If you ever receive an email request with a takedown notice, it can be a little daunting. This guide will walk you through the process to secure the account and remove any content mentioned in the report.
Types of Reports
Right now, Reclaim mainly receives two types of takedown requests: phishing reports and DMCA copyright reports. These typically come from DigitalOcean or Netcraft. The report typically looks like this:
You'll see a URL that points to the location of the report, what content is copyrighted/compromised, and a link to the full incident. Be sure to read through the full report link for any back history.
Response and Mitigation
If you receive an email requesting a specific site to be taken down, here's what you can do to work to remove the content and further secure the site.
Taking Content/Site Offline
To take the site offline quickly, you can use one of two methods:
1) .htaccess Rules
First, the quickest way to take the particular site in question offline is to use a Deny rule in its .htaccess.
Add the following rule to the .htaccess:
deny from all
allow from YOUR IP ADDRESS
The rule blocks all traffic to the site but still lets you view it from your own address while you work. You can add an allow line for each collaborator as needed.
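As an added example (not from this guide), the following shell function prepends a lockdown block to a site's .htaccess instead of overwriting it, so the existing rules (for example WordPress rewrites) survive and can be restored once cleanup is done. It emits the Require form for Apache 2.4 and the Order/Deny/Allow form for 2.2, since the deny/allow syntax above only works on 2.4 when mod_access_compat is loaded. The docroot path, IP addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: lock a site down to a list of admin IPs by prepending rules
# to its .htaccess, keeping a backup and the existing contents intact.
# Usage: lockdown_htaccess /home/user/public_html 203.0.113.5 198.51.100.7

lockdown_htaccess() {
    docroot=$1; shift
    htaccess="$docroot/.htaccess"
    [ -d "$docroot" ] || { echo "no such docroot: $docroot" >&2; return 1; }
    [ "$#" -gt 0 ] || { echo "need at least one allowed IP" >&2; return 1; }

    # Keep a copy of the current rules so they can be restored later.
    if [ -f "$htaccess" ]; then cp -p "$htaccess" "$htaccess.pre-takedown"; fi

    tmp=$(mktemp) || return 1
    {
        echo "# BEGIN takedown lockdown"
        # Apache 2.4: anything not matched by a Require ip line is denied.
        echo "<IfModule mod_authz_core.c>"
        for ip in "$@"; do echo "  Require ip $ip"; done
        echo "</IfModule>"
        # Apache 2.2 (or 2.4 with mod_access_compat): explicit order so the
        # allow lines win over the deny-all.
        echo "<IfModule !mod_authz_core.c>"
        echo "  Order deny,allow"
        echo "  Deny from all"
        for ip in "$@"; do echo "  Allow from $ip"; done
        echo "</IfModule>"
        echo "# END takedown lockdown"
        # Existing rules follow the lockdown block unchanged.
        if [ -f "$htaccess" ]; then cat "$htaccess"; fi
    } > "$tmp"
    mv "$tmp" "$htaccess"
    # mktemp creates 0600 files; Apache must be able to read .htaccess.
    chmod 644 "$htaccess"
}

# Remove only the lockdown block, leaving everything else in the file.
unlock_htaccess() {
    htaccess="$1/.htaccess"
    [ -f "$htaccess" ] || return 0
    tmp=$(mktemp) || return 1
    sed '/^# BEGIN takedown lockdown$/,/^# END takedown lockdown$/d' "$htaccess" > "$tmp"
    mv "$tmp" "$htaccess"
    chmod 644 "$htaccess"
}
```

After the cleanup is finished, run unlock_htaccess on the same docroot (or restore the .pre-takedown copy) before telling the user the site is back.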
2) Suspend Account in WHMCS
If you need more time to work on the account to remove the content, you can suspend the account directly from WHMCS.
You'll be prompted to input a Reason for Suspension to confirm why the site is suspended. This will provide more information for any other admin working on the request as well.
Running a Scan with ImunifyAV
Once the site is offline, you can start mitigation. Run a scan on the account through WHM by searching for ImunifyAV in the left-hand search bar:
Search for the user's cPanel username in the Users tab. Then you can click the button to scan the account.
The scan will run through each file on the account and flag any potentially malicious content. You'll see any flagged content in the History tab.
Look through the history section to identify any pattern in where the site is compromised.
Removing content
With the pattern identified, you can now remove the content. Within the account itself, navigate to the File Manager to remove the content.
Follow the file path listed in the Imunify Scan and delete the content. Make sure to delete it completely rather than send it to the trash.
Resetting Passwords
Once all the content is removed, you will want to change passwords on the account. This includes the cPanel password and any application user passwords. You'll want to let the user know about this and work with them to remove any unused or unrecognized users.
Letting the User Know
Once you've cleaned up the site, you can begin to work with the account owner to secure the account. We recommend you email them directly or set up an in-person meeting to go through what happened and what the next steps are.
Here is some language you can use in an email:
Hi [USER],
I wanted to reach out to let you know that we received a notification that your account, [DOMAIN NAME], had some malicious content hosted on it. I ran a malware scan on the account as a courtesy and located and removed the files that were infected.
From here, there are a few things you'll need to take care of on your end to ensure that the site continues to be secure. The first is to cycle out your passwords for all applications you have on your domain; the second is to remove any users who are no longer using the site (including any FTP users) and to remove any unused plugins/themes.
Then, if your site has been listed as dangerous by Google, you'll need to confirm with Google that the site is secure in order to remove the deceptive site warning. Google has great documentation about managing these warnings.
We do also recommend you use a third-party service like Sucuri to further protect your account if you are working with a WordPress site. If we do receive another request, we'll have to suspend the account.
Once you've worked with the user directly, keep an eye on the site over a short period of time to ensure the compromise does not return.
Now that you have the tools to work through take-down requests, you can take the above steps to help keep accounts on the server secure!