Security Notice emails have a subject line of BBJT Hosting <> Security Notice [username]
BBJT servers scan all files that are uploaded in real-time and server-wide scans are conducted on a regular basis. If we detect a large scale malware attack in your account then your account may be automatically suspended.
This guide has details on how to read and understand the contents of the Security Notice email and report.
We have a separate guide to help you get started with removing malware (link opens in a new window) - but if you're not confident, you'll likely need to seek the assistance of a developer who can help you clean your site.
Why do we suspend your account?
People often ask us why we suspend accounts before contacting our customer. We don't do it to annoy you - but because:
- it protects against further damage to your website - the longer they have access, the more likely it is they will install more, harder to detect, backdoors
- it protects against severe loss of search engine ranking for your website due to an SEO poisoning attack
- it protects against your website being blacklisted by Google and other search engines
- it protects your email against unauthorised access (once your website is compromised, an attacker may be able to gain access to your email messages)
- it protects our server against being abused as part of a botnet (a remotely controlled cyber-missile!)
We try to explain it like this - if you owned a shop, and there had been robbers and bandits in there, you would not want to risk your reputation (and a lawsuit) by allowing the public back in until you were sure things were safe!
How to read the reports
The Security Notice email will normally include a list of affected files at the bottom, or as an attachment if the list is very large. Each line of the report will detail a problem or suspect file in this order
Alert Level, Month, Date, Time, Server, [ Filename ], Description
Examples of the three types of match you may be notified of - Warning, Critical and Legacy Script.
Warning - Jan 28 05:00:07 artemis ['/home/binky/public_html/shop/code.php'] - (decoded file [depth: 1]) Regular expression match = [decode regex: 1]
Critical - Jan 28 07:04:20 artemis ['/home/binky/public_html/tmp/images/jdhu.php'] - Suspicious Image File [PHP Script]
Legacy Script - Jan 28 23:07:59 artemis ['/home/binky/public_html/smf/index.php'] - Script version check [OLD] [SMF v1.1.18 < v2.0.5]
Legacy Script
Our software checks a broad range of popular web applications to see if the installed version is the latest available. It is reasonably accurate and provides a useful reminder to update the software your website uses to reduce the risk of it being exploited. The files listed are NOT MALWARE - they are just scripts that you should consider updating. If you did not design your website or are unsure whether you should update your files or not then you should seek assistance from an experienced web developer. Remember, before updating anything, always download a full backup of your website files and databases in case something goes wrong during the update - you'll be able to roll back to the previous version.
nolegacy.scan in the root (top level) of your home directory.Warning
These are issues we have found that are worth investigating but are often false positives. Our system is not confident enough to suspend your account, but a code fragment or technique has been found that is commonly used in malware - You should ALWAYS check these files out to make sure they are OK.
Critical
These are files that are almost certainly infected or entirely malicious and positively match a known Virus or Malware fingerprint exactly. We take immediate action based on the following rules:
- Non-script files (e.g. image files). Hackers often hide malware inside seemingly innocuous files like images. This makes them easier to upload because some websites don't check and ensure that image files are valid before accepting them. The file is
CHMOD 000to prevent public access. - Script files (e.g. PHP, Perl etc). Such files can usually be directly accessed by the public, and usually offer direct control of your website to unauthorised users. This puts your data and that of your customers in danger. The directory containing the infected file is
CHMOD 000to prevent public access.
What should I do?
If you are a web developer, you can use the list of affected files provided to go and check the files in your home directory against known good sources. False positives rarely occur, but they do happen. If your account is suspended, you can raise a support request in your BBJT Client Area to unsuspend your account.
If you do not understand the security report, do not understand the scripting language your site is based on, or you had someone else develop your website for you, then we strongly recommend you seek assistance from a developer in dealing with this issue. We will be happy to work with whoever you authorise to deal with the issue to get your site unsuspended so they can get you up and running again as quickly as possible.
Unsuspending your account
- Login to your BBJT Client Area
- Go to Tickets across the top then Open Ticket (Open New Ticket)
- Complete and submit a ticket and then BBJT will unsuspend your account.
