rossmcm

The problem is still with us as at 24th November with the latedt version of the plugin. I did have an error log of some 700 Mb – filled with:

[22-Nov-2014 12:06:40 UTC] PHP Warning: Invalid argument supplied for foreach() in /public_html/wp-content/plugins/wponlinebackup/include/tables.php on line 693

but after running the backup manually this time it still fails with:

Latest backup:

24th Nov 2014 8.52.38 AM (Manual)
 Failed
The backup ran for 3 m 2 s and backed up 0 B in 0 files. A total of 0 B in 0 files were scanned.

but I cannot see any sign of an error log file.

The hack was originally picked up by a plugin I have installed. When I complained to the hoster they ran some scanner they have (unknown) and picked up that file as well.

_That_ is a good point. I don’t know. Maybe I should rename the /public_html/wp-includes/js/jquery folder and do a reinstall?

Oops. Problem solved. I had the relevant plug-ins disabled.

This event turned out to be two problems. The first was the hijacking of my footer.php file by a link farm as described here. This didn’t actually have any visible impact on the operation of the website that I can see. The password problem was due to the handling of passwords being changed between the version of WP I was running to version 3.5 (see here).

I still have a problem where the markup for a slideshow is now not being parsed correctly and is resulting in the fragment of markup being emitted to the page, also I suspect related to the “upgrade”.

Hi again Christine,

The site now reports as clean after the Sucuri scan, but the password problem is still with us. I also seem to have a rogue fragment of HTML showing in the header (if you look at https://www.cityofsailschorus.com/members-area/password-test-page you can see it just to the right of the “pole”) so something is still screwy somewhere. I don’t know where next to look.

Thanks for your help,
Ross

Thanks Christine. It looks like this one: https://blog.sucuri.net/2012/12/website-malware-sharp-increase-in-spam-attacks-wordpress-joomla.html.

What I’m curious to know is how these cretins get into the site. The hosting provider isn’t interested – “it’s your problem, not ours”, though when this happened with another site I administer, I found that all the sites that were co-hosted with mine were also infected – I just checked the adjacent IP addresses, but that approach doesn’t seem to work here.

At first glance it looks as if only one file – header.php – is affected, though even after fixing that the site still seems to be broken.

I’m currently getting a snapshot of the wp folders and will take a better look.