One of our customers recently received an email from their hosting provider. The hosting provider stated the hosting account had malicious website files. The customer forwarded it to us:

Dear CUSTOMER,

During a routine scan, the security team at HOSTING_PROVIDER
discovered infected files in your “customer name” account.
Typically, these security vulnerabilities are due to the presence of
an outdated application or script in your account.

You can view a list of the infected files in the /stats directory of your
account, in a file named ‘websitescan.txt.’ You can find more
information on how to access this file, interpret its contents, and
remove infected files in the article below:

http://www.HOSTING_PROVIDER/knowledgebase/beta/article.bml?ArticleID=437

Please make sure to check any file backup(s) you have for a clean copy
of the infected files.  If you have clean copies, you can upload those. If
not, once you get the infected files cleaned or removed, we recommend
you keep regular backups of your website going forward

However, If you don’t feel comfortable removing the infected files yourself,
or would like to talk to a security expert, we recommend that you contact
our preferred partner, SECURITY_VENDOR. You can find out about their security
solutions at https://www.HOSTING_PROVIDER/product/SECURITY_VENDOR, or call them directly at 1-(toll-free number).

Finally, to learn more about how to keep your site safe, visit the article below:
http://www.HOSTING_PROVIDER/knowledgebase/beta/article.bml?ArticleID=2324#Nugget_5264.

Sincerely,
The HOSTING_PROVIDER Team

 

We rescanned the files to see if our monitoring may have missed something.

 

Our scans and file analysis came back with no malicious website files found. We know that most hosting providers do not purposely deactivate websites without identifying something, so we investigated further.

 

We opened the file they mentioned in their email to the customer: websitescan.txt.

 

Inside we found 4 files that had been identified to have have the Win.Trojan.Toa-5370166-0 FOUND. All 4 files were updraft backups in .zip format.

 

We downloaded them and rescanned the files from the backups.

 

Still nothing.

 

Could we be wrong?

 

Nope.

 

Further investigation found numerous other online comments about this same “infection”. Not all of them were about malicious website files. Some were local computer scans that found the same “infection”.

 

We found nothing online that could provide further information about this infection. We notified the customer and they in-turn notified the hosting provider and the account was reactivated.

 

This is the downside to relying on signatures to identify malicious website files. Especially if those signatures are provided to you. You’re relying on someone else verifying that the signatures only match malicious website files.

 

Luckily for this customer, we were able to provide proof so the hosting provider would reactivate the account.

 

Have you had any issues with hosting providers and false positives? Send me an email and let me know…traef@wewatchyourwebsite.com

 

You should read about the methods we use to positively identify malicious website files: https://wewatchyourwebsite.com/our-methods-for-finding-and-removing-website-malware/

 

Thank you.