wolstech

Chief Risk Officer
  • Posts: 17,720
  • Days Won: 662

Everything posted by wolstech

  1. It looks like the actual hack was a single user. Krydos reported that he believes one account was compromised then used to find and infect the other installations. We don't know exactly how it happened though and there's not much to look at. The files the attacker left behind are obfuscated malware, and we know the motive (the leafmailer on several accounts combined with a few logs show that the attacker needed to send phishing email). The issue with AnonymousFox hacks seems to be running rampant across the internet...WP denies it, go figure. We're not the only ones getting hit by it: https://core.trac.wordpress.org/ticket/44554
  2. Applications that include their own server (like yours) are not supported. You need to remove the built-in server, repack as a war that can be served through tomcat on 80 or 443, request tomcat, wait in line, and once active deploy the war.
  3. Any chance they were running WordPress? Numerous WP sites on Tommy got hacked yesterday and we don’t know how: https://www.helionet.org/index/topic/33552-numerous-hacked-accounts-w-wp-on-tommy/
  4. Probably all of it since you were offering TV. You should look for public domain or other content with free redistribution rights. Some content from PBS used to fall in this category but I'm not sure if it still does (though it's likely to be cheap compared to most if it's not free and you wanted to license it).
  5. WordPress has a major security issue right now, see this topic: https://www.helionet.org/index/topic/33552-numerous-hacked-accounts-w-wp-on-tommy/?view=getnewpost
  6. If you want to build a site that does not offer such content you’re welcome to create a new account.
  7. Rebuild your site. I'd suggest finding another program but if you use WordPress again make sure everything is up-to-date when you install it.
  8. I added deny from all to your htaccess and unsuspended you so you can delete the WP installation.
  9. Didn't get suspended, but my minecraft site did go down and was full of malware...I reset my password, deleted the malware, and tossed a deny from all in .htaccess for now since I have to go to work...http://acmine.tk/ (403 error is intentional until I have time to fix it properly by restoring a backup).
  10. So, I'm seeing a lot of this today. WordPress installs on Tommy are getting hacked left and right. I even got mine hacked when it was fully up to date with no plugins beyond a port checker. Even weirder is that the cPanel password of a compromised account is being changed too. Mine changed, and I know it was not the same password as WP was. The thing I've noticed is that it's very consistent. All affected accounts so far (rax2, z9xdream, danval, usr8481, metals) are:
      • On Tommy
      • Running WordPress
      • Have had their cPanel password changed by the hacker
      • Have had their WP hacked and a backdoor/shell installed.
      • Username in WP is changed to "AnonymousFox"
      I described the visible effects of a hacked WP here (as seen on my own account): https://www.helionet.org/index/topic/33543-suspended/?do=findComment&comment=150433 Any ideas on this?
  11. I just found out my own account was compromised too. I had a WP site for Minecraft that was set up in 2014 but up to date as of 7/5...my cP password was changed like everyone else too. I suspect there's either a major hole in WP, or possibly cPanel itself considering account passwords are changing. It's only affecting WP users on Tommy for some reason. That DDoS on Johnny seems to actually be a blessing in disguise as I would not want to deal with several thousand hacked WP sites...and most WP users are on Johnny here.
  12. Nice...decided to check mine...my old WP for a Minecraft server on Tommy is compromised too. And my CP password was changed like everyone else. He uploaded a backdoor too. A file called 4830068200.php in the wp-admin folder...also an htaccess file and a php.ini file (which does nothing on our servers). There was another random number file in wp-content as well as another htaccess and php.ini. The index.php has code to inject the backdoor added right at the top too. And of course I found a leafmailer.php...
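A small defender-side scanner for the indicators post 12 lists (numeric-named PHP files under wp-admin and wp-content, .htaccess and php.ini dropped into core directories, leafmailer.php, and a loader injected at the top of index.php), added here as an example; it is not code from the forum or from HelioHost. The numeric-filename pattern and the obfuscation keywords are my assumed heuristics, and the tree it scans is constructed to mirror the layout the post describes.

```python
import os
import re
import tempfile

# Indicators from the posts above; numeric-name pattern and obfuscation keywords are my heuristics.
NUMERIC_PHP = re.compile(r"^\d{6,}\.php$")
SUSPECT_NAMES = {"leafmailer.php"}
DROPPED_CONFIGS = {".htaccess", "php.ini"}
CORE_DIRS = ("wp-admin", "wp-content", "wp-includes")
INJECT_HINTS = ("eval(", "base64_decode(", "gzinflate(", "str_rot13(")


def scan_wp_tree(root):
    """Walk a WordPress document root; return sorted (relative path, reason) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        in_core = rel_dir.split(os.sep)[0] in CORE_DIRS
        for name in files:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if name in SUSPECT_NAMES:
                findings.append((rel, "known spam mailer filename"))
            elif NUMERIC_PHP.match(name):
                findings.append((rel, "numeric-named php file"))
            elif in_core and name in DROPPED_CONFIGS:
                findings.append((rel, "config file dropped into a core directory"))
            elif name == "index.php":
                with open(os.path.join(dirpath, name), errors="replace") as fh:
                    head = fh.read(4096)  # injected loaders sit at the very top
                if any(h in head for h in INJECT_HINTS):
                    findings.append((rel, "obfuscation call at top of index.php"))
    return sorted(findings)


def build_sample_tree():
    """Constructed layout mirroring post 12 above; returns the temp root path."""
    root = tempfile.mkdtemp()
    files = {
        "index.php": '<?php eval(base64_decode("QUJD")); // constructed inert marker\n',
        ".htaccess": "RewriteEngine On\n",  # normal at the document root, not flagged
        "leafmailer.php": "<?php // constructed placeholder\n",
        "wp-admin/4830068200.php": "<?php // constructed placeholder\n",
        "wp-admin/.htaccess": "deny from all\n",
        "wp-admin/php.ini": "display_errors=0\n",
        "wp-content/index.php": "<?php // Silence is golden.\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root
```

Run `scan_wp_tree(build_sample_tree())` to see the five flagged paths; the root .htaccess and the stock "Silence is golden" index.php are left alone.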
  13. You can't due to the suspension right now. I'm going to leave it that way since there's a massive outbreak of this AnonymousFox issue, WordPress seems to have a major security problem at the moment.
  14. Just checked another account and that one's also AnonymousFox'd...on two different WP installs. There's something in common with the WP installations here that's causing this. Either it's WP itself, or you're all using the same compromised plugin (which I doubt).
  15. You can look in the user table of WordPress's database for the username and email address. You should be able to change the username and email address to yours, then reset the password for WP. If I had to guess though, I suspect you'll find the username is going to be "AnonymousFox" since that's what 2 others have reported it being... EDIT: It's AnonymousFox...same as the other hacked accounts. Found in the wp8v_users table...
  16. I honestly don't know how they do that either. My only thought was if you used the same password for WP and cPanel. Compromised WP is easy to get a password hash out of, and rainbow tables can usually crack hashes quite quickly these days. The thing I've noticed is that it's very consistent. All affected accounts so far (yours, danval, usr8481, and metals from the other topic) are:
      • On Tommy
      • Running WordPress
      • Have had their cPanel password changed by the hacker
      • Have had their WP hacked
      The username in WP on at least 2 of them has changed to "AnonymousFox" suggesting it's a single hacker doing this. The cPanel passwords changing and the fact the accounts all share a server is what worries me. I'll have Krydos look at this one too. EDIT: Make it 3 for AnonymousFox. The metals account also has that username in WP...
  17. Yes, by nuke I mean delete. WP generally can't be cleaned once compromised anyway since the attackers often drop backdoors, shells, etc. once they get in, which they can use after the initial hole is fixed. We recommend just deleting it and reinstalling (and better yet, finding other software while you're at it). There's tons of other CMSes out there, and most of those don't have nearly as many issues as WP.
  18. A whole bunch of accounts with WordPress on them got hacked yesterday. They're getting in through WP, then compromise cPanel from there (if I had to guess, people use the same password for cPanel as for the compromised WordPress install, so they just guess) and change the password. These guys have the same issue with hacked WP and their cPanel password not working following the hack: https://www.helionet.org/index/topic/33536-invalid-login/ So far, there are no reports of non-WP accounts being compromised, so it seems to be the typical WordPress security issues to blame here.
  19. Just nuke everything inside of public_html (don't delete the folder itself) at this point. Odds are there's a backdoor installed somewhere. Also, if you don't have time to fix this now, I can suspend you if you'd like, until you are ready to fix it.
  20. Unblocked.
  21. Unblocked. It was for failed SFTP logins.
  22. That's because of an ongoing DDoS attack on our server. I've changed a setting on your account to mitigate the effect of the attack on your account and it should start working in the next few hours. EDIT: Never mind...it failed. Because the DNS updated, I'm not sure if httpd.conf will fix itself when it's next rebuilt or not...Let's have Krydos look at this.
      Changed all instances of [65.19.141.67] -> [64.62.211.131] in myfirstwordpress.heliohost.org
      Changed all instances of [65.19.141.67] -> [64.62.211.131] in chucachan.ga
      The system updated “23” entry.
      Updating httpd.conf....ERROR: Cpanel::Exception::Timeout/(XID shnkpu) The system failed to lock the file “/etc/apache2/conf/httpd.conf” after 301 seconds. at /usr/local/cpanel/Cpanel/Exception/CORE.pm line 336.
      Cpanel::Exception::create("Timeout", "The system failed to lock the file \x{e2}\x{80}\x{9c}[_1]\x{e2}\x{80}\x{9d} after [quant,_2"..., ARRAY(0x4a41d30)) called at /usr/local/cpanel/Cpanel/Exception.pm line 61
      Cpanel::Exception::__ANON__(__CPANEL_HIDDEN__, __CPANEL_HIDDEN__..., ARRAY(0x4a41d30)) called at /usr/local/cpanel/Cpanel/SafeFile.pm line 729
      Cpanel::SafeFile::_timeout_exception("/etc/apache2/conf/httpd.conf", 301) called at /usr/local/cpanel/Cpanel/SafeFile.pm line 761
      Cpanel::SafeFile::_die_if_file_is_flocked_cuz_already_waited_a_while("/etc/apache2/conf/httpd.conf", 301) called at /usr/local/cpanel/Cpanel/SafeFile.pm line 829
      Cpanel::SafeFile::_lock_wait("/etc/apache2/conf/httpd.conf") called at /usr/local/cpanel/Cpanel/SafeFile.pm line 355
      Cpanel::SafeFile::_safelock("/etc/apache2/conf/httpd.conf") called at /usr/local/cpanel/Cpanel/SafeFile.pm line 558
      Cpanel::SafeFile::_safe_open(undef, 66, "/etc/apache2/conf/httpd.conf", CODE(0x4a41a90), "safesysopen") called at /usr/local/cpanel/Cpanel/SafeFile.pm line 208
      eval {...} called at /usr/local/cpanel/Cpanel/SafeFile.pm line 207
      Cpanel::SafeFile::safesysopen(undef, "/etc/apache2/conf/httpd.conf", 66, 384) called at /usr/local/cpanel/Cpanel/SafeFile.pm line 121
      Cpanel::SafeFile::safesysopen_no_warn_on_fail(undef, "/etc/apache2/conf/httpd.conf", 66, 384) called at /usr/local/cpanel/Cpanel/Transaction/File/Base.pm line 137
      Cpanel::Transaction::File::Base::new("Cpanel::Transaction::File::Raw", "path", "/etc/apache2/conf/httpd.conf") called at /usr/local/cpanel/Cpanel/Transaction.pm line 20
      eval {...} called at /usr/local/cpanel/Cpanel/Transaction.pm line 20
      Cpanel::Transaction::get_httpd_conf() called at /usr/local/cpanel/Cpanel/HttpUtils/Config/Apache.pm line 73
      Cpanel::HttpUtils::Config::Apache::new("Cpanel::HttpUtils::Config::Apache") called at /usr/local/cpanel/Whostmgr/Accounts/SiteIP.pm line 256
      eval {...} called at /usr/local/cpanel/Whostmgr/Accounts/SiteIP.pm line 256
      Whostmgr::Accounts::SiteIP::set("nicu", "65.19.141.67", "64.62.211.131") called at whostmgr/bin/whostmgr2.pl line 8674
      main::dochangeip("changeip") called at whostmgr/bin/whostmgr2.pl line 8846
      main::changeip("changeip") called at /usr/local/cpanel/Whostmgr/Dispatch.pm line 227
      Whostmgr::Dispatch::_do_call("changeip", HASH(0x4a70518), HASH(0x4a406f8)) called at /usr/local/cpanel/Whostmgr/Dispatch.pm line 144
      Whostmgr::Dispatch::dispatch("changeip", 1, ARRAY(0x4a798c8)) called at whostmgr/bin/whostmgr2.pl line 979
      And a subsequent attempt at changing it again threw error:
      The remote dns zone is not consistent with the httpd.conf. The current ip in httpd.conf is: 65.19.141.67. The current ip in the dns zone is: 64.62.211.131! 64.62.211.131 will be switched to the new ip as well!
      The local dns zone is not consistent with the httpd.conf. The current ip in httpd.conf is: 65.19.141.67. The current ip in the dns zone is: 64.62.211.131! 64.62.211.131 will be switched to the new ip as well!
      Warning, serious database inconsistency. httpd.conf, local dns, and remote dns all have different ideas about what the ip address of this site really is. They will now all be changed to the new ip: 64.62.211.131!
      changezoneip requires the “sourceip” and “destip” to be different: “64.62.211.131”
  23. I'll move this so he looks at it. He'll post when it's enabled.
  24. It can be made to work, but doing so will break the non-HTTPS access. You can't have it work on both because that would make your site hog two java slots on the server. Do you want me to have Krydos switch you to https for Java?
  25. WordPress is well known for severe security issues and is laughably easy to compromise, especially because it's usually not kept updated, and because its extensions are usually also full of holes. We recommend not using WP for these and many other reasons. It's a leading cause of hacked sites, high load suspensions, spam suspensions, and phishing bans here at HelioHost. Finding another CMS is your best option. If you really want to keep WP, delete your installation, reinstall using updated components, don't use dubious themes and extensions from random websites (many are actually disguised backdoors) and make sure you keep it updated going forward. Otherwise this issue is just going to come back. Also, that leafmailer is a spambot (we usually ban accounts that have it, please get rid of that ASAP or you'll lose your account).