wolstech

Chief Risk Officer
  • Posts

    17,722
  • Joined

  • Last visited

  • Days Won

    662

Everything posted by wolstech

  1. Check in your ~/mail folder for a folder called battistini-impianti.old which contains the mailboxes from your old account. I went through a few recent emails from each mailbox and didn't see any phishing, so I moved them for you. You may not be able to get the old messages to show in your new mailbox (you could try moving them into the corresponding folders in the new mailbox, but I don't know if that will work), but you can open those long filename files and see the messages at the bottom.
  2. Cool. I see your new account hmradio created. Let me know if you have any questions.
  3. I took a look and also deleted the config folder for you. That one had malware in it as well. I don't see any malware left now. I'd suggest just changing your password and getting everything set up again now. The only other thing to do would be to delete AnonymousFox and any unknown users from the users table of your WP (or just drop the database entirely) since the files are gone. EDIT: Looks like you deleted the whole account. Check your forum email address for an invite.
  4. It still had DNS entries for your old account in the system. Give me a few to get them cleaned up and I'll send another invite.
  5. The well known folder is normal. Delete the index folder entirely. If they keep coming back after that, delete your entire account and let me know. I’ll send an invite so you can sign up again.
  6. We are unable to return any data from an account used for phishing because there may be stolen data on the account. This is done to protect the victims who were phished. Please restore from backup.
  7. It's banned due to AnonymousFox setting up a phishing site on it. I've sent you an invite for a new account and removed your domain from your old one.
  8. It won't reset because it's banned due to AnonymousFox setting up a phishing site on it. You'll need to sign up again. I've sent you an invite for a new account.
  9. Looks like the compromise's purpose was not just phishing emails with that leafmailer.php, but they're setting up the actual phishing websites on them as well. I suspect a lot of our Tommy users who aren't aware of this hack are about to get phishing bans. I just banned an account that had a phishing site uploaded (Bank of America phishing). I checked its databases and confirmed that it was indeed AnonymousFox'd. This guy had his account for a year. His domain is now flagged on Google as Deceptive as well...
     /home/droidsta/public_html/wp-admins/euihdus/ewudhuwohdojas/bofa.sec.2018/bofa.sec.2018 /worxsz/Validation/step6.php
     /home/droidsta/public_html/wp-admins/euihdus/ewudhuwohdojas/bofa.sec.2018/bofa.sec.2018 /worxsz/b400207e72aeab4eeffc53d317b8f5d6/step6.php
     /home/droidsta/public_html/wp-admins/euihdus/ewudhuwohdojas/bofa.sec.2018/bofa.sec.2018 /worxsz/25fd28df336fcf7ae0fd51a5881a7b91/step6.php
     /home/droidsta/public_html/wp-admins/euihdus/ewudhuwohdojas/bofa.sec.2018/bofa.sec.2018 /worxsz/dc4a49c1f699bf96baae178003c659a9/step6.php
     /home/droidsta/public_html/wp-admins/euihdus/ewudhuwohdojas/bofa.sec.2018/bofa.sec.2018 /worxsz/c9b235e46164fa42699a51a44b192fbf/step6.php
     /home/droidsta/public_html/wp-admins/euihdus/ewudhuwohdojas/bofa.sec.2018/bofa.sec.2018 /worxsz/4c9fabe8e899cf54cabeb8952e56682d/step6.php
     /home/droidsta/public_html/wp-admins/euihdus/ewudhuwohdojas/bofa.sec.2018/bofa.sec.2018 /worxsz/bdfc473696eadceec723041abd35d4ef/step6.php
  10. Thanks.
  11. Krydos can enable this for you...moving so he sees it.
  12. Whatever the IP of Minecraft.raxsoft.com currently is (can’t check easily on mobile). It’s a dynamic IP though it usually doesn’t change that often.
  13. Check the databases for both of them and see if there is an entry in the user table for “AnonymousFox”. Also check for random number file names in the wp-admin folder. If either exists, delete the entire installation, drop the databases, and reinstall. We recommend not using WP for exactly this reason. It’s notorious for terrible security and getting hacked. The hacked sites are being used for phishing based on the abuse reports we are getting. If that happens to yours, your account will get banned, which will cause you to lose your data and you’ll have to sign up again, so it’s a good idea to be proactive and take care of it before it goes phishing.
  14. What database, database user, and IP (or do you allow any IP) needs remote access?
  15. Krydos, can you check to see if port 51990 outbound got closed on Tommy? It just recently stopped working for me; one of my sites uses it to communicate with a remote server. It was working fine until a few weeks ago, and now just reports a cannot-connect error. The IP it connects to is dynamic and recently changed. https://www.raxsoft.com/temp/fsock.php should work but does not...
  16. Even if you got paid hosting at hostgator, you'd have the same problem with WordPress...it's WP that's the problem, not us, so moving hosts won't fix it and in fact might cause you to lose your money if they decide to ban you when you inevitably get hacked again. You're more than welcome to create a new site here, but please don't use WP this time around if you do.
  17. The proper configuration is to create NS records pointed to ns1.heliohost.org and ns2.heliohost.org. Some services list this option as "use my own DNS" or "custom dns server". If they don't support NS records, you'll need to change your main domain to the co.vu domain you registered using this: http://heliohost.org/classic/support/scripts/domain then set an A record pointed to your account's shared IP address (you can find this on the right side under server information). Please note that without the name servers, several features including email and subdomains will not work.
  18. Time to learn, I think. Joomla will be the easier of the two to learn, and honestly, once you're used to it, you'll probably end up preferring it. It's just so much better built than WP, and is arguably what WP should have been. I used WP myself initially, then played with Joomla, which I use for a few sites I host elsewhere, and found it to be a better product. It's usually my first choice when building a site for someone these days. I still have a single WP install lying around, which got hacked, and I'm tempted to not bother fixing it. I eventually wrote my own site myself (custom CMS) and have yet to have an issue with that. Programming experience is obviously needed for that method though.
  19. Do you run WordPress? Many WP installs on Tommy were compromised on Friday, and the hacker did change cPanel passwords as part of the hack using the malware he uploaded. Start by resetting your password here: https://tommy.heliohost.org:2083/resetpass?start=1 After that, check for random-number files in your WordPress installations created on Friday (they'll be in wp-admin and wp-content), and for a user account named AnonymousFox in the users table of the database. If any exist, delete the ENTIRE WordPress installation and reinstall.
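The two indicators wolstech asks users to check in posts 13 and 19 (random-number file names under wp-admin and wp-content, and an unexpected AnonymousFox login in the WordPress users table) can be turned into a repeatable defender-side check. The script below is an added example, not code from wolstech or HelioHost; the directory layout and the user rows it inspects are constructed sample data, and a real run would point `scan_files` at the site root and feed `scan_users` the `user_login`/`user_email` columns read from `wp_users`.

```python
"""Added example: detect the AnonymousFox indicators described in the thread.
Sample site tree and user rows below are constructed for illustration."""
import os
import re
import tempfile

# Core WordPress files are never named as a bare number; a basename that is
# all digits (optionally with .php) in these directories is a red flag.
SUSPICIOUS_NAME = re.compile(r"^\d+(\.php)?$")
WATCHED_DIRS = ("wp-admin", "wp-content")
SUSPICIOUS_LOGINS = {"anonymousfox"}  # compared case-insensitively


def scan_files(site_root):
    """Return site-relative paths of random-number files under the watched dirs."""
    hits = []
    for sub in WATCHED_DIRS:
        base = os.path.join(site_root, sub)
        for dirpath, _dirs, files in os.walk(base):  # silently empty if dir is absent
            for name in files:
                if SUSPICIOUS_NAME.match(name):
                    hits.append(os.path.relpath(os.path.join(dirpath, name), site_root))
    return sorted(hits)


def scan_users(user_rows):
    """user_rows: iterable of (user_login, user_email) as read from wp_users.
    Returns the logins that match a known attacker account name."""
    return sorted(login for login, _email in user_rows
                  if login.lower() in SUSPICIOUS_LOGINS)


def assess(site_root, user_rows):
    """Run both checks; 'reinstall' mirrors the thread's advice that either
    indicator means wiping the whole installation rather than spot-cleaning."""
    files = scan_files(site_root)
    users = scan_users(user_rows)
    return {"files": files, "users": users, "reinstall": bool(files or users)}


def build_sample_site():
    """Constructed sample tree: legitimate files plus two planted numeric names."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    layout = {
        "wp-admin/admin.php": "<?php // legitimate core file\n",
        "wp-admin/8261043.php": "<?php // planted file (constructed sample)\n",
        "wp-content/uploads/2023/44918273": "junk\n",
        "wp-content/themes/twentytwenty/style.css": "/* theme stylesheet */\n",
    }
    for rel, body in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


# Constructed sample of wp_users rows: the site owner plus the planted account.
SAMPLE_USERS = [("admin", "owner@example.invalid"),
                ("AnonymousFox", "fox@example.invalid")]

if __name__ == "__main__":
    print(assess(build_sample_site(), SAMPLE_USERS))
```

The file check deliberately ignores directory names (a `2023` upload folder is normal) and only flags file basenames; the user check is case-insensitive because the login column is matched that way by most MySQL collations.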
  20. I'm betting he scraped DNS and searched for other domains running WP with the same IP. I can't think of any way he'd be able to browse across accounts locally. One user won't have access to another's home folder.
  21. Something in your Wordpress installation had a security hole that got abused to hack your account. Either you failed to keep it up to date, or you had bad luck and used a plug-in that has a hole. We recommend that people not use Wordpress for this exact reason. It is far too easy to compromise and causes a big mess when it does get compromised.
  22. A user inherently has rights to all files in its home folder as well as the right to change its own password. Scripts execute under the context of the user account that owns them, so by nature, any script within an account has the right to place files anywhere on the account (permissions allowing) or to change the password of the account running it. If the script is running as the user, changing the cpanel password is as simple as executing the passwd command. A cpanel password is actually just the password of the Linux user behind the account. Changing it could be done using nearly any programming language we support, or even by creating a cron job (which is just a file in your home folder). Putting the leafmailer in another site is a matter of just saving it in a different folder.