
wolstech
Chief Risk Officer
Posts: 17,036
Days Won: 617

Everything posted by wolstech

  1. I'm going to let one of our other root admins Krydos decide on this. Your best case scenario would be a new account with a new domain (we don't unsuspend phishing or let you reuse domains that hosted phishing content). In the meantime, can you explain the above 5 points A - E from my last post? He'll want to see your answers so he can decide.
  2. Your IP address of registration as well as the one you're posting from are both showing as belonging to M247 Ltd, a Los Angeles-based company known to supply VPNs/proxies, so I can't tell where you are. The forum and hosting registration IPs don't match but are both from the same Proxy/VPN service. Also, I do find it odd that: A. You registered using a VPN or proxy, which in most cases only happens when phishing is planned in advance. We do have a few legitimate accounts like this, but they're hosting legitimate blogs and such. B. The phishing is oddly related to the account's username. C. You used the same excuse that nearly every phisher we've dealt with has used ("friend did it"). D. The last login IP in cPanel is from the same proxy/VPN service, suggesting that no "friend" ever signed in. E. Your email address is from a known abuse domain that also contains no meaningful content. The odds that they'd use the exact same VPN used to create the account to sign into a friend's hosting account and upload oddly-specific phishing just doesn't happen. Can you explain? I'll let Krydos make the final call on this, but I suspect he'll stand behind me when we say you intentionally phished.
  3. Um...that's Chase bank phishing, Office 365 phishing, and something else in that zip file that I didn't bother to inspect.

     root@johnny [~]# cd /home/micoexel/www
     root@johnny [/home/micoexel/www]# ls -R
     .:
     Best Scama Bank Chase Full Info.zip  chase  microsoftexcelverification  cgi-bin  ducuhakwe.zip

     ./cgi-bin:

     ./chase:
     home  index.php  rezlt.txt  uploads

     ./chase/home:
     antibots.php  css  index.php  verification-finished.php  blocker.php  css2  res  verification-id.php  bt.php  email.php  robots.txt  verification-info.php  chase.png  error_log  verification-email.php  verification.php

     ./chase/home/css:
     112.png  favicon.ico  alert.png  jquery-3.1.0.min.js  background.desktop.night.4.jpeg  jquery.fileuploader-theme-thumbnails.css  background.desktop.night.7.jpeg  jquery.maskedinput.js  background_image.png  js  background.mobile.night.4.jpeg  logon.css  background.mobile.night.7.jpeg  main.css  background.tablet.night.7.jpeg  new-bg.png  blue-ui.css  next-bg.png  builderstyle.css  opensans-regular.eot  Capture.PNG  opensans-regular.woff  chasefavicon.ico  opensans-semibold.woff  chase-touch-icon-120x120.png  php  chase-touch-icon-152x152.png  sample-photo-id-card.svg  chase-touch-icon-76x76.png  sample-selfie-card.svg  chase-touch-icon.png  src  css  warning.png  css.css

     ./chase/home/css/css:
     background.desktop.night.7.jpeg  jquery.fileuploader-theme-thumbnails.css  css.css

     ./chase/home/css/js:
     custom.js  jquery-3.1.1.min.js

     ./chase/home/css/php:
     form_upload.php  upload_file.php  upload_remove.php

     ./chase/home/css/src:
     class.fileuploader.php  jquery.fileuploader.js  jquery.fileuploader.css  jquery.fileuploader.min.js

     ./chase/home/css2:
     background.mobile.night.4.jpeg  jquery.maskedinput.js  background.mobile.night.7.jpeg  opensans-regular.eot  blue-ui.css  opensans-regular.woff  chasefavicon.ico  opensans-semibold.ttf  chase-touch-icon-120x120.png  videoplayer.eot  chase-touch-icon-152x152.png  videoplayer.ttf  chase-touch-icon-76x76.png  videoplayer.woff  chase-touch-icon.png

     ./chase/home/res:
     post1.php  post3.php  post4.php  post5.php  system.php  view-success.php

     ./chase/uploads:
     1  gsTafzc-lQ261udNR81msA.jpeg

     ./microsoftexcelverification:
     images  index.php  login.php  New Folder  phone.php  post.php  verification.php

     ./microsoftexcelverification/images:
     favicon.ico  m1.png  m2.png  m3.png  m4.png  m5.png  m6.png

     ./microsoftexcelverification/New Folder:
     root@johnny [/home/micoexel/www]#
  4. That account is suspended for Phishing. HelioHost does not tolerate phishing activity of any kind, and for security reasons will not unsuspend, back up, or delete an account that was involved in phishing. Because this was intentional phishing, you are no longer welcome to utilize our services and we ask that you find another web host. We apologize for any inconvenience and would like to thank you for your interest in HelioHost.
  5. We don't officially support such configurations, which is why we advise people not to do this, though if this setup is working for you, that's fine. Just be aware that if you ever need to reset your password and cannot get to the email box associated with the account for any reason, your only option will be to abandon the account and create a new one. You won't be able to delete it or get backups either.
  6. An invite has been sent to the email address associated with your forum account.
  7. Actually, you'd be surprised. Oftentimes the email accounts used were phished or had weak passwords. As someone who has a Gmail account that it happened to (weak password), it's more common than you think. Other times they just use random addresses in hopes of not needing the verification (blog comment systems are often like this by default).
  8. $1 or more. You should receive an email within 24 hours of donating with a link to register for tommy.
  9. If your personal email was given to a spam bot, and the bot used it to try to sign up for 1000s of websites so it could spam them, you'd receive 1000s of emails as a result of the bot. Would you report those 1000s of unwanted emails as spam? I bet you would.
  10. What you're missing here is that it's not even our policy unfortunately. Our provider Hurricane Electric requires us to suspend or ban users who receive abuse reports, so our system suspends all users who receive a report regardless of its content (the large majority of these reports are for phishing and other cybercrime, but unfortunately legitimate ones will get flagged too). If we fail to do so, they take the entire server offline (and if it happens too much, they could in theory put us out of business by cancelling our service). As a result, as ridiculous as it sounds, we have no choice. Most users who run larger forums here simply use an external SMTP server for their forum and call it a day.
  11. You're suspended for distributing hacking tools, which is against our terms of service.
  12. Done. You should now be able to log in and your website should start working within 2 hours.
  13. I'm aware it's not "spam" in the traditional sense, but it was unwanted by its recipient (which appears to be a rather dubious email address), and as a result you need to respect that by preventing that user from receiving further email from your account. Some email services automatically report spam on their users' behalf and don't even deliver them. AOL (Verizon) is the most famous for doing this, though Comcast and GMX have been known to do it automatically as well. This might be what has happened since it was a Comcast address; however, since there's no way of knowing, you need to make sure that particular address never receives another email from you (usually that means banning them from your forum). We also usually recommend our users disable registration emails on forums for this exact reason. We receive a lot of reports for forum registration email being marked as spam, usually when a forum gets hit by spambots trying to sign up to post their spam. Also, while this email wasn't "technically" spam, this unfortunately isn't something we're able to take lightly because if we don't suspend users for spam reports and your emails continue to get marked as spam, the entire server you're on (several thousand websites) can end up on major spam blacklists, meaning nobody sharing the same server is able to send email without it being marked as spam. Needless to say, that's a massive inconvenience to everyone else, and even worse, it can take months to fix and get unblocked.
  14. You're suspended because someone reported your email as spam. Please make sure that the email address referenced in the abuse report below never receives email from you again. Unsuspended. It should start working again in the next few minutes...

     We have received a complaint about your account. Please investigate and fix within 24 hours.

     Hurricane Electric Abuse Department
     support@he.net

     From fbl@bounce.mailstream.senderscore.net Wed Jan 23 09:58:51 2019
     Return-Path: <fbl@bounce.mailstream.senderscore.net>
     X-Original-To: report@abuse.he.net
     Delivered-To: report@abuse.he.net
     Received: from he.net (he.net [216.218.186.2]) by abuse.he.net (Postfix) with ESMTPS id 0362F54030A for <report@abuse.he.net>; Wed, 23 Jan 2019 09:58:51 -0800 (PST)
     Authentication-Results: he.net; dkim=pass (no signature error) header.i=@senderscore.net header.s=081107 header.b=Hv7NYjJ2
     Received: from mrd.us-east-1a.returnpath.net ([54.84.12.226]) by he.net with ESMTPS (ECDHE-RSA-AES128-GCM-SHA256:TLSv1.2:Kx=ECDH:Au=RSA:Enc=AESGCM(128):Mac=AEAD) for <abuse@he.net>; Wed, 23 Jan 2019 09:58:47 -0800
     Received: (Haraka outbound); Wed, 23 Jan 2019 17:57:44 +0000
     Received: from localhost (ip-10-252-38-11.ec2.internal [10.252.38.11]) by mrd.us-east-1a.returnpath.net (Haraka/2.8.21) with ESMTP id 9246F72A-53F3-4855-9E80-ED8B9554B9A5.1 envelope-from <fbl@bounce.mailstream.senderscore.net>; Wed, 23 Jan 2019 17:57:44 +0000
     From: Comcast FBL Service <feedbackloop@comcastfbl.senderscore.net>
     Date: Wed, 23 Jan 2019 17:57:44 +0000
     Mime-Version: 1.0
     X-Rp-Fbl: type=arf;
     Content-Type: multipart/report; report-type=feedback-report; boundary=f3afb0e75cc167b85f8d63a7c1276654b3998919183117501dcfe5d6aa28
     Message-Id: <01D1XXRNVKVDR2ZA9N4SKR4WZC.fbl@bounce.mailstream.senderscore.net>
     To: abuse@he.net
     Subject: Comcast Abuse Report
     DKIM-Signature: v=1;a=rsa-sha256;bh=vBZvOW7xirtr8ACHEKiwFk0Uc9XP+SNuYTAfh4u6AQw=;c=relaxed/simple;d=senderscore.net;h=from:to:subject;s=081107;b=Hv7NYjJ2j5+jzvjkkK7kDtkEItBINBLDY0FbNW4DZbdNqlrh9crocItY2s/+3t+5JMwqX2AXNEwdD4D0S5e5lhej2PL/ZyQO+KCwGADSAMZMa8UmFKop7bb19T6+lONE8+BPds88+XeA49lQGEPvH5bn0x7bBMuky9KsdNVu8vg=

     --f3afb0e75cc167b85f8d63a7c1276654b3998919183117501dcfe5d6aa28
     Content-Type: text/plain; charset=UTF-8
     Content-Transfer-Encoding: quoted-printable

     This is a Comcast Abuse Report for an email message received from domain gu=
     mbroker.heliohost.org, IP 64.62.211.134, on Wed, 23 Jan 2019 09:18:21 +0000=
     .

     --f3afb0e75cc167b85f8d63a7c1276654b3998919183117501dcfe5d6aa28
     Content-Disposition: inline
     Content-Transfer-Encoding: 8bit
     Content-Type: message/feedback-report

     Subscription-Link: https://fbl.returnpath.net/manage/subscriptions/122002
     User-Agent: ReturnPathFBL/2.0
     Original-Mail-From: gbadmin@gumbroker.heliohost.org
     Source-Ip: 64.62.211.134
     Source: Comcast
     Abuse-Type: complaint
     Feedback-Type: abuse
     Version: 1
     Arrival-Date: Wed, 23 Jan 2019 09:18:21 +0000
     Original-Rcpt-To: d3ff0f8c850b855cd77b0562f5609996@comcast.net
     Reported-Domain: gumbroker.heliohost.org

     --f3afb0e75cc167b85f8d63a7c1276654b3998919183117501dcfe5d6aa28
     Content-Disposition: inline
     Content-Transfer-Encoding: 8bit
     Content-Type: message/rfc822

     Return-Path: <gbadmin@gumbroker.heliohost.org>
     Delivered-To: d3ff0f8c850b855cd77b0562f5609996@comcast.net
     Received: from dovdir4-ch2g-03o.email.comcast.net ([69.252.207.19]) by dovback4-ch2g-03o.email.comcast.net with LMTP id SBduBVtQSFxELQAAfXIGpw for <d3ff0f8c850b855cd77b0562f5609996@comcast.net>; Wed, 23 Jan 2019 11:30:35 +0000
     Received: from dovpxy-asb-14o.email.comcast.net ([69.252.207.19]) by dovdir4-ch2g-03o.email.comcast.net with LMTP id GMQgA1tQSFyKKwAAuRYs6A ; Wed, 23 Jan 2019 11:30:35 +0000
     Received: from resimta-ch2-19v.sys.comcast.net ([69.252.207.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by dovpxy-asb-14o.email.comcast.net with LMTP id +A5oJ1VQSFxUaQAAfOHJ6w ; Wed, 23 Jan 2019 11:30:34 +0000
     Received: from ricky.heliohost.org ([64.62.211.134]) by resimta-ch2-19v.sys.comcast.net with ESMTP id mGjpgOMSQvvn5mGjqgd8j9; Wed, 23 Jan 2019 11:30:34 +0000
     X-CAA-SPAM: 00000
     X-Xfinity-VAAS: gggruggvucftvghtrhhoucdtuddrgedtledriedtgdeftdcutefuodetggdotefrodftvfcurfhrohhfihhlvgemucevohhmtggrshhtqdftvghsihenuceurghilhhouhhtmecufedttdenucdntegttghouhhnthculddvtddmnecujfgurhepuffvhfhrshggkffftgfgrfgioffqsehtkehjtdertdejnecuhfhrohhmpedfifhumheurhhokhgvrhcuhfhorhhumhhsfdcuoehgsggrughmihhnsehguhhmsghrohhkvghrrdhhvghlihhohhhoshhtrdhorhhgqeenucffohhmrghinhephhgvlhhiohhhohhsthdrohhrghenucfkphepieegrdeivddrvdduuddrudefgeenucfrrghrrghmpehhvghloheprhhitghkhidrhhgvlhhiohhhohhsthdrohhrghdpihhnvghtpeeigedriedvrddvuddurddufeegpdhmrghilhhfrhhomhepghgsrggumhhinhesghhumhgsrhhokhgvrhdrhhgvlhhiohhhohhsthdrohhrghdprhgtphhtthhopehkvghnnhgvthhhpghstghhlhgvihgthhgvrhestghomhgtrghsthdrnhgvthenucevlhhushhtvghrufhiiigvpedt
     X-Xfinity-CCat: updates
     X-Xfinity-VMeta: sc=20;st=transactional:account
     X-Xfinity-Message-Heuristics: IPv6:N;TLS=1;SPF=1;DMARC=
     Authentication-Results: resimta-ch2-19v.sys.comcast.net; dkim=pass header.d=gumbroker.heliohost.org header.b=cYcUrNcA
     DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gumbroker.heliohost.org; s=default; h=Content-Transfer-Encoding:
         Content-Type:Date:Message-ID:MIME-Version:Sender:Reply-To:From:To:Subject:Cc:
         Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
         Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:
         List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
         bh=3HY9oUCl8DFnJdnNGZJbr+8cGq59xbKb6S8vhQmGiis=; b=cYcUrNcAp3h1vpC93NbS3LRQZ
         VN1pDZiP3jOf7kRKs5WYmwVbQbt8HmvseaPXnqB+HCk9y/oHIihx4PoC4sY+tvPKCtiFw0kRah5ed
         inYS3ofCvMYuxLdWViHZMEjf3GukyYohOnAnyR4vkXR0NUJ1NMfyc1Lged3/iQQMl8cDdRoEtqtIY
         MupqvSoNsIa8L/PYkict9cY1G46WGiaQBf5V6MtNZF53QxcPGOkVKtDq8o1y4VeJSGsY28zkXftRn
         /6+r30Ey1CPWgKE9GtHFxi5ilEbt2BE+3um6a9ocw4iGouR/TGUgeRb+TFVK3XuUVTP+quhM9FfgW
         mERzBxkDA==;
     Received: from ricky.heliohost.org ([64.62.211.134]:45692) by ricky.heliohost.org with esmtpsa (TLSv1:ECDHE-RSA-AES128-SHA:128) (Exim 4.89) (envelope-from <gbadmin@gumbroker.heliohost.org>) id 1gmEfu-000SJ8-UN for d3ff0f8c850b855cd77b0562f5609996@comcast.net; Wed, 23 Jan 2019 01:18:23 -0800
     Subject: Welcome to "GumBroker"
     To: ab07afaef698e4357206005e678b0140 <d3ff0f8c850b855cd77b0562f5609996@comcast.net>
     From: "=?UTF-8?B?R3VtQnJva2VyIEZvcnVtcw==?=" <gbadmin@gumbroker.heliohost.org>
     Reply-To: "=?UTF-8?B?R3VtQnJva2VyIEZvcnVtcw==?=" <gbadmin@gumbroker.heliohost.org>
     Sender: <gbadmin@gumbroker.heliohost.org>
     MIME-Version: 1.0
     Message-ID: <0a4eca5528e742af3c5ad7845ff719ac@gumbroker.heliohost.org>
     Date: Wed, 23 Jan 2019 09:18:21 +0000
     Content-Type: text/plain; charset=UTF-8
     Content-Transfer-Encoding: 8bit
     X-Priority: 3
     X-MSMail-Priority: Normal
     X-Mailer: phpBB3
     X-MimeOLE: phpBB3
     X-phpBB-Origin: phpbb://gumbroker.heliohost.org/forum
     X-AntiAbuse: Board servername - gumbroker.heliohost.org
     X-AntiAbuse: User_id - 1
     X-AntiAbuse: Username - Anonymous
     X-AntiAbuse: User IP - 188.138.188.34
     X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
     X-AntiAbuse: Primary Hostname - ricky.heliohost.org
     X-AntiAbuse: Original Domain - comcast.net
     X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
     X-AntiAbuse: Sender Address Domain - gumbroker.heliohost.org
     X-Get-Message-Sender-Via: ricky.heliohost.org: authenticated_id: smtp_daemon@gumbroker.heliohost.org
     X-Authenticated-Sender: ricky.heliohost.org: smtp_daemon@gumbroker.heliohost.org
     X-Source:
     X-Source-Args:
     X-Source-Dir:

     Welcome to GumBroker forums

     Please keep this email for your records. Your account information is as follows:

     ----------------------------
     Username: ab07afaef698e4357206005e678b0140
     Board URL: http://gumbroker.heliohost.org/forum
     ----------------------------

     Your account is currently inactive and will need to be approved by an administrator before you can log in. Another email will be sent when this has occurred.

     Your password has been securely stored in our database and cannot be retrieved. In the event that it is forgotten, you will be able to reset it using the email address associated with your account.

     Thank you for registering.
  15. 46.251.163.233 is your IP address, not the IP of our server. Your forum post came from that IP as well. You probably need to enable remote MySQL in cPanel. There should be a page specifically for it; you just need to add 46.251.163.233 to the list of allowed hosts on that page to fix the MySQL. As for SFTP, verify the port is correct. Also, only your cPanel account can use SFTP. If you created additional FTP accounts in cPanel, those need to use unencrypted, plain FTP on port 21.
  16. I took a look through this account...it looks like it got hacked. That hacker then used your account to set up phishing. If there's any data you specifically need, let me know; it might be retrievable depending on what it is (I can't provide scripts, but things like photos and such, if any, could be retrieved). I've sent you an invite for a new account too so you don't have to wait until registration opens.
  17. Many people do. The problem is that a lot of botnets also use it, and until we turned it off, we had a lot of criminals hosting panels for their botnets here. We didn't want that sort of stuff hanging around. We also had a lot of users who would run pirated/nulled software with it, so turning it off mostly fixed our copyright infringement problem as well.
  18. You'll need to install an older version of Moodle. Barracuda is a feature of a newer version of MySQL that we don't run, and as a result it's not supported. It's apparently a very common complaint with Moodle. Even big-name companies like GoDaddy can't run it because of this very non-standard requirement. Moodle is the only program I'm aware of that uses this odd MySQL format, and since most hosting providers don't support it, you might be better off finding other software so you don't end up stuck with obsolete versions. We likely can't upgrade MySQL easily due to cPanel limitations and the risk of breaking everything, but I'll let Krydos advise on that.
  19. It appears to be running already: http://tommy.heliohost.org:8080/ Is there a specific reason that you need this restarted?
  20. Unblocked. It was for failed cPanel logins, so I would suggest checking that your password is correct.
  21. Did you change your file permissions? If you upload your own files, you need to make sure the permissions on them are set to 644. All folders inside of public_html (but not public_html itself) should be 755. When you upload, the folders are usually 775 and the files are 664 by default (note that center number!) and need to be changed. Apache does not like files and folders being writable by the group.
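As an added example (not code from the original post or from HelioHost), a small POSIX shell script that audits a web root for the group-writable 775/664 defaults the post describes and normalizes everything below it to 755 for directories and 644 for files, leaving the top-level directory itself untouched. It assumes GNU find/stat and that the public_html path is passed as the argument.

```shell
#!/bin/sh
# Added example: find and fix upload permissions the way the post describes.
# Assumes GNU find (-mindepth, -perm /MODE) and GNU stat (-c %a).

# Print every entry below ROOT (not ROOT itself) that is writable by the
# group or by others, i.e. the 775/664 defaults Apache rejects.
audit_perms() {
    root="$1"
    # -perm /022: match if the group-write OR other-write bit is set
    find "$root" -mindepth 1 -perm /022 -print
}

# Reset directories to 755 and files to 644 below ROOT, skipping ROOT
# itself (the post says public_html must keep its own permissions).
fix_perms() {
    root="$1"
    find "$root" -mindepth 1 -type d -exec chmod 755 {} +
    find "$root" -mindepth 1 -type f -exec chmod 644 {} +
}

# Octal mode of a path, so the result can be checked after fixing.
mode_of() {
    stat -c %a "$1"
}

# Usage: sh fixperms.sh /home/USER/public_html
if [ -n "$1" ]; then
    echo "Group/other-writable entries before fixing:"
    audit_perms "$1"
    fix_perms "$1"
    echo "Remaining group/other-writable entries (should be none):"
    audit_perms "$1"
fi
```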
  22. Done. You should now be able to log in and your website should be working again.