wolstech

Chief Risk Officer
Everything posted by wolstech

  1. This is a Krydos issue. Escalating...
  2. Specifically, there was a page phishing Instagram credentials in the loginpage folder.
  3. Unblocked. Failed IMAP logins...you have a mail client somewhere (often a cell phone) that is checking mail with bad credentials.
  4. You've been moved to Tommy. Thank you for the donation.
  5. You've been moved to Tommy. Thank you for the donation.
  6. Unarchived.
  7. I think you're the first person to ever donate via BAT. Krydos should be able to see the coins, but since you posted the transaction information, moving...
  8. The email address has been released. Please keep in mind that we no longer offer the .heliohost.org domains, they're .heliohost.us now. If you want your original domain back, please sign up with a different domain then let us know and we can add your old domain back manually.
  9. @Luigi: He misspelled it. It's webjjig (not c). You're suspended because you created 3 accounts. You're only allowed one. Since the others are suspended, this one has been unsuspended.
  10. Please check your PMs for Lily account information.
  11. Gone.
  12. .NET 5 is not supported; the server supports .NET CLR 4.7 and .NET Core 3.1. Because other people are already using apps built for these versions, upgrading may break the other users' websites. Also, if you want to use Postgres databases from your ASP.NET applications, you'll need to request remote postgres access to your database from IP 65.19.141.70 so the application running on Lily can access the databases. Do you still want me to set up a Lily account for you?
  13. The invite went to the email address in your first post. It was sent around 5:40AM Eastern time. Please check your spam bin. If you can't find it, please provide a different email and I'll send it there instead. The domains have already been removed. As for not having WP, you definitely do (or perhaps the attacker installed it to try and hide his attack?). Below is what your account looked like at the time it got suspended. Based on the dates, it looks like the hacking actually went undetected for over a month beforehand. It was only when he decided to phish (dated March 30 below) that he got caught.

      root@tommy [/home/karachi/www]# ls -l
      total 3700
      -rw-r--r--. 1 karachi karachi 946 Feb 22 15:21 aeynqnfmak.php <- Malware
      -rw-r--r--. 1 karachi karachi 1640 Feb 20 16:45 basic.php
      drwxr-xr-x. 2 karachi karachi 6 Apr 6 09:42 cgi-bin
      lrwxrwxrwx. 1 karachi karachi 36 Feb 22 15:12 config.php
      lrwxrwxrwx. 1 karachi karachi 43 Feb 22 15:12 configuration.php
      lrwxrwxrwx. 1 karachi karachi 32 Feb 22 15:12 db.php
      -rw-r--r--. 1 karachi karachi 50027 Feb 22 13:36 eplvoyiclx.php <- Malware
      -rw-r--r--. 1 karachi karachi 2066 Mar 28 16:36 error_log
      drwxr-xr-x. 2 karachi karachi 1564672 Mar 30 13:16 F0xAutoConfig <- AnonymousFox hack
      -rw-r--r--. 1 karachi karachi 946 Feb 22 15:11 fuksqdyscq.php <- Malware
      -rw-r--r--. 1 karachi karachi 1172 Mar 26 12:36 helper.php
      -rw-r--r--. 1 karachi karachi 946 Feb 22 15:21 ifyhxpznqc.php <- Malware
      -rw-r--r--. 1 karachi karachi 405 Feb 6 2020 index.php
      -rw-r--r--. 1 karachi karachi 19915 Mar 10 17:05 license.txt
      -rw-r--r--. 1 karachi karachi 946 Feb 22 15:18 mqehyqiumu.php <- Malware
      -rw-r--r--. 1 karachi karachi 946 Feb 22 13:35 oykltfhhwz.php <- Malware
      drwxr-xr-x. 7 karachi karachi 161 Mar 30 13:10 paypal <- Phishing (Paypal)
      -rw-r--r--. 1 karachi karachi 111 Feb 22 15:21 php.ini
      -rw-r--r--. 1 karachi karachi 50027 Feb 22 13:35 qimvxzkjgk.php <- Malware
      -rw-r--r--. 1 karachi karachi 7345 Mar 10 17:05 readme.html
      -rw-r--r--. 1 karachi karachi 946 Feb 22 15:11 rrqbixencx.php <- Malware
      drwxr-x---. 2 karachi karachi 6 Feb 20 18:38 shipment.option <- Malware
      -rw-r--r--. 1 karachi karachi 946 Feb 22 13:35 sqtgqicpeb.php <- Malware
      lrwxrwxrwx. 1 karachi karachi 42 Feb 22 15:12 submitticket.php
      -rw-r--r--. 1 karachi karachi 1316563 Mar 30 07:06 v2.zip <- Zipped phishing site
      drwxr-xr-x. 3 karachi karachi 17 Mar 30 07:06 Voice <- Phishing (Chase Bank)
      -rw-r--r--. 1 karachi karachi 7165 Mar 10 17:05 wp-activate.php
      drwxr-xr-x. 9 karachi karachi 4096 Feb 20 16:51 wp-admin
      -rw-r--r--. 1 karachi karachi 351 Feb 6 2020 wp-blog-header.php
      -rw-r--r--. 1 karachi karachi 2328 Oct 9 02:45 wp-comments-post.php
      -rw-r--r--. 1 karachi karachi 3116 Feb 20 16:51 wp-config.php
      -rw-r--r--. 1 karachi karachi 2913 Feb 6 2020 wp-config-sample.php
      drwxr-xr-x. 6 karachi karachi 82 Mar 28 17:13 wp-content
      -rw-r--r--. 1 karachi karachi 3939 Jul 31 2020 wp-cron.php
      drwxr-xr-x. 25 karachi karachi 8192 Mar 10 17:05 wp-includes
      -rw-r--r--. 1 karachi karachi 2496 Feb 6 2020 wp-links-opml.php
      -rw-r--r--. 1 karachi karachi 3313 Mar 10 17:05 wp-load.php
      -rw-r--r--. 1 karachi karachi 44993 Mar 10 17:05 wp-login.php
      -rw-r--r--. 1 karachi karachi 8509 Apr 14 2020 wp-mail.php
      -rw-r--r--. 1 karachi karachi 21125 Mar 10 17:05 wp-settings.php
      -rw-r--r--. 1 karachi karachi 31328 Mar 10 17:05 wp-signup.php
      -rw-r--r--. 1 karachi karachi 4747 Oct 9 02:45 wp-trackback.php
      -rw-r--r--. 1 karachi karachi 3236 Jun 9 2020 xmlrpc.php
      root@tommy [/home/karachi/www]#
  14. Your WordPress installation got hacked and the attacker set up phishing, resulting in the account being permanently banned. We recommend avoiding WordPress because this is pretty common. WP is extremely insecure. An invite for a replacement account has been sent to you.
  15. It was actually for SFTP logins. Please be aware that SFTP only works with your cpanel account, it won't work with the additional accounts you can create in cpanel. Unblocked. It may take up to 15 minutes to be effective.
  16. @Flazepe: It won't work because it's archived. If he's deleting it so he can sign up again, there's no need to do so. He can simply sign up again. If he needs it removed so the domain can be reused, we can just edit the domain in the admin tools so the sign up lets it be reused. If he doesn't wish to host here any longer, he can simply abandon the account.
  17. Outbound port opened. Note that our firewall doesn't accept hostnames. That hostname seems to resolve to 35.167.241.233 so I opened it for that IP. If this changes, I'll need to update the record to make it work again.
  18. What is the IP address of the remote server?
  19. A ban for intentional phishing is permanent. You're no longer welcome here.
  20. The reset request was me. You said you couldn't get it to reset so I tried and it sent just fine. Your account is already active, you don't need to renew it. Either log in, or reset the password if you need to do so, then log in.
  21. It just sent a code fine for me. Did you renew it and immediately try to reset the password? The renewal process can take a little while...
  22. I'm not sure why it keeps forgetting his password when it goes inactive, but he might still need a password reset since it wouldn't reset for him. Johnny users are often better off using https://johnny.heliohost.org:2083/resetpass?start=1 to reset passwords. The website reset tool relies on an API call that has a bad habit of timing out on Johnny due to load and producing that password reset error he posted.
  23. Did you just add them? If so, it takes 2 hours or so before they work.
  24. Nevermind, this is intentional phishing. Chase bank specifically.

      root@johnny [/home/umeshyad/www]# ls -lR
      .:
      total 4
      drwxr-xr-x. 2 umeshyad umeshyad 25 Apr 2 07:18 cgi-bin
      drwxr-xr-x. 10 umeshyad umeshyad 229 Apr 2 07:18 chase
      -r--------. 1 umeshyad umeshyad 165 Apr 2 07:18 haccess.php
      ./cgi-bin:
      total 4
      -r--------. 1 umeshyad umeshyad 165 Apr 2 07:18 haccess.php
      ./chase:
      total 120
      drwxr-xr-x. 8 umeshyad umeshyad 174 Apr 2 07:18 023179ca6
      drwxr-xr-x. 8 umeshyad umeshyad 174 Dec 28 2019 06d8ed3ca
      -rw-r--r--. 1 umeshyad umeshyad 87206 Apr 2 07:21 adminpanel.php
      -rw-r--r--. 1 umeshyad umeshyad 15508 Dec 28 2019 admin.php
      -rw-r--r--. 1 umeshyad umeshyad 1 Apr 2 07:18 antibots.txt
      drwxr-xr-x. 2 umeshyad umeshyad 190 Apr 2 19:02 bot
      drwxr-xr-x. 8 umeshyad umeshyad 174 Dec 28 2019 eba26e5e8
      -r--------. 1 umeshyad umeshyad 165 Apr 2 07:18 haccess.php
      drwxr-xr-x. 8 umeshyad umeshyad 174 Dec 28 2019 home
      -rw-r--r--. 1 umeshyad umeshyad 935 Jun 7 2018 index.php
      drwxr-xr-x. 2 umeshyad umeshyad 25 Feb 24 2019 uploads
      -rw-r--r--. 1 umeshyad umeshyad 93 Apr 2 07:18 vu.txt