@aurbano
Last active September 10, 2019 23:46
Bluehost Support regarding malware

The following conversation was literally copy/pasted from Bluehost's support.

I thought it was pretty interesting how they kept trying to upsell an unnecessary "security" service for $80/month for 20 minutes...

The malware in question is a script from Coinhive (I've linked an article as the main site doesn't seem to load) which I was testing out from a security point of view. Unfortunately their security scanner picked it up quickly and suspended the account, which is expected and good.

During the chat I didn't realise this was the problem, though; I later saw it when I went to remove the malware and looked at the scanner log (which said it had found SL-CRYPTOMINER-eu.UNOFFICIAL FOUND) and immediately thought of Coinhive.

Malware/Security: Site Deactivated for Malware

B

Hello my name is Brandon and I am a website security consultant with SiteLock

From what I have read your site has been hacked and you want to get it cleaned and back online as soon as possible. May I ask you a few questions to make sure I am recommending the best solution?

11:49 pm

A

Sure

11:51 pm

B

What is the best phone # to reach you? I can assist you quicker by phone

Are you still with me?

I can assist you with resolving the malware via chat if you prefer

Can you confirm the email address on file for security purposes? I can then assist you further.

11:54 pm

A

Yeah let's do it via chat, it's a bit late here

xxxxxx@gmail.com

11:55 pm

B

Thank you for that

Is your site a business site?

11:55 pm

A

This happened once before, I removed a bunch of files and cleaned up some old php and that's pretty much it... Maybe the malware got in through an old Wordpress site I had here - I'll remove it if that's the case

They are personal sites

11:56 pm

B

The malware can get through via Wordpress and themes and plugins

Even when you keep the WordPress and themes and plugins up to date hackers can get into the most current versions too. So the sites are personal sites? Are they monetized at all?

11:56 pm

A

No, I used to have adsense but it was removed a while ago

11:58 pm

B

So you used to use adsense too

Are you familiar with how malware works?

11:58 pm

A

Yes. I'm pretty sure the malware got in via the wordpress installs, the rest are some php sites I wrote some years ago but those don't really have anything easy for malware to be uploaded.

I'll remove the wordpress sites and any malware that your system may have detected, or you can remove it yourself if that's easier?

11:59 pm

B

Hackers design programs to target websites based on vulnerabilities in the coding. The malware is designed to come back to the domain name over and over and keep scanning for new ways to get in. Malware can also get into vulnerabilities in the PHP too

Also when your site gets hacked the malware downloads to the computers or phones of people who go to the site. Just by visiting the site the malware can then get on their computers or phones to track what they type and take their personal information. If you remove the WordPress sites then the other sites can get hacked too

Does that clarify how the malware works and how it can affect people who go to the site?

0:00 am

A

Absolutely

0:00 am

B

How many domains do you have in the account?

0:01 am

A

4

0:02 am

B

How many of the 4 sites are you planning on keeping?

0:02 am

A

3 actually rendering something, the fourth is only used for email

1 of the sites (the wordpress installation) will be removed

leaving only 2 sites online

0:02 am

B

So you plan to keep 2 sites

0:02 am

A

They will be online only for a few more months, while I back them up and put up some notifications for the users

0:03 am

B

Who makes the financial decisions for the sites? I can then discuss the solution.

0:03 am

A

I do, just paid 3 more months of their hosting

0:03 am

B

The service to remove the malware and prevent it from coming back is the secure speed plan

We would guarantee removal of the malware in 4-6 hours and put a wall around the site to block hackers from coming back. We also locate and remove any malware that gets past the wall. Additionally we decrease the load time of the site to increase traffic and search rankings--people leave sites that load too slowly.

Does that clarify how the solution works?

0:04 am

A

Makes sense, although I don't need most of those features to be honest. The sites are already behind Cloudflare, which does some of that.

I'd rather just remove the malware and the wordpress installation.

0:05 am

B

I see you do have CloudFlare

It would be $80 per month for a 12 month agreement-- $40 per month per site

Let's do this: I can get you the agreement for $80 per month and we would just need to gather your billing information to get the malware removed in 4-6 hours and block the hackers from coming back.

0:06 am

A

Sorry but I'm not looking to permanently host these websites, I just want to back them up and have a few months to notify users that they will be closed down.

0:07 am

B

What email address is best to send the agreement to?

0:07 am

A

Last time there was malware (about 3 years ago give or take) we just removed it and updated wordpress, then there weren't any issues until now.

0:08 am

B

We have the option of a 6 month term-- 6 payments of $80 per month. Is that feasible? Unfortunately the malware will come back to the domain over and over unless you have a way to block it

Is that feasible?

0:09 am

A

There's absolutely no reason for the malware to come back if the buggy wordpress installation is removed.

0:10 am

B

The malware can get into PHP vulnerabilities over and over too

0:11 am

A

So you're saying that any php website hosted on Bluehost has to pay $80 per month per site on top of the hosting fee?

0:11 am

B

If you don't have security then the site will get hacked over and over again

0:12 am

A

There is no lack of security in the 2 custom php sites (both running for more than 10 years here on Bluehost with no issues), unless you have evidence of malware getting in that way.

I'm pretty sure the malware got in through the wordpress site, which was added a couple of years ago.

0:13 am

B

You don't want the sites to keep getting hacked over and over every day, do you?

0:14 am

A

I'm only interested in having these websites up for a few more months so that I can notify the users, I've just paid 3 additional months of my hosting plan so let's remove the malware, the wordpress site, and we'll be all good.

0:14 am

B

The shortest term we have for security is 6 months. It is a 6 month term to make sure it is in effect long enough to stop malware from coming back

Would that work for you?

Are you still with me?

0:18 am

A

I'm really not interested in purchasing additional plans for my hosting account. I understand the benefits but they aren't useful for my use case.

These are not business sites, I made a mistake leaving an unused Wordpress installation online, which I am now removing

0:18 am

B

I will get you to BlueHost for other options

Brandon left

Pratheeksha joined

Hello, Alejandro. My name is Pratheeksha and I am happy to assist you.

0:19 am

A

Hi Pratheeksha

0:19 am

P

I will assist in resolving the issue for you

If you have access to the primary email address on the account, I can send you the validation Token now and you can just provide Token on chat for validation.

0:20 am

A

Sure thanks

0:20 am

P

I have sent the token please provide that on chat

0:20 am

A

xxxxx As I mentioned to Brandon, I have a couple of personal sites and one old wordpress site on my Bluehost account. Unfortunately the wordpress install has been unused for a couple of years and malware seems to have gotten in through that.

I'm now removing the wordpress installation, then we can remove the malware if you haven't already.

0:22 am

P

Thank you for authenticating.

0:22 am

A

I have just removed the Wordpress site

0:23 am

P

Yes, please remove it and let me know

We can rescan the account to check if there are any infected files, if no malware files are found we can reactivate the account

Should I rescan the account then to check if the malware files have been deleted?

0:24 am

A

Sure please go ahead now

I just finished removing the previously identified virus, so it should be all good now

0:28 am

P

The account is being scanned now

Please be on hold for 4-5 minutes I will let you know the updates of it

If there are no infected files found then we will reactivate the account

0:29 am

A

Sure, thanks
