wolstech

Chief Risk Officer
  • Posts: 19184
  • Joined
  • Last visited
  • Days Won: 759

Posts posted by wolstech

  1. Johnny accounts have a 5 domain limit, so these won't fit as written. To make them fit, we need to reduce the number of domains by one. I would suggest either making one of them your main domain (and remove ashraf.helioho.st), or skip the alias.

    How do you want to proceed?

  2. In regards to your original request, you must send your support request from the email address on the account in order for it to be reset.

    Providing the email address in the body of the email is not sufficient; the email must actually be sent from that mailbox to prove that you control the associated email address.

  3. non-WordPress domain on this account)

    That's why I missed it...that domain has node instead. When I went through the domains, I saw that one had node enabled and just skipped over it, as I was focused on the WP stuff. Good news is that those files, while definitely malicious, likely would not have been able to run anyway since you had Node enabled (passenger redirects everything to node when enabled on a domain, so Apache never gets to run the PHP files).

    The interesting part is that the index.php is clearly meant for a nonexistent WP on that domain, and the mac.php looks like it may be the same as, or a very similar file to, a file called bless24.php that was on the compromised lda.ng domain (I recognize this string from the top: xtamdxsirm from the other day).

  4. The contents of the domain lda.ng have been discarded, the associated WP database developer1_lda has been dropped, and you've been unsuspended. Your account may take up to 2 hours to function fully. The attack came in through WordPress itself, which is usually either a result of plugins with vulnerabilities or failure to install updates.

    A backup from February actually does exist for your account at https://heliohost.org/backup/ if you need anything from that timeframe.

    You can make backups using the backup tool in Plesk. Note that if you use this, it is advised that you configure remote storage, as the backups it creates count towards your disk space quota and can quickly cause you to run out of space.

  5. Our policy is typically to require the entire account be reset without a backup to destroy the contents before you can recover a hacked account (in case phishing or similar was set up and stolen information is present), though after looking through your account I don't see anything suspicious outside of the one domain that was compromised (lda.ng). 

    Are you OK with deleting the contents of the domain lda.ng and the associated WP database to be unsuspended?

  6. The file hk_hlm_founds.txt on your account is in a folder called pass_lists, which we took to mean it's "found" (stolen) passwords. Can you explain what this file is for? Can you show how you obtained the contents of this file? 

    Note that if we agree to unsuspend you, we are likely going to require a full reset without a backup as well.

    Also escalating as I'm curious about Krydos's input on this...

  7. That particular subdomain cannot be added because it is reserved by the system (it's used by the Plesk built-in webmail if you enable it). If you're trying to set up webmail for email accounts you created in Plesk, there's an option to turn this on in the mail settings. Note that it takes 2 hours to start working, and you'll probably also want to install an SSL certificate for it.

    If you're trying to run your own webmail app instead, you'll need to pick a different subdomain.

  8. It wasn't suspended for excessive load; it was suspended for attempting to run commands as root.

    Attempting to run commands as root on the shared hosting is indeed considered a hacking attempt and typically results in a permanent ban without warning or refund.

    I'm willing to reset your account (which permanently deletes all of your data) and let you start over; however, you must never attempt to run that script here again, nor should you ever attempt to run shell commands as root. If you're unable to kill processes on your own, you must contact support and request they be killed for you.

    A second violation will result in a permanent ban without warning or refund.

    Are you OK with starting over?

  9. Since you're not using our name servers, this is not something we can do for you. You'll need to do this yourself.

    The DKIM records can be gotten from Plesk as they are unique to each account.

    For SPF, the record should have no name (or the same name as your domain, it should be in the root), and you use this value: "v=spf1 include:johnny.heliohost.org ~all"

    For DMARC, name the record _DMARC and use this value: "v=DMARC1; p=quarantine"
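    A small offline checker for the two record values given in this post, added here as an example (it is not wolstech's or HelioHost's code): it parses SPF and DMARC TXT values, flags the weak settings a reviewer would catch (`+all`, `p=none`, a missing `v=` tag, too many lookup terms), and renders the zone-file lines showing that SPF sits at the domain apex while DMARC sits under `_dmarc`. The hostnames are taken from the post; `example.com` and the weak records are constructed inputs, and nothing is looked up over the network.

```python
"""Offline SPF / DMARC TXT record checker (added example, not HelioHost code)."""

SPF_QUALIFIERS = "+-~?"
# SPF mechanisms per RFC 7208; redirect= and exp= are modifiers, not mechanisms.
SPF_MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Parse an SPF TXT value. Returns (findings, terms).

    terms is a list of (qualifier, name, value); modifiers use "modifier" as qualifier.
    """
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"], []
    parsed = []
    for term in terms[1:]:
        if "=" in term:  # modifier, e.g. redirect=_spf.example or exp=...
            name, value = term.split("=", 1)
            parsed.append(("modifier", name.lower(), value))
            continue
        qualifier = "+"  # implicit qualifier when none is written
        if term[0] in SPF_QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name not in SPF_MECHANISMS:
            findings.append(f"unknown mechanism: {name}")
        if name in ("include", "exists") and not value:
            findings.append(f"{name} requires a domain argument")
        parsed.append((qualifier, name, value))
    names = [p[1] for p in parsed]
    # Without a terminal 'all' (or redirect=) the record says nothing about other senders.
    if "all" not in names and "redirect" not in names:
        findings.append("no 'all' mechanism (or redirect=) at the end")
    for qual, name, _ in parsed:
        if name == "all" and qual == "+":
            findings.append("+all authorises every sender; use ~all or -all")
    lookups = sum(1 for name in names if name in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceeds the RFC 7208 limit of 10")
    return findings, parsed


def parse_dmarc(record):
    """Parse a DMARC TXT value (published at _dmarc.<domain>). Returns (findings, tags)."""
    findings = []
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            findings.append(f"malformed tag: {part!r}")
            continue
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = value
    # v=DMARC1 must be the first tag, not merely present somewhere.
    if list(tags)[:1] != ["v"] or tags.get("v") != "DMARC1":
        findings.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= must be one of none, quarantine, reject")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("note: no rua= address, so aggregate reports will not be received")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append("pct= must be 0-100")
    return findings, tags


def zone_lines(domain, spf, dmarc):
    """Render both records as zone-file lines: SPF at the apex, DMARC under _dmarc."""
    return [f'{domain}. IN TXT "{spf}"', f'_dmarc.{domain}. IN TXT "{dmarc}"']


if __name__ == "__main__":
    # Values from the post, followed by two constructed weak records for contrast.
    for rec in ("v=spf1 include:johnny.heliohost.org ~all", "v=spf1 mx +all"):
        print("SPF  ", rec, "->", parse_spf(rec)[0] or "ok")
    for rec in ("v=DMARC1; p=quarantine", "v=DMARC1; p=none"):
        print("DMARC", rec, "->", parse_dmarc(rec)[0] or "ok")
    print("\n".join(zone_lines("example.com", "v=spf1 include:johnny.heliohost.org ~all",
                               "v=DMARC1; p=quarantine")))
```

    Run it directly to see the post's two records pass with only the informational `rua=` note, while the constructed `+all` and `p=none` records are flagged; the `zone_lines` output makes the naming rule from the post concrete (no name for SPF, `_dmarc` for DMARC, which DNS treats case-insensitively).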

  10. High server load. 10033.60 CPU.

    Excess CPU usage is usually caused by leaving processes running continuously, overusing scheduled tasks, leaving SFTP sessions open, or writing code that gets stuck in a loop or never exits. The notes on your account say you're using WordPress, which is also infamous for causing high load (see https://wiki.helionet.org/WordPress), so that's probably the most likely cause.

    No process data is available since it has been more than 24 hours since your suspension.

    Please monitor your load (you can do so here: https://heliohost.org/dashboard/load/ ), and fix any issues quickly.

    Unsuspended. It can take up to 2 hours for your site to function.
