travellers

I’m trying to do just that now, and failing miserably ??

I’ve ‘solved’ my own problem, but this still needs to be reported as a bug because I’ve had to ‘cheat’ to get it working. All I’ve done is added a drop down menu ‘quantifier’ with ‘1’ as its default value, set it to ‘Visibility: Never’, and added (*quantifier) within my formula. Until bug is traced and rectified this’ll have to do!

There’s a bug. Absolutely sure of it. If you use only free input fields and a moderator, the result will not display correctly. If you add a drop down menu, it seems to correct the fault.

Example:
Input field ‘length’ (enter 3 in box)
Input field ‘height’ (enter 2 in box)
Input field ‘width’ (enter 4 in box)
Output field formula ‘length*height+width’
Result: echo of ‘width’ (4)

Remove Input field ‘height’ and replace with a dropdown box of choices, 1 OR 2 OR 3. Leave all other fields alone and Save, refresh the page and enter the same figures, and Result: 10 (correct, being 3 * 2 + 4). That’s a bug, right?

I cannot believe how frustrating this plugin is! Nothing I try seems to work, I can’t even get the simplest example actually running just so I can see what’s happening. I’ve tried replicating what’s above with no success, I’ve tried simply adding two input fields and summing them, and still getting nowhere.

The plugin MUST work, because others are using it, but without even the most basic level of support I’m going nowhere fast. I have field1 named ‘length’, field2 named ‘width’, and Element1 with formula ‘width+length’. What does it display on a page? It echoes ‘width’. Go figure… For the love of God, someone please write a tutorial for this thing!

Yes, you have to pay a not insubstantial sum to remove their spamlink. Funny, there is NO mention of this, ANYWHERE AT ALL, on the plugin description, or on their webpage to download the slider maker, nowhere. That’ll be because they don’t WANT you to know that you’ll have to fork out that sum, because then you’d not download it in the first place. They like it just like this, where you download, install, configure, and finally upload your slider before you discover that there’s this horrible little banner in the corner of all your shows demanding money. Now, before you think ‘hmm, it ain’t a massive amount, I’ll just pay it’, ask yourself – do you really want to buy something from a company so underhand that they hide their sales demands until you’ve purchased? I don’t, and so the plugin has been uninstalled. I’ve also complained to www.ads-software.com that they shouldn’t have a plugin in the library that uses deceitful tactics.

Guys, if this can’t be done then fine, but can someone at least say so?!

So, having followed the steps above, do I need to worry about the database itself, or is that going to be okay?

There’s two things left, if what I’ve suggested so far hasn’t been too far off. First up is the database itself – I haven’t checked that, because I don’t know how to.
And then there’s the question of how my hacker got in in the first place?

Okay, you’ve now cleared MOST of the problems, but we’re not done yet.
Step 5. Inspect the remaining files in your root folder. I’m thinking of specifically wp-config.php, but there are others too. Open each of them in your FTP editor and look for the /* god_mode telltale. Any files you find there with that content are going to have to go, so delete those.
Step 6. You just deleted your wp-config, so your site isn’t going to work at all. Good news – WP will recreate it for you. Just load your site in a browser and follow the instructions – get the necessary info from your original setup, or phpMyAdmin etc.
Step 7. Now, log back into your dashboard, and run the Exploit Scanner again. You’ll probably find that all your theme files still show infections. The ‘basic’ themes are there in your freshly downloaded copy of WordPress, but if you’re running a different theme you’ll have to get a fresh copy of that too. Regardless of which theme you are running, there is one more thing you can do (which I unfortunately forgot when I just did mine – oops…). Download and save a copy of your style.css file, THEN delete the theme, and replace it with your fresh copy. Make sure you do it like that – delete the WHOLE theme folder, because our pal the hacker might well have uploaded additional files which wouldn’t be overwritten, and then upload a whole brand new copy of the theme. Then you can open your style.css file and check it for anything odd, and if you don’t find anything then replace the default style file on the server with it.
Step 8. Any OTHER themes that you have on your site but that you’re not actually using will ALSO be infected. Delete and replace those too.
Step 9. Another run of the Exploit Scanner will show you that unfortunately all your plugins are dodgy too – every one of them will have ‘god_mode inclusions all over them. You’re going to have to delete all of the folders, so you have no plugins left APART FROM THE EXPLOIT SCANNER. That’s ‘safe’, because you only just downloaded it!
Step 10. Run the Exploit Scanner yet again. Hopefully now you’ll not have any results, or results that are benign.

Now, its over to Jan for some help, because although we’re back running again and clean, we have no plugins. Can we just download and install them again Jan, or will WP complain that it thinks we already have them? Anything else we need to check?
Many thanks for pointing me in the right direction – I might well not have noticed I’d been hacked otherwise

@suzanneper

Sorry to be the bearer of bad tidings but Jan is right, we’ve been hacked. Badly, too ?? . In case you’re a novice like me, I’m going to list the steps I’ve taken to remove the infection. It won’t take you too long, and you’re going to have to do it to get rid of the hack.

Step 1. Download a fresh copy of latest version of WordPress here: https://www.ads-software.com/download/
Step 2. Log in to your Dashboard and install Exploit Scanner here: https://www.ads-software.com/extend/plugins/exploit-scanner/
Step 3. Run the scanner, it will confirm you have been hacked by showing you a huge list of files. Near the top of my list was wp-activate.php, which had the content
/*god_mode_on*/eval (base64_decode("ZXZhbC hiYXNlNjRfZGVjb2RlKCJaWFpoYkNoaVlYTmxOalJmWkdWamIyUmxLQ0 phV0Zwb1lrTm9hVmxZVG14T2FsSm1Xa2RXYW1 (loads more characters)
Needless to say, your installation should not have anything like that in it – ‘base64_decode’ is a *BAD* sign.
Step 4. Now that you’ve confirmed you’ve had an intrusion, use the fresh copy of WordPress you just downloaded to get rid of it. You *should* start by deactivating plugins, but since your plugins aren’t showing up you can’t do that! Follow this sequence:
Step 4a. Delete the complete wp-includes and wp-admin directories via your FTP client.
Step 4b. Upload the wp-includes and wp-admin directories from your downloaded new version.
Step4c. DO NOT DELETE your existing wp-content folder, but upload all the files in the wp-content folder from your downloaded fresh copy ‘over the top’ of existing files, allowing them to be overwritten.
Step 4d (optional). Having done this, I looked at my dashboard and ran Exploit Scanner again. Still a long list of files, but far fewer than I had previously. Okay, its going well…
Step 4e. Upload the files in the root folder of your download, again allowing the files on the server to be overwritten, these are the files like wp-activate, wp-blog-header, etc.
I’ll continue in another post in a moment, in case there is a limit to how much I can enter in one post!

I’ve ended up having my host restore the domain from their most recent backup – I just couldn’t track it back. I’ve updated all my plugins to latest version, and now my finger is hovering over the ‘Automatic Update’ button again, but I know as soon as I press it I’ll have the fatal error back. I can’t simply ignore it and run a previous version indefinitely because I know that makes me vulnerable, but I just don’t know what to do next ??

Okay, I’m now officially stuck!
I downloaded 3.2 from https://www.ads-software.com/download/release-archive/, deleted my wp-admin and wp-includes folders via FTP, and uploaded those two complete folders from the older version. STILL got the same error.
So, its not a plugin (plugin folder disabled)
Its not the database (most recent version re-uploaded)
And its not the files (older files uploaded)
Ummmm…. what do I try now?!

One of your plugins aint wot it sez it is… :o(

Well yes I can follow that. My machine comes back clean, and I’m guessing my host isn’t responsible since it was him who discovered it and notified me. I’ve changed all my passwords across the board, cpanel, wp admin, etc. And I can restore backups of the files and the database.
But none of that does anything about how they got in in the first place. They certainly didn’t guess any passwords – none of those is less than a dozen characters that are all random symbols. I’m running the latest version of WP, all my plugins and theme are up to date. If I can’t close the back door, all I’m doing is rearranging deckchairs on the Titanic – the hacked files will be back next time the hacker’s bot stops by!

You could be right – I am currently running ie9 beta and having major problems with pdf viewing would seem to indicate others feel IE9 has issues with pdf’s. I just tried to look up the instructions to ‘roll back’ IE9 to 8, but I’m afraid they look a bit over my head, and all the PC’s I have here have already upgraded so I reckon I’m stuck with it!