Whole account actively being hacked, each site one by one for two months, webhost keeps blaming my security
I have a reseller account with a webhosting company and told them about a persistent backdoor in February; two months later, all the websites have now been hacked. For a long time I have had a problem with the PHP version being rolled back to an ancient one, but my questions about how this happened are dodged.
I am the sole user and owner and have Cloudflare set up so that I am the only one who can sign in, but it is happening at the server level. I also have tons of rules blocking countries, IPs, bots, etc.
Last week an API was created from an Indian IP and the host is like 'oh shucks.' After that, they used the information gained on the back end to breach my GSC and Cloudflare.
I believe the hacker changed the contact email, because now I can't even log in to the client portal (after being sent a link to log in with last night), and the security question answer was changed.
The host placed an SQL file at the root of my account in the midst of all this, which seems like deliberate sabotage.
As I was browsing files in cPanel, one 'view' prompted an automatic download and a 'fake cPanel' showed up briefly. Their response was 'what do you want me to do about that?'
The gaslighting is extraordinary, as they are blaming my security on a new M4 that passed Malwarebytes and Etre security checks, with long randomised passwords that have been changed 8 million times. And I only work from home on the only whitelisted IP, but that doesn't help since it is not happening through cPanel.
My twenty year old business is being destroyed right now and I can't even get in to back up.
I informed them that another site was being hacked last night and the support response was 'it looks fine', even though I informed them that a bunch of new plugins were added and the old themes reappeared, and sent screenshots.
Other support tickets are 20 pages long, lecturing me about security. They are blaming me for outdated plugins I did not add.
This is the first time ever in the history of my account that this has happened. No one else uses my devices. They have passwords just to login.
Suggestions? I know I should move to a new host; they are trying to leverage this to upsell me to a VPS instead of fixing the problem.
I think maybe support was phished or something, because when I talked to them and told them I was actively being hacked they also said 'check my security' and totally dismissed it. The only security weakness on my side is that I don't use 2FA because I don't have phone service (outside the US, people use WhatsApp).
But this is at the server level, is it not? Could it be that an Indian guy I hired briefly in 2015 (who broke my site at the time) left a backdoor?
That is the only other person in the history of my online life who had access, and only to one website (briefly). I have changed hosting services twice since then.
This is a complete nightmare. Any ideas about what is going on? Why is the host so insistent it is my issue when new database tables are being created and old user accounts that were deleted are reappearing in phpMyAdmin? Any known exploits I don't know about? Ideas?
Thanks so much — I am freaking out here.