
wolstech

Chief Risk Officer
  • Posts: 17,044
  • Days Won: 617

Everything posted by wolstech

  1. Nope. Both are likely from the malware. If they aren't yours, remove them. If you check them, I'll bet they have phishing mails in their sent folder.
  2. That htaccess is normal, those two folders with the random number files and php.ini are malware and should be deleted in their entirety.
  3. It's banned for phishing...contents show that yeah, it's the WP hack. The bad news is since they set up a phishing site on it, it can't be unsuspended due to the presence of stolen data. I've removed your domains from your banned account and you should receive an invite for a new account shortly at the same email address that was on the original one.
  4. Ironically, WordPress' themes are the number one way it gets infected... Joomla templates tend to not be nearly as prone to malware as WP is either, at least in my experience. I've used them off a few of the common free template sites you find on Google with no issues. If you want something simple, you can also just modify the ones included. They're mostly just CSS and images. The templates in the older 2.5 version were better than what comes with 3.x, but I would not recommend using old Joomla (tends to be like WP, best kept updated).
  5. The domain loirp.com is not hosted with us because its name servers point to GoDaddy. As for ecjrp.com, it's not attached to an account, so it doesn't work. Add it to your account as an addon or alias and it should work.
  6. Check in your ~/mail folder for a folder called battistini-impianti.old which contains the mailboxes from your old account. I went through a few recent emails from each mailbox and didn't see any phishing, so I moved them for you. You may not be able to get the old messages to show in your new mailbox (you could try moving them into the corresponding folders in the new mailbox, but I don't know if that will work), but you can open those long filename files and see the messages at the bottom.
  7. Cool. I see your new account hmradio created. Let me know if you have any questions.
  8. I took a look and also deleted the config folder for you. That one had malware in it as well. I don't see any malware left now. I'd suggest just changing your password and getting everything set up again now. Only other thing to do would be to delete AnonymousFox and any unknown users from the users table of your WP (or just drop the database entirely) since the files are gone. EDIT: Looks like you deleted the whole account. Check your forum email address for an invite.
  9. It still had DNS entries for your old account in the system. Give me a few to get them cleaned up and I'll send another invite.
  10. The well known folder is normal. Delete the index folder entirely. If they keep coming back after that, delete your entire account and let me know. I’ll send an invite so you can sign up again.
  11. We are unable to return any data from an account used for phishing because there may be stolen data on the account. This is done to protect the victims who were phished. Please restore from backup.
  12. It's banned due to AnonymousFox setting up a phishing site on it. I've sent you an invite for a new account and removed your domain from your old one.
  13. It won't reset because it's banned due to AnonymousFox setting up a phishing site on it. You'll need to sign up again. I've sent you an invite for a new account.
  14. Looks like the compromise's purpose was not just phishing emails with that leafmailer.php, but they're setting up the actual phishing websites on them as well. I suspect a lot of our Tommy users who aren't aware of this hack are about to get phishing bans. I just banned an account that had a phishing site uploaded (Bank of America phishing). I checked its databases and confirmed that it was indeed AnonymousFox'd. This guy had his account for a year. His domain is now flagged on Google as Deceptive as well...
      /home/droidsta/public_html/wp-admins/euihdus/ewudhuwohdojas/bofa.sec.2018/bofa.sec.2018 /worxsz/Validation/step6.php
      /home/droidsta/public_html/wp-admins/euihdus/ewudhuwohdojas/bofa.sec.2018/bofa.sec.2018 /worxsz/b400207e72aeab4eeffc53d317b8f5d6/step6.php
      /home/droidsta/public_html/wp-admins/euihdus/ewudhuwohdojas/bofa.sec.2018/bofa.sec.2018 /worxsz/25fd28df336fcf7ae0fd51a5881a7b91/step6.php
      /home/droidsta/public_html/wp-admins/euihdus/ewudhuwohdojas/bofa.sec.2018/bofa.sec.2018 /worxsz/dc4a49c1f699bf96baae178003c659a9/step6.php
      /home/droidsta/public_html/wp-admins/euihdus/ewudhuwohdojas/bofa.sec.2018/bofa.sec.2018 /worxsz/c9b235e46164fa42699a51a44b192fbf/step6.php
      /home/droidsta/public_html/wp-admins/euihdus/ewudhuwohdojas/bofa.sec.2018/bofa.sec.2018 /worxsz/4c9fabe8e899cf54cabeb8952e56682d/step6.php
      /home/droidsta/public_html/wp-admins/euihdus/ewudhuwohdojas/bofa.sec.2018/bofa.sec.2018 /worxsz/bdfc473696eadceec723041abd35d4ef/step6.php
  15. Whatever the IP of Minecraft.raxsoft.com currently is (can’t check easily on mobile). It’s a dynamic IP though it usually doesn’t change that often.
  16. Check the databases for both of them and see if there is an entry in the user table for “AnonymousFox”. Also check for random number file names in the wp-admin folder. If either exists, delete the entire installation, drop the databases, and reinstall. We recommend not using WP for exactly this reason. It’s notorious for terrible security and getting hacked. The hacked sites are being used for phishing based on the abuse reports we are getting. If that happens to yours, your account will get banned, which will cause you to lose your data and you’ll have to sign up again, so it’s a good idea to be proactive and take care of it before it goes phishing.
  17. What database, database user, and IP (or you allow any IP) needs remote access?
  18. Krydos, Can you check to see if port 51990 outbound got closed on Tommy? It just recently stopped working for me, one of my sites uses it to communicate with a remote server. Was working fine until a few weeks ago, and now just reports a cannot connect error. The IP it connects to is dynamic and recently changed. https://www.raxsoft.com/temp/fsock.php should work but does not...
  19. Even if you got paid hosting at HostGator, you'd have the same problem with WordPress...it's WP that's the problem, not us, so moving hosts won't fix it and in fact might cause you to lose your money if they decide to ban you when you inevitably get hacked again. You're more than welcome to create a new site here, but please don't use WP this time around if you do.
  20. The proper configuration is to create NS records pointed to ns1.heliohost.org and ns2.heliohost.org. Some services list this option as "use my own DNS" or "custom dns server". If they don't support NS records, you'll need to change your main domain to the co.vu domain you registered using this: http://heliohost.org/classic/support/scripts/domain then set an A record pointed to your account's shared IP address (you can find this on the right side under server information). Please note that without the name servers, several features including email and subdomains will not work.