Why have I received a Security Notice and why has my account been suspended?

Security Notice emails have a subject line of: Krystal Hosting <> Security Notice [username] on [server name]

Krystal servers scan all files that are uploaded in real time and server-wide scans are conducted on a regular basis. If we detect a large scale malware attack in your account then your account may be automatically suspended.

This guide has details on how to read and understand the contents of the Security Notice email and report. It also has details of how to unsuspend your account your self from within your Krystal Client Area - but you should only do this once you understand the issue and are able to fix it. If the issue remains unresolved your account will be suspended again.

We have a separate guide to help you get started with removing malware - but if you're not confident, you'll likely need to seek the assistance of a developer who can help you clean your site.

Why do we suspend your account?

People often ask us why we suspend accounts before contacting our customer. We don't do it to annoy you - but because:

  • it protects against further damage to your website - the longer they have access, the more likely it is they will install more, harder to detect, backdoors
  • it protects against severe loss of search engine ranking for your website due to an SEO poisoning attack
  • it protects against your website being blacklisted by google and other search engines
  • it protects your email against unauthorised access (once your website is compromised, an attacker may be able to gain access to your email messages)
  • it protects our server against being abused as part of a botnet (a remotely controlled cyber-missile!)

We try to explain it like this - if you owned a shop, and there had been robbers and bandits in there, you would not want to risk your reputation (and a law suit) by allowing the public back in until you were sure things were safe!

How to read the reports

The Security Notice email will normally include a list of affected files at the bottom, or as an attachment if the list is very large. Each line of the report will detail a problem or suspect file in this order

Alert Level, Month, Date, Time, Server, [ Filename ], Description

Examples:

Warning - Jan 28 05:00:07 artemis ['/home/binky/public_html/shop/code.php'] - (decoded file [depth: 1]) Regular expression match = [decode regex: 1]

Critical - Jan 28 07:04:20 artemis ['/home/binky/public_html/tmp/images/jdhu.php'] - Suspicious Image File [PHP Script]

Legacy Script - Jan 28 23:07:59 artemis ['/home/binky/public_html/smf/index.php'] - Script version check [OLD] [SMF v1.1.18 < v2.0.5]

The above examples show the THREE types of match you may be notified of.

Legacy Script

Our software checks a broad range of popular web applications to see if the installed version is the latest available. It is reasonably accurate and provides a useful reminder to update the software your website uses to reduce the risk of it being exploited. The files listed are NOT MALWARE - they are just scripts that you should consider updating. If you did not design your website, or are unsure whether you should update your files or not then you should seek assistance from an experienced web developer. Remember, before updating anything, always download a full backup of your website files and databases in case something goes wrong during the update.

If you do not wish to receive Security Notice emails solely because of Legacy Script warnings, then place an empty file called nolegacy.scan in the root (top level) of your home directory.

Warning

These are issues we have found that are worth investigating, but are often false positives. Our system is not confident enough to suspend your account, but a code fragment or technique has been found that is commonly used in malware - You should ALWAYS check these files out to make sure they are OK.

Critical

These are files that are almost certainly infected or entirely malicious, and positively match a known Virus or Malware fingerprint exactly. We take immediate action based on the following rules:

  • Non-script files (e.g. image files). Hackers often hide malware inside seemingly innocuous files like images. This makes them easier to upload because some websites don't check the ensure that image files are valid before accepting them. The file is CHMOD 000 to prevent public access.
  • Script files (e.g. php, perl etc). Such files can usually be directly accessed by the public, and usually offer direct control of your website to unauthorised users. This puts your data and that of your customers in danger. The directory containing the infected file is CHMOD 000 to prevent public access.

What should I do?

If you are a web developer, you can use the list of affected files provided to go and check the files in your home directory against known good sources. False positives rarely occur, but they do happen. If your account is suspended, you can login to your Krystal Client Area and use our Malware Manager tool to unsuspend your account.

It is critical that if you do unsuspend your account you fully resolve the issues - if malware remains your account will simply be suspended again during the next scan of your account.

If you do not understand the security report, do not understand the scripting language your site is based on, or you had someone else develop your website for you, then we strongly recommend you seek assistance from a developer in dealing with this issue. We will be happy to work with whoever you authorise to deal with the issue to get your site unsuspended so they can get you up and running again as quickly as possible.

Unsuspending your account

  1. Login to your Krystal Client Area
  2. Across the top of the screen you will see a banner alerting you to the fact that one or more of your accounts has been suspended for Malware.
    Click on Resolve >>
  3. You'll be taken to the Malware assistant screen, where you can see any suspended accounts.
    You should only unsuspend an account if you are confident you can remove the malware successfully.

    If you unsuspend a site and the malware remains, or the site is re-infected due to an incomplete fix then the site will be suspended again during the next scan.

    Click the green Unsuspend button to continue.
  4. You'll see a notice - if you are ready, click Yes, I'm Ready and your site will be unsuspended - this includes restoring file permissions so you can access the infected files to remove/clean/replace them.
  5. The number of times you can self-unsuspend is limited. After which you'd need to log a support ticket to have your site reviewed. We would likely recommend you seek to work with a developer at this point to correctly resolve the problem.


How did we do?


© Krystal Hosting Ltd 2003–2019