Frequent JomSocial Site Hacks

9 years 4 months ago
  • michael (Topic Author)
Licenses:
JomSocial Expired

Are you familiar with the following problem and whether it was ever resolved?

Michael




>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Subject : Anti-virus scan reports: Your 1&1 webspace is currently under attack [Ticket AB86812377]
Date : 07/15/2014 02:15 PM
Contract :


Your contract number:
Your customer ID:
Our reference: [Ticket AB86812377]
Note: Your personal 1&1 contract number and your name certify that this e-mail was sent by 1&1.

Dear Michael Essien,

This is an urgent message concerning your 1&1 account.

A few minutes ago, our anti-virus scanner reported that a malicious file has
been uploaded to your 1&1 webspace.

Name of the file: ~/busysocialcom/protect.php

To protect you from dangerous hacker attacks, our anti-virus scanner checks
every file that is uploaded or modified. If a file exhibits malicious patterns,
it is automatically disabled.

This detection will continue to run after this message in order to disable any
other malicious file.

******************************************************************************
Important: The attack is still running. Your websites are at risk.

As long as you do not take the suitable measures to stop the attack, the
attackers will continue to access your webspace and may sooner or later harm
your websites.

The intrusion point is one of your passwords or a vulnerability in the software
that you have installed.
******************************************************************************

To ward off this attack and restore the security of your site and data, please
proceed as follows:

******************************************************************************
1. Change Your Passwords
******************************************************************************
If the intrusion point was one of your passwords, you will stop the attack quite
simply: Change that password and disable the access for the hackers.

We recommend you to change the following passwords:
- 1&1 FTP
- Admin-Password of your Joomla!, Wordpress and other content management
software

******************************************************************************
2. Update Your Software
******************************************************************************
In case the hackers entered via a security breach in your software, you need
to update that software. Newer versions eliminate known security breaches and
protect you against further attacks.

TIP: Did you install various software modules? Hackers often place the first
malicious files in the directory with the security breach. The malicious
file ~/busysocialcom/protect.php might therefore give you an indication on which
software you need to update.

You will find the latest versions of Joomla! and Wordpress on:
- Joomla!: www.joomla.org/download.html
- Wordpress: wordpress.org/download/

******************************************************************************
3. Rename the "admin" User
******************************************************************************
Does your content management software use the user name "admin" for the user
with administration rights?

Then simply change this user name. This being the by far most effective
protection against hacker attacks that target the administration password.

******************************************************************************

If you have any questions, simply reply to this e-mail quoting our reference
[Ticket AB86812377] in your message.

We appreciate your cooperation and look forward to continuing to improve the
security of your 1&1 account.

Kind regards,

Abuse Team

--
Abuse Department
1&1 Internet Inc.





Subject : Anti-virus scan reports: Your 1&1 webspace is currently under attack [Ticket ]
Date : 09/10/2014 03:08 PM
Contract :

Your contract number:
Your customer ID:
Our reference: [Ticket AB88117192]
Note: Your personal 1&1 contract number and your name certify that this e-mail was sent by 1&1.

Dear Michael Essien,

This is an urgent message concerning your 1&1 account.

A few minutes ago, our anti-virus scanner reported that a malicious file has
been uploaded to your 1&1 webspace.

Name of the file: ~/busysocialcom/images/x.htm

To protect you from dangerous hacker attacks, our anti-virus scanner checks
every file that is uploaded or modified. If a file exhibits malicious patterns,
it is automatically disabled.

This detection will continue to run after this message in order to disable any
other malicious file.

******************************************************************************
Important: The attack is still running. Your websites are at risk.

As long as you do not take the suitable measures to stop the attack, the
attackers will continue to access your webspace and may sooner or later harm
your websites.

The intrusion point is one of your passwords or a vulnerability in the software
that you have installed.
******************************************************************************

To ward off this attack and restore the security of your site and data, please
proceed as follows:

******************************************************************************
1. Change Your Passwords
******************************************************************************
If the intrusion point was one of your passwords, you will stop the attack quite
simply: Change that password and disable the access for the hackers.

We recommend you to change the following passwords:
- 1&1 FTP
- Admin-Password of your Joomla!, Wordpress and other content management
software

******************************************************************************
2. Update Your Software
******************************************************************************
In case the hackers entered via a security breach in your software, you need
to update that software. Newer versions eliminate known security breaches and
protect you against further attacks.

TIP: Did you install various software modules? Hackers often place the first
malicious files in the directory with the security breach. The malicious
file ~/busysocialcom/images/x.htm might therefore give you an indication on which
software you need to update.

You will find the latest versions of Joomla! and Wordpress on:
- Joomla!: www.joomla.org/download.html
- Wordpress: wordpress.org/download/

******************************************************************************
3. Rename the "admin" User
******************************************************************************
Does your content management software use the user name "admin" for the user
with administration rights?

Then simply change this user name. This being the by far most effective
protection against hacker attacks that target the administration password.

******************************************************************************

If you have any questions, simply reply to this e-mail quoting our reference
[Ticket AB88117192] in your message.

We appreciate your cooperation and look forward to continuing to improve the
security of your 1&1 account.

Kind regards,

Abuse Team

--
Abuse Department
1&1 Internet Inc.







Subject : Anti-virus scan reports: Your 1&1 webspace is currently under attack [Ticket AB87751041]
Date : 09/03/2014 06:49 AM
Contract :

Your contract number:
Your customer ID:
Our reference: [Ticket AB87751041]
Note: Your personal 1&1 contract number and your name certify that this e-mail was sent by 1&1.

Dear Michael Essien,

This is an urgent message concerning your 1&1 account.

A few minutes ago, our anti-virus scanner reported that a malicious file has
been uploaded to your 1&1 webspace.

Name of the file: ~/busysocialcom/protect.php

To protect you from dangerous hacker attacks, our anti-virus scanner checks
every file that is uploaded or modified. If a file exhibits malicious patterns,
it is automatically disabled.

This detection will continue to run after this message in order to disable any
other malicious file.

******************************************************************************
Important: The attack is still running. Your websites are at risk.

As long as you do not take the suitable measures to stop the attack, the
attackers will continue to access your webspace and may sooner or later harm
your websites.

The intrusion point is one of your passwords or a vulnerability in the software
that you have installed.
******************************************************************************

To ward off this attack and restore the security of your site and data, please
proceed as follows:

******************************************************************************
1. Change Your Passwords
******************************************************************************
If the intrusion point was one of your passwords, you will stop the attack quite
simply: Change that password and disable the access for the hackers.

We recommend you to change the following passwords:
- 1&1 FTP
- Admin-Password of your Joomla!, Wordpress and other content management
software

******************************************************************************
2. Update Your Software
******************************************************************************
In case the hackers entered via a security breach in your software, you need
to update that software. Newer versions eliminate known security breaches and
protect you against further attacks.

TIP: Did you install various software modules? Hackers often place the first
malicious files in the directory with the security breach. The malicious
file ~/busysocialcom/protect.php might therefore give you an indication on which
software you need to update.

You will find the latest versions of Joomla! and Wordpress on:
- Joomla!: www.joomla.org/download.html
- Wordpress: wordpress.org/download/

******************************************************************************
3. Rename the "admin" User
******************************************************************************
Does your content management software use the user name "admin" for the user
with administration rights?

Then simply change this user name. This being the by far most effective
protection against hacker attacks that target the administration password.

******************************************************************************

If you have any questions, simply reply to this e-mail quoting our reference
[Ticket AB87751041] in your message.

We appreciate your cooperation and look forward to continuing to improve the
security of your 1&1 account.

Kind regards,

Abuse Team

--
Abuse Department
1&1 Internet Inc.

9 years 4 months ago
  • Paul

Hi Michael,

I answered this in your other post; these are not JomSocial files. I would recommend you discuss this with a server administrator or your developer. These files are not related to JomSocial.

9 years 4 months ago
  • michael (Topic Author)
Licenses:
JomSocial Expired

Paul,
I am not sure why you find the need to use the tone you just used but so long as I spend money on your firm, I will keep asking questions about answers that are not clear. When you answered me in the other post, you had not seen this report because I could not locate it at the time.

Now, I don't see where in 1and1's email that they suggest that those files are related to JomSocial.

The report is suggesting that those hacks were possible as a result of a weakness in your software.

You are asking me to discuss this with my server administrator, who is obviously the same person giving me this report; effectively, his perspective or opinion.

You should probably escalate my ticket to someone who may know more and thereby, help me with my problem, not brush me off.
I don't appreciate that.

I would appreciate if your company would take some time, consider the date of the report and let me know if you had any bug fixes which probably covered such a vulnerability or for all you know the vulnerability still exists.

You may also give me specific questions to ask the server administrator that may help bring the truth to light but just asking me to "go to hell" won't be accepted by me.

Thank you.
Michael Essien

9 years 4 months ago
  • Ricardo

Hi Michael,

I just read the info you sent us and it is not possible to determine how your site was hacked. My question is, do you think it could be through JomSocial? If yes, why do you think that?

In general, when hacks like this happen, the server admin has access to server logs that he could read to find the vulnerability. The report they sent you is an automatic email but it doesn't inform anything about the vulnerability. If your PC is infected, maybe you, using your FTP, infected the server too by uploading hidden files. Or maybe you're using another extension that could have a bug. If you're using a shared account, maybe the hacker attacked one of the accounts hosted on that server to have access to your account. So, as you can see, there are many different possibilities. What Paul suggested is correct: your server admin sent you a report that shows your account has viruses, but he could send you the info they have in their server log.

In any case, assuming that it's related to JomSocial is incorrect, but if you need to contact our technical support you shouldn't use the Pre-Sales Questions forums.

Best regards,
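
The log review suggested in the reply above can be sketched as follows. This is an added example, not code from the thread, JomSocial or 1&1: it reads an Apache combined-format access log, finds the first request for each file named in the 1&1 reports, and lists the accepted POST requests the same client sent beforehand. The sample log, the IP addresses and the `/components/com_example/upload.php` path are constructed, and `~/busysocialcom` is assumed to be the web root.

```python
import re
from datetime import datetime

# Files named in the quoted 1&1 reports, as URL paths
# (assumption: ~/busysocialcom is the web root).
FLAGGED = ("/protect.php", "/images/x.htm")

# Apache "combined" access-log line: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample log: documentation-range IPs, hypothetical extension path.
SAMPLE_LOG = """\
198.51.100.7 - - [15/Jul/2014:13:58:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Jul/2014:14:01:10 +0000] "GET /administrator/ HTTP/1.1" 200 2048 "-" "-"
203.0.113.9 - - [15/Jul/2014:14:03:41 +0000] "POST /components/com_example/upload.php HTTP/1.1" 200 87 "-" "-"
203.0.113.9 - - [15/Jul/2014:14:03:55 +0000] "GET /protect.php HTTP/1.1" 200 312 "-" "-"
198.51.100.7 - - [15/Jul/2014:14:10:00 +0000] "POST /index.php HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""

def parse(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string
    return rec

def find_entry_candidates(log_text, flagged=FLAGGED):
    """Map each flagged file to the accepted POSTs its first visitor sent beforehand."""
    records = sorted(filter(None, map(parse, log_text.splitlines())),
                     key=lambda r: r["ts"])
    result = {}
    for target in flagged:
        first = next((r for r in records if r["path"] == target), None)
        if first is None:
            continue  # never requested over HTTP in this log
        result[target] = [
            r for r in records
            if r["ip"] == first["ip"] and r["ts"] < first["ts"]
            and r["method"] == "POST" and r["status"][0] in "23"
            and r["path"] not in flagged]
    return result

if __name__ == "__main__":
    for target, posts in find_entry_candidates(SAMPLE_LOG).items():
        for r in posts:
            print(target, "<-", r["ts"].isoformat(), r["ip"], r["path"])
```

A flagged file that never appears in the web log, or that has no earlier POST from the same client, points toward the other routes mentioned in the thread (FTP credentials, a neighbouring account on the shared server), so the FTP log is the next place to look.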
