wolstech

All Johnny accounts were disabled and archived due to planned maintenance. Please see our recent news post: https://www.helionet.org/index/topic/33812-johnny-maintenance/ The contents of these accounts will be available for download in the near future. If you're a donor, you can have the account moved on another server instead.

All Johnny accounts are intentionally disabled due to planned maintenance. Please see https://www.helionet.org/index/topic/33812-johnny-maintenance/

The account metal has been removed.

Tommy has returned to normal. The complete outage of Tommy's public-facing services was actually caused by a (much more drastic) mitigation used on Tommy, not the attack itself. Unlike Johnny, where we just allow the attack to subside (well...hope it subsides), Tommy shares the Eddie hardware with Cody, which is responsible for our website and forums, admin tools, and also provides a name server. To avoid the load from the attack bogging Cody down, we had our provider intentionally null route Tommy so the attack couldn't reach the server. The downside is all legitimate traffic also goes off into the void when this is done.

Tommy has returned to normal.

All Johnny accounts are intentionally disabled due to planned maintenance: https://www.helionet.org/index/topic/33812-johnny-maintenance/ In addition, Tommy is currently down due to a DoS attack. You can move to Ricky if you wish, or wait out the maintenance and we can restore your account after the maintenance is complete.

I got a response from Krydos on this. Turns out his botnet is big enough, we just blocked the shared IP to keep it from being effective. Bad news is that means all the websites are down. The good news is all the other stuff is on another IP, which is why cPanel and everything else is accessible.

The mail server itself seems to be working fine (I can telnet to it inside SSH and get the expected responses, webmail also works). Apache is actually up as well if I telnet to it from localhost and request a document. The issue is that the traffic can't get in or out right now. EDIT: Just heard for Krydos...it's blocked intentionally to mitigate the attack.

I think there's some stuff Krydos can try, but we're gonna see if it subsides first most likely. We're not even sure it's the same attacker, but it's reasonable to believe so considering the attack started within 24 hours of Johnny being pulled for maintenance. Good news is that Tommy is beefy enough that he doesn't just collapse from the load caused by Apache and the firewall trying to block it. Apache is overwhelmed by the botnet, but everything else on him should be working just fine. cPanel, FTP, and email are up. Just the actual web server that isn't. Johnny on the other hand couldn't handle the load and basically folded under pressure.

Your account was suspended for causing high server load. I have unsuspended your account, but please try to limit the load you put on our servers as it slows down not only your site, but the sites of all other HelioHost users sharing your server. If you still see the suspended page, please clear your cache. If you need help figuring out why your site is causing such high load let us know and we can try to help. If the high load is simply because your site is getting a lot of traffic you might consider trying paid hosting from our partner starting at only a cent for the first month. https://www.heliohost.org/partners/hostgator

This account has a compromised CMS installation that has been affected by the recent AnonymousFox hack and cannot be unsuspended. An invitation will be sent to you shortly so you can create a new account. Please restore your data using a backup. The data from your old account cannot be recovered or returned to you due to the possibility of the account having been used for Phishing. As a reminder, when selecting a CMS, we highly recommend that users not use WordPress. WP and it's extensions are notorious for having security issues such as the one you (and everyone else on Tommy) experienced, and it has the worst security track record of any CMS out there. Using a different program will help prevent this from happening again.

This account has a compromised CMS installation that has been affected by the recent AnonymousFox hack and cannot be unsuspended. An invitation will be sent to you shortly so you can create a new account. Please restore your data using a backup. The data from your old account cannot be recovered or returned to you due to the possibility of the account having been used for Phishing. As a reminder, when selecting a CMS, we highly recommend that users not use WordPress. WP and it's extensions are notorious for having security issues such as the one you (and everyone else on Tommy) experienced, and it has the worst security track record of any CMS out there. Using a different program will help prevent this from happening again.

Considering we can't fix the ddos on Johnny, we have to just wait it out, which considering this botnet's persistence, it could be months. Maybe it will move back to Johnny when that maintenance is completed, but who knows. More than likely the goal of the attacker is to crash all of our servers and run us out of business. The attack started shortly after we banned ~150 phishing sites that signed up over the course of a week (mostly paypal phishing, and significantly more than normal), so my theory is that its retaliation for us banning some clown who wanted to phish paypal accounts. That's because the attack just overloads Apache, effectively keeping it from doing anything. The cPanel stuff runs under a dedicated web server application known as cpsrvd that is unaffected. Email and the like should still work too. Unlike Johnny, which buckled from load, Tommy is much beefier, so between him simply having a lot more capability and his firewall not hogging the CPU, he handles being attacked much better. TL;DR: Some idiot phisher is attacking us and his botnet ain't big enough

Yes it is. Supposedly the ddos from Johnny moved there because we took Johnny down for maintenance...

The ddos that was hitting Johnny for the past 3 weeks is now hitting tommy instead since Johnny was taken down for maintenance.

The ddos that was hitting Johnny is now hitting tommy instead since we took down Johnny for maintenance.

It's intentional due to planned maintenance. Please see https://www.helionet.org/index/topic/33812-johnny-maintenance/

It's intentional due to planned maintenance. Please see https://www.helionet.org/index/topic/33812-johnny-maintenance/

Please refer to https://www.helionet.org/index/topic/33812-johnny-maintenance/

Please refer to https://www.helionet.org/index/topic/33812-johnny-maintenance/

Never mind. Within minutes you almost brought Tommy down again. Lets have Krydos figure this out. That red and orange on the monitor for Tommy was caused by your account: http://heliohost.grd.net.pl/monitor/

So I did some playing around with this...first there was a user I unsuspended earlier that was causing massive load on the server. He's been resuspended. Yeah, that's what I found too. That site is extremely bloated. Whatever forum software you're using is the reason for the slowness. Chrome measured 8.5 seconds for one page for me. I would consider that fast for a site of that size, but overall, yeah its very slow. Some of the heavier forum softwares (IPB and Xenforo) are known to perform very poorly on shared hosting services such as ours simply because they do a lot of processing on every page and pull down a ton of assets and scripts as well. I'm not sure what you're actually running, but it needs to be leaned up a bit if you want it to be fast. For comparison, my own basic website running a CMS loads in ~2 seconds. A static HTML page loads in 1 second. https://www.raxsoft.com/raxccm/index.php I have a bunch of web applications hosted on the backend too, they're blazing fast as well. I've been here for 7 years and wouldn't have stuck around if the performance was as you're describing. I've seen at all at this point...especially considering I basically work here too. The only recommendation we have is to change your software or purchase a VPS so you have a server to yourself. It's not our server, it's what you're running. If you want to buy a VPS, we recommend this service: https://heliohost.org/partners/vps

Now that's some high load. Please take care of it quickly. If this happens again or if you don't know the cause, let me know and I'll have Krydos identify the file since that amount of load is ridiculous. Unsuspended.

Yeah, his site is working just fine for me as well. Something's wrong with his internet connection or the like.

That slot can be anything. The full username of the FTP account will be <whatever_you_enter>@dt22.net, and the password is whatever you specified. Note that user-created FTP accounts don't work over SFTP. You need to use plain (unencrypted) FTP on port 21 to use these accounts. The only account available over SFTP is the one that has the same username and password as cPanel.