Help! Site crashed!?

Spoke with my hosting company. No malware was scanned on the server. It was simply fixed by re-installing the core files.

Had to escalate the ticket to the higher level techs. The lower level tech couldn’t understand or explain what was going on. Once I hear back from my hosting company I’ll post the answer here in case people want to know the solution for future reference.

can’t even connect to my server now

I reinstalled core files twice, did nothing.

I had the same issue – using Hostroute in the UK. Problem is not just restricted to wordpress; this affected an installation of my podcasting script, wordpress and also LimeSurvey – none of which were linked from any external site or wordpress, they do not exist online apart from a direct URL that I know about, however they too had code modified with the same base64 encoding information.

I also found a ‘timthumb’ exploit in mine?

Scanned and re-installed, contacted host too as all files affected contain the following words in the file names:

• config
• functions
• index
• view

Update:

My host have said this is a wordpress exploit and is nothing to do with the server?

Hi,
I got the same problem with my website since yesterday. I replaced my hacked functions.php several times and it was good (but very provisional…). Now, it’s instantly ! When i replace the hacked file with a clean file, it become hacked instantly ! So i can do nothing…

I’m waiting for my host answer. I hope someone will find the solution ??

Same thing. All my sites on the server. lines of code deleted from the wp-includes/functions.php file. To keep clients from calling I am having to use the File Manager / History to revert my whole server to a clean point yesterday. The attack seems to be automated (bot) in cycles throughout the day. This is the 3rd variations of attack in the past 2 months. The first attack entered eval code at the top of all of my index.php files every hour or so.. so had to create a cron that runs a script to check and clean my server. 2nd attack inserted malicious code @ the bottom of all 6,000 javascript files on my server. That started and stopped the past month. Now this started yesterday.

All the WP sites belonging to a particular shell user on my VPS server had the same problem yesterday or today (not sure). Another user on the same linux instance had no problem with its WP site. All sites use the same WP version.

Here is a git diff and status of what it looks like for one site in particular:
https://gist.github.com/4526116

It seems to add the same eval line at the beginning of some theme and plugin files, and some core WP files also.

I have reset the shell password of the attacked user. I’m still looking at what could have caused this.

I am having the same issue. Hostgator running a scan right now. What a complete drag. I’m on a VPS Server and it was only one of my WP networks that had issues thankfully.

I know this might not be an option for all but I lost three sites to this and paid Sucuri.net to sort it out. Went to bed and just woke up, the malware’s gone! $189 (￡121) for piece of mind…

(and no I don’t work for them)

Good luck all!

I think I’m getting closer to a fix. ??

1) After updating all my sites to WP 3.5, and re-updating function.php over and over again for the past 48 hours, I decided I needed a do-over.

2) I found some really odd files in each of the roots for all of my domains. Didn’t recognize them so I just deleted them. I know. Not smart, but I did it. Files similar to: 234u823144f1237428021.

3) I backed up my theme and image files, deleted all files, and reinstalled with a fresh version of WP 3.5.

4) New issue with the install.

The site comes up fine – https://www.ellenstevens.com
However, when I try to access https://www.ellenstevens.com/wp-admin I get a blank screen.
When I try to access https://www.ellenstevens.com/wp-login I get a 404 error.

What am I missing?

@tony Bianco – How did you fix? I’ve re-installed all core files with no luck.

@eystevens Did you update wp-config? I also deleted file 234u823144f1237428021 however mine was called 169b171bbdffdf3759850fef45515c67 – for larget sites this file had massive amoutns of ip’s in it, for smaller sites it had only several ips. I have no idea what it is, but its in the bin now.

My hosting company has been scanning for last 20 hours, which is almost pointless since I know its infected…

I can’t believe no one on the internet has a solid solution to this.

If we know which file the code is hosted in, surely it can be fixed easy. Right now any changes made simply re-infect the site as within the hour.

[No bumping, thank you.]

Same here. Changes are overwritten within an hour. Google has blacklisted us. My hosting company is servage.net and they are not even ready to do a scan.

You need to start working your way through these resources:
https://codex.www.ads-software.com/FAQ_My_site_was_hacked
https://www.ads-software.com/support/topic/268083#post-1065779
https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
https://ottopress.com/2009/hacked-wordpress-backdoors/

Additional Resources:
https://sitecheck.sucuri.net/scanner/
https://www.unmaskparasites.com/
https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

@digitalcashcrop I did notice that my wp-config.php file had an enormous amount of excess code in it that I didn’t recognize. So, I’m guessing that was definitely compromised.

My host has told me there is no need for them to scan because no one else has complained. I find that hard to believe.

At this point, I’m still up and running, so I think the complete overhaul of all files may have worked. Except that I may have screwed up the install. So, now I’m just trying to troubleshoot that.