How my Bluehost account got suspended, from start to finish

Yesterday (the 26th), a little after 8 in the morning, I found an email Bluehost had sent at 3:45 am saying that files in my account contained malicious code and that they had already corrected it for me.

8:00 pm: the uptime monitor reported that the site hosted on Bluehost was unavailable.

8:27 pm: email from Bluehost saying the account had been suspended for violating the user agreement and that I should contact them within 15 days. The website showed a notice that the account was suspended.

9:20 pm: live chat and a ticket got nowhere; the former had no authority to act, the latter was slow to respond. So I phoned Bluehost's US office and was promised that a list of the suspicious files would be placed in the site's root directory within 20 minutes.

10:00 pm: went out to pick someone up at the airport; on the way I downloaded the file with a mobile FTP client and found that the only suspicious files were two php files under supercache.

10:00 am: another email, sent in the small hours in reply to last night's ticket, saying that an entire folder had to be deleted.

10:15 am: after deleting the two files above, I phoned Bluehost headquarters and confirmed that the folder really did need to be deleted. Once it was gone, they confirmed over the phone that the account would be restored immediately.

1:00 pm: opened the backup of the deleted folder and replaced all the injected code, 25 occurrences in 13 files in total, then re-uploaded it.

2:00 pm: on a whim I downloaded every file and searched through them all: 1297 instances of malicious code across 2225 files. Shocked, I removed them and uploaded again.

2:30 pm: opened a ticket with Bluehost asking how this situation could be avoided.

Bluehost's reply listed the following causes of such attacks:

1. A vulnerable script or program you have installed
2. An insecure password you have set (either for the cPanel or an FTP account)
3. An insecure PHP setting you are using on your account
4. Insecure file permissions you have set for your files
5. An insecurity on a computer you use to access your account (a virus or other malware on a home or work computer)

To resolve these problems, the following steps are needed:

1. Go through the entire account and remove unfamiliar/unused files; repair files that have been modified by the hacker.
2. Update all scripts/programs/plugins/themes on the account to the latest versions.
3. Research any scripts/programs/plugins/themes you are using for known security vulnerabilities; remove any with known, unresolved vulnerabilities.
4. Update your cPanel password, using a strong password (i.e. upper case characters, lower case characters, numbers, symbols).
5. Remove unused FTP accounts.
6. Update the passwords on necessary FTP accounts to strong passwords (see above).
7. Update the passwords for any scripts/programs you are using to strong passwords (see 4 above).
8. Remove all unknown cron jobs.
9. Secure the php configuration settings in your php.ini file.
10. Update the file permissions for files and folders on your account.
11. Secure your home computer by using an up-to-date anti-virus program; if you already use an anti-virus program, download and try a different anti-virus program, which may scan for different issues.

My own guess is that there were two reasons for the earlier compromise. One is file permissions: for convenience I like to temporarily set folders to 777 and then forget to change them back. The other is some tools suspected of cross-site attacks, such as 雅黑探针 (according to Alibaba Cloud's report).
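The two things the post actually had to do by hand, searching every file for injected PHP (items 1 and 2 of the Bluehost checklist, and the 1297 hits found on the afternoon of the second day) and finding the folders left at 777 (item 10 and the guess above), can be scripted. The script below is an added example and is not from the original post or from Bluehost; the web-root layout, the file names and the injected `eval(base64_decode(...))` lines are constructed for the demo, and the pattern list covers only the most common injection markers, so a clean scan is not proof of a clean site.

```sh
#!/bin/sh
# Added example (not part of the original post): audit a web root for the
# two problems the post describes, injected PHP and world-writable paths.
# Paths, file names and the injected snippets below are constructed.

# Markers typical of injected PHP; extend as needed (assumption: this list
# is illustrative, not exhaustive).
INJECT_RE='eval\((base64_decode|gzinflate|gzuncompress|str_rot13)\('

# Print the php files under $1 that contain at least one marker.
list_injected_files() {
    find "$1" -type f -name '*.php' -exec grep -lE "$INJECT_RE" {} + 2>/dev/null
}

# Number of files that contain a marker (the "13 files" figure in the post).
count_injected_files() { list_injected_files "$1" | wc -l | tr -d ' '; }

# Number of matching lines across all php files (the "25 places" figure).
# -H forces the file:count prefix even when grep is handed a single file.
count_injected_hits() {
    find "$1" -type f -name '*.php' -exec grep -HcE "$INJECT_RE" {} + 2>/dev/null \
        | awk -F: '{ s += $NF } END { print s + 0 }'
}

# Show each hit with file name and line number, for manual cleanup.
show_injected() {
    find "$1" -type f -name '*.php' -exec grep -HnE "$INJECT_RE" {} + 2>/dev/null
}

# Entries anyone on the host can write to: 777 directories, 666 files, etc.
list_world_writable() { find "$1" -perm -o=w \( -type d -o -type f \) 2>/dev/null; }
count_world_writable() { list_world_writable "$1" | wc -l | tr -d ' '; }

# Checklist item 10: 755 for directories, 644 for files.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Checklist item 8: list the cron jobs so unknown ones can be removed.
list_cron() {
    if command -v crontab >/dev/null 2>&1; then
        crontab -l 2>/dev/null || echo "(no crontab for $(id -un))"
    else
        echo "(crontab not available on this host)"
    fi
}

# Build a constructed web root in a temp dir: one clean file, two injected
# files under a supercache folder (as in the post), and an uploads dir at 777.
# Permissions are set explicitly so the result does not depend on umask.
make_demo_root() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/cache/supercache" "$root/uploads"
    printf '<?php echo "clean page"; ?>\n' > "$root/index.php"
    printf '<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n' \
        > "$root/wp-content/cache/supercache/cache.php"
    printf '<?php $x = 1;\neval(gzinflate(base64_decode("H4sI")));\neval(str_rot13("rpub 1;"));\n' \
        > "$root/wp-content/cache/supercache/meta.php"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    chmod 777 "$root/uploads"
    printf '%s\n' "$root"
}

demo() {
    root=$(make_demo_root)
    echo "injected files: $(count_injected_files "$root")"   # 2
    echo "injected hits:  $(count_injected_hits "$root")"    # 3
    show_injected "$root"
    echo "world-writable before fix: $(count_world_writable "$root")"  # 1
    fix_perms "$root"
    echo "world-writable after fix:  $(count_world_writable "$root")"  # 0
    list_cron
    rm -rf "$root"
}

demo
```

On the real account, run it as `list_injected_files /home/user/public_html` and `list_world_writable /home/user/public_html` rather than through `demo`; review every hit by hand before deleting, because plugins such as caching layers legitimately write PHP files, and restore from a backup taken before the first Bluehost email rather than patching injected files in place.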

Everything has been fine so far; with that, a 14-hour account suspension finally came to an end.
