Why have I received a Security Notice and why has my account been suspended
This article was posted in: Getting Started
You may receive an email where the subject line begins : Krystal Hosting <> Security Notice [username] on [server name]
Krystal servers scan all files that are uploaded in real time, but also server-wide scans are conducted on a regular basis. If we detect a large scale malware attack in your account then your account may be automatically suspended.
Why do we suspend your account?
People often ask us why we suspend accounts before contacting our customer. We don't do it to annoy you - but because:
- it protects against further damage to your website - the longer they have access, the more likely it is they will install more, harder to detect, backdoors
- it protects against severe loss of search engine ranking for your website due to an SEO poisoning attack
- it protects against your website being blacklisted by google and other search engines
- it protects your email against unauthorised access (once your website is compromised, an attacker may be able to gain access to your email messages)
- it protects our server against being abused as part of a botnet (a remotely controlled cyber-missile!)
We try to explain it like this - if you owned a shop, and there had been robbers and bandits in there, you would not want to risk your reputation (and a law suit) by allowing the public back in until you were sure things were safe!
How to read the reports
The Security Notice email will normally include a list of affected files at the bottom, or as an attachment if the list is very large. Each line of the report will detail a problem or suspect file in this order
Alert Level, Month, Date, Time, Server, [ Filename ], Description
Warning - Jan 28 05:00:07 artemis ['/home/binky/public_html/shop/code.php'] - (decoded file [depth: 1]) Regular expression match = [decode regex: 1]
Critical - Jan 28 07:04:20 artemis ['/home/binky/public_html/tmp/images/jdhu.php'] - Suspicious Image File [PHP Script]
Legacy Script - Jan 28 23:07:59 artemis ['/home/binky/public_html/smf/index.php'] - Script version check [OLD] [SMF v1.1.18 < v2.0.5]
The above three examples show the THREE types of match you may be notified of.
Legacy Script : Our software checks a broad range of popular web applications to see if the installed version is the latest available. It is reasonably accurate and provides a useful reminder to update the software your website uses to reduce the risk of it being exploited. The files listed are NOT MALWARE - they are just scripts that you should consider updating. If you did not design your website, or are unsure whether you should update your files or not then you should seek assistance from an experienced web developer. Remember, before updating anything, always download a full backup of your website files and databases in case something goes wrong during the update.
If you do not wish to receive Security Notice emails solely because of Legacy Script warnings, then place an empty file called nolegacy.scan in the root (top level) of your home directory.
Warning : These are issues we have found that are worth investigating, but are often false positives. Our system is not confident enough to suspend your account, but a code fragment or technique has been found that is commonly used in malware - You should ALWAYS check these files out to make sure they are OK.
Critial : These are files that are almost certainly infected or entirely malicious, and positively match a known Virus or Malware fingerprint exactly. We take immediate action based on the following rules:
- Non-script files (e.g. image files). Hackers often hide malware inside seemingly innocuous files like images. This makes them easier to upload because some websites don't check the ensure that image files are valid before accepting them. The file is CHMOD 000 to prevent public access.
- Script files (e.g. php, perl etc). Such files can usually be directly accessed by the public, and usually offer direct control of your website to unauthorised users. This puts your data and that of your customers in danger. The directory containing the infected file is CHMOD 000 to prevent public access.
See https://krystal.co.uk/client/knowledgebase/80/What-file-and-directory-permissions-should-I-use-for-my-web-files.html for more information.
What should I do?
If you are a web developer, then you can use the list of affected files provided to go and check the files in your home directory against known good sources. False positives rarely occur, but they do happen. If your account is suspended, then you will have to contact us first to get your account unsuspended. This also gives one of our agents the chance to have a quick look at the nature of the problem and offer some advice if appropriate.
If you do not understand the security report, do not understand the scripting language your site is based on, or you had someone else develop your website for you, then we strongly recommend you seek their assistance in dealing with this issue. We will be happy to work with whoever you authorise to deal with the issue to get you up and running as soon as possible.