Ashoat

Chief Financial Officer
  • Posts

    6,455
  • Days Won

    37

Everything posted by Ashoat

  1. Are you sure your certificate is valid? Where did you get it?
  2. Okay, you've been granted a dedicated IP address.
  3. Unfortunately, I can't find that DNS record in our system. Are you sure it's actually registered with HelioHost?
  4. Our two nameserver records have always pointed to different IP addresses. I already have admin@heliohost.org, but it used to forward to Gmail who now blocks us. Not sure what to do with it now...
  5. I took a look at some files and it was basically people querying public records in an effort to find some secrets. Yeah, these folks did get access to shell. However, that's trivial to do using CGI. I'm still pretty sure that the hacked accounts just had bad permissions on important files.
  6. Okay, I've restarted it. Let me know if it doesn't come back up sometime soon.
  7. Ashoat

    Downtime and stuff

    I've successfully isolated the problem to Mono (ASP.NET). Unfortunately, there isn't a great way to debug exactly who is breaking Mono, so I'm stuck with no other option but to disable ASP.NET for now. I'll try to find a way to do better debugging, but if I don't it might be until December before we start Mono back up.
  8. Well I see it now. Thanks, but I think we'll keep our current logo...
  9. Ashoat

    Downtime and stuff

    Hey guys, Sorry about the recent downtime and slowdowns and lack of support this week. I've been really busy, but I'll try to triage stuff and take a look at the issues tomorrow night. Don't worry; I'm still around. Thanks, djbob
  10. The files were chown'd by root. I went ahead and deleted them.
  11. If the site was on the whole server then I think we'd be in more trouble than we are. HelioHost and HelioNet are still okay. My new theory: the attack targeted anybody whose "chmod" permissions were set incorrectly. Using CGI scripts you can easily access files anywhere on the hard drive, and if they have permissions to play around with them (i.e. you set them to 777) then they can delete stuff. Same goes for a directory with 777 - files can be created in it. alteisen: the files you have there were chown'd by root. I deleted them. They were symlinked to the system's zone files, which is sort of useless considering that information is publicly broadcasted over our nameservers...
  12. Please post here and I'll get to it as soon as the script is fixed.
  13. Same as before... I can't see the raw links, even after a hard refresh. I'll try loading them once I'm at a different place.
  14. I get a 404 when visiting that... Looks like some router somewhere is down? For quite a while, too...
  15. Do you remember where the links were pointed to? What folders are they in?
  16. I checked your account and I can't find any shell scripts. What is the "SSL service to their website"? How do you know they had access to your cPanel?
  17. There was like a day-long downtime this weekend. Hopefully it won't happen again. I'm not sure why it's occurring. As for slowdowns... yeah, they happen. I do my best to keep them at a minimal level, but this isn't my full-time job.
  18. Sorry this is taking a while guys, but the script I use for this has been deleted and I won't be able to reconstruct it until later.
  19. Sorry, but I'm not really willing to set a record at the root domain for this.
  20. I blame cPanel... this shouldn't be possible. But anyways, is there any issue still occurring in this thread, or should I close it?
  21. I blame cPanel... this shouldn't be possible. But anyways, is there any issue still occurring in this thread, or should I close it?