
wolstech

Chief Risk Officer
  • Posts: 17,043
  • Days Won: 617

Everything posted by wolstech

  1. Files from accounts involved in a hacking attempt cannot be recovered because they may contain illegal or stolen information. I'll take a look at the databases when I get a chance.
  2. WP themselves have been making an effort to actively deny this hack happened. They deleted numerous posts on their forums, and the hack reports just get closed saying no bug found... Meanwhile, just about every single WP on Tommy got hacked. We found an account that we believe was the launch point for the attack. For WordPress, it's known to work on the latest version with no extensions installed. There are reports of it from other users and hosts on WP's site back to June of 2017, so this has been around for a while and remains unfixed.

    The results of the attack are malware shells all over, a modified index.php, and a php.ini file being dropped in several folders (useless on our servers; we don't allow ini overrides). Some accounts have a folder called index or config dropped in their public_html, generally also containing the above malicious files. Accounts that were actually used by the attacker after infection generally had a PayPal phishing site set up somewhere within wp-admin or the themes folders. A number of them also had a spambot known as leafmailer uploaded, which was then used to send phishing emails to get people to visit the aforementioned phishing websites.

    We began noticing the issue when tons of people were suddenly being suspended for high load or too many emails... then abuse reports for the phishing sites started coming in and we were having to hand out phishing bans to a large number of our longtime users' accounts. That's when we investigated and determined it was a mass hack... since the hack was easily detectable on an account, a mass-ban of all hacked accounts promptly followed.
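The indicators listed in the post above (php.ini dropped into folders, an index or config folder in public_html holding PHP files, a leafmailer upload) turned into a per-account scan. This is an added example, not HelioHost's own tooling; the sample tree, file contents and paths are constructed.

```python
"""Scan one account's public_html for the indicators described in the post.
Added example, not HelioHost's code; sample tree and paths are constructed."""
import os
import tempfile
from pathlib import Path

DROPPED_INI = "php.ini"            # ini override dropped in several folders
SUSPECT_DIRS = {"index", "config"}  # folders dropped directly in public_html
MAILER_MARKER = "leafmailer"        # spambot named in the post


def scan_account(public_html: str) -> list:
    """Return (reason, path) tuples for every indicator found under public_html."""
    root = Path(public_html)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        for name in filenames:
            if name == DROPPED_INI:
                findings.append(("php.ini dropped in web tree", str(here / name)))
            if MAILER_MARKER in name.lower():
                findings.append(("leafmailer spambot upload", str(here / name)))
        if here == root:  # only folders directly under public_html count here
            for d in dirnames:
                if d.lower() in SUSPECT_DIRS and any((here / d).glob("*.php")):
                    findings.append(("index/config folder holding PHP", str(here / d)))
    return findings


def build_sample_tree(base: str) -> str:
    """Constructed stand-in for a compromised WordPress account (placeholder contents)."""
    root = Path(base) / "public_html"
    for sub in ("wp-admin", "wp-content", "index"):
        (root / sub).mkdir(parents=True)
    (root / "index.php").write_text("<?php /* site entry point */")
    (root / "index" / "shell.php").write_text("<?php /* constructed placeholder */")
    (root / "wp-admin" / "php.ini").write_text("; constructed placeholder")
    (root / "wp-content" / "leafmailer.php").write_text("<?php /* constructed placeholder */")
    return str(root)


def demo_reasons() -> list:
    """Build the sample tree in a temp dir, scan it, and return the sorted reasons."""
    with tempfile.TemporaryDirectory() as tmp:
        return sorted(reason for reason, _ in scan_account(build_sample_tree(tmp)))


if __name__ == "__main__":
    print("\n".join(demo_reasons()))
```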
  3. No problem. I was confused the first time I got one too...that was back before I was here and I had no idea how it happened either.
  4. Received: from [171.249.69.200] (port=12195)

    We don't own that IP (it's somewhere in Vietnam), which means you're the recipient of the spam, not the sender. A lot of spammers do this... they put the recipient in both the From and To fields to hide their origins. The recipient receives a mail that appears to have been sent to themselves. The domain they want resumes sent to resolves to an IP in Indonesia (a world leader in phishing operations), so I'm not surprised. The MX records for that domain point to mail.swisswatchshop.info, which in turn points to a server in Russia. TL;DR: Someone sent you a phishing email. Just delete it.
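The triage in the post above (walk the Received chain to the originating IP, check whether it is in the operator's own ranges, note that From and To are identical) as an added example, not HelioHost's code. The owned network range and the sample message are constructed; only the Received line mirrors the one quoted in the post.

```python
"""Triage a 'mail from myself' spam sample. Added example; OWNED_NETS and SAMPLE are constructed."""
import ipaddress
import re
from email import message_from_string
from typing import Optional

# Constructed: address space the mail operator actually owns.
OWNED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample; the external Received line mirrors the one quoted in the post.
SAMPLE = """\
Received: from mail.example.org (localhost [127.0.0.1]) by mail.example.org; Mon, 1 Jan 2018 10:00:00 +0000
Received: from [171.249.69.200] (port=12195) by mail.example.org with esmtp; Mon, 1 Jan 2018 09:59:58 +0000
From: victim@example.org
To: victim@example.org
Subject: Send your resume

Please send your resume to resumes@phish-domain.invalid
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(raw: str) -> Optional[str]:
    """The earliest hop is the last Received header; skip loopback relay entries."""
    msg = message_from_string(raw)
    for hdr in reversed(msg.get_all("Received", [])):
        for ip in IP_RE.findall(hdr):
            if not ipaddress.ip_address(ip).is_loopback:
                return ip
    return None


def triage(raw: str) -> dict:
    """Answer the two questions from the post: did it leave our network, and is From == To?"""
    msg = message_from_string(raw)
    ip = originating_ip(raw)
    addr = ipaddress.ip_address(ip) if ip else None
    return {
        "origin_ip": ip,
        "sent_from_our_network": addr is not None and any(addr in n for n in OWNED_NETS),
        "from_equals_to": (msg["From"] or "").strip().lower() == (msg["To"] or "").strip().lower(),
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A result with `sent_from_our_network` False and `from_equals_to` True is the "you are the recipient, not the sender" case the post describes.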
  5. All Johnny accounts are intentionally archived due to scheduled maintenance and cannot be restored at this time. Please see https://www.helionet.org/index/topic/33812-johnny-maintenance/ If you're a donor, we can restore it on a different server if you wish. If you want to download the content for free, see this topic: https://www.helionet.org/index/topic/33871-johnny-backups/ In addition, I see you have 2 accounts, which violates our Terms of Service. When the server is repaired only one of your two accounts will be recoverable and you will need to decide which one you want to keep.
  6. All Johnny accounts are intentionally archived due to scheduled maintenance and cannot be restored at this time. Please see https://www.helionet.org/index/topic/33812-johnny-maintenance/ If you're a donor, we can restore it on a different server if you wish. If you want to download the content for free, see this topic: https://www.helionet.org/index/topic/33871-johnny-backups/
  7. That's because your account is archived. It cannot be unarchived either due to maintenance. https://www.helionet.org/index/topic/33812-johnny-maintenance/
  8. It's intentional due to planned maintenance and cannot be unarchived at this time. https://www.helionet.org/index/topic/33812-johnny-maintenance/ If you want to download your content, see this topic: https://www.helionet.org/index/topic/33871-johnny-backups/ If you're a donor, we can move you to another server and restore it there. Please provide a transaction ID if this is the case. Minimum donation is $1.
  9. That's to be determined, but I wouldn't expect it to return any time soon. Johnny has a severe memory leak, so it's possible that we end up rebuilding him yet again (that'll be round 5...). See here to get your content: https://www.helionet.org/index/topic/33871-johnny-backups/ Alternatively, we can move you to another server if you're a donor.
  10. It likely failed. A lot of them do this if the old account isn't completely cleaned out of DNS beforehand. What was the new account's username so I can check the logs?
  11. See https://www.helionet.org/index/topic/33812-johnny-maintenance/ There is no estimate for when it will return. It has a rather severe memory leak and may end up being rebuilt again (that'd be round 5...), so I wouldn't expect it any time soon. Also, I would like to remind you that Johnny is an experimental server and is not intended for production hosting. If extended downtime, random quirks, crashes, or unexpected maintenance are problematic for you, Ricky or Tommy are better choices for your account.
  12. There are two issues here. First, an email cannot have two accounts associated with it, so you'd need a new invite. Second, you're only allowed one account. Creating the second one violates the terms of service. Since you made the donation and manage it for your father, it's effectively your account, just hosting someone else's site (I do the same thing for people I maintain sites for on mine). What you need to do is use an addon domain on your existing account so you can host a second site on it. If your donation is $5 or more, I can add an extra GB of space for you (please provide a transaction ID so I can check).
  13. It's intentional. Take a look at https://www.helionet.org/index/topic/33812-johnny-maintenance/ and https://www.helionet.org/index/topic/33871-johnny-backups/
  14. You can change it after signing up with the invite. In cPanel, there's an option in the last group at the bottom for contact information.
  15. Krydos would be the one to answer this, so I'll move it and let him explain the details, but most of that money goes to Hurricane Electric ($400 IIRC) with the rest going towards software licenses, domains, etc. For what it's worth, we haven't had a month in the black since last year. We have money in the bank to operate for a while yet (2 years or so), but we're far from sustainable and if this trend continues, we will eventually end up going bankrupt. Google AdSense used to be our primary funding source, but they no longer allow us to use their ads on our main pages (our website, suspended pages, etc.), erroneously claiming there's "no content"... and of course, being Google, there's absolutely zero customer support to speak to about that.
  16. It's not inactivity, it's intentionally disabled due to maintenance. Please see https://www.helionet.org/index/topic/33812-johnny-maintenance/
  17. wolstech

    Johnny Backups

    Just sign up again on another server. You can't delete an archived account. If you're a donor, I can just move the archive to another server for you and restore it there if you prefer.
  18. wolstech

    Johnny Backups

    OK... Please check your PMs for details on what I did for you; however, I've gotten your website up and running for you: http://mail2ftp.heliohost.org Do you want your forum accounts combined? You now have mailftp, mail2ftp, and Lena. Lena is your original and the one associated with the fixed account.
  19. wolstech

    Johnny Backups

    All of the backups are doing that for some reason... Also, your accounts are a bit of a mess because it seems like your account is on all 3 servers at the moment... archived on Johnny, a new one on Ricky that doesn't work (shows the inactive page for Johnny???), and apparently one on Tommy as well that was unaccounted for in the system (I tried just moving your archive for you since you're our longest-term customer and just have a static HTML site... it blew up due to the existing Tommy account and a domain conflict with the Ricky account you made). Let me get this mess cleaned up for you...
  20. This account has a compromised CMS installation that has been affected by the recent AnonymousFox hack and cannot be unsuspended. An invitation will be sent to you shortly so you can create a new account. Please restore your data using a backup. The data from your old account cannot be recovered or returned to you due to the possibility of the account having been used for phishing. As a reminder, when selecting a CMS, we highly recommend that users not use WordPress. WP and its extensions are notorious for having security issues such as the one you (and everyone else on Tommy) experienced, and it has the worst security track record of any CMS out there. Using a different program will help prevent this from happening again.
  21. Johnny accounts are intentionally disabled due to scheduled maintenance. https://www.helionet.org/index/topic/33812-johnny-maintenance/
  22. Johnny accounts are intentionally disabled due to scheduled maintenance. https://www.helionet.org/index/topic/33812-johnny-maintenance/
  23. It's a botnet, so it's impossible to identify the source. The actual attack looks like it's coming from all over the world since botnets are usually made up of random PCs that have malware.
  24. This account has a compromised CMS installation that has been affected by the recent AnonymousFox hack and cannot be unsuspended. An invitation will be sent to you shortly so you can create a new account. Please restore your data using a backup. The data from your old account cannot be recovered or returned to you due to the possibility of the account having been used for phishing. As a reminder, when selecting a CMS, we highly recommend that users not use WordPress. WP and its extensions are notorious for having security issues such as the one you (and everyone else on Tommy) experienced, and it has the worst security track record of any CMS out there. Using a different program will help prevent this from happening again.
  25. Sort of. They use a botnet (hence the first D, "distributed", in DDoS), so the connections come from random IPs, making a conventional firewall useless. We do already restrict too many connections from an IP during these attacks, which helps, but they just bring more/different bots instead. The firewall uses quite a bit of resources to detect and refuse these connections too. A hardware firewall appliance would be more efficient here.

    The actual attack method varies. One method (the one used on Johnny) entails wasting server resources by opening a ton of connections and just leaving them open all day without closing them. This causes the server to leave Apache processes open waiting for the content of their request that never comes. The connections do eventually time out, but the attacker just reopens the connections when that happens. This means decreasing the max connection time actually increases load (a process for the timed-out connection closing, and a new process for the replacement connection starting), making it useless as a mitigation.

    The second is request flooding. In that method, they just send requests for a targeted website over and over again as fast as possible, which results in the server using its resources to fulfill these requests over and over again, leaving it little time for legitimate requests to be processed. Consider that a typical request involves: Apache receiving the request and finding the file, then launching PHP. PHP then runs the script in the file, which often asks MySQL for data. PHP then sits there in memory waiting for that data; when it gets it, it uses that data, finishes its script and returns a webpage to Apache to send out. Doesn't seem too bad when you're handling a few hundred at a time, but when you want to suddenly do 1 million of them concurrently, it becomes an issue... the server gets backlogged, and/or runs out of memory and crashes.

    This also often manifests as invalid requests or junk packets with no or useless data being sent... these aim to clog up the network as opposed to wasting the CPU's time. This is what I believe was happening on Tommy. The result is the same: legitimate requests cannot get through and the websites on the server get slow or go down.
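The per-IP request limiting the post above mentions, run over Apache access-log lines, as an added example rather than HelioHost's actual firewall. The threshold, window and log lines are constructed; as the post says, this catches one noisy address but not a botnet spreading requests across thousands of them.

```python
"""Flag request-flood sources in Apache combined-log lines.
Added example, not HelioHost's firewall; threshold, window and log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def flooding_ips(lines, max_requests: int = 5, window_s: int = 10) -> set:
    """Return IPs that issue more than max_requests within any window_s-second span."""
    recent = defaultdict(deque)  # per-IP sliding window of request timestamps
    flagged = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        ip, ts = m.group(1), datetime.strptime(m.group(2), TIME_FMT)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) > max_requests:
            flagged.add(ip)
    return flagged


# Constructed sample: one address hammering index.php once a second, one normal visitor.
SAMPLE_LOG = [
    f'198.51.100.7 - - [01/Jan/2018:10:00:{i:02d} +0000] "GET /index.php HTTP/1.1" 200 512'
    for i in range(8)
] + [
    '192.0.2.10 - - [01/Jan/2018:10:00:00 +0000] "GET / HTTP/1.1" 200 2048',
    '192.0.2.10 - - [01/Jan/2018:10:00:20 +0000] "GET /about.html HTTP/1.1" 200 1024',
    '192.0.2.10 - - [01/Jan/2018:10:00:40 +0000] "GET /contact.html HTTP/1.1" 200 900',
    'not a log line',
]

if __name__ == "__main__":
    print(flooding_ips(SAMPLE_LOG))
```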