of all malware and other potentially suspicious software and they would wait to hear my response on this.  I didn’t know where to begin.  One of my friends offered his assistance with this and we sat on Vent together and figured out what to do.  I gave him the information that would allow him to access my control panel through BlueHost, to see what he could do.  Mind you, I wouldn’t suggest you do this for just anyone, but these were desperate times and I really felt I could trust him.  As he is working on cleaning up my site, he was surprised to discover that nearly a dozen phishing sites or companies had basically taken up residence on my server.  Some of them were masquerading as tax companies or well known banking institutions.  It was an impressive feat and certainly not something done by amateurs. 

After he felt like he had cleared everything malicious out, I called BlueHost to see if my site met with their approval and if my blog could be reactivated.  The man on the line said I still had three pieces of malware remaining that they would like to see removed.  Let me get this right – they can tell me where the malware is and what it is, but they can’t remove it?  How does that work?  Again, it’s not their job.  Or at least that’s the way they see things.  So, I dragged my friend back on Vent and he removed the last three pieces of malware, to BlueHost’s satisfaction.  Minutes later, my site was reactivated and everything appeared to be back to normal.

I walked away from this experience feeling paranoid and confused.  How on earth did this happen?  I have always prided myself on being smart about my web surfing and my online shenanigans.  I don’t open attachments I’m not sure of.  I don’t give out my password to strangers.  I use authenticators.  I run virus scans often.  I don’t unscreen comments that look suspicious.  I don’t download porn from sites that I don’t trust and that aren’t secure.  I would like to think I’m a smart person, in that regards.  I also don’t know how to prevent this from happening again.  I really assumed that I would be safe, that my host would keep me safe.  That didn’t happen.  My friend and several others offered me hosting on their spaces and I’m seriously considering taking them up on this.  I don’t need massive amounts of storage or numerous e-mail addresses.  I just want to feel safe.  I want to know that I can have a site up and running that’s not going to negatively affect those who try to read it or that will negatively affect me.  I didn’t even know something like this was possible. 

So I’m trying not to give this too much thought and move on.  I’m still trying to determine where I’m going to end up, come 4.3.  I haven’t had any luck finding any runs in my current guild or group that are looking for healers or that would have me back (after the whole “me refusing to go discipline” fiasco), so I’m having to take my business elsewhere.  I had one guild interview last night that I thought went well and I have had a few offers from others, too.  I really want to make sure I do it right this time and that I find a group that I enjoy first and that I can progress with second.  Before, it was the other way around and I realize that maybe that wasn’t the best way to go about things.  I have learned that and I’m still learning other things, too.  I just need to find the right group that is willing to learn with me and possibly even teach me a few things, too.


9 Responses to “Go Phish”

  1. zelmaru October 26, 2011 at 9:48 am #

    Ok… something similar happened to me a few weeks ago. Apparently there was a security hole in my theme. However, in that case, my host simply deleted the offending file.

    A few months ago, I had a large number of hits trying to attack the “back end” of the site, putting me WAY OVER my bandwidth allotment (500 errors everywhere). The solution I found (this might help you) is to go into the back end of the site (through the host’s interface, not the wordpress login interface) and password protect the “wp-admin” folder. That way, when I go to login to the back end of wordpress, I have to FIRST put in the folder protection username and password and THEN the username and password for logging into wordpress. I’ve found that doing this cuts down on the jerks trying to haxxor my site.

    • Oestrus October 26, 2011 at 10:02 am #


      Right. I think I’ll just have Jadissa look at your wonderful explanation, Zel. He was the one who helped me out yesterday and he can probably understand what it is you’re trying to explain to me here. Thanks for taking the time to spell it out for me and I’ll let you know if it helps!

  2. Trocar (@TrocarRogue) October 26, 2011 at 2:52 pm #

    Could also have been that you need to CHMOD files/folders properly?

    More info on file permissions: http://codex.wordpress.org/Changing_File_Permissions

    (From: http://goo.gl/DFJ6u )
    .htaccess ==> 644
    /public_html/ ==> 755
    /wp-content/ ==> 755 or less
    /wp-content/uploads ==> 755 or less
    /wp-admin/ ==> 755 or less

    • Oestrus October 26, 2011 at 3:25 pm #

      Hi Trocar,

      Like I said, I don’t know very much about all this stuff. I can certainly forward this information to Jadissa, who was nice enough to help me and who did most of the work to get my site back up and running.

      Thanks for the suggestion!

  3. Apple October 26, 2011 at 8:12 pm #

    I’ll offer hosting, too, if you want to get away from your host – I had a similar problem with a security hole in my theme or something, and Dreamhost emailed me about it as soon as they noticed it – they didn’t delete it in case it wasn’t actually malware, but they told me where it was and what file it was, and it was very helpful.

    Anyway, I have unlimited hosting, which means you don’t have to worry about how much space/bandwidth you use, and I’d get you set up nice and purty. I mean, obvs you probably have more tech-savvy people offering you space, but I thought I’d put the offer through, too. ❤

    They sound like dicks, I'm glad you got things sorted for now.

  4. Jadissa October 28, 2011 at 8:18 am #

    Just dropping a comment here to make sure it’s working properly on the new site. Hopefully we’ve got this mostly up and running!

  5. Rigtze November 4, 2011 at 6:25 am #

    Heya, just letting you know that I still get messages that the site has malicious content. Can send you a screenshot if you want?

    • Oestrus November 4, 2011 at 6:31 am #

      Sure! Send it to oestrus@elitistjerks.com

    • Jadissa November 4, 2011 at 9:11 am #

      Hey, just wanted to let you know you’re fine and there’s no virus/malware 🙂 I’m O’s webhost, and I checked the site again today and it’s clean. I took a look at the screenshot you sent over, and the messages you saw were images that Oestrus used for her Go Phish post and that also appeared in the top gallery area. They’re very convincing!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: