All Activity
- Past hour
-
Dear HelioHost Support,

I am writing to report sustained and aggressive malicious activity targeting my website almhdy.sd. My site is a simple static page (only index.html), but the server is receiving a high volume of automated attack attempts, which may be consuming shared server resources.

Executive Summary

My server logs show a continuous stream of automated attacks from multiple IP addresses, primarily focused on finding and exploiting vulnerabilities in WordPress and other CMS platforms. While these attacks are failing (returning 404 errors), the volume is significant.

Key Findings from Log Analysis

1. Sustained Reconnaissance & Exploitation Attempts:
· My domain is being scanned by botnets for common web vulnerabilities.
· Attackers are systematically probing for hundreds of different PHP shells, backdoors, and admin panels (e.g., shell.php, wp-filemanager.php, admin-ajax.php).

2. Primary Attacker IP Addresses: The most aggressive sources include:
· 20.243.237.134 (Microsoft Azure) - Initial scanning wave
· 4.217.198.31 (The Constant Company, LLC) - Massive, sustained attack with 200+ unique file requests
· 20.222.117.51 (Microsoft Azure) - Continued high-volume attacks
· 172.207.123.72 (OVH SAS) - WordPress-specific exploits
· 2602:fa59:9:fb6::1 (Comcast) - Persistent probing

3. Types of Attacks Observed:
· Web Shell Uploads: Attempts to access known malicious file managers.
· WordPress Exploits: Targeting themes, plugins, and core files.
· Information Disclosure: Attempts to access .env, .git/config, and wp-config.php files.
· Directory Traversal: Attempts to browse restricted directories.

Evidence of Impact

· Resource Consumption: While the attacks are unsuccessful, the constant processing of these malicious requests consumes CPU cycles and bandwidth.
· Nginx Errors: The logs show numerous nginx error messages like connect() failed (111: Connection refused) while connecting to upstream, which may be related to the high load or misconfiguration attempts from the attacks.
· ModSecurity Activity: Your WAF (ModSecurity) is correctly blocking some requests (e.g., for .git/config), confirming the malicious nature of this traffic.

My Configuration

I would like to emphasize that my website is extremely simple and not vulnerable to these attacks. It consists of a single index.html file with no PHP, WordPress, or database backend. The attacks are therefore harmless to my content but are an unnecessary load on the server.

Request for Assistance

Could you please investigate this activity from your side? Specifically:
1. Is this level of malicious traffic affecting other users on the shared server?
2. Are there any server-wide firewall rules or rate-limiting policies that can be adjusted to mitigate such automated attacks?
3. Can you monitor or consider blocking the most aggressive IP addresses listed above at the network level?

Thank you for your time and for providing a great hosting service.

Best regards,
almhdy24
-
Hi HelioHost team,

I’m having trouble with my domain almhdy.sd on Johnny. Outgoing mail from support@almhdy.sd gets rejected by Gmail with:

> 550-5.7.26 Unauthenticated email — SPF/DKIM failed.

I also can’t edit DNS records for the domain, so I can’t add SPF or DKIM manually. Could you please enable DNS control for me, or add the correct SPF/DKIM on your side?

Also, Dovecot keeps failing to reload with this error:

> reload-or-restart service dovecot failed

Please check or restart it if possible.

Thanks a lot for your help,
Elmahdi Abdullah
- Today
-
olezhashulga joined the community
-
...duplicates of what? I only see two other threads made by you.
-
Please delete duplicates.
-
Domain added. It can take up to 2 hours to start working.
-
phoeg started following [Solved] Add Domain
-
Hi there! Could you please add:

Domain: parabrellaproductions.com
User Name: phoeg

Thank you very much!
-
blendersb joined the community
-
phoeg joined the community
- Yesterday
-
[Krydos] Request for Database Backup After Plan Downgrade
Krydos replied to emmanuelfosso206's topic in Escalated Requests
Do you still need this database?
-
rvb changed their profile photo
-
I've added those subdomains to your account for you. Please note that it may take up to 2 hours for the changes to take effect. If after a full 2 hours they don't work on your side, please make sure you clear your web browser cache: https://wiki.helionet.org/Clear_Your_Cache
-
korkek joined the community
-
mrdavis joined the community
-
wwwageofadel joined the community
-
[Solved] Please help me reactivate the website, thank you!
wolstech replied to wxik's topic in Suspended and Queued Accounts
It's suspended for multiple accounts. Same person as https://helionet.org/index/topic/66172-solved-hello-administrator-please-help-me-restore-my-account-thank-you/ You're only allowed to have one account.
-
Hello dear HelioHost Customer Support,

I’m new to HelioHost and read that I need to request subdomains here. Could you please create the following two subdomains for me? I’m testing some applications during development.

Hosting account username: ghannadanzina
Subdomain name: shop
Full domain: playereleven.helioho.st

Hosting account username: ghannadanzina
Subdomain name: shopapi
Full domain: playereleven.helioho.st

Thank you very much for your support and for the great service you provide!
-
I just did some research on this, and even ignoring the "Why?" aspect of this, the behavior of .phps (colorized source view) is apparently a function specifically provided by the mod_php module for apache. It's not a function of PHP itself. Since Plesk does not use the apache module, this isn't supported. Your best bet is going to be a solution like Krydos suggested: Write a PHP script that displays another script's contents. Once you have that, you can probably be creative with .htaccess rewrite rules to make calls for .phps files redirect to that script with the requested file as a parameter to emulate the behavior.
- Last week
-
Your initial post was made in the Contact HelioNet section, which is not for HelioHost support requests. I've now moved this thread to the right section: HelioHost Customer Service which is routinely monitored by the volunteer staff. I didn't notice an error when I checked your site. I see you haven't replaced the default Plesk index page. Is there a specific URL that the 504s are happening on? If you're getting 504s on Johnny, I'd recommend checking your account error logs which may give more insight about what's happening. If there's something you don't understand in the logs, post it here and we can have a look and try to help.
-
https://wiki.helionet.org/504_Gateway_Timeout Please take some time to read the Wiki. Speaking from experience, it helps a lot.
-
Sorry was that “why” directed at me? Happy to share my motivation for inquiring about the fgci handler name. I have three goals:

Teaching moment. Seeing the configs (and finding them) is what got me the experience I have today.

Radical transparency. The conventional wisdom is “you can’t share your .htaccess files! It’s a security risk!” But I challenge that as vestigial superstition.

Simplicity. I listed a couple alternatives in my original post, but there’s lots of ways to accomplish the goal of “seeing the php source” (which has no security risks. There’s no database connection, no other files are accessed, etc.) All of which feel more unnecessary than (hopefully) a single .htaccess line.
-
The account msbsurfi is being moved from Johnny to Tommy.
-
A payment has been made. Please check.
-
Fixed. We changed the price of Tommy from $1 to $2 in June, but sort of left the Johnny upgrades at $1 for a while since Johnny accounts are relatively difficult to get in the first place. You can read more about it here Changed.
-
r...4@gmail.com
-
Is it $2 or $1 for an already existing Johnny account? In the upgrade page of the dashboard I see $1 but the link is for $2.
-
Wolstech pointed out that the username dmcrac is a VPS, so the wiki I linked won't work for that. What email address would you like the VPS to have?
-
https://buy.stripe.com/6oU7sNcs6207fjP1udco009
https://wiki.helionet.org/FAQ#How_do_I_change_the_contact_email_address_on_my_account?
-
This support request is being escalated to our root admins.
-
msbsurfi started following [Solved] Upgrade to Tommy
-
Hello,

I'd like to shift my personal HelioHost account (Username: msbsurfi) to Tommy server for better experience. Since PayPal is not available in Bangladesh, I need a Stripe link to pay. I also need to change the email address of another account (Username: dmcrac) which currently is using my email address. Should I give the new email address here?

Best Regards,
MD Shifat Bin Siddique
