wolstech

Ziad's got it, but to clarify the reason above a bit more. The Tommy attack is actually a different type of DDoS (wasting traffic vs. just leaving connections open all day on Johnny). It may or may not be the same attacker. It could be retaliation for cleaning up AnonymousFox too. The people who have the resources to launch these attacks are almost certainly involved in other cybercrime too. You don't generally just keep a botnet around (or hire one and keep it on retainer) for no reason. Spam and phishing have the one of the best effort-to-profit ratios out there. Both are relatively easy to execute and very profitable when they pay off (send 1000 phishing emails, if just one user falls for it they can potentially get a few grand from a paypal account...). Sometimes other abuse comes along, usually with phishing or spam being the end goal. For example look at AnonymousFox, who used a 0-day WP exploit to take over more than 100 websites, saving him the hassle of getting domains and accounts and giving him the advantage of the site owner's reputation. Many of those then had a phishing site and/or spambot uploaded. Also, most hosting companies are reactive. Phisher goes phishing, email and security companies squawk, and eventually the host gets abuse reports and bans them. We don't wait for that report and instead proactively monitor for abuse. To cyber-criminals, that means "We make easy money difficult." Their response to us wasting their time is a botnet to the face.

Tommy has returned to normal. The complete outage of Tommy's public-facing services was actually caused by a (much more drastic) mitigation used on Tommy, not the attack itself. Unlike Johnny, where we just allow the attack to subside (well...hope it subsides), Tommy shares the Eddie hardware with Cody, which is responsible for our website and forums, admin tools, and also provides a name server. To avoid the load from the attack bogging Cody down, we had our provider intentionally null route Tommy so the attack couldn't reach the server. The downside is all legitimate traffic also goes off into the void when this is done.

Tommy has returned to normal.

I got a response from Krydos on this. Turns out his botnet is big enough, we just blocked the shared IP to keep it from being effective. Bad news is that means all the websites are down. The good news is all the other stuff is on another IP, which is why cPanel and everything else is accessible.

The mail server itself seems to be working fine (I can telnet to it inside SSH and get the expected responses, webmail also works). Apache is actually up as well if I telnet to it from localhost and request a document. The issue is that the traffic can't get in or out right now. EDIT: Just heard for Krydos...it's blocked intentionally to mitigate the attack.

I think there's some stuff Krydos can try, but we're gonna see if it subsides first most likely. We're not even sure it's the same attacker, but it's reasonable to believe so considering the attack started within 24 hours of Johnny being pulled for maintenance. Good news is that Tommy is beefy enough that he doesn't just collapse from the load caused by Apache and the firewall trying to block it. Apache is overwhelmed by the botnet, but everything else on him should be working just fine. cPanel, FTP, and email are up. Just the actual web server that isn't. Johnny on the other hand couldn't handle the load and basically folded under pressure.

Your account was suspended for causing high server load. I have unsuspended your account, but please try to limit the load you put on our servers as it slows down not only your site, but the sites of all other HelioHost users sharing your server. If you still see the suspended page, please clear your cache. If you need help figuring out why your site is causing such high load let us know and we can try to help. If the high load is simply because your site is getting a lot of traffic you might consider trying paid hosting from our partner starting at only a cent for the first month. https://www.heliohost.org/partners/hostgator

This account has a compromised CMS installation that has been affected by the recent AnonymousFox hack and cannot be unsuspended. An invitation will be sent to you shortly so you can create a new account. Please restore your data using a backup. The data from your old account cannot be recovered or returned to you due to the possibility of the account having been used for Phishing. As a reminder, when selecting a CMS, we highly recommend that users not use WordPress. WP and it's extensions are notorious for having security issues such as the one you (and everyone else on Tommy) experienced, and it has the worst security track record of any CMS out there. Using a different program will help prevent this from happening again.

This account has a compromised CMS installation that has been affected by the recent AnonymousFox hack and cannot be unsuspended. An invitation will be sent to you shortly so you can create a new account. Please restore your data using a backup. The data from your old account cannot be recovered or returned to you due to the possibility of the account having been used for Phishing. As a reminder, when selecting a CMS, we highly recommend that users not use WordPress. WP and it's extensions are notorious for having security issues such as the one you (and everyone else on Tommy) experienced, and it has the worst security track record of any CMS out there. Using a different program will help prevent this from happening again.

Considering we can't fix the ddos on Johnny, we have to just wait it out, which considering this botnet's persistence, it could be months. Maybe it will move back to Johnny when that maintenance is completed, but who knows. More than likely the goal of the attacker is to crash all of our servers and run us out of business. The attack started shortly after we banned ~150 phishing sites that signed up over the course of a week (mostly paypal phishing, and significantly more than normal), so my theory is that its retaliation for us banning some clown who wanted to phish paypal accounts. That's because the attack just overloads Apache, effectively keeping it from doing anything. The cPanel stuff runs under a dedicated web server application known as cpsrvd that is unaffected. Email and the like should still work too. Unlike Johnny, which buckled from load, Tommy is much beefier, so between him simply having a lot more capability and his firewall not hogging the CPU, he handles being attacked much better. TL;DR: Some idiot phisher is attacking us and his botnet ain't big enough

Yes it is. Supposedly the ddos from Johnny moved there because we took Johnny down for maintenance...

The ddos that was hitting Johnny for the past 3 weeks is now hitting tommy instead since Johnny was taken down for maintenance.

The ddos that was hitting Johnny is now hitting tommy instead since we took down Johnny for maintenance.

It's intentional due to planned maintenance. Please see https://www.helionet.org/index/topic/33812-johnny-maintenance/

It's intentional due to planned maintenance. Please see https://www.helionet.org/index/topic/33812-johnny-maintenance/

Please refer to https://www.helionet.org/index/topic/33812-johnny-maintenance/

Never mind. Within minutes you almost brought Tommy down again. Lets have Krydos figure this out. That red and orange on the monitor for Tommy was caused by your account: http://heliohost.grd.net.pl/monitor/

So I did some playing around with this...first there was a user I unsuspended earlier that was causing massive load on the server. He's been resuspended. Yeah, that's what I found too. That site is extremely bloated. Whatever forum software you're using is the reason for the slowness. Chrome measured 8.5 seconds for one page for me. I would consider that fast for a site of that size, but overall, yeah its very slow. Some of the heavier forum softwares (IPB and Xenforo) are known to perform very poorly on shared hosting services such as ours simply because they do a lot of processing on every page and pull down a ton of assets and scripts as well. I'm not sure what you're actually running, but it needs to be leaned up a bit if you want it to be fast. For comparison, my own basic website running a CMS loads in ~2 seconds. A static HTML page loads in 1 second. https://www.raxsoft.com/raxccm/index.php I have a bunch of web applications hosted on the backend too, they're blazing fast as well. I've been here for 7 years and wouldn't have stuck around if the performance was as you're describing. I've seen at all at this point...especially considering I basically work here too. The only recommendation we have is to change your software or purchase a VPS so you have a server to yourself. It's not our server, it's what you're running. If you want to buy a VPS, we recommend this service: https://heliohost.org/partners/vps

Now that's some high load. Please take care of it quickly. If this happens again or if you don't know the cause, let me know and I'll have Krydos identify the file since that amount of load is ridiculous. Unsuspended.

Yeah, his site is working just fine for me as well. Something's wrong with his internet connection or the like.

The account was disabled and archived in preparation for a server repair. We're archiving all accounts on Johnny so they can be restored after the repairs are completed to prevent data loss. The repairs aim to fix a memory issue that Johnny is facing, and in the process may also finally mitigate the DDoS that Johnny has been facing for the past several weeks. If you don't wish to wait for these repairs to be completed, donors can have their archive moved to Tommy and restored there, or you can abandon your account and sign up on Tommy or Ricky for free when registrations open at midnight UTC.

This cannot be unarchived at this time due to preparations for a server repair. We're intentionally archiving all accounts on Johnny so they can be restored after the repairs are completed. The repairs aim to fix a memory issue that Johnny is facing, and in the process may also finally mitigate the DDoS that Johnny has been facing for the past several weeks. If you don't wish to wait for these repairs to be completed, donors can have their archive moved to Tommy and restored there.

That should be installable for you, and since you donated, we'll probably also move you to Tommy anyway if you want. I'll let Krydos do it since he's the one who will know about the Python stuff.

Unblocked again. It's your devices that are causing this, so make sure you remove all of your HelioHost accounts from all of your devices, including cell phones/tablets/PCs/etc.

Unblocked.