Krydos

/home/hariscon/public_html/administrator/index.php also seems to be corrupted. See the backdoor on the top line or two? That's how they compromised your account. You should probably just delete it all and start over to make sure they don't just hack your account again immediately.

/home/hariscon/public_html/images/jdownloads/screenshots/imc.php.j: PHP.Hide FOUND /home/hariscon/public_html/images/jdownloads/screenshots/1x.php.j: PHP.Hide FOUND /home/hariscon/public_html/images/jdownloads/screenshots/2x.php.j: PHP.Hide FOUND /home/hariscon/public_html/images/jdownloads/screenshots/.212.php.j: PHP.Hide FOUND

Here are the three the spam reports we received for your account: We have received a complaint about your account. Please investigate and fix within 24 hours. Hurricane Electric Abuse Department support@he.net From scomp@aol.net Sat May 2 20:33:01 2015 Return-Path: <scomp@aol.net> X-Original-To: report@abuse.he.net Delivered-To: report@abuse.he.net Received: from smr-m3.mx.aol.com (smr-m3.mx.aol.com [64.12.109.87]) by abuse.he.net (Postfix) with ESMTPS id 627FF5401AA for <report@abuse.he.net>; Sat, 2 May 2015 20:33:01 -0700 (PDT) Received: from scmp-d010.mail.aol.com (scmp-d010.mail.aol.com [172.29.189.79]) by smr-m3.mx.aol.com (AOL Mail Bouncer) with ESMTP id A14A8380005F3 for <report@abuse.he.net>; Sat, 2 May 2015 23:33:00 -0400 (EDT) Received: from scomp@aol.net by scmp-d010.mail.aol.com; Sat, 02 May 2015 23:32:59 EDT To: report@abuse.he.net From: scomp@aol.net Date: Sat, 02 May 2015 23:32:59 EDT Subject: Email Feedback Report for IP 65.19.143.2 MIME-Version: 1.0 Content-Type: multipart/report; report-type=feedback-report; boundary="boundary-1138-29572-2659438-1787" X-AOL-INRLY: stevie.heliohost.org [65.19.143.2] scmp-d010 X-Loop: scomp --boundary-1138-29572-2659438-1787 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit This is an email abuse report for an email message with the message-id of 1f14005778129a23a5dd1557d6e5dd2e@graenfur.heliohost.org received from IP address 65.19.143.2 on Sat, 2 May 2015 20:48:10 -0400 (EDT) For information, please review the top portion of the following page: http://postmaster.aol.com/Postmaster.FeedbackLoop.php For information about AOL E-mail guidelines, please see http://postmaster.aol.com/Postmaster.Guidelines.php If you would like to cancel or change the configuration for your FBL please use the tool located at: http://postmaster.aol.com/SupportRequest.FBL.php --boundary-1138-29572-2659438-1787 Content-Disposition: inline Content-Type: message/feedback-report Feedback-Type: abuse User-Agent: AOL SComp Version: 0.1 Received-Date: Sat, 2 May 2015 20:48:10 -0400 (EDT) Source-IP: 65.19.143.2 Reported-Domain: stevie.heliohost.org Redacted-Address: redacted Redacted-Address: redacted@ --boundary-1138-29572-2659438-1787 Content-Type: message/rfc822 Content-Disposition: inline Return-Path: <kelley_swanson@graenfur.heliohost.org> Received: from stevie.heliohost.org (stevie.heliohost.org [65.19.143.2]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaig-aam01.mx.aol.com (Internet Inbound) with ESMTPS id 66F2C70000089 for <redacted>; Sat, 2 May 2015 20:48:10 -0400 (EDT) Received: from graenfur by stevie.heliohost.org with local (Exim 4.80) (envelope-from <kelley_swanson@graenfur.heliohost.org>) id 1Yoi57-0007Kg-9L for redacted; Sat, 02 May 2015 17:48:04 -0700 To: redacted@aol.com Subject: hi Date: Sat, 2 May 2015 17:48:29 -0700 From: Kelley Swanson <kelley_swanson@graenfur.heliohost.org> Message-ID: <1f14005778129a23a5dd1557d6e5dd2e@graenfur.heliohost.org> X-Priority: 3 X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/) MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="b1_1f14005778129a23a5dd1557d6e5dd2e" Content-Transfer-Encoding: 8bit X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - stevie.heliohost.org X-AntiAbuse: Original Domain - aol.com X-AntiAbuse: Originator/Caller UID/GID - [18800 32003] / [47 12] X-AntiAbuse: Sender Address Domain - graenfur.heliohost.org X-Get-Message-Sender-Via: stevie.heliohost.org: authenticated_id: graenfur/from_h X-Source: /usr/bin/php X-Source-Args: /usr/bin/php /home1/graenfur/public_html/inbox/fonts/.include8.php X-Source-Dir: graenfur.heliohost.org:/public_html/inbox/fonts x-aol-global-disposition: G Authentication-Results: mx.aol.com; spf=none (aol.com: the domain graenfur.heliohost.org appears to have no SPF Record.) smtp.mailfrom=graenfur.heliohost.org; x-aol-sid: 3039ac1b13855545704a51b6 X-AOL-IP: 65.19.143.2 X-AOL-SPF: domain : graenfur.heliohost.org SPF : none --b1_1f14005778129a23a5dd1557d6e5dd2e Content-Type: text/plain; charset=us-ascii well hello cutie... if your down for it and avail we could meetup for fun?? AuhRA8dTNqo/nECQ21BXGks/3WbCk5NljwTMqelMTCg= --b1_1f14005778129a23a5dd1557d6e5dd2e Content-Type: text/html; charset=us-ascii <html> <body> well hello cutie... if your down for it and avail we could meetup for fun?? AuhRA8dTNqo/nECQ21BXGks/3WbCk5NljwTMqelMTCg= </body> </html> --b1_1f14005778129a23a5dd1557d6e5dd2e-- --boundary-1138-29572-2659438-1787-- We have received a complaint about your account. Please investigate and fix within 24 hours. Hurricane Electric Abuse Department support@he.net From scomp@aol.net Sat May 2 21:35:36 2015 Return-Path: <scomp@aol.net> X-Original-To: report@abuse.he.net Delivered-To: report@abuse.he.net Received: from smr-m1.mx.aol.com (smr-m1.mx.aol.com [64.12.109.92]) by abuse.he.net (Postfix) with ESMTPS id 5BCBD5401AA for <report@abuse.he.net>; Sat, 2 May 2015 21:35:36 -0700 (PDT) Received: from scmp-m009.mail.aol.com (scmp-m009.mail.aol.com [172.26.180.17]) by smr-m1.mx.aol.com (AOL Mail Bouncer) with ESMTP id 83C6138000231 for <report@abuse.he.net>; Sun, 3 May 2015 00:35:35 -0400 (EDT) Received: from scomp@aol.net by scmp-m009.mail.aol.com; Sun, 03 May 2015 00:35:34 EDT To: report@abuse.he.net From: scomp@aol.net Date: Sun, 03 May 2015 00:35:34 EDT Subject: Email Feedback Report for IP 65.19.143.2 MIME-Version: 1.0 Content-Type: multipart/report; report-type=feedback-report; boundary="boundary-1138-29572-2659438-6139" X-AOL-INRLY: stevie.heliohost.org [65.19.143.2] scmp-m009 X-Loop: scomp --boundary-1138-29572-2659438-6139 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit This is an email abuse report for an email message with the message-id of c001935fbc91c05c07e5c9c2fd71aff9@graenfur.heliohost.org received from IP address 65.19.143.2 on Sat, 2 May 2015 23:01:35 -0400 (EDT) For information, please review the top portion of the following page: http://postmaster.aol.com/Postmaster.FeedbackLoop.php For information about AOL E-mail guidelines, please see http://postmaster.aol.com/Postmaster.Guidelines.php If you would like to cancel or change the configuration for your FBL please use the tool located at: http://postmaster.aol.com/SupportRequest.FBL.php --boundary-1138-29572-2659438-6139 Content-Disposition: inline Content-Type: message/feedback-report Feedback-Type: abuse User-Agent: AOL SComp Version: 0.1 Received-Date: Sat, 2 May 2015 23:01:35 -0400 (EDT) Source-IP: 65.19.143.2 Reported-Domain: stevie.heliohost.org Redacted-Address: redacted Redacted-Address: redacted@ --boundary-1138-29572-2659438-6139 Content-Type: message/rfc822 Content-Disposition: inline Return-Path: <allison_walker@graenfur.heliohost.org> Received: from stevie.heliohost.org (stevie.heliohost.org [65.19.143.2]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaig-mbd02.mx.aol.com (Internet Inbound) with ESMTPS id 5B2047000008D for <redacted>; Sat, 2 May 2015 23:01:35 -0400 (EDT) Received: from graenfur by stevie.heliohost.org with local (Exim 4.80) (envelope-from <allison_walker@graenfur.heliohost.org>) id 1YokAH-0000UE-2x for redacted; Sat, 02 May 2015 20:01:32 -0700 To: redacted@aol.com Subject: hi! Date: Sat, 2 May 2015 20:01:57 -0700 From: Allison Walker <allison_walker@graenfur.heliohost.org> Message-ID: <c001935fbc91c05c07e5c9c2fd71aff9@graenfur.heliohost.org> X-Priority: 3 X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/) MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="b1_c001935fbc91c05c07e5c9c2fd71aff9" Content-Transfer-Encoding: 8bit X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - stevie.heliohost.org X-AntiAbuse: Original Domain - aol.com X-AntiAbuse: Originator/Caller UID/GID - [18800 32003] / [47 12] X-AntiAbuse: Sender Address Domain - graenfur.heliohost.org X-Get-Message-Sender-Via: stevie.heliohost.org: authenticated_id: graenfur/from_h X-Source: /usr/bin/php X-Source-Args: /usr/bin/php /home1/graenfur/public_html/inbox/fonts/.include8.php X-Source-Dir: graenfur.heliohost.org:/public_html/inbox/fonts x-aol-global-disposition: G Authentication-Results: mx.aol.com; spf=none (aol.com: the domain graenfur.heliohost.org appears to have no SPF Record.) smtp.mailfrom=graenfur.heliohost.org; x-aol-sid: 3039ac1afc0255458f8e2c71 X-AOL-IP: 65.19.143.2 X-AOL-SPF: domain : graenfur.heliohost.org SPF : none --b1_c001935fbc91c05c07e5c9c2fd71aff9 Content-Type: text/plain; charset=us-ascii Hey cutie, I saw you on a dating site sometime last week, i got sum freakypix for you.. message my # real quick its 404.448.9616. Im just a 24 year old female. Im looking to meet new guys and maybe hookup. message me if u get a min please. --b1_c001935fbc91c05c07e5c9c2fd71aff9 Content-Type: text/html; charset=us-ascii <html> <body> Hey cutie, I saw you on a dating site sometime last week, i got sum freakypix for you.. message my # real quick its 404.448.9616. Im just a 24 year old female. Im looking to meet new guys and maybe hookup. message me if u get a min please. </html> </body> --b1_c001935fbc91c05c07e5c9c2fd71aff9-- --boundary-1138-29572-2659438-6139-- We have received a complaint about your account. Please investigate and fix within 24 hours. Hurricane Electric Abuse Department support@he.net From scomp@aol.net Sun May 3 03:36:15 2015 Return-Path: <scomp@aol.net> X-Original-To: report@abuse.he.net Delivered-To: report@abuse.he.net Received: from smr-m2.mx.aol.com (smr-m2.mx.aol.com [64.12.232.218]) by abuse.he.net (Postfix) with ESMTPS id A7D8F5401AA for <report@abuse.he.net>; Sun, 3 May 2015 03:36:03 -0700 (PDT) Received: from scmp-m008.mail.aol.com (scmp-m008.mail.aol.com [172.29.110.249]) by smr-m2.mx.aol.com (AOL Mail Bouncer) with ESMTP id 9A60B3800007A for <report@abuse.he.net>; Sun, 3 May 2015 06:35:55 -0400 (EDT) Received: from scomp@aol.net by scmp-m008.mail.aol.com; Sun, 03 May 2015 06:35:53 EDT To: report@abuse.he.net From: scomp@aol.net Date: Sun, 03 May 2015 06:35:53 EDT Subject: Email Feedback Report for IP 65.19.143.2 MIME-Version: 1.0 Content-Type: multipart/report; report-type=feedback-report; boundary="boundary-1138-29572-2659438-9899" X-AOL-INRLY: stevie.heliohost.org [65.19.143.2] scmp-m008 X-Loop: scomp --boundary-1138-29572-2659438-9899 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit This is an email abuse report for an email message with the message-id of 6a165a4c03d7aa7763e36efb59a0b272@graenfur.heliohost.org received from IP address 65.19.143.2 on Sat, 2 May 2015 21:09:50 -0400 (EDT) For information, please review the top portion of the following page: http://postmaster.aol.com/Postmaster.FeedbackLoop.php For information about AOL E-mail guidelines, please see http://postmaster.aol.com/Postmaster.Guidelines.php If you would like to cancel or change the configuration for your FBL please use the tool located at: http://postmaster.aol.com/SupportRequest.FBL.php --boundary-1138-29572-2659438-9899 Content-Disposition: inline Content-Type: message/feedback-report Feedback-Type: abuse User-Agent: AOL SComp Version: 0.1 Received-Date: Sat, 2 May 2015 21:09:50 -0400 (EDT) Source-IP: 65.19.143.2 Reported-Domain: stevie.heliohost.org Redacted-Address: redacted Redacted-Address: redacted@ --boundary-1138-29572-2659438-9899 Content-Type: message/rfc822 Content-Disposition: inline Return-Path: <miriam_holland@graenfur.heliohost.org> Received: from stevie.heliohost.org (stevie.heliohost.org [65.19.143.2]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaig-aal03.mx.aol.com (Internet Inbound) with ESMTPS id B419770000087 for <redacted>; Sat, 2 May 2015 21:09:50 -0400 (EDT) Received: from graenfur by stevie.heliohost.org with local (Exim 4.80) (envelope-from <miriam_holland@graenfur.heliohost.org>) id 1YoiQ7-0006od-Pd for redacted; Sat, 02 May 2015 18:09:46 -0700 To: redacted@aol.com Subject: hey there Date: Sat, 2 May 2015 18:10:11 -0700 From: Miriam Holland <miriam_holland@graenfur.heliohost.org> Message-ID: <6a165a4c03d7aa7763e36efb59a0b272@graenfur.heliohost.org> X-Priority: 3 X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/) MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="b1_6a165a4c03d7aa7763e36efb59a0b272" Content-Transfer-Encoding: 8bit X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - stevie.heliohost.org X-AntiAbuse: Original Domain - aol.com X-AntiAbuse: Originator/Caller UID/GID - [18800 32003] / [47 12] X-AntiAbuse: Sender Address Domain - graenfur.heliohost.org X-Get-Message-Sender-Via: stevie.heliohost.org: authenticated_id: graenfur/from_h X-Source: /usr/bin/php X-Source-Args: /usr/bin/php /home1/graenfur/public_html/inbox/fonts/.include8.php X-Source-Dir: graenfur.heliohost.org:/public_html/inbox/fonts x-aol-global-disposition: G Authentication-Results: mx.aol.com; spf=none (aol.com: the domain graenfur.heliohost.org appears to have no SPF Record.) smtp.mailfrom=graenfur.heliohost.org; x-aol-sid: 3039ac1b14c35545755e729d X-AOL-IP: 65.19.143.2 X-AOL-SPF: domain : graenfur.heliohost.org SPF : none --b1_6a165a4c03d7aa7763e36efb59a0b272 Content-Type: text/plain; charset=us-ascii Hey handsom, I saw you on a dating site sometime last week, i got sum dirtypic 4 ya.. message my # real quick its +1~717~723~3934. Im just a 24 year old gal. Im looking to meet new people and maybe hookup. message me if you get a chance plz. --b1_6a165a4c03d7aa7763e36efb59a0b272 Content-Type: text/html; charset=us-ascii <html> <body> Hey handsom, I saw you on a dating site sometime last week, i got sum dirtypic 4 ya..<br> <br> message my # real quick its +1~717~723~3934.<br> <br> Im just a 24 year old gal. Im looking to meet new people and maybe hookup.<br> message me if you get a chance plz.<br> </html> </body> --b1_6a165a4c03d7aa7763e36efb59a0b272-- --boundary-1138-29572-2659438-9899-- As you can see the spam was coming from /home1/graenfur/public_html/inbox/fonts/.include8.php I also noticed that your domain has also been flagged by google as malicious.

Settle down. Posting three times in five hours doesn't accomplish anything more than making yourself look incredibly impatient. This is the reason I asked your permission before I changed your password, and you said it was fine. Anyways, your password has been reset again, and emailed to your contact address again.

Did you check your spam folder?

This has been fixed for a while. Marking solved.

Your password has been changed, I logged in with the new password, and phpmyadmin on your account works perfectly for me. The new password has been mailed to the contact email address associated with your account. The problem is NOT with the server or upgrades or reinstalling or mysql or cpanel or phpmyadmin or missing files or tables or databases or accounts or configuration or ipv6 or dns or anything else that you suggested that I missed. The problem MAY be with your browser, or your router, or your computer, or something else that is specific to you. I suggest trying to connect to phpmyadmin from another location on another internet connect, or another computer, or another browser to try to narrow down and troubleshoot what the problem might be. The server and everything on our end is working as expected.

Since there is an active account with the username quantas on Stevie I'm going to assume that this issue was resolved. Let us know if you're still having any issues with your server transfer and we can removed the [solved] tag.

The problem is http://dppas.heliohost.org/forum/ It looks like bots are trying to create accounts with random email addresses. Even though the bots won't be able to post to your forum the account creation emails still get sent out, and they get flagged as spam. I would suggest using a stronger captcha to block the bots, or remove the forum completely if it isn't in use. Account dppas unsuspended.

Access granted.

It works for me on my Stevie account. Is there any particular instructions you can give me to reproduce the error? Does it always show that error for you, or just intermittently? Do you consent to me changing your cpanel password so I can log into your account specifically to see if I can reproduce the error?

Your account was suspended because you falsely advertise SSL encryption on a page proxy that clearly isn't encrypted in any way. That is a common sign of an illegal phishing website. Are you intending to add SSL encryption at some point? You might want to read our instructions on enabling SSL/https on your Heliohost account http://wiki.helionet.org/SSL Your account has been unsuspended, but keep two things in mind: Intentionally misleading visitors to your site into thinking that their connection is secure when it isn't is illegal and violates our ToS http://wiki.helionet.org/Terms Your site appears to be nothing more than a web proxy. Proxies tend to cause a lot of load, and you may end up being suspended again for high load even if you fix the misleading SSL references.

403 forbidden on that link.

Your account was running about 50 perl scripts each of which was trying to use about 5% of the server memory, and your account caused such high load that the entire Johnny server and the other 11,000 accounts on that server experienced 6 hours of downtime. I'm trying to determine whether you did this on purpose.

This will be fixed soon. I'll make another post when it is ready to go.

What were you doing on your account when it was suspended?

What makes you think Johnny has it enabled? From Johnny phpinfo: From Stevie phpinfo:

Your account has been unsuspended. You've got yourself a spambot problem on your smf install. Delete or prevent the spambots from posting on your forum and I'm sure your account will stop sending thousands of emails each day.

Deployed. http://amolsarang.heliohost.org/soamportal

Unsuspended. If that's the case I guess this is proof that we respect the privacy of our users and don't snoop into the actual contents of the emails, but rather just monitor the volume of emails. Sorry for the inconvenience, and good luck.

Due to abuse of our email system (especially on Stevie) we have had been forced to tighten our security on spam sending accounts. Your account was suspended for sending 281 emails on average per day. We recommend you keep this value below 50 emails per day to avoid being suspended. This is your only warning. The next suspension will be permanent. Feel free to use these forums for assistance if you're unsure how to reduce the number of emails your account sends, how to prevent vulnerabilities on your site that could allow a spammer to send mail from your account, etc. When you are confidant that you can solve your spam email problem quickly before you get suspended again let us know by replying to this thread and the first admin that sees it can unsuspend your account.

Deployed. http://softlab.heliohost.org/blog

This doesn't look like it's going to be feasible. Are there any other options that you could use to convert html to pdf, or can you run this program on your home computer and upload the results to your website?

Delisting a server only to have it listed again a few days (or hours) reflects even worse on the reputation, and in some cases they can permanently block the server from ever being delisted again. The more information you all can provide as to the nature and method of the spam being sent from our servers the more quickly we can refine our automated spam prevention processes, and hopefully never have this happen again.

Looks like everything is working now. My guess is that, like most Johnny accounts when the server was broken, the account creation failed. Since his domain is not something.heliohost.org then it will show up as queued until the account is created properly rather than show no domain by that name.