The question I’m facing is, if a large international group like Endurance allows one web hosting service to behave unethically, does that mean its other web hosting services are likely to exhibit unethical behaviors as well?
Endurance International Group is home to iPage and BlueHost, as well as many other hosting services.
7/5/2015 ~ Because of serious problems with iPage from 7/1/2015 to 7/5/2015, I decided to migrate my five sites to BlueHost. I was happy as a clam until iPage called and their telephone I.D. popped up as Endurance. That’s also BlueHost’s parent company.
How serious were the problems? In my estimation, very. iPage suspended my sites after I asked for a SiteLock refund of $59.99 for one of my sites that’s too small to warrant the expenditure. iPage made the interruption of service look as if it was the result of malicious files being detected on one of my sites. To me it looked as if iPage either called good files infected, or infected good files in order to effectively force me to buy SiteLock 911 in reprisal for removing SiteLock from one of my sites.
Time Line 1
06/30/2015 9:49 PM EDT ~ Me: Yes, I need to have it refunded. (support ticket)
07/01/2015 4:53 AM EDT ~ iPage: I have canceled SiteLock Fix (support ticket)
7/01/2015 9:15 AM MT ~ iPage emailed me:
Hello,
Our server monitors have noticed that your account files are hacked so we have suspended all your websites. The scan report is available in /stats/infected.txt of your account web directory. I suggest you to delete the hacked files and re upload clean files from your local backup. Once the clean files are uploaded then get back to us so that we can enable your account back. Please reset your account/FTP password to strong value. Also, upgrade the application, theme and plugins to its latest version.
I could see that you have SiteLock plan SiteLock-for-WP enabled for the domain health-boundaries.com . I would recommend you to purchase a SiteLock of '911+Prevent' plan which scans as well as removes the malware from your website files and submit the domain which is pointing to the home directory of your account to the SiteLock of purchased 'Prevent' plan. So that, the SiteLock scan the complete web directory of your account and remove the malware from your website files. You can upgrade the plan at https://www.ipage.com/controlpanel/SiteLock/SiteLock.bml . Please call (800) 608-0919 if you would like to speak with one of our SiteLock support representatives.
However, when I checked the hacked files list mentioned in /stats/infected.txt file, all the files were in zip and gz format. SiteLock will not remove the hacked contents from zipped files. You will have to unzip the files and then enable the SiteLock Prevent+911 plan for the domain .
Also, please refer the following knowledgebase article to know about avoiding hackers attack in future: http://www.ipage.com/knowledgebase/beta/article.bml?ArticleID=2324 .
Sincerely,
Anupama H
Senior Technical Specialist
So, my $59.99 refund wasn’t going to be enough to pay for SiteLock to fix the hacked files.
On the other hand, looking at it from SiteLock’s point of view, the refund was a step toward asking for more money to fix a problem it looked like I created by having SiteLock removed. Thing is, to me it seemed suspicious that the problem and cost appeared in such close proximity to me asking for SiteLock to be removed and money refunded.
I called iPage where a tech put me in contact with Jenna Swift, a security consultant with SiteLock. Jenna said, not surprisingly, that I should buy the SiteLock 911 and have the malicious files removed professionally. She made a show of describing how difficult this would be for me.
I asked her to email me a list of the exact files that were infected. When the list arrived I saw that the infected files were all in my main site which still had SiteLock. I pointed this out to iPage techs who replied that there are levels of protection and the protection I had was not sufficient for the threats. Several iPage techs said WordPress has a lot of vulnerabilities.
Further, the “malicious” files identified in the email were each labeled, “NoSuspend.NotifyOnly-19.UNOFFICIAL FOUND”. When I saw that, I told iPage that my sites should not have been suspended. Shortly thereafter iPage made my sites available. Happiness. It was all over and I was grateful.
Articles on web security
WordPress Under Attack As Double Zero-Day Trouble Lands ~ Read more.
The Forbes Hack and How Your Visitors are Targets Too ~ Read more
DDoS Attacks Continue To Rise ~ Read more.
Hacking: Why Any Business Can Be At Risk And How To Prevent It ~ Read more.
I changed all my passwords and made them more tricky. I removed “Admin” as a user of my sites. I read security plugin reviews and chose to install Wordfence, which has excellent reviews.
Wordfence scanned each site as I installed it. Happiness. Then, alerts began to arrive. Someone in the Netherlands was trying to sign into one of my sites as Admin. Wordfence stopped the intruder after 20 tries but several email alerts followed. The would-be intruder’s persistence caused me to limit login tries to 5 and to increase the lock out time.
Accounts suspended again
July 3, 2015 I woke up curious to see if the Netherlands hacker had made more attempts. To my surprise, my sites were suspended.
When I asked followers on Twitter if they could see my site, they said they could. That made it clear that my experience of my website was being targeted, which would be the way to make me buy SiteLock 911. When I told an iPage tech that my followers on Twitter could see my site, he scoffed and said they weren’t really seeing it, they were seeing cached images. Be that as it may, Google continued to keep track of visitors with no interruption.
Time Line 2
7/1/2015 Grow your Vitamins is Not Found.
7/1/2015 Grow your Vitamins is in trash, I remove each page and publish.
7/1/2015 Grow your Vitamins media file is completely gone
7/1/2015 install WordFence on each site, set options and scan.
7/1/2015 6:25 PM MT WordFence notification: User locked out from signing in
7/1/2015 6:28 PM MT WordFence notification: User locked out from signing in
7/1/2015 7:07 PM MT WordFence notification: User locked out from signing in
7/1/2015 10:26 PM MT WordFence notification: User locked out from signing in
7/1/2015 11:43 PM MT WordFence notification: User locked out from signing in
7/1/2015 11:44 PM MT WordFence notification: User locked out from signing in
7/1/2015 7:07 PM MT WordFence notification: User locked out from signing in
7/2/2015 6:57 PM MT Great iPage tech restores Grow your Vitamins
7/3/2015 Turn on computer, sites “Temporarily Unavailable”
7/3/2015 Immediately call iPage
7/3/2015 9:06 AM MT iPage email “I have scanned the files within the account and found no traces of malicious content.”
7/3/2015 sites restored, but not all functionality
7/4/2015 5:16 AM MT iPage email “we have suspended your account so your websites are showing ‘Unavailable’”
7/4/2015 11:17 AM EDT iPage notifies me re activity on support ticket 14252247, (activity is now removed)
7/4/2015 PM talk with BlueHost sales rep. His email is @endurance.com
7/4/2015 9:48 PM MT BlueHost emails me that Order is Complete
7/5/2015 12:20 PM MT Michael C of Endurance, per Caller ID, says he’s calling from iPage
On 7/4/2015, iPage said it had found 12 malicious files. Show me, I said. When an email with the file names arrived, Joe, the tech, helped me remove each “malicious” file and said he would have my site removed from suspension. That said, within a couple hours each of my sites partially worked, but not entirely. Another tech had me clear my cache and the browser cache, which I think really may be the same. Still my main site would not work and kept saying “TEMPORARILY UNAVAILABLE.”
Nevertheless, I was happy that Wordfence wasn’t warning me about ongoing intruder attempts, right up until I discovered that there were no warnings because my Wordfence had been disabled. Yes, iPage had labeled the Wordfence security certificate “malicious” and had me remove it with the help of Joe, the iPage tech. Calling Wordfence “malicious” accounted for 7 of the 12 so-called malicious files.
The sequence of events made me wonder if the Netherlands would-be hacker was associated with SiteLock, helping SiteLock convince me I needed to buy more SiteLock.
This is the first WordFence alert re the Netherlands intruder:
A user with IP address 188.8.131.52 has been locked out from the signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: 20. The last username they tried to sign in with was: 'looking-good.org' User IP: 184.108.40.206 User hostname: 220.127.116.11 User location: Groningen, Netherlands
The Netherlands person changed IP addresses three times, then began trying to log in as Administrator, rather than Admin. After I increased the lock out time in WordFence the intruder appears to have given up. See Time Line 2, above.
iPage later admitted that it had false positives when it scanned my files. However, each of those admissions has been removed from my Support Files:
Support Ticket #14252247
07/03/2015 9:25 AM EDT Ticket Created
07/05/2015 2:54 PM EDT Ticket Merged
Support Ticket #14256255
07/04/2015 8:19 PM EDT Ticket Created
07/04/2015 9:18 PM EDT Ticket Merged
07/05/2015 12:30 PM EDT Karen Kline contacted iPage
07/05/2015 12:31 PM EDT Karen Kline contacted iPage
7/6/2015 ~ When I called iPage WP Essential support asking for help to see my support files, I was told that they had been moved to “private”.
There is a support file that has iPage responses from Sam Gallen, iPage Manager, but they are all written to make iPage look good.
I surmise that my support files were hidden by iPage around the time this email was sent to me:
I suspect the operative words are in the subject line: “Threatening Legal Action”.
Apparently Michael C. was feeling guilty and jumped to the conclusion legal action would be foreseeable. I did not say anything about taking legal action. What I said was that it was highly disruptive to have iPage suspend my account and make me spend so much time getting it working when I was supposed to be preparing for a meeting with my lawyer’s assistant. The meeting was in reference to mediation with Wells Fargo. Michael C. did not ask me to clarify, however; he simply assumed I would take legal action against iPage for the apparent fraud.
It turns out that the hosting companies I am most familiar with are all part of the Endurance International Group.
But, in addition to these hosting companies which I know either from experience or from reading reviews, there are sites which list over 60 web hosting companies they say are owned by Endurance. I don’t have time to check the accuracy, so I’m not including either the link or the list. You can Google for it, if you are interested.
Other fake security scams ~ Read more.
7/14/2015 ~ Today all 5 of my sites have serious errors, to include missing or incomplete sidebars and a near total lack of Google ads, which I had hoped would help me keep my home.
The error message at the top of my Admin pages says the same thing for each site, with the exception that the name of the site changes:
2270 Jul 1 20:55 050_start.php
-rw-r--r-- 1 4296883 15000 7470 Jul 1 20:55 100_head.php
-rw-r--r-- 1 4296883 15000 5235 Jul 1 20:55 300_comments.php
-rw-r--r-- 1 4296883 15000 39488 Jul 1 20:55 400_css_settings.php
-rw-r--r-- 1 4296883 15000 2266 Jul 1 20:55 450_css_files.php
-rw-r--r-- 1 4296883 15000 15056 Jul 1 20:55 600_main_templates.php
-rw-r--r-- 1 4296883 15000 22940 Jul 1 20:55 650_sub_templates.php
-rw-r--r-- 1 4296883 15000 2375 Jul 1 20:55 900_export_import.php
-rw-r--r-- 1 4296883 15000 1278 Jul 1 20:55 950_admin_settings.php
-rw-r--r-- 1 4296883 15000 4333 Jul 1 20:55 help.php
Warning: Invalid argument supplied for foreach() in /home/healt411/public_html/off-grid-insights.com/wp-content/themes/montezuma/includes/admin.php on line 754
Warning: Invalid argument supplied for foreach() in /home/healt411/public_html/off-grid-insights.com/wp-content/themes/montezuma/includes/admin.php on line 794
Warning: Invalid argument supplied for foreach() in /home/healt411/public_html/off-grid-insights.com/wp-content/themes/montezuma/includes/admin.php on line 810
Warning: Invalid argument supplied for foreach() in /home/healt411/public_html/off-grid-insights.com/wp-content/themes/montezuma/includes/admin.php on line 708
Warning: Invalid argument supplied for foreach() in /home/healt411/public_html/off-grid-insights.com/wp-content/themes/montezuma/includes/admin.php on line 871
Up until iPage suspended my accounts and made me remove files, to include my WordFence Security Certificates, I had never seen the phrase “wp-content” before.
Here is a copy of the email iPage sent saying they didn’t actually find anything malicious in my files:
I have scanned the files within the account and found no traces of malicious content. If you do notice illegitimate content within the account we suggest removing all files and reinstating a backup copy from your end. Furthermore, we suggest you change all passwords within the account (including mailboxes) and scan any local computers for malware.
There were several SEO-SPAM files though. These files, while not necessarily Malicious can harm your domain’s search engine ranking and should be addressed.
/dbBackups/wrd_lfk4ol7edk_Jul01.sql: EIG.LinkSpam.NoSuspend.NotifyOnly-19.UNOFFICIAL FOUND
/health-boundaries/dbbackup3-6-14/health-boundaries.sql.zip: EIG.LinkSpam.NoSuspend.NotifyOnly-19.UNOFFICIAL FOUND
/health-boundaries/wp-content/updraft/backup_2014-03-08-1027_Health_Boundaries_eb88f3b9ea39-db.gz: EIG.LinkSpam.NoSuspend.NotifyOnly-19.UNOFFICIAL FOUND
/health-boundaries/wp-content/updraft/backup_2014-02-28-0702_Health_Boundaries_3ac841fc2d4e-db.gz: SiteLock-HTML-SEOSPAM-ave.UNOFFICIAL FOUND
/barbed-wire-justice/wp-content/updraft/backup_2015-07-01-2021_Barbed_Wire_Justice_91a00e6cfe7c-db.gz: EIG.LinkSpam.NoSuspend.NotifyOnly-19.UNOFFICIAL FOUND
Thank you for your attention to this issue. I have revoked the suspension on your account. If you are still unable to access your web files, please try clearing your browser’s cache, and try again.
Now that your account is active again, it might be a good time to review your applications to make sure they are up to date. This goes for plugins and themes as well.
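
The scan lines quoted in the email above follow the `path: Signature FOUND` layout that ClamAV's clamscan prints, where a `.UNOFFICIAL` suffix marks a signature that does not come from the official database. The following is an added example, not part of the original post or any iPage or SiteLock tooling, showing one way a site owner could triage such a report. It assumes the `NoSuspend` and `NotifyOnly` tokens in a signature name mean what they say, and it includes one constructed line for contrast.

```python
# Scan lines quoted in the email above, plus one constructed line (the last) for contrast.
REPORT = """\
/dbBackups/wrd_lfk4ol7edk_Jul01.sql: EIG.LinkSpam.NoSuspend.NotifyOnly-19.UNOFFICIAL FOUND
/health-boundaries/dbbackup3-6-14/health-boundaries.sql.zip: EIG.LinkSpam.NoSuspend.NotifyOnly-19.UNOFFICIAL FOUND
/health-boundaries/wp-content/updraft/backup_2014-03-08-1027_Health_Boundaries_eb88f3b9ea39-db.gz: EIG.LinkSpam.NoSuspend.NotifyOnly-19.UNOFFICIAL FOUND
/health-boundaries/wp-content/updraft/backup_2014-02-28-0702_Health_Boundaries_3ac841fc2d4e-db.gz: SiteLock-HTML-SEOSPAM-ave.UNOFFICIAL FOUND
/barbed-wire-justice/wp-content/updraft/backup_2015-07-01-2021_Barbed_Wire_Justice_91a00e6cfe7c-db.gz: EIG.LinkSpam.NoSuspend.NotifyOnly-19.UNOFFICIAL FOUND
/example-site/wp-content/uploads/sample.php: Constructed.Example.Sig-1.UNOFFICIAL FOUND
"""

# Database dumps and archives: stored data, not files the web server executes.
BACKUP_EXTS = (".sql", ".zip", ".gz")


def parse_line(line):
    """Split 'path: Signature FOUND' into a finding dict, or return None."""
    line = line.strip()
    if not line.endswith(" FOUND") or ": " not in line:
        return None
    path, sig = line[: -len(" FOUND")].rsplit(": ", 1)
    return {
        "path": path,
        "signature": sig,
        "top_dir": path.strip("/").split("/")[0],
        "third_party": sig.endswith(".UNOFFICIAL"),
        # Assumption: these name tokens describe the intended handling of a hit.
        "notify_only": "NoSuspend" in sig or "NotifyOnly" in sig,
        "backup_artifact": path.lower().endswith(BACKUP_EXTS),
    }


def triage(report):
    """Return (all findings, findings to review first)."""
    findings = [f for f in map(parse_line, report.splitlines()) if f]
    # Review first: hits that are neither notify-only nor confined to a backup file.
    review_first = [f for f in findings
                    if not f["notify_only"] and not f["backup_artifact"]]
    return findings, review_first


if __name__ == "__main__":
    findings, review_first = triage(REPORT)
    for f in findings:
        flags = [k for k in ("third_party", "notify_only", "backup_artifact") if f[k]]
        print(f"{f['top_dir']:20} {f['signature']:48} {','.join(flags)}")
    print("review first:", [f["path"] for f in review_first])
```

Run against the five lines from the email alone, the review-first list is empty: every hit is in a database dump or backup archive, and four of the five carry the notify-only tokens.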