Everything posted by developer1

  1. Great observation! Thank you.
  2. Hi Wolstech, Following up on this thread; wanted to flag something I found while cleaning up after the recent incident, in case it's useful for your records. While reviewing my ngo.helioho.st site (a separate, non-WordPress domain on this account) I found two files that don't belong there: a heavily obfuscated backdoor named mac.php (last modified June 11, ~7:49 PM), and an injected index.php containing a remote-eval payload pulling from 63.141.235.34, plus a redirect to a suspicious shortened link, swiy.co/goodrich555 (modified June 13, ~7:07–7:12 AM). Both timestamps are before your review where you mentioned nothing looked suspicious outside lda.ng, so this looks like it's from the same intrusion window, just on a domain that isn't WordPress and may not have been part of that check. Tried backing up existing WP installs like ths.helioho, but I encounter Host Build interrupts due to things like allowed runtime and PHP max execution. I've already renamed both files to .infected to disable them and remove them from execution and I'm restoring a clean copy of that site myself. I'm not asking for another account-wide reset; this is contained and I'm handling it, but since I don't have shell access to search file contents across the rest of the account, and since this looks like leftover from the same incident rather than a new one, I wanted to flag it rather than sit on it. Would it be possible to do a targeted check for similar files on my other domains rather than a full account reset, since the rest of the account otherwise appears unaffected? Happy to send over the exact file contents if that helps your scan. Thanks again for the help.
  3. Wow, please don't reset as I haven't performed a full backup. I am okay with clearing/deleting the contents of the lda domain etc. for it to be unsuspended. Once restored I will create a full backup of the entire account so that I can avoid any major losses going forward. I would appreciate it if you can kindly pinpoint me to an article/guide on how to do a holistic backup for the whole account so I can reduce my exposures. Also any further information on how this attack was perpetrated/what exactly was affected, will go a long way. Thanks!
  4. Hello, I'm on the Morty plan and I got a mail from you yesterday that one of my sites that uses WordPress was hacked and so my entire account has been suspended. I would like to request that my account be unsuspended as I have many other sites on it which are not affected and which rely on being online. I would appreciate it if the particular affected site is preferably brought down for maintenance but all my other sites which have been carefully curated and such are still left as they were. I look forward to your speedy intervention. I would also like to ask in future if it's possible in such cases that the specific site be suspended instead of suspending an entire account. Thanks.
  5. Hi there, Please could you set up SPF, DKIM, and DMARC for my domain 'ngo.helioho.st' and its associated alias. In Plesk’s “Track Email Delivery” I see messages leaving the server, but Gmail is bouncing them with error 5.7.26. In Mail Settings for ngo.helioho.st, I tried to turn on 'Use DKIM spam protection system to sign outgoing email messages' in Plesk but it shows “This option is not supported”, so I can’t enable DKIM myself. Could you please: Enable DKIM (and SPF and DMARC) for full mail options for ngo.helioho.st, and let me know what SPF / DKIM records or settings you recommend for authenticated sending, and/or confirm that I can/should instead use an external SMTP service for sending and if so, what are the recommended settings so that I can implement for my other domains when the time comes without having to bother you? Many thanks! User: 'developer1'
  6. Thanks! I’ve pointed ngonike.dev and www.ngonike.dev to the IPs shown in Plesk via A/AAAA records on my Squarespace DNS. Both domains should now serve the same site.
  7. I'd want both to work and just show the same content.
  8. I'd want both to work and show the same content.
  9. Hi, I have a domain in my user account: 'developer1', which I'd like to add a custom domain for the current site: 'ngo.helioho.st' on the account. Please park ngonike.dev (and www.ngonike.dev) on my account so it serves the same site as ngo.helioho.st. Thanks.
  10. Tried that as well, to no success. Due to the way the folders are and the content, it's proving difficult. I'd appreciate if you can extract it from your end. Thank you.
  11. I've been trying to extract a zip folder into one of my domains; ngo.helioho.st, but it delays and doesn't finish extracting or ends up showing errors. The folder name is 'node_module-linux.zip' and its size is 185MB. On my local, the extracted size is 570MB. I still have ample space on my allotted space so I don't get why I can't extract it successfully. In fact, other extractions have earlier failed for other domains before I cleared them out.
  12. Hello, my username is "developer1" and right now I have the main-domain "developer1.helioho.st" to my account. And I would like to add the following domains to my account. Eventually when I've uploaded the sites and they are working on these domains, I will like to rework their DNS to reflect each of their original custom domains (.dev, .ng, .dev, .dev, .ng respectively): ngo.helioho.st, lda.helioho.st, agp.helioho.st, sai.helioho.st, fwx.helioho.st. Thank you very very much in advance!