Forum Replies Created

Viewing 15 replies - 1 through 15 (of 19 total)
  • Same issue here.

    Thread Starter integraoligist

    (@integraoligist)

    That fixed it, thanks! For whatever reason, all of our sites updated to 2.5.9 and they showed that it was the newest version and didn’t give updating to 3.1.5 as an option. We had to export the settings on each site, uninstall the plugin, install it again with 3.1.5 and import the settings. Now it’s all operational.

    Thanks again!

    Thread Starter integraoligist

    (@integraoligist)

    No, the new site will not keep anything from the old site. It’s a totally fresh new site, new database, new everything. So all new URLs, content and code. Nothing will be kept from the old site. We just need to keep the old one active until the new site is complete, then we can remove the old site in full… then slide the new site in its place so there is no downtime.

    Thread Starter integraoligist

    (@integraoligist)

    Ok so in Cloudflare > Firewall > Tools >
    -“Enter an IP range”: 69.46.36.0/27
    -Whitelist
    -All websites in account (I have multiple sites in this account)
    > Add

    But when I hit Add, an error pops up “Only an IP4 range of /16 or /24 is allowed for IP access rules”

    So do I just enter each IP individually, as in:
    69.46.36.0
    69.46.36.1
    69.46.36.2
    69.46.36.3
    and so on until I hit .32?

    Thanks!

    Thread Starter integraoligist

    (@integraoligist)

    Got it, thanks for the info! At least I’ll be able to turn off the Scanning on all the other sites, that should help with some lagging we’ve been having.

    Thread Starter integraoligist

    (@integraoligist)

    Thanks for the extensive write-up J!

    We changed over to A2 almost a year ago now from Gigapros (their servers were super slow and we always had email blacklist issues with their servers which of course they said nothing was ever wrong with them). A couple of months after the migration to A2, is when this hacking issue seems to have started on the sites. But no problems with the email blacklist issues at all. So basically I need to use Gigapros to host the sites, and A2 to host the email. Ridiculous.

    I copied some of your (J’s) message and sent it over to A2 last night to see if they had anything else to say on the matter. This is their response:

    —–
    Thank you for following up with us. We apologize for the confusion and thank you for your patience.

    Let me start off by explaining “.well-known”. This directory is actually automatically generated by cPanel and is not evidence that the account or site has been compromised. This directory is used to help cPanel use AutoSSL to generate the free Let’s Encrypt SSL certificates for your domains, and it will automatically appear in the document root of every domain you have configured in cPanel.

    With that said, the domain you sent does appear to be compromised. When scanning the account with our basic malware scanner, we were not able to detect any malware on the account. However, this does not mean that the account has not been compromised. We’ve searched cPanel and FTP logs, but could not find any traces of the files in that directory being uploaded using the account password. The only cPanel logs that contain that directory are from December of last year, and January 11th this year. Both of which are from the same (my IP) IP address and neither of the logs show any content being uploaded. Our oldest available FTP log is from January 13th, 2019.

    We did notice that the WordPress site found in the public_html directory is heavily compromised. Please note that in many cases, a compromise like this one includes some sort of web shell that gives the hacker or malicious script the ability to upload files to the server. This means if even one of your domains is compromised, it has the ability to affect all others on the account as well. Since our tools are not able to detect those malicious files, but we were able to find them by hand, we highly suggest reaching out to a security expert to have the sites professionally scanned, cleaned, and secured. If you do not know who to reach out to, we do offer a service through Sucuri. I’ve provided links below on how to move forward.

    MALWARE REMOVAL & PROTECTION
    https://www.a2hosting.com/malware-protection

    How to secure a hacked site
    https://www.a2hosting.com/kb/security/securing-a-hacked-site

    WordPress security
    https://www.a2hosting.com/kb/security/application-security/wordpress-security

    Despite our Malware scanner not detecting malware, you can see injected code in both “/public_html/wp-config.php” and “public_html/index.php”. Near the top of the files, you can see something that says “include”, which is a common sign of a compromise. In addition to this, both the files have their permissions set to 755 instead of 644, which is also a common sign of an infection.
    —–

    The issue I have with them saying that the main site’s index.php and wp-config.php files are compromised is that this site was just wiped out completely and installed totally fresh on Jan 11th of this year, along with ALL of the subdomain sites. So this all being a brand new install, how can their excuse of a “shell” causing the issue even be logical, seeing as it’s the same issues over the past year?

    Time to find a new host AGAIN apparently. Anyone have suggestions of a quality host?

    Thanks again all for the help!
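
An added example, not part of the original post or the host's reply: a Python check for the two signs that reply names, an `include` near the top of a PHP file and execute permission bits (755 rather than 644). The 15-line window, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile
from itertools import islice

HEAD_LINES = 15    # assumption: what counts as "near the top"
EXEC_BITS = 0o111  # set in 755; absent from the 644 the host's reply expects
INCLUDE_RE = re.compile(r"^\s*@?\s*include(_once)?\b", re.IGNORECASE)

def check_php_file(path):
    """Return findings for one PHP file: execute bits, early include."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & EXEC_BITS:
        findings.append(f"mode {mode:o} has execute bits")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(islice(fh, HEAD_LINES), start=1):
            if INCLUDE_RE.search(line):
                findings.append(f"include on line {lineno}")
    return findings

def scan_tree(root):
    """Walk root; return {relative path: findings} for flagged .php files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                findings = check_php_file(full)
                if findings:
                    report[os.path.relpath(full, root)] = findings
    return report

def build_sample_tree(root):
    samples = {  # constructed sample: one clean file, one showing both signs
        "clean.php": ("<?php\necho 'ok';\n", 0o644),
        "index.php": ("<?php\ninclude 'constructed-placeholder.txt';\n", 0o755),
    }
    for name, (body, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan_tree(tmp))
```

A flagged file is a prompt for manual review, not proof of compromise: legitimate code can also use `include` early in a file.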

    Thread Starter integraoligist

    (@integraoligist)

    I did, over and over again. This was their last response, which does not explain the added files to the server at all.


    As far as I can see the issue happening mostly on mobile devices and this comes from the malware implemented into the browser and you need to reinstall it or remove it from the extensions page. This has nothing to do with the website itself. If the issue continues on your computer, you need to contact Google directly and see why your websites were marked as deceptive and requested whitelisting. You can follow Sucuri recommendations on this:
    https://sucuri.net/guides/how-to-remove-google-blacklist-warning

    It seems like they are just trying to push responsibility off to anyone and anything else other than their systems.

    Thread Starter integraoligist

    (@integraoligist)

    For the WP sites, yes I had Wordfence, WP Security, iThemes and a couple others… even scanned the sites with Sucuri and another one I can’t remember right now.

    However, I just checked a domain that I removed the site completely and the folder was empty for the past few weeks. I look in there today and there are 14 files and a .well-known folder with even more files in it.

    Here is the sitelink

    These are the same type of files all the WP sites are getting. So this being a completely empty folder, this is apparently not a WP issue.

    I re-cleaned all the WP sites with files like these about a week ago, so far they have not come back yet, but they will, they always do.

    I only have 1 cPanel login and 1 FTP setup through it, I changed the password a few times but it never helped. I also changed all the WP sites passwords before too, nothing has stopped these files.

    How could these files be put onto the server?

    Thanks again!

    Thread Starter integraoligist

    (@integraoligist)

    Didn’t see an email from you yet… go ahead and shoot it over to: integraoligist@yahoo.com

    Thanks again!

    Thread Starter integraoligist

    (@integraoligist)

    Ideas?

    Thread Starter integraoligist

    (@integraoligist)

    Anyone?

    Thread Starter integraoligist

    (@integraoligist)

    Just tried changing the htaccess… didn’t help it.

    Other thoughts?

    Thanks all for helping!

    Thread Starter integraoligist

    (@integraoligist)

    The mxp_base_theme is a theme to use Adobe Muse inside of WP. I have this on a couple sites but those sites are still fine and on V2 of reCaptcha like this one was.

    I changed the login-area, jetpack, musexpress plugins… did not help.
    I changed the folder “mxp_base_theme” under themes… that did not help either.

    Could maybe the reCaptcha keys have changed back to the V1 keys somehow and that’s why this problem is popping up? If so, I have the V2 keys, but where would I go to replace the V1 keys with V2?

    Thanks again!

    Thread Starter integraoligist

    (@integraoligist)

    Sure can: site link

    Thread Starter integraoligist

    (@integraoligist)

    Steven, we actually did use that guide a few weeks ago and completed everything we could on a couple of the sites. It did not help.

    JNash, these are all separate sites.

    I think it’s more of a hack through cPanel than through WP. I assumed the WP security measures that were taken would have caught a change in the index page though.

    One of the sites has an SSL, but it makes no difference. In cPanel the only security type plugin that we could find is a firewall, which has always been active.

    We contacted A2Hosting (our hosting provider) but they just suggest adding their own WP plugin called A2Optimized, which we did, but it didn’t do anything to stop this either.

    I created a site using a simple website builder that is not WP; we’ll see if this issue arises with this site, which would confirm it’s not a hack through WP.

    Any other thoughts?

    Thanks again!
