wolstech

It was removed by Krydos as he'd rather the info not be published for security reasons.

No I did not. That set of files showing up today means the hacker still has active access to your account. It's been banned. Please use the invite I just sent. See this topic if you wish to speculate on this...https://helionet.org/index/topic/33637-anonymousfox-the-motherlode/

That's the stuff AnonymousFox used to compromise the server by the looks of it. We thought metals was to blame, but it looks like your account may be the initial entry point based on that. Krydos and I will find those files very interesting, and some security researchers may as well. EDIT: You will be getting a new account. There's things like direct symlinks to system files on your account. An invite will be sent shortly once I get your domains released so you can use them again.

This account has a compromised WordPress installation that has been affected by the recent AnonymousFox hack and cannot be unsuspended. An invitation will be sent to you shortly so you can create a new account. Please restore your data using a backup. The data from your old account cannot be recovered or returned to you due to the possibility of the account having been used for Phishing. As a reminder, we highly recommend that users not use WordPress. WP and it's extensions are notorious for having security issues such as the one you (and everyone else on Tommy) experienced, and it has the worst security track record of any CMS out there. Using a different program will help prevent this from happening again.

This account has a compromised WordPress installation that has been affected by the recent AnonymousFox hack and cannot be unsuspended. An invitation will be sent to you shortly so you can create a new account. Please restore your data using a backup. The data from your old account cannot be recovered or returned to you due to the possibility of the account having been used for Phishing. As a reminder, we highly recommend that users not use WordPress. WP and it's extensions are notorious for having security issues such as the one you (and everyone else on Tommy) experienced, and it has the worst security track record of any CMS out there. Using a different program will help prevent this from happening again.

This account has a compromised WordPress installation that has been affected by the recent AnonymousFox hack and cannot be unsuspended. An invitation will be sent to you shortly so you can create a new account. Please restore your data using a backup. The data from your old account cannot be recovered or returned to you due to the possibility of the account having been used for Phishing. As a reminder, we highly recommend that users not use WordPress. WP and it's extensions are notorious for having security issues such as the one you (and everyone else on Tommy) experienced, and it has the worst security track record of any CMS out there. Using a different program will help prevent this from happening again.

@Byron: That's not actually high load. There's malware on it (looking deeper shows there's actually phishing too...). The diagnostic script for these won't flag infected files though, so it only reports infected if the AnonymousFox user exists in the WP DB.

The domain lslab.heliohost.org has been cleaned up. Try again now. A new invite has been sent.

It won't stay unsuspended so I may end up needing to give you a new account after all. I'll take a closer look when I'm at a pc later this morning. EDIT: You missed a malicious index.php in the root of public_html. I've deleted it for you and took a look through your other folders. Your account now seems to be staying unsuspended. I put in a test index file pointed to /wp/ so your dir listing isn't showing, however I don't know if the content is correct for the domain.

This account has a compromised WordPress installation that has been affected by the recent AnonymousFox hack and cannot be unsuspended. An invitation will be sent to you shortly so you can create a new account. Please restore your data using a backup. The data from your old account cannot be recovered or returned to you due to the possibility of the account having been used for Phishing. As a reminder, we highly recommend that users not use WordPress. WP and it's extensions are notorious for having security issues such as the one you (and everyone else on Tommy) experienced, and it has the worst security track record of any CMS out there. Using a different program will help prevent this from happening again.

This account has a compromised WordPress installation that has been affected by the recent AnonymousFox hack and cannot be unsuspended.<br /><br />An invitation will be sent to you shortly so you can create a new account. Please restore your data using a backup. The data from your old account cannot be recovered or returned to you due to the possibility of the account having been used for Phishing.<br /><br />As a reminder, we highly recommend that users not use WordPress. WP and it's extensions are notorious for having security issues such as the one you (and everyone else on Tommy) experienced, and it has the worst security track record of any CMS out there. Using a different program will help prevent this from happening again.

This account has a compromised WordPress installation that has been affected by the recent AnonymousFox hack and cannot be unsuspended. An invitation will be sent to you shortly so you can create a new account. Please restore your data using a backup. The data from your old account cannot be recovered or returned to you due to the possibility of the account having been used for Phishing. As a reminder, we highly recommend that users not use WordPress. WP and it's extensions are notorious for having security issues such as the one you (and everyone else on Tommy) experienced, and it has the worst security track record of any CMS out there. Using a different program will help prevent this from happening again.

I unsuspended you again. I think you still have something compromised though. Our servers were updated yesterday to auto suspend anyone who executes the malicious files or has the anonymousfox user present. Note that even though WP is the attack vector, we've found the hacker sometimes places the modified index.php files and the malware random number files well outside of WP installs on compromised accounts. Open all of your index.php files and ensure there's no random gibberish or eval statement at the top.

You should have already received it. Resent.

This account has a compromised WordPress installation that has been affected by the recent AnonymousFox hack and cannot be unsuspended. An invitation will be sent to you shortly so you can create a new account. Please restore your data using a backup. The data from your old account cannot be recovered or returned to you due to the possibility of the account having been used for Phishing. As a reminder, we highly recommend that users not use WordPress. WP and it's extensions are notorious for having security issues such as the one you (and everyone else on Tommy) experienced, and it has the worst security track record of any CMS out there. Using a different program will help prevent this from happening again.

Depends whether they're infected and how many files and folders there are. I'd have to go through all of them to verify there's nothing malicious or stolen in there, then move them. Which ones do you want?

The domain cbrpics.com has been cleaned up.

I have a WP myself that I completely replaced the login system on...it got hacked. I don't think they're guessing passwords or attacking the login system, there's a massive hole somewhere in WP. The only commonality is that everyone hit had WP somewhere on their account, and it doesn't matter what extensions or version you were using. Even the latest release with no addons is vulnerable. Seeing that WP is just garbage code that they keep fixing, I'm not really surprised either. There's thousands of people from different hosts around the world reporting this exact AnonymousFox attack over the past week...

This account has a compromised WordPress installation that has been affected by the recent AnonymousFox hack and cannot be unsuspended. An invitation will be sent to you shortly so you can create a new account. Please restore your data using a backup. The data from your old account cannot be recovered or returned to you due to the possibility of the account having been used for Phishing. As a reminder, we highly recommend that users not use WordPress. WP and it's extensions are notorious for having security issues such as the one you (and everyone else on Tommy) experienced, and it has the worst security track record of any CMS out there. Using a different program will help prevent this from happening again.

This account has a compromised WordPress installation that has been affected by the recent AnonymousFox hack and cannot be unsuspended. An invitation will be sent to you shortly so you can create a new account. Please restore your data using a backup. The data from your old account cannot be recovered or returned to you due to the possibility of the account having been used for Phishing. As a reminder, we highly recommend that users not use WordPress. WP and it's extensions are notorious for having security issues such as the one you (and everyone else on Tommy) experienced, and it has the worst security track record of any CMS out there. Using a different program will help prevent this from happening again.

It's not inactivity. This account has a compromised WordPress installation that has been affected by the recent AnonymousFox hack and cannot be unsuspended. An invitation will be sent to you shortly so you can create a new account. Please restore your data using a backup. The data from your old account cannot be recovered or returned to you. As a reminder, we highly recommend that users not use WordPress. WP and it's extensions are notorious for having security issues such as the one you (and everyone else on Tommy) experienced, and it has the worst security track record of any CMS out there. Using a different program will help prevent this from happening again.

It wasn't bandwidth. This account has a compromised WordPress installation that has been affected by the recent AnonymousFox hack and cannot be unsuspended. An invitation will be sent to you shortly so you can create a new account. Please restore your data using a backup. The data from your old account cannot be recovered or returned to you. As a reminder, we highly recommend that users not use WordPress. WP and it's extensions are notorious for having security issues such as the one you (and everyone else on Tommy) experienced, and it has the worst security track record of any CMS out there. Using a different program will help prevent this from happening again.

This account has a compromised WordPress installation that has been affected by the recent AnonymousFox hack and cannot be unsuspended. An invitation will be sent to you shortly so you can create a new account. As a reminder, we highly recommend that users not use WordPress. WP and it's extensions are notorious for having security issues such as the one you (and everyone else on Tommy) experienced, and it has the worst security track record of any CMS out there. Using a different program will help prevent this from happening again.

We looked through that account further and it has since been permanently suspended for being hacked. I'll be sending an invite for a new account shortly. EDIT: you already have a new account...

High load, which is caused by the malware in most cases. Since WordPress is full of malware, you'll need to fully delete your WordPress installations. I don't see any phishing on this account yet, so I'm OK with unsuspending it on condition you delete your WordPress installation. I've added a deny from all to your .htaccess file so the site cannot be accessed until you can delete it. As a reminder, we do not recommend using WordPress. It has the worst track record for CMS security of any CMS available today, and is regularly compromised. Nearly every other CMS out there performs better and is more secure than WordPress. Unsuspended.