wolstech

Chief Risk Officer
  • Posts: 17,032
  • Days Won: 617

Everything posted by wolstech

  1. The program in the "SchoolIS" folder appears to have been responsible for the issue since the malware was found hiding in there, but there's no guarantee they didn't just hide it there. We have no way of actually knowing how they got in. Unfortunately we can't provide any data from an account affected like this because of the potential that other malware or stolen information could be hiding in it.
  2. Whatever was in the SchoolIS folder got hacked. Don't reinstall that software. Malware was uploaded into the hacked software's folder, and that malware was in the process of compromising other users on the server to extract database credentials when the server auto-banned the account. If you're curious about this sort of attack (and the consequences of it when successful), search our forums for "AnonymousFox". We had an attacker successfully pull it off just over 2 years ago, and it resulted in almost every WordPress installation on Tommy being banned for phishing and spam. It primarily attacks WP, but also can hit Joomla, WHMCS, IPB, and a few others. Here's a basic description of it: https://www.helionet.org/index/topic/33983-what-was-the-anonymousfox-hack/ (the malware on your account was the script used to conduct the initial sweep and grab database credentials; it appears the server banned it before the attacker could do anything further). Our attack was over 2 years ago, but AnonymousFox hasn't gone away and was seen in the wild as recently as just a few months ago: https://www.brightvessel.com/anonymous-fox-wordpress-5-5-hack-should-i-be-concerned/
  3. What was the username of the old account? Also, did you delete the account, or just abandon it? If you deleted it, we won't have any backups or other data to recover. Abandoned accounts get archived and can be recovered.
  4. Yep. Krydos has posted numbers on here before...we had a site running something else pushing thousands of views and causing virtually no load, while a comparable WP site caused more load in like 5 page views than the first one did with its thousands. We also see WP get suspended when it isn't even being used (things like its cron can get it suspended).
  5. You can add error_reporting(E_ALL); to the top of your script and it will show every little thing. The errors will also log to the error_log file in the same folder as the script.
  6. That account was hacked and used for illegal activity, and as a result cannot be unsuspended nor backed up. An invite has been sent to the email address on file to create a new account.
  7. While not the easiest, you can do all but the contact form using plain HTML and CSS if you don't mind working directly in HTML. Also, a script to email you the results of a contact form isn't terribly hard to make in PHP. Joomla was a pretty popular alternative to WP, but it's become a bit bloated these days (though still not as bad as WP). It's hard for me to speak to public alternatives since I ended up building my own CMS (granted it needs an overhaul due to the dated look of my site, it still works and isn't slow or hacked 8 years later...)
  8. Unarchive already running. Looks like someone else started this already...
  9. That account is not archived. EDIT: Just realized Krydos is also on at the moment, he probably unarchived it already.
  10. WordPress is doing that, not the server. You have to reconfigure it for the new domain. I renamed index.php to index.old for you and it's no longer redirecting. You'll need to rename it back once you reconfigure WP. Word of advice: Don't use WordPress. It's the leading cause of performance issues, load suspensions, hacked accounts, and even accidental phishing bans. Literally any other software is better.
  11. It will never install a certificate for him because he forced SSL in .htaccess (AutoSSL requires the site be able to accept a plain HTTP connection). I deleted his htaccess file and it immediately issued a cert. If he really wants to require SSL, either exceptions need to be included to make AutoSSL work properly, or he can do it in PHP instead. I see the cert in his cPanel now as well, so as soon as Apache restarts this should work for him (he may need to clear his cache). Also, word of advice: Dump WordPress. If there's any one program that will run terribly and get you suspended, it's WP. Literally any other product is better.
  12. I've never heard of it, but pretty much anything is better than WP, so definitely give it a shot. WP is junk internally, insomuch that it's our number one cause of performance issues, high load suspensions, even accidental phishing bans (when it gets hacked, and it almost certainly will considering how insecure it is).
  13. CF registrar is not compatible with our service (it's one of 4, the others are OVH, eu.org, and registro.br...). We are unable to provide support for users who use CF registrar because CF is known to not work reliably with our service and it's nearly impossible to diagnose due to their lack of a way to change name servers. We can't run any of our normal tests and cannot control what their servers are doing to your connection. CF is quite literally the number one cause of all the weird issues we see around here. Since they don't let you change the NS on your domains, your options are to transfer the domains out to a service like Namecheap, use third party email, or find another web host.
  14. We also support Skrill as well as various cryptocurrencies. https://heliohost.org/donate/ Please post the transaction ID if you use one of those methods so we can send you the Tommy invite.
  15. Well, the mail definitely doesn't arrive for you. I sent an email to the contact address at one of your domains, it never arrived. I am unable to troubleshoot further because CloudFlare is enabled. Please remove CF and set your name servers to NS1.heliohost.org and NS2.heliohost.org if you would like me to troubleshoot further. EDIT: It made it to the server after several minutes, then gave this error in the logs: The mail server could not deliver mail to [redacted]. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries. Could be DNS issues on CF's end, but unless you remove CF and use our NS so I can review your records, I can't test any further. The domain and mailbox definitely exist because I can check the mail in Roundcube...it would error out if it couldn't check the mail. Tommy is not blacklisted, nor is your domain.
  16. I was able to receive email at my Tommy account a few minutes ago, but I use CF for the DNS since most of my stuff is on Lily and I have a ton of custom requirements, so it's not a good test. I'm looking into this again.
  17. MySQL is v5.7.32 on Johnny and Tommy, 5.6.37 on Ricky. You'll need a VPS if you want to run that script here.
  18. That account is not suspended and is working properly. If you see a suspended page, please clear your cache.
  19. If he had a .org previously and can prove he had it, he can get it back, though we'll need to set it for him. Be aware that the change domain script sometimes fails on the .us subdomains. If that happens let us know and we can change it for you manually.
  20. Krydos can get you logs to find out why it failed.
  21. Oh. Whenever a user in here mentions email issues involving Gmail, we typically immediately blame Gmail because it's known for not being the most cooperative with our service. Their spam filter loves to cause lots of weird issues. Since you're using Zoho now it's a moot point, but my guess is it was a DNS issue or SpamAssassin. If you want us to troubleshoot that further, please let us know.
  22. If it's the issue I'm thinking of, it's because you can't use Gmail to "send as other account" when the recipient is the Gmail account being used to send it. If you log into cPanel and send the mail from there, it should arrive at your Gmail just fine (though it may go to spam). Same goes for if you make the recipient an address that's not your Gmail account.
  23. I've suspended lighttec and unsuspended lightech so you can get your data. Please let me know when you've backed your data up, and I'll resuspend this and unsuspend lighttec again.