unknown files rot my cpanel and I can no longer use it correctly - wordpress

I have a real problem on my cPanel that I do not understand: all my sites and my applications have not worked since this morning. I tried to restore without success; I have tried everything. I am afraid to watch. Help me.
When I check the files of my site and application, there are unknown files that create themselves all the time. Even when I delete them completely, when I update they come back on their own, and it affects the operation of my site and application.
I don't know if I was really hacked, or if it's an extension problem, or a quota or PHP problem, but nothing's going well. Here are some images of the unknown folders. I've already written to support; they say they will delete the hosting and create a new one, which I can't afford right now.

According to your screenshot, you have really messed up your WordPress Core. Firstly, fix your .htaccess and 'delete the folders'. Additionally, you can always reinstall WordPress Core to fix any problems that might have happened from a Malware action.
However, there has been a rise in WordPress Database Malware as well, so you might wanna look into that as well.

Related

How Can I Fix a Hacked Wordpress Website?

I have seen lots of critical errors on my WordPress website. I attached a screenshot below that shows some of these issues. Please look at this and provide some suggestions so that I can fix this problem.
Thank you so much.
Depends how badly broken your site has become.
What is it doing to make you think it's been hacked? Is it just the warnings in the Wordfence scan report?
Before going much further you should for sure grab a backup of your database, wp-config.php, and the contents of the directories wp-content/themes, wp-content/uploads, and wp-content/plugins. Might be a good idea to make a separate backup of the entire WordPress installation directory.
Since you can still access the administration panel, might as well change your password just to be safe. Are there multiple users for your WP installation?
What changes have been made if you click "Details" button in the Wordfence scan?
If you're sure changes to the wp-core files are due to a hack, you can try to repair them using Wordfence's repair feature--it'll restore them to their base WordPress version. But if significant differences are showing for dozens of core files, it might be a good idea to start over with a clean installation of WordPress.
You'll also want to track down what allowed these malicious changes to be made (has an unknown IP logged into your administration panel recently? Are you using a plugin with a known security issue?), or it'll just happen again.

I need help with "wp-login.php script causing core dump"

All I know is there is a script causing a dump on wp-login.php. I had the host do a restore, I changed the password, I disabled all plugins but it still keeps on dumping and now all my space is full. I can delete the core files but that fills up quickly. If there is anyone here willing to help me in exchange for some work, I'm open.
As for the malware scan, nothing comes up. I've tried Wordfence and a few others, as well as having InMotion do a scan.
There's still potential that malware could linger in other places.
Thanks
I would recommend getting a fresh copy of the Core and fresh copies of all plugins, then check each plugin's support forums for vulnerabilities; that may point towards a culprit. Also check your theme support for the same.
Essentially replace everything but .htaccess, wp-config and any custom theme code.

Wordpress - Scammy script appears on some pages

I noticed that on a wordpress site I'm going to take over the following scripts are found on multiple pages:
When the page is displayed here is what I see:
This seems incredibly scammy, does anyone know what this is?
I am going to delete all of those and restrict access to the website in the meantime
Thank you
One of two things likely happened. Either you are serving flash and have a really old version on your computer - OR - your website has been compromised and injected with some sort of malware.
Are the unusual scripts showing up in the content or the theme files? If they are showing up on the content, that means someone has added these scripts to the database, and it will require a bit of cleanup (or a restore to a previous version). If the scripts are showing up in actual .php files, then someone has gained access to the file system on the server.
You should re-install WordPress entirely to ensure all core files are clean, and then go through plugins and themes to ensure all malicious code has been removed.
Also, it would be good to find out how this happened, to attempt to stop it from happening again.

Two Wordpress Installations on the Exact Same Database?

I'm in the process of setting up a development and live development environment for some basic projects I'm working on. Ideally I want git to push changes from the development server to the live site. However I want each version to use the exact same database so the posts and content are identical at all times.
Obviously the Site URL is set to only the live site so the development site's links don't work. If I overrode the site url in the wp-config.php file of each and used .gitignore to ignore both wp-config.php files would this be enough for this to work or is there something else I'm missing?
I'm posting in the hope somebody has tried it before me and that might have any answers to problems I encounter now or in the future.
Thanks in advance, Ollie
Make sure you add the .gitignore entry before changing and committing the wp-config.php.
Once you update wp-config.php, it's going to go through and update URLs in the database. Since WordPress is stateless - to say there is no session management, there is no way of tracking if a database has been swapped.
Lastly, WordPress uses a MySQL database, which wouldn't be versioned unless you went through a lot of work to do so. Aside from wp-config.php, there aren't any other stored references of what the site's URLs should be.

IE8 crashing opening WordPress with Gantry Framework installed

I got a problem that's driving me up the wall: I made a WordPress blog, using the Gantry framework for layout and several different widgets and plugins. Everything works fine in FF, Safari, and Chrome, but trying to open the site with IE 8 the browser crashes, or in the best cases I get a message that the tab has been closed and reopened due to an error, after which the site is loaded fine. I tried finding out what happens during the opening of the page, but the debug panel of IE doesn't point out any error!
Does anybody have a clue on what the problem might be?
The website is: http://www.danielevecchiotti.it/
I suffered from the same attack today, so I investigated a bit:
That injection is done through the hole in one of the plugins, most likely through the outdated contact-form-7 plugin. Check if you have this folder in your wp-content/plugins directory - even if it is not activated in Wordpress, the very presence of it there is a potential security threat as the attacker can use the direct URL of the plugin faulty file to access it.
(source: http://wewatchyourwebsite.com/wordpress/2011/11/wordpress-websites-infected-through-outdated-contact-form-7-plugin)
Patching the hole: if you use this plugin, update it to the latest version which is not vulnerable. If you don't use it and just keep it deactivated (like I did), you can remove it altogether.
It is also a good idea to prevent people from accessing your plugins directly. You can create a wp-content/plugins/.htaccess with the following content:
<Files *.php>
deny from all
</Files>
This might not work with every configuration, but usually plugins are only accessed in the code, not with HTTP calls so that shouldn't do harm to visitors' experience.
Restoring your site: If you don't have a backup of your *.php files to restore them all from by overwriting your current ones, you need to search for every file containing the string specific to the malicious code, e.g. "eva1fYlbakBcVSir". Then you need to edit all those files - for every file, remove a long line from its end.
Or if you're proficient with command line and, say, perl, you can build a regular expression to do the work for you.
What was the purpose of the attack? Obviously there were links to some Java plugin added to your site's pages by those code snippets. The plugin added is believed to be the following: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Exploit%3aJava%2fCVE-2010-0840.KM&threatid=2147649278
However, I didn't manage yet to decipher the injected code fully - it's very well messed up and the reverse engineering is hard. So I can't tell for sure that apart from showing that Java plugin to visitors the exploit was doing nothing like reading users' passwords or removing some files (unlikely, but possible).
I can't find any information about that as well, looks like nobody traced the consequences fully yet.
Please share if you know more.
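One way to script the search-and-strip step described in the answer above, as an added Python example (not code from the original post). It uses the marker string quoted in the answer; the function names and the separate backup directory are assumptions of this example.

```python
import os
import shutil

MARKER = b"eva1fYlbakBcVSir"  # marker string quoted in the answer above


def find_infected(root, marker=MARKER):
    """Return sorted paths of *.php files under root that contain the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(".php"):
                with open(path, "rb") as fh:
                    if marker in fh.read():
                        hits.append(path)
    return sorted(hits)


def strip_trailing_injection(path, backup_path, marker=MARKER):
    """Drop the marked line only if it is the file's last non-empty line."""
    with open(path, "rb") as fh:
        lines = fh.read().splitlines(keepends=True)
    while lines and not lines[-1].strip():
        lines.pop()  # ignore trailing blank lines
    marked = [i for i, line in enumerate(lines) if marker in line]
    if not marked:
        return "clean"
    if marked != [len(lines) - 1]:
        return "manual-review"  # marker elsewhere: pattern differs, do not edit
    shutil.copy2(path, backup_path)  # keep the infected original as evidence
    with open(path, "wb") as fh:
        fh.writelines(lines[:-1])
    return "cleaned"


def clean_tree(root, backup_dir, marker=MARKER):
    """Clean every infected file; backups go to backup_dir (outside the web root)."""
    os.makedirs(backup_dir, exist_ok=True)
    report = {}
    for path in find_infected(root, marker):
        flat = os.path.relpath(path, root).replace(os.sep, "__")
        report[path] = strip_trailing_injection(
            path, os.path.join(backup_dir, flat), marker)
    return report
```

Files reported as "manual-review" contain the marker somewhere other than the final line and are left untouched for inspection by hand.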
I finally found the problem: the site has been HACKED!
I noticed the index.php and wp-blog-header.php files modified on a strange date and time. Downloading the two files I found they had been compromised: a whole section of unreadable code had been added. Uploading the original PHP files the above problem was solved.
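The manual check described above (spotting modified index.php and wp-blog-header.php and restoring the originals), generalized as an added Python example that is not from any of the posts: it hashes every core file of a live install against an unpacked clean copy of the same WordPress version. The function names, the skip lists and the two directory arguments are assumptions of this example.

```python
import hashlib
import os

SKIP_DIRS = {"wp-content"}  # themes, plugins, uploads: not part of core
SKIP_FILES = {"wp-config.php", ".htaccess"}  # site-specific, not in a fresh copy


def _hashes(root):
    """Map relative path -> SHA-256 for every core file under root."""
    out = {}
    for dirpath, dirs, files in os.walk(root):
        if dirpath == root:
            # prune wp-content at the top level only
            dirs[:] = [d for d in dirs if d not in SKIP_DIRS]
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in SKIP_FILES:
                continue
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out


def compare_core(site_root, clean_root):
    """Compare a live install against a clean copy of the same version."""
    site, clean = _hashes(site_root), _hashes(clean_root)
    return {
        # core files whose content differs from the clean copy
        "modified": sorted(p for p in site if p in clean and site[p] != clean[p]),
        # files outside wp-content that a clean install does not ship
        "unknown": sorted(p for p in site if p not in clean),
        # core files that have been deleted from the live install
        "missing": sorted(p for p in clean if p not in site),
    }
```

Anything listed under "modified" or "unknown" is a candidate for replacement or removal; wp-content still has to be reviewed separately because it is excluded here.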
