SiteLock is Now Trying to Scam People Out of $70 to $100 a Month Due to Non-Malicious Files Created by cPanel

From our years of experience dealing with the cleanup of hacked websites the first thing legitimate providers would want to do when contacted is to make sure that the website that they are being contacted about is in fact hacked, as we have found that people experiencing just about any problem with a website can jump to the conclusion that it was caused by the website being infected with malware or otherwise hacked. Much of the security industry isn’t what we would call legitimate and the company that seems to be the farthest from legitimate is SiteLock, which has a well earned reputation for scamming people. Part of how they can stay in business despite that reputation is that they have “partnerships” with web hosts where the web host pushes their services and SiteLock in term provides them a large commission for services they can sell through that. That type of relationship is often to the disadvantage of customers of the web hosts, as a situation we were just consulted on shows.

Recently one of SiteLock’s partners, HostMonster, deactivated one of their customer’s websites due to claimed malware on the website. When the customer contacted the support department they were transferred to SiteLock and told the only way to get the website back up was to pay to pay them $70 to $100 a month (charged annually). In reality the web host only requires that the website be cleaned for them to reactivate it. In this case though the situation is much worse since there wasn’t any malware on it.

All of the files that were claimed to be malicious had names similar to .wysiwygPro_preview_edcf331f0ffc35r4b482f1d15a887w3b.php and had contents similar to this:

<?php
if ($_GET['randomId'] != "Qd8f8yQpZe0JyipHkqUDWIwUrHqUixgfdQfEvwy1fU29Q0V_3kf_mw01oJmeF_g6") {
    echo "Access Denied";
    exit();
}
 
// display the HTML code:
echo stripslashes($_POST['wproPreviewHTML']);
 
?>

Those are legitimate files created by an HTML editor that has come with the cPanel control panel offered by the web host. They are not malicious. The code in them is potentially susceptible to reflected cross-site scripting (XSS) due to outputting user input without escaping it, but someone would have to know both the apparently randomized name of the file and the apparently randomized additional value checked for that to even come in to play.

Based on the identifier given for them, “SL-PHP-JSINCLUDE-cu.UNOFFICIAL FOUND”, it appears that SiteLock is causing them to be falsely flagged as malicious.

Based on our years of seeing what SiteLock is up to, it seem possible that the incorrect flagging here is caused by SiteLock’s incompetence instead of actual malice, but in either case this is scam, since if they can’t correctly handle identifying malicious files then they shouldn’t be offering the services they are.

When we were contacted about the situation the first thing we did was to ask about the evidence provided by the web host to support the shutting down of the website and once we saw that, we were able to explain what was going on and help get this resolved for free instead of scamming money out of someone who was already attempted to be scammed.

Get a Free Consultation From Us

If you are have been contacted by SiteLock or a SiteLock partnered web host claiming your website is hacked, feel free to contact us to get a second opinion as to whether the website is really hacked and if it is we will provide you with a free consultation on how you can best deal with the issue. To provide that second opinion please provide us with the evidence SiteLock or the web host is providing to back up their claim.

If your web host is pushing you to use SiteLock you should be aware of a number of items before making any decisions and you should know that we can provide you with a better alternative for cleaning up the website for less money.