engrish

  1. Thank you @wolstech! Do you know why my account was moved from Tommy to Johnny?
  2. Hi! My website is no longer accessible. It used to be on Tommy but now it's hosted on Johnny for some reason. I double checked the nameservers and they are set correctly to ns1.heliohost.org and ns2.heliohost.org. I also tried to update / reinstall the SSL certificate and kept getting the following error:

     Could not issue an SSL/TLS certificate for engrishc.heliohost.org
     Details
     Could not issue a Let's Encrypt SSL/TLS certificate for engrishc.heliohost.org. Authorization for the domain failed.
     Details
     Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/264310743266.
     Details:
     Type: urn:ietf:params:acme:error:dns
     Status: 400
     Detail: DNS problem: SERVFAIL looking up A for engrishcheck.me - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for engrishcheck.me - the domain's nameservers may be malfunctioning

     Can an admin have a look and fix the problems if possible? Here are the details:

     Account: engrishc
     Server: Johnny
     Aliases: engrischeck.com; engrishcheck.me

     Thank you!
  3. Thank you wolstech! It's good I have a recent backup with me. I will restore the files on the server. No worries!
  4. Hi wolstech. I tried to park my domains (engrishcheck.me and engrishcheck.com) and got the following error: Can you please resolve it?
  5. Hello Heliohost admins. Can you please unarchive my account? User: engrchk Server: Tommy Domains: engrishcheck.me; engrishcheck.com Thank you!
  6. I have a feeling that the compromise was based on this: https://secupress.me/blog/wordpress-core-vulnerability-496/
  7. Brute force attack? I found this about something called "user enumeration attack". https://perishablepress.com/stop-user-enumeration-wordpress/
  8. I started my investigation by first going through the access logs. My guess is that the attacks started on the 17th of July.

     First, on the 17th of July there were hundreds of attempts to log in to my WP site from this IP:

     23.94.66.178 - - [17/Jul/2018:22:19:59 +0000] "POST /blog//wp-login.php HTTP/1.0" 401 3448 "-" "-"

     The IP is somewhere in Buffalo, NY: https://ipalyzer.com/23.94.66.178
     IP Owner is someone named ComelyHost

     Then, I found this IP was trying to access my WP site several times on the 20th of July. Here is the info from the log:

     95.174.64.69 - - [20/Jul/2018:03:15:50 +0000] "GET //blog/wp-login.php HTTP/1.1" 200 1687 "http://engrishcheck.com/" "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/534.16.69 (KHTML, like Gecko) Version/4.7.2 Safari/533.24"
     95.174.64.69 - - [20/Jul/2018:03:15:53 +0000] "GET //blog/?author=1 HTTP/1.1" 200 9301 "http://engrishcheck.com/" "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/534.16.69 (KHTML, like Gecko) Version/4.7.2 Safari/533.24"

     This kept going until "GET /blog/?author=30".
     The IP is somewhere in Milan, Italy: https://ipalyzer.com/95.174.64.69
     IP Owner is someone named GLOBALAXS NOC MILAN

     Then on the same day this:

     46.250.4.149 - - [20/Jul/2018:18:17:20 +0000] "GET //blog/?author=1 HTTP/1.1" 200 9301 "http://engrishcheck.com/" "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:52.56.09) Gecko/20167285 Firefox/52.56.09"

     This kept going until "GET /blog/?author=29".
     The IP is somewhere in ODESSA, UKRAINE: https://ipalyzer.com/46.250.4.149
     IP Owner is someone named TOV TRK Briz

     Then again on the 23rd this IP was trying to access my WP site several times:

     41.149.72.132 - - [23/Jul/2018:06:14:04 +0200] "GET /blog/?author=1 HTTP/1.1" 301 246 "-" "Mozilla/5.0 (X11; U; Linux i686; pt-BR; rv:1.9.0.15) Gecko/2009102815 Ubuntu/9.04 (jaunty) Firefox/3.0.15"

     This kept going until "GET /blog/?author=10".
     Then it tried to access this hundreds of times:

     41.149.72.132 - - [23/Jul/2018:04:14:36 +0000] "POST /blog//wp-login.php HTTP/1.1" 301 250 "-" "Mozilla/5.0 (X11; U; Linux i686; pt-BR; rv:1.9.0.15) Gecko/2009102815 Ubuntu/9.04 (jaunty) Firefox/3.0.15"

     The IP is somewhere in South Africa: https://ipalyzer.com/41.149.72.132
     IP Owner is someone named Markus Stoltz

     Any comments? What kind of WP vulnerability allowed that to happen and managed to get cpanel access? Must be 0day, since I religiously update WP to the latest release...
  9. Not actually suspended, but WP was hacked like the rest of the recent suspended accounts. Can't login at cpanel and can't reset my cpanel password. The WP installation is at http://engrishcheck.me/blog Please advise and help! Thank you! Username: engrchk Server: Tommy Main domain: engrishcheck.me
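
The pattern in the access-log post above (item 8), a run of sequential `?author=N` requests and repeated POSTs to `wp-login.php` from one IP, can be flagged per client with a short script. This is an added example, not part of the original posts; the thresholds, function names and sample lines (documentation-range IPs) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')

def scan(lines, min_authors=5, min_logins=5):
    """Return {ip: findings} for author-ID sweeps and wp-login POST bursts."""
    authors = defaultdict(set)  # ip -> distinct author IDs requested
    logins = defaultdict(int)   # ip -> number of POSTs to wp-login.php
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected log format
        ip, method, path, _status = m.groups()
        # Collapse doubled slashes so //blog/ and /blog// match like /blog/
        path = re.sub(r'/{2,}', '/', path)
        hit = AUTHOR_RE.search(path)
        if method == 'GET' and hit:
            authors[ip].add(int(hit.group(1)))
        elif method == 'POST' and path.split('?')[0].endswith('/wp-login.php'):
            logins[ip] += 1
    findings = defaultdict(set)
    for ip, ids in authors.items():
        if len(ids) >= min_authors:  # many distinct IDs = enumeration sweep
            findings[ip].add('author-enumeration')
    for ip, count in logins.items():
        if count >= min_logins:      # repeated login POSTs = guessing burst
            findings[ip].add('login-burst')
    return dict(findings)

UA = '"-" "Mozilla/5.0"'

def _line(ip, sec, request, status):
    return f'{ip} - - [20/Jul/2018:03:15:{sec:02d} +0000] "{request}" {status} 100 {UA}'

def sample_log():
    """Constructed lines modelled on the format quoted in the post."""
    log = [_line('203.0.113.10', i, f'GET //blog/?author={i} HTTP/1.1', 200) for i in range(1, 31)]
    log += [_line('198.51.100.7', i, 'POST /blog//wp-login.php HTTP/1.0', 401) for i in range(40)]
    log += [_line('192.0.2.55', i, f'GET /blog/?author={i} HTTP/1.1', 301) for i in range(1, 11)]
    log += [_line('192.0.2.55', i, 'POST /blog//wp-login.php HTTP/1.1', 301) for i in range(20)]
    # An ordinary visitor: one author page, one login
    log.append(_line('192.0.2.99', 0, 'GET /blog/?author=1 HTTP/1.1', 200))
    log.append(_line('192.0.2.99', 1, 'POST /blog/wp-login.php HTTP/1.1', 302))
    return log

if __name__ == '__main__':
    for ip, found in sorted(scan(sample_log()).items()):
        print(ip, sorted(found))
```

An IP flagged for both findings matches the sequence reported for the 23rd of July: author IDs swept first, then login attempts against the discovered usernames.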