wolstech

So, I'm getting some really strange errors from our website at the moment. Keeps timing out, and when it does attempt to load, I'm getting an invalid self-signed certificate instead of the normal LE cert that should be there. https://imgur.com/a/cy2iZtU What's going on here? Monitor says the site is up, but I can't reach it...

I can't even reach the admin tools right now...they're returning a 404 error so I can't check the log on this. I'll look when its back up.

Correct, usernames cannot be reused if banned due to hacked WP. Since the database name always starts with your username, your DBs will all have a new name now. This behavior is by design, so no, you will not be able to rename the databases to use their old names (even if you could change the prefix, the banned ones still exist as evidence, so the names are taken anyway). Please update your code to use the new names.

This is likely the WP hack, but I can’t verify right now since I’m on mobile. I’ll take a look at this tonight if someone else doesn’t do so before then. I apologize for the delay.

You won’t be able to reuse your username since it’s attached to the banned account and cannot be removed without deleting the account (which destroys the hacking evidence inside). I can delete your new account and resend the invite if you wish, but the new account will ultimately need to have a different username anyway. Do you want me to this? As for the logs, can you make a separate post for that regarding the police wanting logs? Krydos would be the one to handle that if possible, and he would want them to contact us directly if they’re interested in any logs.

The IP in your PM is not blocked.

It depends when they were sent. If it was before I removed your domains, they were delivered to the banned account successfully, but are not retrievable by you. No error.If it was after I removed your domains, but before you set them up and created mailboxes on the new account, then it depends on your settings. If you had a catchall mailbox (I forget if cP sets one up by default), they'd go in there, otherwise they get returned undelivered.If it was after you set everything up again, you should have received them, and they wouldn't get an error.

Just looked and you do indeed have a dedicated IP. I'll have Krydos go ahead and reassign it to you. I'm not sure what the proper process is for setting one of those up.

If you're curious, google "AnonymousFox WordPress". This particular hacker is apparently a big issue right now since even the latest WP with no extensions or themes is vulnerable to whatever he's using. People across the world are reporting this hack on many different hosts. Once hacked, he uses the accounts to set up a spambot or phishing site.

Yeah, NA, though I do sometimes use a VPN that gives me a blocked ip, which was specifically what I'm referring to. Note that some "Chinese" IPs aren't actually based in China either. The VPN i was referring to is in Taiwan... If your intentionally blocking those countries, then yeah, it's not gonna work.

The anonymous fox hack is believed to work using an unfixed security hole in the WP core. People have had WP hacked using fully updated installs with no extensions and nothing else on the account. There is no fix for WP at this time aside from not using WP. The hack also seems to affect older Joomla, but not the latest versions (we found one of the folder/script setups used by "F0x" as he calls himself on a compromised account, he had a few Joomlas in the target lists, but inspection shows only 2 of the hacks succeeded, both were running 1.x). Once infected, the hack does spread outside the WP install. The WP install itself will have a tampered index.php, random number files in the folders, tampered htaccess, the user in the DB, and sometimes a phishing site or spambot buried in the themes or WP-admin folder. The index.php in the root of public_html is also usually malicious, a php.ini usually appears (doesn't do anything on our server), and sometimes you'll find folders called index and config that are also full of malware. The random number php files can also appear just about anywhere. Some users have reported a hidden folder called .F0x appearing in public html or their home dir too. We don't have any logs that can be released due to sensitive information. The hack can be found online though. Google "AnonymousFox Wordpress" and you'll find others reporting the same hack on other hosts and the WP boards. Yes we have brute force protection. It blocks your IP after 5 bad attempts in a 1 hour span. He would need a botnet to meaningfully brute force anything. Invite resent. Please check your spam, they sometimes end up in there.

Done. You should now be able to log in and your website should start working within 2 hours.

sigh it failed again, this time because my removing the domain during the first fix didn't fully clean up the DNS for it. The domain babooa.com has been cleaned up. Can you try one more time?

They've been copied to your home folder as text files. By the way, I would advise removing those IP blocklists from them. It slows your site due to processing every page load, and you're probably losing quite a few users with those (an IP that I often visit things from is in one of those ranges and I'm likely not the only one).

This account has a compromised CMS installation that has been affected by the recent AnonymousFox hack and cannot be unsuspended. An invitation will be sent to you shortly so you can create a new account. Please restore your data using a backup. The data from your old account cannot be recovered or returned to you due to the possibility of the account having been used for Phishing. As a reminder, when selecting a CMS, we highly recommend that users not use WordPress. WP and it's extensions are notorious for having security issues such as the one you (and everyone else on Tommy) experienced, and it has the worst security track record of any CMS out there. Using a different program will help prevent this from happening again.

Unarchiving...

This account has a compromised CMS installation that has been affected by the recent AnonymousFox hack and cannot be unsuspended. An invitation will be sent to you shortly so you can create a new account. Please restore your data using a backup. The data from your old account cannot be recovered or returned to you due to the possibility of the account having been used for Phishing. As a reminder, when selecting a CMS, we highly recommend that users not use WordPress. WP and it's extensions are notorious for having security issues such as the one you (and everyone else on Tommy) experienced, and it has the worst security track record of any CMS out there. Using a different program will help prevent this from happening again.

The domain industryus.ca has been cleaned up.

This account has a compromised CMS installation that has been affected by the recent AnonymousFox hack and cannot be unsuspended. An invitation will be sent to you shortly so you can create a new account. Please restore your data using a backup. The data from your old account cannot be recovered or returned to you due to the possibility of the account having been used for Phishing. As a reminder, when selecting a CMS, we highly recommend that users not use WordPress. WP and it's extensions are notorious for having security issues such as the one you (and everyone else on Tommy) experienced, and it has the worst security track record of any CMS out there. Using a different program will help prevent this from happening again.

This account has a compromised CMS installation that has been affected by the recent AnonymousFox hack and cannot be unsuspended. An invitation will be sent to you shortly so you can create a new account. Please restore your data using a backup. The data from your old account cannot be recovered or returned to you due to the possibility of the account having been used for Phishing. As a reminder, when selecting a CMS, we highly recommend that users not use WordPress. WP and it's extensions are notorious for having security issues such as the one you (and everyone else on Tommy) experienced, and it has the worst security track record of any CMS out there. Using a different program will help prevent this from happening again.

What domain is it?

Yes you can use it, but you need to provide a valid username and password to do so. It should just be your cpanel username and password. If it doesn't work, try plain unencrypted FTP on port 21 instead.

Nothing was found to unblock. Do you know what IP needs unblocking?

Unblocked. It was blocked for invalid POP3 logins, so make sure your email client has a valid username and password.

Unblocked. Those domains are attached to your banned account which is why you cannot reuse them. I'll clean them up shortly.