wolstech

This account has a compromised CMS installation that has been affected by the recent AnonymousFox hack and cannot be unsuspended. An invitation will be sent to you shortly so you can create a new account. Please restore your data using a backup. The data from your old account cannot be recovered or returned to you due to the possibility of the account having been used for Phishing. As a reminder, when selecting a CMS, we highly recommend that users not use WordPress. WP and it's extensions are notorious for having security issues such as the one you (and everyone else on Tommy) experienced, and it has the worst security track record of any CMS out there. Using a different program will help prevent this from happening again.

Yes its compromised due to WordPress being hacked. The malware spreads outside of WP once it gets in, and usually infects every index.php on the account, along with htaccess. It also tends to drop random-named PHP files in lots of folders that can be later used as back doors. Because of this, the entire account is typically considered lost. I can fetch databases for you though (except the WP database) if you need them. An invite will be sent for a new account shortly.

Were they from AutoSSL? If so, the server will eventually make you new ones on its own. It can take 24 hours, though for some reason yours haven't issued yet (they're sitting in the queue...6 of the 47 certificates waiting are yours). I'll let Krydos look at this, some of those have been sitting there for 2+ days. I ran AutoSSL for you yesterday which put you in line, but usually these come in within a few hours. To see certs from as far back as July 24 sitting there waiting is odd. If this was a DCV issue, usually they won't even go in the queue (I'd see an error saying it failed DCV). If the certs in question were ones you provided, you would get them from wherever you got them from before (usually your CA's website, ZeroSSL if you used LE, etc.)

We have 5.4, 5.5, and 5.6. Which one?

The invite would've come within minutes of when your domains stopped working. I forget if you did or not, but if you had to ask me to remove additional domains, those particular domains you asked about would've stopped working within a few minutes of the time I posted saying you can set them back up.

This account has a compromised CMS installation that has been affected by the recent AnonymousFox hack and cannot be unsuspended. An invitation will be sent to you shortly so you can create a new account. Please restore your data using a backup. The data from your old account cannot be recovered or returned to you due to the possibility of the account having been used for Phishing. As a reminder, when selecting a CMS, we highly recommend that users not use WordPress. WP and it's extensions are notorious for having security issues such as the one you (and everyone else on Tommy) experienced, and it has the worst security track record of any CMS out there. Using a different program will help prevent this from happening again.

This account has a compromised CMS installation that has been affected by the recent AnonymousFox hack and cannot be unsuspended. An invitation will be sent to you shortly so you can create a new account. Please restore your data using a backup. The data from your old account cannot be recovered or returned to you due to the possibility of the account having been used for Phishing. As a reminder, when selecting a CMS, we highly recommend that users not use WordPress. WP and it's extensions are notorious for having security issues such as the one you (and everyone else on Tommy) experienced, and it has the worst security track record of any CMS out there. Using a different program will help prevent this from happening again.

All of your databases except for the infected WordPress installations have been exported and placed in your home folder. The files cannot be recovered because they're full of malware. The way AnonymousFox infects an account means it tends to tamper with a lot of htaccess and index.php files and drop a ton of random-named PHP shell scripts. There's just too much to clean up.

Account removed and new invite sent

The domains listed above have been removed and cleaned up. You can go ahead and try adding them now

We need to remove the domains for you to reuse them. If you want to stay, let me know the domain and I'll release it for you. Otherwise, you need not do anything more, your account will expire on its own from lack of use.

This needs to be fixed before I can delete this and resend the invite to you: https://www.helionet.org/index/topic/33702-website-down/

<p>Unblocked.</p> <p> </p> <p>It was for failed IMAP logins. Make sure you updated your mail client settings.</p>

I just manually ran AutoSSL on your domain, it validated everything except the domains you normally can't get one for (webdisk and cpanel), so you're now in line for certs to be issued (the deceptive page is actually produced by Chrome itself, so it's irrelevant when you access the domain with literally anything else, like the script used by AutoSSL). The server's a bit backlogged on them due to the high number of replacement accounts being set up due to the hack, but they'll come in eventually (there's a few from yesterday still in the queue).

Working on this now, it may take a little bit since I have to remove all the subdomains too...

So, I'm getting some really strange errors from our website at the moment. Keeps timing out, and when it does attempt to load, I'm getting an invalid self-signed certificate instead of the normal LE cert that should be there. https://imgur.com/a/cy2iZtU What's going on here? Monitor says the site is up, but I can't reach it...

I can't even reach the admin tools right now...they're returning a 404 error so I can't check the log on this. I'll look when its back up.

Correct, usernames cannot be reused if banned due to hacked WP. Since the database name always starts with your username, your DBs will all have a new name now. This behavior is by design, so no, you will not be able to rename the databases to use their old names (even if you could change the prefix, the banned ones still exist as evidence, so the names are taken anyway). Please update your code to use the new names.

This is likely the WP hack, but I can’t verify right now since I’m on mobile. I’ll take a look at this tonight if someone else doesn’t do so before then. I apologize for the delay.

You won’t be able to reuse your username since it’s attached to the banned account and cannot be removed without deleting the account (which destroys the hacking evidence inside). I can delete your new account and resend the invite if you wish, but the new account will ultimately need to have a different username anyway. Do you want me to this? As for the logs, can you make a separate post for that regarding the police wanting logs? Krydos would be the one to handle that if possible, and he would want them to contact us directly if they’re interested in any logs.

The IP in your PM is not blocked.

It depends when they were sent. If it was before I removed your domains, they were delivered to the banned account successfully, but are not retrievable by you. No error.If it was after I removed your domains, but before you set them up and created mailboxes on the new account, then it depends on your settings. If you had a catchall mailbox (I forget if cP sets one up by default), they'd go in there, otherwise they get returned undelivered.If it was after you set everything up again, you should have received them, and they wouldn't get an error.

Just looked and you do indeed have a dedicated IP. I'll have Krydos go ahead and reassign it to you. I'm not sure what the proper process is for setting one of those up.

If you're curious, google "AnonymousFox WordPress". This particular hacker is apparently a big issue right now since even the latest WP with no extensions or themes is vulnerable to whatever he's using. People across the world are reporting this hack on many different hosts. Once hacked, he uses the accounts to set up a spambot or phishing site.

Yeah, NA, though I do sometimes use a VPN that gives me a blocked ip, which was specifically what I'm referring to. Note that some "Chinese" IPs aren't actually based in China either. The VPN i was referring to is in Taiwan... If your intentionally blocking those countries, then yeah, it's not gonna work.