My web site was hacked for the second time

A few months ago someone who visited my Sparkle web site sent me an email and warned me that there seemed to be some phishing material added to it. The next day my hosting service contacted me with news that some malicious files had been added to my site. They supplied me with a new upload password and deleted the malicious files. I uploaded my updated web site and then everything was back to normal.

Then yesterday, a friend visited my web site and found that Google had posted a red “defective site ahead” banner which blocked my web site from opening.

I contacted my hosting service this morning. They deleted the malicious files again. They said, "We have run a malware scan in your account and removed the infected files. Please see the files we have handled." There were 4 files altogether, 3 ended with php, and one with phtml. I didn’t know whether it was a good idea or not to post the full names of the malicious files.

They gave me instructions on what to do next. They said that I should “submit a request to re-review your site with Google” by using Google Webmaster Tools. I hope that I’ll be able to figure out how to do that.

But before that, they said that I needed to, "Kindly remember, the delist request should be done only after confirming that your account is clean. I would suggest downloading your account files to your local machine and going through them manually. Once confirmed everything is clean, please re-upload it to the server."

I don’t know how to go “through them manually” to confirm that my account files are clean. But I would guess that my Sparkle web site files on my computer are probably fine, since the hacking seemed to have happened after I had uploaded my site. Is my understanding correct?

My hosting service also suggested that if I updated my site more often, it would help protect my site from hacking.

Finally, my hosting service says: “After this Google will review your website manually and, once they make sure that it doesn’t host or distribute any type of malware, they will remove the identification from search results and it will re-index. It will take almost 4 days to 2 weeks for the process completion.”

Any suggestions or confirmation from the Sparkle community?
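One concrete way to “go through them manually”, as an added example that is not from anyone in this thread: export the site from Sparkle to a local folder, download the live site with an FTP app into a second folder, and compare the two trees. Anything that exists only on the server, anything whose bytes differ, and any `.php`/`.phtml` file on a static site are the things to inspect before asking Google for a re-review. The folder names are assumptions (override them with `LOCAL_DIR` and `SERVER_DIR`); the sample files the script creates with `make_sample_tree` are constructed stand-ins, not real content.

```shell
#!/bin/sh
# Added example: compare a local Sparkle export against a copy of the server
# files downloaded with an FTP app. Directory names are assumptions; the
# sample trees built by make_sample_tree are constructed test data.

WORKDIR="${WORKDIR:-$(mktemp -d)}"
LOCAL_DIR="${LOCAL_DIR:-$WORKDIR/sparkle_export}"
SERVER_DIR="${SERVER_DIR:-$WORKDIR/server_download}"

# Constructed sample data: the export, plus a server copy with one modified
# page and two extra files standing in for injected content.
make_sample_tree() {
  mkdir -p "$LOCAL_DIR/images" "$SERVER_DIR/images" "$SERVER_DIR/tmp"
  printf '<html>home</html>\n' > "$LOCAL_DIR/index.html"
  printf 'body{}\n' > "$LOCAL_DIR/style.css"
  printf 'png-bytes' > "$LOCAL_DIR/images/logo.png"
  cp "$LOCAL_DIR/style.css" "$SERVER_DIR/style.css"
  cp "$LOCAL_DIR/images/logo.png" "$SERVER_DIR/images/logo.png"
  # constructed: same page with an extra line appended on the server
  { cat "$LOCAL_DIR/index.html"; printf '<!-- appended on server -->\n'; } > "$SERVER_DIR/index.html"
  # constructed placeholders (not scripts): files that exist only on the server
  printf 'placeholder\n' > "$SERVER_DIR/tmp/x.php"
  printf 'placeholder\n' > "$SERVER_DIR/login.phtml"
}

# Relative paths of all regular files under $1, sorted for comm(1).
list_files() {
  ( cd "$1" && find . -type f | sort )
}

# Files present on the server but absent from the export. A static site
# should contain only what was published, so these come first.
server_only_files() {
  local_list=$(mktemp); server_list=$(mktemp)
  list_files "$LOCAL_DIR" > "$local_list"
  list_files "$SERVER_DIR" > "$server_list"
  comm -13 "$local_list" "$server_list"   # lines only in the server list
  rm -f "$local_list" "$server_list"
}

# Files present in both trees whose bytes differ. cmp is used instead of a
# hash tool so the script does not depend on what is installed.
modified_files() {
  list_files "$LOCAL_DIR" | while IFS= read -r f; do
    if [ -f "$SERVER_DIR/$f" ] && ! cmp -s "$LOCAL_DIR/$f" "$SERVER_DIR/$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# Server-side script files anywhere in the download. A Sparkle site is
# static HTML/CSS/JS/images, so any .php or .phtml hit deserves a look.
script_files_on_server() {
  ( cd "$SERVER_DIR" && find . -type f \( -name '*.php' -o -name '*.phtml' \) | sort )
}

if [ "${1:-}" = "--demo" ]; then
  make_sample_tree
  echo "Only on server:";     server_only_files
  echo "Modified on server:"; modified_files
  echo "Script files:";       script_files_on_server
fi
```

Run it as `sh compare.sh --demo` to see the constructed case; for a real check, point `LOCAL_DIR` and `SERVER_DIR` at the export and the download and call the three functions. A clean result (nothing only on the server, nothing modified, no script files) is what the host is asking you to confirm before the delist request.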

I’m sure @duncan will have more to say about this but for me it is disturbing if it has been the case! :frowning:

I’m aware that the more script sits in a website the more hackable it becomes. The ultimate scripted platform is WordPress and they lead the charge in being hacked daily.

The other thing is that you haven’t given us a link to your hacked website.
Is it a controversial website? Have you got third-party embedded scripts?

I have been using Sparkle for nearly three years now and neither we nor our clients have experienced any hack issues over that time…

This happened to me once and not with Sparkle.
It’s not Sparkle. It’s your webserver. It has poor security.
My advice? Get a new server ASAP!

1 Like

Hey @RyanT, that’s concerning, but most likely not a Sparkle issue.

How are you publishing your site? If you’re not publishing using an encrypted connection (so FTP with TLS or SFTP) I strongly suggest you switch to an encrypted connection. If you combine that with weak wifi security, someone could sniff the FTP password and use it. This is regardless of whether you are using Sparkle’s built-in publishing or an external FTP app.

If your web host has weak attack mitigation, someone might still try and succeed in brute-force guessing your FTP password, meaning they try all possible password combinations until they eventually guess it. So pick, say, a random 30-character password so that it’s essentially impossible to guess even when trying many passwords a second (though a web host with some form of attack mitigation would limit the number of attempts after a bit).

Finally, assuming you only have your Sparkle site and nothing else, I also suggest using an FTP app such as cyberduck/filezilla/transmit and removing all files on the server that are visible on your domain – so say where the home page index.html is, all the files and folders next to it. Then republish your site from Sparkle. This removes any previous hack that might still be a way in for hackers.

Hope this helps.

1 Like
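Duncan’s 30-random-character advice, as an added example rather than anything posted in the thread: a small shell script that draws a password from `/dev/urandom`, checks an existing password against the recommendation, and gives a rough entropy figure so the “many guesses a second” point is visible as a number. The allowed character set is an assumption; trim it to whatever your host’s control panel accepts.

```shell
#!/bin/sh
# Added example: generate and check a long random FTP/SFTP password.
# Uses only /dev/urandom, tr, head and awk, so it runs on macOS and Linux.

PASSWORD_LENGTH="${PASSWORD_LENGTH:-30}"
# Assumption: letters, digits and punctuation most hosting panels accept.
ALLOWED_CHARS='A-Za-z0-9!@#%^&*_+=-'

# random_password [length]: print one random password from ALLOWED_CHARS.
random_password() {
  len="${1:-$PASSWORD_LENGTH}"
  LC_ALL=C tr -dc "$ALLOWED_CHARS" < /dev/urandom | head -c "$len"
  echo
}

# check_password <password>: return 0 when the password is at least 30
# characters and uses at least three character classes, so a long
# all-digit string does not pass.
check_password() {
  pw="$1"
  [ "${#pw}" -ge 30 ] || return 1
  classes=0
  case "$pw" in *[a-z]*) classes=$((classes+1));; esac
  case "$pw" in *[A-Z]*) classes=$((classes+1));; esac
  case "$pw" in *[0-9]*) classes=$((classes+1));; esac
  case "$pw" in *[!A-Za-z0-9]*) classes=$((classes+1));; esac
  [ "$classes" -ge 3 ]
}

# password_entropy_bits [length]: whole bits of entropy for a uniformly
# random password of that length over ALLOWED_CHARS (length * log2(alphabet)).
password_entropy_bits() {
  len="${1:-$PASSWORD_LENGTH}"
  # count how many printable ASCII characters survive the allowed-set filter
  alphabet=$(awk 'BEGIN{for(i=33;i<127;i++) printf "%c", i}' \
             | LC_ALL=C tr -dc "$ALLOWED_CHARS" | wc -c | tr -d ' ')
  awk -v n="$alphabet" -v l="$len" 'BEGIN{printf "%d\n", l*log(n)/log(2)}'
}

if [ "${1:-}" = "--demo" ]; then
  pw=$(random_password)
  echo "password: $pw"
  echo "entropy:  $(password_entropy_bits) bits"
  check_password "$pw" && echo "meets the recommendation"
fi
```

At 30 characters over this 73-character alphabet the figure is about 185 bits, which is why guessing at any realistic rate is hopeless even against a host with no rate limiting; the brute-force risk Duncan describes is really a short-password risk.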

Yes, I concur that the fault lies solely with your webhost. This is the very reason I now rent a virtual server, so I can have as much control over security as possible. You are most likely on a shared server with bare-minimum security. I had the very same issue pre-Sparkle. I understand that running your own server requires a little knowledge, but if it is out of your comfort range you should definitely try and find a reputable host.

1 Like

Hello.

Just a guess: weren’t you using WordPress before, and still have fragments in the webspace that allow access?

Do it as Duncan suggested: Do a major cleanup and republish everything.

Mr. F.

1 Like

To Sparkle community

Thanks to Duncan and everyone who offered comments. In case it helps others, I’ll try to respond to all of them.

The good news is that when I woke up this morning, the red Google page banner warning of a “Deceptive Site Ahead” had disappeared and my web site loaded up in the normal way. I had received an email from my hosting company last night, that they had removed the “malicious files” from my web site.

But I don’t know how Google noticed so quickly. As of last night, I still wasn’t yet able to figure out how to “verify ownership” of my domain using Google’s “Webmaster Tools.” Google’s web site said that I needed to do that before they would manually re-review my site and remove the warning banner.

My web site is captainfiddle.com. It concerns my folk music business. I’ve had it for many years. I built the latest version of it using Sparkle. It is my only web site and is not controversial in any way.

I do have a few dozen PayPal buttons activated, if that is the definition of a “third party embedded script.” I have not added any other files or scripts.

I’ve never used WordPress.

I don’t know if I should give the name of my hosting company in this public space. By name, it is a company that I have used for many years. It’s possible it is now owned by someone else.

I publish my web site using Sparkle’s built in FTP with TLS. My password for encryption is 15 characters long and looks very complex. It was supplied to me by my hosting company.

I do think that having my own server is beyond my experience level.

I don’t think that I have a problem with Wifi security. I live in a rural area, hundreds of feet away from the nearest other building (my friendly neighbor), and I do have security enabled on my router.

RyanT

Hi Ryan.

I assume that you have a google account. Here’s a video that explains 7 ways to verify the ownership:

Mr. F.

Delete the password your hosting company gave you and use one of your own (I always let Apple make one for me) and save that new password. I have saved all my passwords in a spreadsheet, so I can never forget it.
I always upload my website with FileZilla and copy the website to another drive with SuperDuper! (I have more websites, so that is an easy job using SuperDuper!). Of course you can use another method if you like.

1 Like