
UPDATED: NetCraft got my Shared account Suspended over a False Claim

HuntersPad Member
edited April 2025 in Help

Updated: Got my account back, What netcraft lists in the zip file is NOT in the zip file, which was last modified in 2022.

So either Netcraft is making a false claim, or somehow my cPanel account has been compromised. Still awaiting the host's response. Is there a known vulnerability that can cause zip file contents to be altered without access via FTP/cPanel currently? This occurred on a well known popular provider here.

Basically I was informed that malware was talking back to this cPanel's IP address... Well I'm not hosting special services, so how would that even be possible on a shared host?

From the way Netcraft is talking, not only was I hosting the infected file, the infected file was also TALKING back to the host's server.

Comments

  • wadhah Member, Host Rep
    edited April 2025

    Who informed you? How did you figure out it was altered?

    Do you have access logs that show someone not yourself logging in?

    Zip files can be altered by many things, including apps that add files to them (incremental backup, for example).

    Thanked by oloke
  • HuntersPad Member
    edited April 2025

    @wadhah said:
    Who informed you? How did you figure out it was altered?

    Do you have access logs that show someone not yourself logging in?

    I still have yet to know if it was actually altered. Still waiting on the host to respond.
    I got an email from Netcraft themselves, but it looks like they also forwarded the same email to my host, which then got it suspended.

    Only thing I've gotten back from the host so far is "Your service has been suspended for this reason. To reinstate it, we must request the removal of the content mentioned above."

    Well, I would remove it and investigate, but it's suspended... zero access.

    The Netcraft report is showing several jpg's as being a RAT. The zipped file shouldn't have any jpg's in it. The zipped file only had one single file in it.

  • HuntersPad Member
    edited April 2025

    So this could be a server-side problem and nothing on my end since it's a shared host, right? Assuming it was altered. This was only a simple HTML page, no scripts, nothing.

  • wadhah Member, Host Rep
    edited April 2025

    I had to google Netcraft:

    Netcraft is an Internet services company based in London, England. The company provides cybercrime disruption services across a range of industries.

    Do you use Netcraft, or is it part of your host's mandatory plugins etc.? I'm not very familiar with cPanel things, that's why I'm asking all these questions, sorry.

    Also, can we see the very first email without sharing any personal info? I feel like there's something missing here.

  • HuntersPad Member
    edited April 2025

    @wadhah said:
    I had to google Netcraft:

    Netcraft is an Internet services company based in London, England. The company provides cybercrime disruption services across a range of industries.

    Do you use Netcraft, or is it part of your host's mandatory plugins etc.? I'm not very familiar with cPanel things, that's why I'm asking all these questions, sorry.

    Never heard of them until today. So no clue on them; I've been using cPanel since 2005 and never ran into this issue.

  • wadhah Member, Host Rep

    Do any of the emails contain a link to login? Any links that require you to input your logins?

    Something seems fishy here.

  • Hello,

    You are currently hosting a site which is associated with an ongoing malware attack. The malware either communicates with, or is spread directly by following malicious links:

    You may not have been aware of this attack, however, you are still responsible for removing it.

  • wadhah Member, Host Rep

    @HuntersPad said:
    Hello,

    You are currently hosting a site which is associated with an ongoing malware attack. The malware either communicates with, or is spread directly by following malicious links:

    You may not have been aware of this attack, however, you are still responsible for removing it.

    I don't think you can do anything but wait for an explanation from your provider, right? You can't log in or SFTP or anything?

    Just sit back and relax then; something is really fishy with this.

  • HuntersPad Member
    edited April 2025

    @wadhah said:
    Do any of the emails contain a link to login? Any links that require you to input your logins?

    Something seems fishy here.

    It links directly to Netcraft's own website and shows their "results", and it seems like the host took their report seriously.

  • @wadhah said:

    @HuntersPad said:
    Hello,

    You are currently hosting a site which is associated with an ongoing malware attack. The malware either communicates with, or is spread directly by following malicious links:

    You may not have been aware of this attack, however, you are still responsible for removing it.

    I don't think you can do anything but wait for an explanation from your provider, right? You can't log in or SFTP or anything?

    Just sit back and relax then; something is really fishy with this.

    Nope. I'm just concerned whether the file was indeed altered. If it was, I guess the backups from 6 months ago for all my sites are in order lol.

  • Jency Member

    ZIP files don't change on their own; it's likely due to a compromised plugin, weak file permissions, or outdated software. If the file was "talking back," it was probably unpacked and executed through a vulnerable script. It's recommended to scan everything and wait for your host's full report.

  • UPDATE: ZIP file is NOT altered.... It has a SINGLE file in it, which should be in it. Netcraft says there are 5 different files in that zip, none of which is in it.

  • MikeA Member, Patron Provider

    If it's not private/sensitive data, can you DM me the URL of the .zip in the Netcraft report? I won't open the data myself, just want to check something.

    Thanked by HuntersPad, gbzret4d
  • HuntersPad Member
    edited April 2025

    Got this after disputing their claim.

    "Hello,

    It is possible that the site owner is changing the contents of the file, as we have fetched different files from the same URL over the past month."

    What a joke.

    Also, checking AWStats, the ONLY file being accessed from that site is the one that should be there.

  • Jency Member

    Usually, Netcraft provides the exact URL that's affected. If you're not sure what they're referring to, your hosting provider should be able to check the server logs and trace the issue. They can then take the necessary action if anything suspicious is found.

    The ball is now in the hosting provider's court. It's their turn to check the server and take action based on the claim.

  • @Jency said:
    Usually, Netcraft provides the exact URL that's affected. If you're not sure what they're referring to, your hosting provider should be able to check the server logs and trace the issue. They can then take the necessary action if anything suspicious is found.

    The ball is now in the hosting provider's court. It's their turn to check the server and take action based on the claim.

    The exact URL that was "affected" wasn't affected by anything. The linked URL has NONE of the things Netcraft listed. That's the problem.

  • Dazzle Member

    NetCraft is bullshit, I had a similar incident in 2021.

  • NS32 Member

    Netcraft should stick to their web server surveys. They're not very good at the rest.

  • HuntersPad Member
    edited May 2025

    Netcraft at it again... Now showing I'm hosting completely different files... Also, this time they got the server IP wrong... I guess now to block emails from them.

  • @MikeA said:
    If it's not private/sensitive data, can you DM me the URL of the .zip in the Netcraft report? I won't open the data myself, just want to check something.

    Did you get the URL/zip file?

  • HuntersPad Member
    edited May 2025

    Yeah, last touched/edited in 2022. Only a single file in it, as always. But Netcraft keeps claiming various file names that don't exist. From Roblox to add-on files for Euro Truck Simulator lol.

  • They also sent the abuse email to the provider again....

    I edited the zip file in question and now it has a single empty text file with netcraft in the name. Let's see if they flag it as malware next month... lol

  • JabJab Member
    edited May 2025

    Plot twist: the file is provided via mod_rewrite and/or PHP routing and it's changed on the fly based on some params [like user agent, country/IP, POST form or even random time-based] because the website was hacked.

    Not the first time seeing that.

    Is it? Who the fuck knows :-D

  • HuntersPad Member
    edited May 2025

    @JabJab said:
    Plot twist: the file is provided via mod_rewrite and/or PHP routing and it's changed on the fly based on some params [like user agent, country/IP, POST form or even random time-based] because the website was hacked.

    Not the first time seeing that.

    Is it? Who the fuck knows :-D

    That would be interesting. It's not a WordPress site. It's a single-page basic .html site with a few images and a single zip file. And cPanel/shared hosting.

  • Swiftnode Member, Patron Provider, LIR
    edited May 2025

    I'll chime in here and say that we have received a few reports from Netcraft in the past, and they have all been accurate.

    It's certainly possible that Netcraft is inaccurate here and simply reported a false positive. But don't write them off just because the file seems untouched.

    Remember, it's always possible someone accessed your cPanel account, or the FTP, or even the host's admin account, uploaded files for a malicious campaign, and then restored the original to go undetected for future campaigns.

    which was last modified in 2022.

    Yeah, last touched/edited in 2022.

    File dates are not inherently reliable; you can set a file's modified/created date to anything you want.

    Its single page basic .html site with a few images and a single zip file.

    That does not really mean anything at the end of the day if the server itself will still process a .php file for example.

    It's also possible steps have been taken like JabJab suggested to hide the intrusion and only serve the malicious file to certain end users.

    Treat it like Netcraft is right, even if they're wrong. At the end of the day it's better to lock everything down and verify than to assume and be wrong.

  • aeg Member

    Do you have an access log entry corresponding to Netcraft retrieving the zip, and does the file size in the log entry match the actual file size?
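    A defender-side check for aeg's question above, and for JabJab's conditional-serving scenario earlier in the thread, as an added example that is not from anyone in this thread: it parses constructed Apache/cPanel combined-format access log lines (every IP, path and size below is made up), flags 200 responses for the zip whose byte count differs from the file on disk, and groups served sizes by user agent so that a static file being served in more than one size stands out.

    ```python
    import re
    from collections import defaultdict

    # Constructed sample in Apache "combined" format, as cPanel's domlogs use. Not real data.
    SAMPLE_LOG = """\
    203.0.113.10 - - [12/Apr/2025:10:01:02 +0000] "GET /files/archive.zip HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"
    198.51.100.7 - - [12/Apr/2025:10:05:44 +0000] "GET /files/archive.zip HTTP/1.1" 200 4096 "-" "curl/8.5.0"
    192.0.2.55 - - [12/Apr/2025:11:30:09 +0000] "GET /files/archive.zip HTTP/1.1" 200 261144 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
    203.0.113.10 - - [12/Apr/2025:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"
    """

    # Constructed: what `stat` reports for the zip actually sitting in public_html.
    EXPECTED_ZIP_SIZE = 4096
    ZIP_PATH = "/files/archive.zip"

    LOG_RE = re.compile(
        r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
        r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
    )

    def parse_log(text):
        """Parse combined-format lines into dicts; lines that do not match are skipped."""
        entries = []
        for line in text.splitlines():
            m = LOG_RE.match(line)
            if m:
                d = m.groupdict()
                d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
                d["status"] = int(d["status"])
                entries.append(d)
        return entries

    def find_size_mismatches(entries, path, expected_size):
        """200 responses for `path` whose byte count differs from the file on disk.
        A static zip is not recompressed by mod_deflate, so any mismatch is worth a look."""
        return [e for e in entries
                if e["path"] == path and e["status"] == 200 and e["bytes"] != expected_size]

    def sizes_by_user_agent(entries, path):
        """Map user agent -> set of sizes served for `path`. Different sizes for the same
        static URL across clients is what the mod_rewrite/PHP cloaking scenario looks like."""
        out = defaultdict(set)
        for e in entries:
            if e["path"] == path and e["status"] == 200:
                out[e["ua"]].add(e["bytes"])
        return dict(out)

    if __name__ == "__main__":
        entries = parse_log(SAMPLE_LOG)
        for e in find_size_mismatches(entries, ZIP_PATH, EXPECTED_ZIP_SIZE):
            print(f"size mismatch: {e['ip']} got {e['bytes']} bytes at {e['ts']} ({e['ua']})")
        print(sizes_by_user_agent(entries, ZIP_PATH))
    ```

    Run it against the real domlog with the zip's actual size in place of the constructed one; a mismatch tells you what Netcraft's crawler may have received, and the AWStats hit count alone cannot.
    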

  • HuntersPad Member
    edited May 2025

    @Swiftnode said:
    I'll chime in here and say that we have received a few reports from Netcraft in the past, and they have all been accurate.

    It's certainly possible that Netcraft is inaccurate here and simply reported a false positive. But don't write them off just because the file seems untouched.

    Remember, it's always possible someone accessed your cPanel account, or the FTP, or even the host's admin account, uploaded files for a malicious campaign, and then restored the original to go undetected for future campaigns.

    which was last modified in 2022.

    Yeah, last touched/edited in 2022.

    File dates are not inherently reliable; you can set a file's modified/created date to anything you want.

    Its single page basic .html site with a few images and a single zip file.

    That does not really mean anything at the end of the day if the server itself will still process a .php file for example.

    It's also possible steps have been taken like JabJab suggested to hide the intrusion and only serve the malicious file to certain end users.

    Treat it like Netcraft is right, even if they're wrong. At the end of the day it's better to lock everything down and verify than to assume and be wrong.

    What are the odds of it happening on a completely different host? Different passwords, server, location, etc. Also, the IP address that Netcraft gave for this new report is not even in the same country/datacenter as where it's currently hosted. And not even the IP from where it was hosted before.

  • Verasel Member

    Netcraft are totally bonkers.. I'm not even joking... their reports are legitimate (sometimes), but more often than not... you can't help but send it to trash after reading.
