000webhost phishing

000webhost.com Terms of service violation: Phishing, scam, warez, hacking

Lately there are quite a few 000webhost.com users reporting their accounts as suspended because of hosting scam or hacking scripts. Me being sceptic had a closer look at some of the accounts in question to find that the accounts got suspended in error. Let me explain why:

000webhost.com tries to prevent users from hosting scam/phishing/hacking scripts by running a script across their servers that scans for malware (i won’t go into too much detail here about what exactly it scans for, don’t want to make it easier for people to avoid being detected). That script occasionally flags files as false positives, likely because of the keywords/code it scans for. If a pattern matches the script considers the file to be in violation of their terms and it proceeds to suspend the account automatically.

The usual entry in the member area would look something like

Account someaccount.com has been suspended by TonyScanner (Terms of service violation: Phishing, scam, warez, hacking. Details: php.h.HackScript-15 | /home/a*******//public_html/wp-content/plugins/w3-total-cache/lib/Nusoap/nusoap.php.)

In this example the “TonyScanner” flagged the file wp-content/plugins/w3-total-cache/lib/Nusoap/nusoap.php as dodgy. I checked the account and compared the file in question with the “original” file from a fresh W3 Total Cache download from wordpress.org in Araxis Merge. What did i find? Nothing….the files were identical, no changes were made to the file. This means the “TonyScanner” has flagged it as false positive and suspended the account. As W3TC is a pretty popular WordPress plugin i expect to see more tickets about suspended accounts because of /w3-total-cache/lib/Nusoap/nusoap.php being flagges as phishing/hacking/scam script.

What to do about this?

Well, in case your account got suspended because of a false positive i am afraid there is little you can do. Even if you open a ticket and explain the entire story and make them aware of the file being reported in error they won’t unsuspend your account but send you the standard answer “Account can only be unsuspended when upgraded”. I will post the false positive issue on their helpdesk blog to make them aware of the scanner reporting perfectly legit files as potentially dangerous but again…i don’t think the script that scans the servers will be changed.

So…if your account got suspended then you’ll have to do with it and either move on to a different host or create a new account and do not use the plugin/script that got you suspended.

Be the first to comment

Leave a Reply

Your email address will not be published.

I confirm