Suspended due to Nigerian Mail



aurora
06-08-2008, 11:19 PM
Bluehost suspended my account today. They say my account is sending Nigerian scams. I called twice and chatted once about this situation and asked how it is determined that my account is sending this content. They said someone complained and the IP was traced back to my account.

Well I don't know much but seems to me there is a record of at least where this all started. They say no... that the malicious files could be anywhere on my site. I ask for the email to be forwarded to me and that apparently isn't an option.

I asked for help in finding the malicious script. They offered to delete my entire site... which contains several domains.

Questions

Can someone just complain and say they received a Nigerian spam and get someone else tossed? What kind of proof do they need to remove the site and if they can't tell me what the problem is, why are they taking someone's word for it?

This is very frustrating - I need to go through thousands of files and data entries... and no I haven't backed up recently... how dumb is that?

If the hackers are using a vulnerability on my website, how can I prove to bluehost it is fixed if there are no files changed? I've been through the access logs to no avail.

Any help or advice would be appreciated.

charlesgan
06-09-2008, 12:17 AM
Well, as a hosting company, Bluehost support must take action.
Suggest you take the support suggestion to delete the files and reupload.
Change your login details, FTP, cPanel, even MySQL connection login... and make sure it's a strong password.

Eriksrocks
06-09-2008, 01:00 AM
Can someone just complain and say they received a Nigerian spam and get someone else tossed? What kind of proof do they need to remove the site and if they can't tell me what the problem is, why are they taking someone's word for it?
No, they should need proof, specifically an email with headers that trace all the way back to your account. They are telling you what the problem is - that your account is sending Nigerian scam emails, but they can't tell you what script on your site is sending them, because it is impossible to tell.


This is very frustrating - I need to go through thousands of files and data entries... and no I haven't backed up recently... how dumb is that?

Yeah, it sucks, but it is your responsibility to keep your scripts up to date and vulnerability-free. First, prioritize. Update all your 3rd-party scripts to the latest versions. Then, narrow down scripts that use the mail() function or involve sending email in any way. Something that just deals with MySQL databases likely isn't going to be the cause of the spam. ;) Take a look at your log files to see if there is anything weird going on. Also change the passwords for your email accounts. You could easily be exploited through your SMTP server.


If the hackers are using a vulnerability on my website, how can I prove to bluehost it is fixed if there are no files changed? I've been through the access logs to no avail.

Any help or advice would be appreciated.
Well, if you haven't changed anything, then the vulnerability is still there. :rolleyes: Once you find the culprit or fix it, point it out to Bluehost. :) If you can show them that you fixed it they will obviously be happy to continue to let you use your account.

Also, this thread will probably be closed. :)

Early Out
06-09-2008, 04:18 AM
Also, this thread will probably be closed. :)

No, not really. This is a user who needs help. If others can offer help, and if the original poster is willing to take some advice, this can be the kind of thread that this forum is here for.

If it just turns into a "BH is being mean to me" thread, on the other hand.... ;)

aurora
06-09-2008, 06:29 AM
Thanks very much for your responses. I really appreciate the assistance. Still no idea of where the problem is.


If it just turns into a "BH is being mean to me" thread, on the other hand....

No BH has been ok to me. There was one time when my entire box was down for a long time due to DOS and I couldn't get any updates but overall they've been fine. Whenever I've called or emailed they've been helpful.

I just don't like the vagary of this situation.


No, they should need proof, specifically an email with headers that trace all the way back to your account. They are telling you what the problem is - that your account is sending Nigerian scam emails, but they can't tell you what script on your site is sending them, because it is impossible to tell.

I requested that email in my chat. Is there some reason why I wouldn't be able to obtain it?


Yeah, it sucks, but it is your responsibility to keep your scripts up to date and vulnerability-free.
All of my scripts are up to date, in fact I just did an update on a forum 2 days ago that caused usability issues and I was working on resolving those... minor things like message preview not working. We've had some strange visitors on the forum as of late that have started the membership process but didn't follow through.


Then, narrow down scripts that use the mail() function or involve sending email in any way. Something that just deals with MySQL databases likely isn't going to be the cause of the spam. Take a look at your log files to see if there is anything weird going on.

Thanks VERY MUCH for giving me some idea of where to start. I did look over the logs to no avail. Would these scripts include a forum feature that sends mail to users when a thread is updated? Would it also include a forum feature where you can send a thread to someone else with your own comments?

Possible openings are:
The ability to submit an article for the website (which sends a notice to the admin)
the contact forms in various places
The open realty program
The coppermine galleries that allow an ecard to be sent. I have made it impossible for people to comment on photos in the galleries due to links to undesirable sites

I still have questions.
Please excuse my total stupidity when it comes to hackers.

I've checked my access logs and apparently after the site was shut down to "normal" users, I still have logs of visits to the forum. How can this be? Some but not all appear to be spiders.

BH said they received a complaint and tracked it to MY IP.
I have gone to IP neighbors and put in my IP
http://www.myipneighbors.com/
I receive 552 results for my IP
So if they are using my IP as the determiner, shouldn't ALL of those sites be taken down?

How do they specifically trace it to my account?

I receive the Nigerian emails or the like about 30 times a week. I could feasibly take one of those emails, adjust the IP in the header and send it to someone's host, couldn't I?

I am not understanding the process of how they have determined this. My first conversation with support - he simply said my site was phishing and to find the script. Then I called back to ask more questions and he didn't have any more help. (Same person - nice guy.) Then when I contacted them by chat they said... no, it isn't phishing, it is a Nigerian email traced to your IP. The phone support did give me a date - June 6th - but no more details. Why wasn't my site taken down until June 8th if they had this info on June 6?

One of my website forum members was worried that recent fliers he distributed at our local streetscape event on Saturday might have advertised too much and attracted a hacker. My site is a community site for our area. I also host for a local non profit free of charge... pay the domain myself. I found out about the problem from someone who was looking for directions to a concert last night at a church. Sorry to go into it ...irrelevant. I am so upset.

BearState
06-09-2008, 10:49 AM
That the problem relates to email is a good clue.

I don't believe that BH has a global text search tool installed for us to use, and you never know where a snippet may have been inserted into your code to launch those emails. So ... if you haven't updated stuff yet, look first to the last modified dates on your files. Then look through them to see what's in them.

Definitely check your log files ... and do it continuously ... as part of your webmaster duties. I have been looking simply at my last visited details and twice now I have seen intrusion attempts where the hacker enters URLs probing for certain stuff in my webroot, including chat scripts, xml_rpc, awstats.pl, etc. These are clues as to where vulnerabilities lie. If you log these attempts, you know 1) where the vulnerabilities are and 2) if something happens, how they might have gotten into your site.

So how do you fix vulnerabilities when the code was not written by you, but was downloaded for use in your site? The easiest way is to change the names of those files that hackers look for. Make them not so easy to find. Bury them in sub directories and make sure you change code that uses them so that the code uses the new name. I would test this out on a staging server until you're sure you have them all correctly modified. If you allow users to upload stuff, there's another vulnerability that you won't easily be able to detect. Certain file formats can hide viruses.

I recall asking BH once if there was any anti-virus working on the system and the answer was no.

So, for those out there reading, I would love to have an answer to that ... how does one protect their site against malicious uploads ... where your site depends on uploads for its functionality and service?

Brian L. Donat
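A way to do the log review BearState describes, as an added example that is not code from anyone in this thread: it parses combined-format access log lines and reports requests for the kinds of files he names (xmlrpc, awstats.pl, chat scripts) plus clients that rack up 404s while hunting for them. The log lines are constructed and the WATCH list is an assumption to tune to what your own site actually hosts.

```python
"""Triage a web access log for the probing BearState describes above:
requests for files attackers hunt for (xmlrpc, awstats.pl, chat scripts)
and clients piling up 404s while hunting. Added example, not code from the
thread; the log lines are constructed, and WATCH is an assumed list that
you should tune to what your own site hosts."""
import re
from collections import Counter

# Apache "combined" format, as found in cPanel raw access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Substrings of paths the thread mentions probes looking for (assumed spellings).
WATCH = ('xmlrpc', 'xml_rpc', 'awstats.pl', '/chat')

# Constructed sample log; 192.0.2.x / 198.51.100.x / 203.0.113.x are documentation ranges.
SAMPLE_LOG = """\
192.0.2.5 - - [07/Jun/2008:03:12:01 -0600] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Jun/2008:03:12:44 -0600] "GET /xmlrpc.php HTTP/1.1" 404 210 "-" "libwww-perl/5.805"
198.51.100.9 - - [07/Jun/2008:03:12:45 -0600] "GET /awstats/awstats.pl HTTP/1.1" 404 210 "-" "libwww-perl/5.805"
198.51.100.9 - - [07/Jun/2008:03:12:46 -0600] "GET /chat/index.php HTTP/1.1" 404 210 "-" "libwww-perl/5.805"
198.51.100.9 - - [07/Jun/2008:03:12:47 -0600] "GET /forum/index.php HTTP/1.1" 200 8891 "-" "libwww-perl/5.805"
203.0.113.7 - - [07/Jun/2008:04:00:10 -0600] "POST /contact.php HTTP/1.1" 200 312 "http://example.org/contact" "Mozilla/4.0"
192.0.2.5 - - [07/Jun/2008:04:01:00 -0600] "GET /gallery/ecard.php?id=7 HTTP/1.1" 200 1999 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """One log record as a dict, or None for a line that is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text, watch=WATCH, not_found_threshold=3):
    """Return watch-list hits and clients with at least `not_found_threshold` 404s."""
    probes, not_found = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec['path'].lower()
        if any(w in path for w in watch):
            probes.append((rec['ip'], rec['path'], rec['status'], rec['ua']))
        if rec['status'] == '404':
            not_found[rec['ip']] += 1
    noisy = {ip: n for ip, n in not_found.items() if n >= not_found_threshold}
    return {'probes': probes, 'noisy_404_clients': noisy}
```

Run it over the raw access log cPanel lets you download; a client that appears in both lists is the one to check your modification dates against.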

Eriksrocks
06-09-2008, 12:33 PM
I requested that email in my chat. Is there some reason why I wouldn't be able to obtain it?
I don't know, you would have to ask them.


Thanks VERY MUCH for giving me some idea of where to start. I did look over the logs to no avail. Would these scripts include a forum feature that sends mail to users when a thread is updated? Would it also include a forum feature where you can send a thread to someone else with your own comments?

Possible openings are:
The ability to submit an article for the website (which sends a notice to the admin)
the contact forms in various places
The open realty program
The coppermine galleries that allow an ecard to be sent. I have made it impossible for people to comment on photos in the galleries due to links to undesirable sites

Yes. Anything that deals with mail could theoretically be exploited through a security hole to send anything to anyone. The most likely of those listed are the contact forms and the ecard script, although again it could be any of them. :)


I've checked my access logs and apparently after the site was shut down to "normal" users, I still have logs of visits to the forum. How can this be? Some but not all appear to be spiders.
I don't know. Are you sure they aren't your visits?



BH said they received a complaint and tracked it to MY IP.
I have gone to IP neighbors and put in my IP
http://www.myipneighbors.com/
I receive 552 results for my IP
So if they are using my IP as the determiner, shouldn't ALL of those sites be taken down?

How do they specifically trace it to my account?
They've tracked it to more than your IP. Every email sent from Bluehost contains headers that trace it to your specific account. For example, here is an email I just sent from my account using the mail function:


Received: (qmail 18459 invoked by uid 0); 9 Jun 2008 18:03:13 -0000
Received: from unknown (HELO box413.bluehost.com) (69.89.31.213)
by outboundproxy2.bluehost.com with SMTP; 9 Jun 2008 18:03:13 -0000
Received: from localhost ([127.0.0.1] helo=box413.bluehost.com)
by box413.bluehost.com with esmtp (Exim 4.68)
(envelope-from <medtrend@box413.bluehost.com>)
id 1K5li4-0000Oa-P8
for eriksrocks@mailinator.com; Mon, 09 Jun 2008 12:03:12 -0600
Date: Mon, 09 Jun 2008 12:03:12 -0600
To: eriksrocks@mailinator.com
Subject: Set headers..
MIME-Version: 1.0
From: JAMES@EXAMPLE.COM
X-Mailer: PHP/5.2.6
X-Identified-User: {2746:box413.bluehost.com:medtrend:medtrendgroup.com} {sentby:program running on server}
DomainKey-Status: no signature

Hey what are we doing this weekend?

I pointed out the areas in bold and the specific username in red. In this case my account username is medtrend and my main domain is medtrendgroup.com . The headers are automatically added to every email sent out from your domain, and this is how they trace it back. :)



I receive the Nigerian emails or the like about 30 times a week. I could feasibly take one of those emails, adjust the IP in the header and send it to someone's host, couldn't I?
Nope, not really. The IP headers can't be modified, as they are added by the server every step along the way. A spammer could send an email through an "Open Relay." In this case it wouldn't be traceable back to the original sender, but it would not appear to come from your account.



Why wasn't my site taken down until June 8th if they had this info on June 6?


Probably just to give you some time. ;)

aurora
06-13-2008, 12:03 PM
Thank you for your support. It is greatly appreciated.

I called again and another support person said he was not supposed to tell me the problem and he was only being "nice." He said that if I updated or removed 3 fantastico installs and called back that they would reinstate my account.

I hardly ever used the fantastico installs.

I removed 2 and tried to update one which I do use. The version offered by BH was not the most recent security update for that script... I had to dump my data, remove it and install it manually since I could not bring it up to date through fantastico. If BH provides the fantastico scripts, why on earth would he say he was not allowed to tell me that the issue was probably related to those scripts.

In regard to the email headers. How does a person forward an email to an abuse department without having access to edit the header? You just pasted a header into this thread.

Couldn't someone feasibly take a legitimate email from my domain and paste in some scam and send it to the host or does it have to be sent in a certain manner?


Received: (qmail 18459 invoked by uid 0); 9 Jun 2008 18:03:13 -0000
Received: from unknown (HELO box413.bluehost.com) (69.89.31.213)
by outboundproxy2.bluehost.com with SMTP; 9 Jun 2008 18:03:13 -0000
Received: from localhost ([127.0.0.1] helo=box413.bluehost.com)
by box413.bluehost.com with esmtp (Exim 4.68)
(envelope-from <medtrend@box413.bluehost.com>)
id 1K5li4-0000Oa-P8
for eriksrocks@mailinator.com; Mon, 09 Jun 2008 12:03:12 -0600
Date: Mon, 09 Jun 2008 12:03:12 -0600
To: eriksrocks@mailinator.com
Subject: Set headers..
MIME-Version: 1.0
From: JAMES@EXAMPLE.COM
X-Mailer: PHP/5.2.6
X-Identified-User: {2746:box413.bluehost.com:medtrend:medtrendgroup.com} {sentby:program running on server}
DomainKey-Status: no signature

Scam email pasted in...
I will give you a million dollars if you handle some transactions for me.
blah blah blah



I am back online. The abuse department said my site could be taken off again without notice if there are any more complaints.

aurora
06-13-2008, 12:06 PM
Originally Posted by aurora
I've checked my access logs and apparently after the site was shut down to "normal" users, I still have logs of visits to the forum. How can this be? Some but not all appear to be spiders.

I don't know. Are you sure they aren't your visits?



Actually one was Yahoo and the other was not my IP. The abuse department explained that the visitors probably encountered a "not found." But that is not what my log said. It said they were browsing messages on a Simple Machines forum.

Eriksrocks
06-13-2008, 12:51 PM
Couldn't someone feasibly take a legitimate email from my domain and paste in some scam and send it to the host or does it have to be sent in a certain manner?


No, because all of the Received: headers are created when the email is sent and as it goes along its internet journey to its destination, so it is impossible to copy them or forge them.


Received: (qmail 18459 invoked by uid 0); 9 Jun 2008 18:03:13 -0000
Received: from unknown (HELO box413.bluehost.com) (69.89.31.213)
by outboundproxy2.bluehost.com with SMTP; 9 Jun 2008 18:03:13 -0000
Received: from localhost ([127.0.0.1] helo=box413.bluehost.com)
by box413.bluehost.com with esmtp (Exim 4.68)
(envelope-from <medtrend@box413.bluehost.com>)
id 1K5li4-0000Oa-P8
for eriksrocks@mailinator.com; Mon, 09 Jun 2008 12:03:12 -0600

You could paste in a spam email and forge the rest of the headers, but the received headers would not be the same - they would show the email coming from a scammer's server and not yours.

Hope that makes sense. :)

felgall
06-13-2008, 01:06 PM
The version offered by BH was not the most recent security update for that script... I had to dump my data, remove it and install it manually since I could not bring it up to date through fantastico. If BH provides the fantastico scripts, why on earth would he say he was not allowed to tell me that the issue was probably related to those scripts.


BlueHost doesn't provide the Fantastico copies of the scripts - they are provided by Fantastico. All BlueHost provide is a link to Fantastico and that will be disappearing as soon as BlueHost finish making sure that SimpleScripts works properly. SimpleScripts is similar to Fantastico except that SimpleScripts was actually created by BlueHost to solve the problem that Fantastico never installs security patches quickly enough and services installed via Fantastico end up almost always being prone to various exploits. Rather than just removing Fantastico, BlueHost decided to create their own replacement and to even offer that to other hosting providers as a better alternative to Fantastico.

The site owner is always responsible for the scripts that they run on the hosting, which is one of the many reasons why it is usually better to do a manual install rather than relying on someone else such as Fantastico or SimpleScripts to do it for you.

aurora
06-13-2008, 07:21 PM
You could paste in a spam email and forge the rest of the headers, but the received headers would not be the same - they would show the email coming from a scammer's server and not yours.

Hope that makes sense.

no it doesn't, but I'm dense.

How does one send an email to an abuse department?
Is it forwarded or attached?

aurora
06-13-2008, 07:25 PM
The site owner is always responsible for the scripts that they run on the hosting, which is one of the many reasons why it is usually better to do a manual install rather than relying on someone else such as Fantastico or SimpleScripts to do it for you.


I realize that, but for the support person to say he wasn't SUPPOSED to tell me that fantastico was the reason they ditched my account?

hmmmmmm

Eriksrocks
06-13-2008, 08:51 PM
no it doesn't, but I'm dense.

How does one send an email to an abuse department?
Is it forwarded or attached?

Okay, I understand now what I didn't before. Yes, someone could theoretically send an email to the abuse department like:


Hey, I got this spammy email and I think it's coming from a website hosted by you. Here is the email that I got:

Received: (qmail 18459 invoked by uid 0); 9 Jun 2008 18:03:13 -0000
Received: from unknown (HELO box413.bluehost.com) (69.89.31.213)
by outboundproxy2.bluehost.com with SMTP; 9 Jun 2008 18:03:13 -0000
Received: from localhost ([127.0.0.1] helo=box413.bluehost.com)
by box413.bluehost.com with esmtp (Exim 4.68)
(envelope-from <medtrend@box413.bluehost.com>)
id 1K5li4-0000Oa-P8
for eriksrocks@mailinator.com; Mon, 09 Jun 2008 12:03:12 -0600
Date: Mon, 09 Jun 2008 12:03:12 -0600
To: eriksrocks@mailinator.com
Subject: Set headers..
MIME-Version: 1.0
From: JAMES@EXAMPLE.COM
X-Mailer: PHP/5.2.6
X-Identified-User: {2746:box413.bluehost.com:medtrend:medtrendgroup.com} {sentby:program running on server}
DomainKey-Status: no signature

Then they paste in scam text here, even though all of the headers and the rest of the email were legitimate from your domain.

I see what you're getting at, sorry I didn't understand before. You are right - they could send an email to the abuse department complaining and then paste in some scam message with headers from a legitimate email. :)

They could not, however, send an email directly to anyone that contains a spam message and appears to come from your domain. The only way they could fake the message is if they pasted it in the contents of an email and then sent that new email to someone, like in the example above. :)

Hope that clears things up. As far as sending the email to the abuse department, I suppose it could be either forwarded or attached. :)
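The two points Eriksrocks makes in his posts above (the Received chain and X-Identified-User tie a message to a hosting account; headers pasted into the body of a complaint prove nothing about the outer message) in working code, as an added example that is not code from anyone in this thread. SAMPLE reuses the headers quoted in the thread; COMPLAINT is a constructed abuse report with example.net and .example names and a documentation-range IP.

```python
"""Walk a message's Received chain and pull the hosting-account tag from
X-Identified-User (what Eriksrocks shows above), then show why headers
pasted into the *body* of a complaint are not evidence. Added example,
not the poster's code. SAMPLE reuses the headers quoted in the thread;
COMPLAINT is a constructed abuse report with example.net/.example names."""
import email
import re

SAMPLE = """\
Received: (qmail 18459 invoked by uid 0); 9 Jun 2008 18:03:13 -0000
Received: from unknown (HELO box413.bluehost.com) (69.89.31.213)
  by outboundproxy2.bluehost.com with SMTP; 9 Jun 2008 18:03:13 -0000
Received: from localhost ([127.0.0.1] helo=box413.bluehost.com)
  by box413.bluehost.com with esmtp (Exim 4.68)
  (envelope-from <medtrend@box413.bluehost.com>)
  id 1K5li4-0000Oa-P8
  for eriksrocks@mailinator.com; Mon, 09 Jun 2008 12:03:12 -0600
Date: Mon, 09 Jun 2008 12:03:12 -0600
To: eriksrocks@mailinator.com
From: JAMES@EXAMPLE.COM
X-Mailer: PHP/5.2.6
X-Identified-User: {2746:box413.bluehost.com:medtrend:medtrendgroup.com} {sentby:program running on server}

Hey what are we doing this weekend?
"""

# Constructed: only the outer headers were stamped by mail servers; the body
# (including the pasted Received/X-Identified-User lines) is just text the
# complainant typed or pasted.
COMPLAINT = """\
Received: from mail.example.net ([192.0.2.10]) by mx.hosting.example with esmtp; Sat, 07 Jun 2008 09:00:00 -0000
From: complainant@example.net
To: abuse@hosting.example
Subject: spam from your customer

Hey, I got this spammy email. Here is what I received:

Received: from localhost ([127.0.0.1] helo=box413.bluehost.com)
X-Identified-User: {2746:box413.bluehost.com:medtrend:medtrendgroup.com}
I will give you a million dollars if you handle some transactions for me.
"""

IDENT = re.compile(r'\{(\d+):([^:]+):([^:]+):([^}]+)\}')
HEADER_LINE = re.compile(r'^(Received|X-Identified-User|From|To|Date|Subject):', re.I)

def received_chain(raw):
    """Hops in delivery order (bottom-most Received first). Each line was
    added by the 'by' server when it accepted the message from 'from'."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all('Received') or []):
        value = ' '.join(value.split())           # unfold continuation lines
        if value.startswith('(qmail'):            # qmail local injection, no from/by
            hops.append({'from': 'local', 'by': 'qmail', 'raw': value})
            continue
        frm = re.match(r'from\s+(\S+)', value)
        by = re.search(r'\bby\s+(\S+)', value)
        hops.append({'from': frm.group(1) if frm else None,
                     'by': by.group(1) if by else None, 'raw': value})
    return hops

def identified_account(raw):
    """(uid, server, cPanel user, main domain) from X-Identified-User, or None."""
    value = email.message_from_string(raw).get('X-Identified-User')
    m = IDENT.search(' '.join(value.split())) if value else None
    return (int(m.group(1)), m.group(2), m.group(3), m.group(4)) if m else None

def header_lines_in_body(raw):
    """Header-looking lines inside the body: pasted text, not server evidence."""
    msg = email.message_from_string(raw)
    body = '' if msg.is_multipart() else msg.get_payload()
    return [ln for ln in body.splitlines() if HEADER_LINE.match(ln)]
```

For COMPLAINT the outer chain only shows the complainant's own mail server and no X-Identified-User at all, which is why an abuse desk should ask for the original message as an attachment (so its own headers survive) rather than pasted text.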

aurora
06-14-2008, 04:41 AM
I see what you're getting at, sorry I didn't understand before. You are right - they could send an email to the abuse department complaining and then paste in some scam message with headers from a legitimate email.

Thanks for clearing that up for me. I asked the abuse department the same question ... if someone could take a legit email and paste in a scam message. I also requested a copy of the message ... so far no word. I'm sure they are busy with other garbage clean up. I realize they can't take any complaint lightly. I want to see if the date coincides with an email that went out to local chamber of commerce members about a community event.

Don't various trojans invade address books and send themselves out "from" those addresses? Probably not a case of adjusted headers though?

aurora
06-14-2008, 04:43 AM
I can see why BH wants to phase out fantastico.

KenJackson
06-14-2008, 05:47 AM
I got that Nigerian scam letter for the first time a long time ago. Someone has really been milking that thing.

A few years ago I heard a report that the government of Nigeria was concerned that the only thing most people in the world have ever heard about the nation of Nigeria is that scam. If it were my little country I would be urgently concerned. Yet they apparently aren't concerned enough.

This thread is kind of a scary saga. :eek: I understand that since BlueHost serves such a large number of sites, they will naturally attract abusers and that they must deal with them effectively to avoid getting all of our IP addresses black-listed. But this just leaves me hoping they are thorough in their investigations so the innocent don't get canned.

I sure do wish the inventors of the SMTP protocol had taken human nature into account and made it more difficult for evildoers to hide.

aurora
06-14-2008, 06:59 AM
I understand that they need to take every complaint seriously. And it might have been due to a script vulnerability, which may or may not have been fixed. There are no hard feelings except with the way it was handled.

The irritation was that they said they seemed unsure of what the problem was.

The first support person said I had a phishing website on my account and I would be able to find it by looking for suspicious new files. At that time I had no control panel or FTP either and they had to activate both for me in order for me to look for the problem.

The chat support person said it was not a phishing site but a Nigerian email was sent from my account.

The third support person told me that he was only being nice and was not supposed to tell me that if I updated the fantastico scripts and called back they would remove the block. If he hadn't told me I would still be offline.

When I called back the abuse department said to check my website for suspicious files via FTP sorting by "date modified" which I had already done. They could give me no idea of what the problem was.

In all this I had the feeling that the left hand didn't know what the right hand was doing. It bothered me when he said he was just being nice.

I'm happy to be back online but am holding my breath that it could go offline again.

I feel that Bluehost is an excellent host and they did what they did to protect their reputation and their customers... but on the other hand they didn't agree about why they did it! LOL

Thanks again for all of the help and advice. It is greatly appreciated.

Early Out
06-14-2008, 07:02 AM
While I can understand why BH support staff doesn't want to get into the business of cleaning up users' sites, I am a little troubled when the line they give you is, "We know what the problem is, but it's a big secret." :rolleyes:

Eriksrocks
06-14-2008, 11:46 AM
I am a little troubled when the line they give you is, "We know what the problem is, but it's a big secret." :rolleyes:

Yeah. :eek: It's weird when they give you three different answers, and one tells you that he's only "being nice" and isn't really supposed to tell you the cause at all. :rolleyes:

felgall
06-14-2008, 03:28 PM
If they know the cause of the problem and they don't tell you so that you know what to fix then they are contributing to the problem. Hopefully this was just a one-off and not part of some policy.

aurora
06-28-2008, 05:43 PM
Well it happened again.

The abuse department is out on the weekends but the site gets suspended on the weekends.

All of my scripts are up to date.

They will tell me nothing. They never answered my emailed question about someone being able to spoof a scam email. I am currently moving all configuration files out of the public_html folder which is where they are installed by default even BY BLUEHOST. I can't test it though unless I can go online.

Is anyone else here getting suspended on a regular basis with no explanation?