What to do when I got an email 'Malicious Attempt to Access Your Hosting Account is Detected'

This article provides you with general tips and steps to follow in case you received the following email message:

“Dear Hosting Account 'cPanel_username' Owner,

This is an automated alert to inform you that we have detected a malicious attempt to access your account via http or ftp on our server 'hostname_of_the_server'. Our security systems have blocked the upload of malicious file to the server and put it to the quarantine. Your website is safe now, but it is important you undertake the following precautions.

1. Immediately scan your PC for viruses and malware. We recommend the anti-virus programs which free editions are available for most operating systems for this purpose.

2. Make sure that you use strong, hard-to-guess passwords on your account and applications. Do not use the same password for different applications. To remember more difficult passwords, we recommend you use the password managers such as LastPass or RoboForm.

3. Update all third party scripts to the latest versions (e.g. Joomla, WordPress, Magento or any other CMS). Remove every script, gadget, feature, function, and code snippet which has poor security vulnerability report.

4. Use .htaccess or cPanel > Deny IP to block the hacker's HTTP access to your site. If you identified the hacker's IP address, one site where you can look it up to get more information about this IP is http://whois.domaintools.com/ .

5. Change your cPanel/ftp passwords.

We have put the following content into quarantine as we believe it contains viruses or other malicious code. If you feel this has been in error and your file is false-positive (innocent), please submit a ticket to us at https://support.namecheap.com/index.php?/Tickets/Submit or contact the Live Help at http://www.namecheap.com/support/livesupport.aspx and we will be happy to assist:

'[PHP Obfuscation Exploit [P0395]]': /home/cPanel_username/public_html/Songs/wp-content/themes/.cache.php
'[PHP Obfuscation Exploit [P0395]]': /home/cPanel_username/public_html/wp-content/themes/.cache.php
'[PHP Obfuscation Exploit [P0395]]': /home/cPanel_username/public_html/wp-content/themes/.cache.php
'[PHP Obfuscation Exploit [P0395]]': /home/cPanel_username/public_html/wp-content/themes/.cache.php
'[PHP Obfuscation Exploit [P0395]]': /home/cPanel_username/public_html/wp-content/themes/.cache.php”

Follow these instructions to make the needed changes in your account:

Scan your PC for viruses and malware

Scan your hosting account with Virus Scanner

Update your CMS along with all the modules/plugins

Have a fresh backup of your files

Scan your PC for viruses and malware

The first thing to check is whether your personal computer contains any malware that might have triggered the warning email message. Make sure that you scan your local computer and clean up any malicious software. Any free antivirus software like Avast Free Antivirus or Dr.Web Cureit! utility, can be used for this purpose.

Scan your hosting account with Virus Scanner

It is also highly recommended to use different scanning means for your hosting web space for malicious software. First of all, you can use an built-in cPanel virus scanner. In order to do it, log into cPanel >> click on the Virus Scanner icon under the Advanced tab:

Once there, choose the Scan Entire Home Directory option and click the Scan Now button:

Also, you can use some free online scanners such as this one.

It is better to combine these two ways of checking your account for viruses. In order to prevent having viruses and malware on your account it is recommended to use themes and plugins only from trusted providers.

Additionally, we would recommend to contact our Support Team so we can check your hosting account by means of internal scanners and tools in order to ensure it is clean and secure. Our support representatives will also be able to provide you with a detailed scan report so you can examine it later.

Below you can find an example of a scan report provided by our Support Team:

----------- SCAN REPORT -----------
TimeStamp: Date
(/usr/sbin/cxs --nobayes --clamdsock /var/clamd --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 50000 --html --ignore /etc/cxs/cxs.ignore --options mMOLfSGchexdnwZDRu --qoptions Mv --report /home/cPanel_username/scanreport-support-date-h12m.txt --sizemax 500000 --ssl --summary --sversionscan --timemax 30 --user support --virusscan --xtra /etc/cxs/cxs.xtra)

Scanning /home/cPanel_username:

# Symlink to [/usr/local/apache/domlogs/support]

# ClamAV detected virus = [Eicar-Test-Signature]

----------- SCAN SUMMARY -----------
Scanned directories: 171
Scanned files: 13996
Ignored items: 33
Suspicious matches: 2
Viruses found: 1
Fingerprint matches: 0
Data scanned: 218.37 MB
Scan time/item: 0.008 sec
Scan time: 107.945 sec

NOTE: Pay attention to the parts of the scan report highlighted in red. These are the lines to examine in case there is malware in your hosting account.

Considering the Suspicious Matches part from the report, it is important to take into account that items marked as suspicious should not be treated as viruses in this case. Our scanning system uses its own wide-range database of so-called 'shady' file types and file names. So the 'Suspicious Matches' part means that the listed files/folders should be checked additionally to ensure they are safe and there is no malicious code inside.

Update your passwords

As a precautionary measure, it is highly recommended to update passwords of all the services related to your hosting package as well. Such services include:

Check how to reset the cPanel password here.

As an improved security measure, it is recommended to set up 2FA for the cPanel account.

If you use Reseller Hosting with us, you can initiate a password reset for your main cPanel account, and your WHM password will be updated automatically as well.

To reset the root password for a VPS server, refer to the following tutorial.

Changing the cPanel account password will also update the password for your main FTP account. However, it is necessary to make sure that passwords for all additional FTP accounts are updated as well. In order to change the password for an additional FTP account, you need to do the following:

  • Log into your cPanel account and navigate to the FTP Accounts menu under the Files section.
  • Scroll down to the FTP Accounts section, paste a new password  and click on the Change Password button next to the corresponding FTP account.

You can find some useful tutorials on how to update Admin passwords for Wordpress, Joomla, Prestashop and WHMCS as examples below:

How to reset WordPress Admin password
How to reset Joomla Admin password
How to reset Prestashop Admin password
How to reset WHMCS Admin password

Make sure that you use strong passwords with special characters in order to avoid unauthorized access to your hosting web space in the future. We recommend to use Password Generators like this one in order to create a complicated, long and reliable password.

For more information on complicated passwords, visit the following link.

The next step is making sure that passwords for all the existing databases are updated and secure as well. This can be done from cPanel > MySQL Databases menu easily.

  • Log into your cPanel account and navigate to the MySQL Databases menu.
  • Scroll down the window and locate a list of MySQL Usernames under the Current Users section.
  • Click on the Change Password button next to the user.

  • Next, indicate the new password and click on the Change Password button.
NOTE: It is important to update configuration files of your scripts with new database passwords in order to avoid downtime of your websites. The directory where the configuration file is located depends on a CMS/script you are using. For example, the WordPress configuration file is called wp-config.php and is generally located in the root folder of the script: /your_wp_installation/wp-config.php.

If your contact email address under Namecheap Account is associated with a domain name that is hosted with us and uses our hosting email service, it may be a good idea to update the email account password as well in order to avoid unauthorized access to your cPanel. This can be done in a few steps from within your cPanel account as well.
  • Log into your cPanel account and navigate to the Email Accounts menu.

  • Click on the Manage button next to the email account as shown below.

  • Choose a desired password and click on the Change Password button.

Update your CMS along with all the modules/plugins

The next measure is to make sure you are running the most recent version of a CMS and modules/plugins installed for it. It is important to keep your software up-to-date as the newest version contains various security implementations and fixes that helps to avoid security breaches.

In case your CMS was installed using our Softaculous script installer, it is possible to update it in a few clicks right from the Softaculous interface, check the following tutorial for more details.

If you are using one of CMS scripts available in Softaculous, but initial installation was performed in a different way, you can import the installation to Softaculous in order to update it easily then. For more details on how to import installation into Softaculous, check the following tutorial.

If your website is based on a custom and manually developed script, it is recommended to contact a web developer in order to implement additional security features.

Have a fresh backup of your files

Once all the measures are taken, make sure to create an up-to-date backup of your files. This can be easily done by means of an in-built backup tool in cPanel. For more details, feel free to check the following tutorial. You may also wish to configure automatic backup creation in cPanel.

That's it!

                      Need any help? Contact our HelpDesk

40615 times

Need help? We're always here for you.