All WP Sites Downed: Hacked But Doesn't Explain All

what a nightmare.

I got 20+ sites ..similiar to your situation and also self-thought.

If i were you, I’d start from scratch
-get a nice VPS or dedi at hostgator or mediatemplate.
-Install one copy of WordPress, enable network, install the domain mapping plugin.
-go over every line of themes’ codes.
-install fresh copies of the plugins
-import your cleaned databases manually via phpmyadmin.

If you want to go this route, I’d help.

Have you asked your hosting provider if they have any recent backups that they can restore your account from?

Or, do you have any resent backups that you can restore from?

@klark0 How very kind of you to offer. I can see that you appreciate the frustrating situation here having a similar setup yourself. I do see a lot of people recommending Host Gator. It does seem for good reason; the whole server configuration seems to be at the core of it. Which one do you use?

I don’t know as I “need” virtual or dedicated. While I had a lot of installs, none get anything like the traffic necessary to trigger that need. That may become necessary in the future, but we weren’t there yet. The only reason to go virtual or dedicated would be that shared hosting is hazardous to the health of multiple sites at once. From what I’ve read, if that is possible, it’s poor server configuration. But I could very well be incorrect.

I believe you’re correct regarding fresh copies. The reading I have done regarding EVAL base64 hacking recommends not trying to import the databases from sites hit, but to focus in on the Exported content file as this is by far the most difficult / impossible aspect of one’s site to replace.
Fortunately, on none of the sites was there such significant CSS editing on the themes that it would be prohibitive to just upload fresh copies. Apparently themes are one of the “favorite” targets of the hackers.

Ultimately, if I can find any kind of scanning software to go through the export files and ensure those are clean, that would cut the work down a great deal. I’ve already done a preliminary text string search on one of the exported files and cannot find any of the very well known strings for the EVAL base64 code.

I’d be interested in your answer re: hosting. Thanks again for the interest.

@james There are backups available from the hosting provider – I’ve tried three times to do restores, backing up a little each time. As noted above, it is murky as to whether the restoration was actually truly successful on each occasion because I always get an error message that the process could not complete. The reason it is murky, is because after the first attempt, some of the sites were back up and the folders inside c-panel showed changes consistent with the restores.
From my reading, restore won’t solve the problem with the hacking because either 1) the database tables are corrupted or 2) the server is getting hit with another round of attacks.
Restoring from my backups apparently won’t work either according to what I’ve read. All recommendations point to scrapping the wordpress and database files totally.

The core issue again here is: Is the EVAL hack known to actually blank out whole file contents? I can’t find anything on that anywhere.

Stubborn,

before you slip into suicide mode maybe we can offer some ‘comfort’. It is a very long story but due to the fact we are in aviation we don’t have the pleasure (and luxury) to tell it all. So here in a nutshell: Recently we’ve installed W3-total cache and it messed up bad. And when we say bad, we actually mean catastrophic – We got the 505 internal error, the 404, you name it we got a screen-shot of it. Our bounce-back rate increased to 65%!! Our Apache server was bogging and sputtering. In 76 hours since installment W3 almost crashed our database. We have not contacted the ‘author’ of this product since all and everything is grass-root-development and we are not into blaming games.

From this point on we are not going to install ANY cache program until it is proven in a test environment. We are not developers and/or code-monkeys (but we learned our lesson).

Here was our strategy to get out of this flat spin (after a nerve wrecking investigation): we de-activated W3, we deleted (yes, DELETED) .htaccess in your public_html folder to cure the 505 Internal Server Error, gave your server a couple of minutes to recover, logged-in as admin, went into our permalinks and saved our options again (to cure the 404 Not Found Error). Since 48 hours our server runs nice (not perfect) – all links and functions work. Eventually we had to go through all our settings and re-save them. 99% of our options show up the way we had them set up, but we needed to SAVE them AGAIN to re-write .htaccess and all plug-in specific config files.

We don’t know about any hacking and/or manipulation regarding our database. We definitely know that our trouble was caused by W3 describing behavior you mentioned.

Hope that helps.

I wish someone would have contacted me because there has never been a case like this and I would like to know specifically what transpired and how the plugin was used to cause this outcome.

@p3air I laughed outloud when I read your reply. I HOPE I wasn’t coming across as nearly suicidal! It’s frustrating, to be sure, but in the big picture, life will go on.

I really appreciate your post here and the information about what you’ve done to recover. I’m going to review what we’ve done and see how it lines up. As I noted in my posts, it may well be that there were a couple of things that happened on top of each other here. For us, it comes down to the configuration of the server(s). There’s just no getting around the fact that we had an account wide problem regardless of the hacking or effects of the plugin.

But that doesn’t sound like your issue – if I am following what you are saying this is a server you are running yourself. If I detected that correctly, you simply don’t have that same issue, which is great.

We know we had hacking – I’ve now seen the code myself.

Again, I appreciate the information and hope that your whole situation stabilizes.

—-
@frederick Townes – The reason I didn’t contact you is because I had already resolved the issue regarding the W3 plugin by doing a Google search on how to properly thoroughly delete it. One of the restores I mentioned took the site temporarily to a point that the W3 was back in the WP Plugins list but not activated.

I know you said that there has never been a case like this, but in THIS thread a number of people are specifically discussing server configuration issues.

Do note that I said the following:

The plugin is not configured to do damage, but it seems that it may likely did, only because of the poor configuration.

I am not blaming W3 – the server should be configured in such a way that the obvious interactivity of files on the one on which my sites site is happening should never occur.

I can see you work hard to communicate with people who are having issues and are genuinely interested in learning about any trouble people are having. This is a free plug-in…I greatly appreciate the amazing hard work of the many coders who do these projects.

I firmly believe – as stated above – I was really taxing my setup with all of the plugins I was trying to use and there was simply some issue with bad interactivity. Despite the fact that there was interactivity…my site DID speed up while it was running your plugin.

Server configuration is huge – as I’ve learned the hard way. It does seem like there is some evidence pointing to the idea that depending upon the server configuration, W3 may be having an impact outside of the expected locations of install.

We may simply never know precisely all that occurred here. The programmer who went thoroughly through another one of our sites and got it back up, said the following after hearing that it went back down again:

I had replaced all of the WP files so unless there was a backdoor in a
plugin, it was no different than starting from scratch. Without
detailed server logs I have no idea why seemingly random files are going
to 0 bytes and getting wrong permissions set on them.

This again, points to server configuration issues. But in reading the post I linked to here, I do see that people were mentioning permissions issues.

In any case, my real purpose in posting this was to get to the bottom of whether the EVAL hacking is known to cause files to zero out.

It didn’t even occur to me to contact you and you can imagine how insane it has been with this many downed sites.

I had replaced all of the WP files so unless there was a backdoor in a plugin, it was no different than starting from scratch.

Just a quick note… that statement is technically not correct. Unless you delete everything first there is always the chance that a back door was left behind somewhere else in the installation. Also plugin files themselves are often targets for infection.

A good portion of what I do these days is clean WordPress installations for people (I wrote the article about GoDaddy you linked to in the original post above, and I wrote a guide on how to completely clean WordPress) and to be honest I have never seen one where there were files getting emptied out.

I have seen files that were overwritten with malicious code, however, and I know of at least one host (MediaTemple) that is performing periodic cleanings on client websites without even telling them that they are infected in the first place. If GoDaddy has started emulating this practice as well (a practice which I personally feel is unethical), then it is possible that the files are getting infected, and then automated sweeps are cleaning out the infected code leaving blank files behind.

My suggestion is to restore from GoDaddy’s backups, but restore to a directory other than where the sites actually are, and as soon as the restore has been completed, download the whole thing and move it to a new location. You don’t need the WordPress or the plugin files/directories at all. The only thing you need are what is in the uploads directory and the theme, and non-Wordpress directories that might be at the root (such as independent /images directory, or uploaded movies, whatever), the sitemap (if there is one), favicon, etc. Everything else can be replaced with fresh files.

If you need a hand scanning the non-replaceable files and folders for infection then hit me up by email, I can probably help.

-Michael

@michael
Thank you very much for your reply.

I just re-read your article – I had read so many in researching this whole issue I wanted to make sure I had the correct one in mind. It’s frustrating to review. I cannot tell you how insanely illogical the conversations with my hosting provider have been. Obviously they have the same mind set of the folks you dealt with, only they know even less. I have learned a number of lessons from this, not the least of which is when you notice a degrading level of service it’s time to bail out. I saw the occasional red flag for the past few months.

I’ve been trying to decide whether it is even worth bothering to take the time in calling them back and very bluntly saying “the jig is up”.

If these folks had any real principles, they would dig up known working copies of my files and reload somewhere – anywhere.

You have provided the only plausible theory regarding the blanking out of those files I’ve heard so far. It unfortunately fits the SOP we’ve both observed. Your suggestion about restoration has inspired me to try a couple of things that may not only help me get at some of the files that we’ve lost, it may tell me more about what is going on here regarding the server.

I agree with you regarding the effort to repair undertaken by the programmer. He’s a great programmer but he’s not incredibly familiar with WordPress. He didn’t take into account buried files in plugins or even the database when he did the cleanup. Simply installing fresh wordpress core files will not do the job. I wasn’t clear on that when he proposed attempting to do so.

The very frustrating thing here is that XML imports in WordPress 3.0 don’t work very well. I did a search for some of the coding from the EVAL injection and visually scanned and can’t see anything “obvious” in the xml file, yet it simply won’t import all of my content. I did some searching to see if I am alone in this problem and I find a lot of information that leans towards widespread difficulty.

I would have been satisfied with the ability to do that since I have full copies of the items you mentioned such as images, etc.

In any case, I’m going to “experiment” with the restoration thing a bit in a couple of respects.

I am also going to keep in mind that you’ve been specializing in this area lately. There are a couple of sites that are going to be real nightmares if we can’t get to a place where we can restore the posts via some automated means.

Thanks again.

The very frustrating thing here is that XML imports in WordPress 3.0 don’t work very well. I did a search for some of the coding from the EVAL injection and visually scanned and can’t see anything “obvious” in the xml file, yet it simply won’t import all of my content.

Have you tried importing the data into some installation other than the corrupt one? Meaning, an entirely different account altogether, fresh install, fresh database?

It’s hard to say for sure without seeing the details of the file itself and what it is exactly that isn’t importing. Is it posts that are not coming in correctly? And did you verify that the post content was in fact intact inside the xml export?

My email is michael at endlesspoetry dot com, feel free to drop me a line if you want to get into details. That way we can post here if we come up with a solution and hopefully help someone else without them having to read the whole conversation.

Michael,
I’ll be sending you a message – mainly to clarify so this thread doesn’t become even longer. I’m hoping to provide some information a “solution” but it’s probably prudent to have some “supervision” since I am clearly learning as I go.

Does anyone here need any input from me? The W3TC tag was added here, so I’m trying to be sensitive to any issues surrounding this topic.