The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
Hostgator Blocked My Outbound Port 80/443 because of ckeditor.js
My outbound port 80/443 is blocked by Hostgator because of a virus in ckeditor.js ... because of it all my sites are down (until I remove these files from the server).
I think the files which it is asking me to delete are very crucial for my vBulletin forums to work ... I am very sure that the antivirus is falsely showing it as a virus because I have replaced it with original/new files but it is still showing them as a virus ... I've been using these vBulletin forums for many years, I cannot delete these files ...
The files are:
public_html/fitnessmatter.com/forum/clientscript/ckeditor/ckeditor.js
public_html/dstreetdirect.com/clientscript/ckeditor/ckeditor.js
Now Hostgator is asking me to remove this file from the server .... is it safe to remove them ...
#2
No, your site needs them but they are probably altered. Download them and look to see what was added.
If your site is hacked, just removing those files is not going to fix things.
#3
forum/clientscript/ckeditor/ckeditor.js is not a virus.
This is your moment to move to a host that isn't a sellout.
#4
It could be hacked though. I agree though that Hostgator is not so good for vBulletin.
#5
I did remove the file and replaced it with a new file download ... and re-scanned ... it again reported it as a virus....
I raised a ticket regarding the issue and Hostgator replied with the following response ...
-----------------------------------------
From server logs, I could see that port 80/443 is blocked for the user xxxxxxx. This could be a reason for the issue you have reported earlier.
We have an automated scanning cron which disables port 80/443 of a user, when the user account has malicious file(s). Also, it disables all such file(s) with immutable attribute and null permission to avoid further infection. Check the scan results given below:
=======
Infected files: 2
/home/xxxxxxx/public_html/dstreetdirect.com/clientscript/ckeditor/ckeditor.js
/home/xxxxxxx/public_html/fitnessmatter.com/forum/clientscript/ckeditor/ckeditor.js
=======
As of now, I have reverted immutable attributes and null permission set on above file(s) so that you can modify those file(s).
Please note that, simply deleting/replacing infected file(s) will not be a permanent solution. If any of those files is used by your website theme/plugin/CMS then removing those file(s) may cause downtime to your websites. Hence, I suggest you to double check your website contents like CMS, themes, plugins and make sure that they are up-to-date. Further, scan and re-upload above mentioned file(s) and get back to us.
Once your account is cleaned, we will activate port 80/443 for the user xxxxxxxxxx. This will help you to avoid similar issues in future.
------------------------------------------
After that I repeated the same steps .... Scanned > Quarantined > Re-uploaded new file > Scanned again .... and again found the same files as a virus... Deadlock!!!
#6
With Hostgator I don't have a problem with them as a host. You need to ask your host to check logs to see how the virus was uploaded, but I am sure he got into your admin panel and changed a few things, so you need to check the logs in there and revert any templates he changed. Also check Plugins & Products/Plugin Manager to see if he has added any plugins.
#7
As they said in the email, removing and replacing the file will not fix the issue if the site is indeed hacked.
--------------- Added [DATE]1455063275[/DATE] at [TIME]1455063275[/TIME] ---------------
Also, is Google reporting your site had malware? Check webmaster tools.
#8
On 9th Feb evening I got the following message (they almost admitted that it could be a false +ve)
-------------------------
We apologize for the delay in our response. We could understand your concern and we are checking this issue widely with our abuse and security wing. We need to check whether this is a False positive signature then we will remove the signature.
Please be patient we will get back to you once the issue is fixed.
Thank You
--------------------------------
But even after many reminders/updates they are still saying that we are working on it.... Now I can't take it anymore, I removed/quarantined the file ckeditor.js ... so that at least the port is unlocked ... at least other sites shouldn't suffer because of it......
--------------- Added [DATE]1455201780[/DATE] at [TIME]1455201780[/TIME] ---------------
The problem is rectified now by Hostgator....
------------------------------
The Outgoing Port 80 for your account has been unblocked and you should not face any issues accessing your websites.
The False Positive issue has also been rectified and genuine files should not be blocked now in the virus scan. Kindly check and verify the same.
Let us know in case you have any further queries.
Regards,
Joyson L
-----------------------------------------------------
Reuploaded the files .... having no issues for now.... The ckeditor.js file is for Quick Edit or Quick Reply ... without it we have to use the "Advanced" method to post the replies.....
#9
https://www.virustotal.com/en/url/bc...is/1455274700/
https://www.virustotal.com/en/url/42...is/1455274737/
You can ignore the Yandex Safebrowsing report on the second URL. I've checked both .js files with a text difference and it's exactly a duplicate. The file is clean.. I have no idea what Hostgator is talking about.. it's a false positive, whatever they are using. But seeing the website is accessible, I can assume they already opened up the ports again for you.
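
Posts #2 and #9 both come down to comparing the flagged ckeditor.js against a known-good copy of the same version. The following is an added example, not part of the original thread: it goes beyond a plain text diff by reporting where any extra bytes sit, which is more useful than a line diff when a minified file is mostly one long line. The function name and the sample file contents are constructed for illustration.

```python
import hashlib

def compare_to_reference(deployed: bytes, reference: bytes, preview: int = 80) -> dict:
    """Classify how a deployed file differs from a known-good copy of the same version."""
    report = {
        "deployed_sha256": hashlib.sha256(deployed).hexdigest(),
        "reference_sha256": hashlib.sha256(reference).hexdigest(),
    }
    if deployed == reference:
        return {**report, "verdict": "identical"}
    # ASCII-mode FTP uploads rewrite line endings: the hash changes, the code does not.
    if deployed.replace(b"\r\n", b"\n") == reference.replace(b"\r\n", b"\n"):
        return {**report, "verdict": "line-endings-only"}
    # Length of the common prefix and common suffix of the two files.
    limit = min(len(deployed), len(reference))
    prefix = 0
    while prefix < limit and deployed[prefix] == reference[prefix]:
        prefix += 1
    suffix = 0
    while suffix < limit - prefix and deployed[-1 - suffix] == reference[-1 - suffix]:
        suffix += 1
    extra = deployed[prefix:len(deployed) - suffix]      # bytes only in the deployed file
    missing = reference[prefix:len(reference) - suffix]  # bytes only in the reference
    if missing:
        verdict = "modified"      # reference content was changed or removed
    elif prefix == len(reference):
        verdict = "appended"      # intact original followed by extra bytes
    elif prefix == 0:
        verdict = "prepended"     # extra bytes placed before the intact original
    else:
        verdict = "inserted"      # extra bytes spliced into the original
    return {**report, "verdict": verdict, "offset": prefix,
            "extra_bytes": len(extra),
            "extra_preview": extra[:preview].decode("latin-1")}

if __name__ == "__main__":
    # Constructed stand-ins; in practice read both files with open(path, "rb").read(),
    # taking the reference from the original vBulletin download package.
    clean = b"var CKEDITOR={version:'constructed'};\n"
    tampered = clean + b"/* constructed extra */document.write('x');"
    for name, data in (("re-uploaded copy", clean), ("altered copy", tampered)):
        r = compare_to_reference(data, clean)
        print(name, "->", r["verdict"], r.get("offset"), r.get("extra_preview", ""))
```

An "identical" verdict against the vendor's copy supports a false-positive report to the host; any other verdict besides "line-endings-only" means the file on the server was altered and the extra bytes need to be read.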