I hosed my wordpress installation

So, I had done a backup with Snapshot last night, was trying to fix some stuff today. Made a change to my theme's style.css when I was trying to fix an error that seemed to be in the theme itself. The change hosed wordpress so I reuploaded the file (had a copy of the theme on my desktop) via cPanel.

WP still is incapacitated, so the best I can figure is that WordPress is gagging on the different file modification time. Permissions etc are the same as before. File is the same as before.

The site loads -- sorta, but I cannot log in to the dashboard. No access via my hub.

Of course, this happens right when I have to travel for 3 days....

Site is wp.interiorhorsecouncil.com and I had enabled WPMU DEV support for 5 days earlier this morning.

I have located and downloaded the snapshot file from last night to my desktop and also copied it to a folder at a higher level than my wp install. I also backed up my child theme's functions.php. My custom css desktop backup is a week old, but apparently the JetPack "edit css" custom css module stores that output in a database, so if I can restore the Snapshot backup I should be ok.

Is there a way to restore wordpress and the snapshot backup easier than reinstalling WP from scratch, reinstalling all the plugins etc then restoring from the Snapshot backup?

Thank you for the assistance.

PS - interestingly, I just received an unsolicited email from someplace called fixrunner.com that wants to fix my site (for a hefty fee). Is it possible this outfit hacked my site?

  • Rupok

    Hi djohns

    Hope you had a wonderful day.

    The site loads -- sorta, but I cannot log in to the dashboard

    Well, might be you had a different password when the backup was taken, might be not. But this can be fixed from PHPMyAdmin panel, don't worry. You can do this by following this article: http://www.wpbeginner.com/beginners-guide/how-to-reset-a-wordpress-password-from-phpmyadmin/

    Is there a way to restore wordpress and the snapshot backup easier than reinstalling WP from scratch, reinstalling all the plugins etc then restoring from the Snapshot backup?

    Basically there is no easier way. Another way could be making a zip file with all the files in your web root directory and mysql dump, but that's not easier than snapshot.

    PS - interestingly, I just received an unsolicited email from someplace called fixrunner.com that wants to fix my site (for a hefty fee). Is it possible this outfit hacked my site?

    I can't totally ignore the idea that your site is compromised, but without seeing the site, checking configurations, comparing with previous state, it's kinda impossible for me to say if your site is compromised or not.

    Have a nice day. Cheers!

  • djohns

    Hi Rupok,

    I gotta get some sleep as driving 340 miles tomorrow, but the site password hasn't changed.

    Hahahaha. I needed practice with WP installation & restoring backups anyway.... and at least the site is a test/development site, not live yet. Although I was hoping to get there by end of next week.

    Once I reinstall WP and Snapshot, do I need to reinstall all the plugins before restoring the backup?

    Aren't I glad I have a full backup! :slight_smile:

    Have a great weekend.
    Diana

  • Jaxom

    Hi Djohns

    I had a look at that unsolicited email site: not based in the US despite their statement, really bad use of English, obviously not their native language, and an IP in Israel, and if you look carefully they actually do say they're in Israel.
    The fact they knew your site was down, and some things they say on their web site, says to me they did it. (I'm retired Military Police; if it looks like a rat and talks like a rat, it's a rat)
    I recommend WPMU Defender or Wordfence; both do a great job of locking down your site.
    I would also suggest hiding your login; this is the one I use: Lockdown WP Admin

    Jaxom

  • PowerQuest

    djohns I found some interesting things some time ago about the subject of backups:
    https://premium.wpmudev.org/forums/topic/backup-solutions-for-wp-multisite-with-many-websites#post-1025671

    Basically- the short history is that I'm using my own hosts backups that they run on a daily basis, and it works very well for me. Have you tried to make a rollback from your host to restore the website?

  • PowerQuest

    djohns I missed the second part, sorry about that, quote:

    PS - interestingly, I just received an unsolicited email from someplace called fixrunner.com that wants to fix my site (for a hefty fee). Is it possible this outfit hacked my site?

    After you have done the roll back from your host (BOTH database and files) you need to carefully see that your WP install in locked down in terms of security.

    1.) Move the wp-config file to another location and call it something else. Aka the wp-config is just an empty file. Example:

    <?php
    /**
     * The whoooaaa! Surprise, nothing here!
     *
     * Some cheeky bandits have stolen the information and are drinking cocktails on a sunny Bahamas beach right now!
     *
     * @package WordPress
     */

    require_once("my-directory/my-directory/my-directory/my-supersecret-file.php");

    2.) Make sure that all directories are locked down with .htaccess preventing directory browsing.
    3.) Lock down the .htaccess files with 400 (you need to test if it works in your install, or set to 404 --OR-- 444 depending on your server config).

    404 File Permissions

    .htaccess files should have 404 File Permissions

    Owner Permissions – Read On – Write X – Execute X
    Group Permissions – Read X – Write X – Execute X
    Public Permissions – Read On – Write X – Execute X

    400 File Permissions

    index.php, wp-config.php and wp-blog-header.php should have 400 File Permissions

    Owner Permissions – Read On – Write X – Execute X
    Group Permissions – Read X – Write X – Execute X
    Public Permissions – Read X – Write X – Execute X

    Make sure that you have a good software firewall installed on your installation. Additionally you could also use Cloudflare for extra protection, which comes with using a CDN like theirs.
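
As a defender-side check on the permission policy in the post above (.htaccess at 404, or 400/444 where the server needs it; index.php, wp-config.php and wp-blog-header.php at 400), here is an added Python audit script. It is not from the original post or from WPMU DEV; it assumes the 400 rule is meant for the three files in the web root, additionally flags anything world-writable, and builds a constructed sample tree in a temp directory to run against.

```python
"""Audit file modes in a WordPress tree against the permission policy quoted in the post.
Added example, not from the original post. Assumptions: the 400 rule applies to the three
files in the web root, .htaccess files anywhere may be 400, 404 or 444, and nothing should
be world-writable. Needs a POSIX filesystem."""
import os
import shutil
import stat
import tempfile
from typing import List, Optional, Set

HTACCESS_MODES = {0o400, 0o404, 0o444}
ROOT_FILE_MODES = {"wp-config.php": {0o400}, "index.php": {0o400}, "wp-blog-header.php": {0o400}}


def _fmt(modes: Set[int]) -> str:
    return "/".join(f"{m:03o}" for m in sorted(modes))


def audit_tree(root: str) -> List[str]:
    """Return one finding per file or directory that deviates from the policy."""
    findings: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if stat.S_IMODE(os.stat(dirpath).st_mode) & stat.S_IWOTH:
            findings.append(f"{rel_dir}/: directory is world-writable")
        for name in files:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            rel = os.path.relpath(path, root)
            expected: Optional[Set[int]] = None
            if name == ".htaccess":
                expected = HTACCESS_MODES
            elif rel_dir == "." and name in ROOT_FILE_MODES:
                expected = ROOT_FILE_MODES[name]
            if expected is not None and mode not in expected:
                findings.append(f"{rel}: mode {mode:03o}, expected {_fmt(expected)}")
            elif mode & stat.S_IWOTH:
                findings.append(f"{rel}: mode {mode:03o} is world-writable")
    return findings


def build_sample_tree() -> str:
    """Constructed WordPress-like tree mixing compliant and non-compliant modes."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    os.chmod(os.path.join(root, "wp-content"), 0o755)

    def put(rel: str, mode: int) -> None:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample file\n")
        os.chmod(path, mode)

    put("wp-config.php", 0o400)                 # compliant
    put("wp-blog-header.php", 0o400)            # compliant
    put("index.php", 0o644)                     # finding: should be 400
    put(".htaccess", 0o404)                     # compliant
    put("wp-content/.htaccess", 0o644)          # finding: should be 400/404/444
    put("wp-content/uploads/cache.php", 0o666)  # finding: world-writable file
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)  # finding: world-writable dir
    return root


def run_demo() -> List[str]:
    """Build the sample tree, audit it, clean up, and return the findings (4 for this tree)."""
    root = build_sample_tree()
    try:
        return audit_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Point `audit_tree()` at a real document root to use it. The 400/404 modes only work where PHP runs as the file owner (suEXEC/CGI or a per-account FPM pool, the usual cPanel setup); with mod_php running as the shared web-server user the site would lose read access to its own wp-config.php, which is why the post says to test 400 against 404 or 444.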

  • djohns

    Alas, the host did not have a backup as it's a premium feature. And my client pays for nothing extra.

    Ok, this did NOT work: http://www.inmotionhosting.com/support/edu/wordpress/change-theme-in-db

    I had twentysixteen as an alternative installed but not activated, so I was hoping that editing the database would fix stuff. Alas, not.

    Under my wp db I noticed an item called "hack_file" with value 0 (zero) set to autoload. Anyone know what this item is?

    Looks like I need to delete everything, reinstall WP. My db tables did not have the standard prefix -- tried to harden the site some previously. I was able to download wp-config.php which should have the custom stuff that I'll need.

    When I went to http://wp.interiorhorsecouncil.com/wp-admin, there was no option to log in.

    Back to the pick & shovel.

  • PowerQuest

    djohns Sorry to hear that!

    Alas, the host did not have a backup as it's a premium feature. And my client pays for nothing extra.


    Wow!!!

    That is really *%& host...

    I would say as first thing:
    change hosting company!

    Personally I am using meebox.dk (Danish host) where all this is included (daily backup etc) from the start as a standard feature. So there is no need to pay extra at some crappy host..

    Looks like I need to delete everything, reinstall WP. My db tables did not have the standard prefix -- tried to harden the site some previously. I was able to download wp-config.php which should have the custom stuff that I'll need.

    If you just started working on it and got "nothing to lose", then that might be the best option, as you cannot remove what the hacker/s have done to your installation through the host's restore system (which would wipe that clean). It is almost "impossible" to track down and find all the things a hacker could have done to your files and DB. Doing the forensics will be a pain in the %&#)/ and the slowest option for recovery, in my opinion. So wiping it all clean would be the fastest option in that case.

  • PowerQuest

    @djohns
    Did you update your user credentials for the SQL server in your wp-config file? I suppose you created a new DB and DB user? (Also remember to check that HOST is set correctly according to your web host's specs.)
    https://wordpress.org/support/topic/1045-cannot-log-in-to-the-mysql-server-phpmyadmin?replies=11

    Google query: https://goo.gl/VWES5g

    Can't help you with the snapshot part; WPMU staff Rupok has to step in and help you there. :slight_smile:

  • djohns

    I was able to restore a late March backup of the database tables, install a default theme, then re-install the Evolve theme, reinstall missing plugins, upload the child functions.php & style.css, and things mostly look ok except that all the media files are missing.

    Snapshot can find its April 05 backup but it will not restore. I am going to enable the WPMU DEV dashboard support and turn over to Rupok the question of why Snapshot can find the backup but will not restore it, since the database tables etc are now accessible under the original credentials.

    Again, thank you for the moral support. I've never managed to hose a site so completely--although I'm still suspicious regarding that place from the middle east that mysteriously offered to help for $50 within minutes of the site going down.

    Working on more hardening.

    Later,
    Diana

  • PowerQuest

    Good stuff then, glad it worked out for you, djohns!!! :wink:

    Now lock down your website as fast as possible and secure it from another lame hacker!
    Lock down all sensitive files and directories; also delete upgrade.php and the install file (install.php I think the name is, if I remember right) for additional security. (cuz if it ain't there, it cannot be used, right?)

    Limit/lock down your database access also - see the attached file..

    Limit access to the wp-config and other things .htaccess:

    01. In your .htaccess add the following to prevent any access to the wp-config.php file:

    <Files wp-config.php>
    order allow,deny
    deny from all
    </Files>

    02. Admin access from your IP only
    You can limit who can access your admin folder by IP address, to do this you would need to create
    a new .htaccess file in your text editor and upload to your wp-admin folder.
    The following snippet denies access to the admin folder for everyone, with the exception of your IP
    address, but please note if you have a dynamic IP, you might have to regularly alter this file
    otherwise you will be denied access yourself!
    # replace 202.090.21.1 with your IP address
    order deny,allow
    allow from 202.090.21.1
    deny from all

    03. No directory browsing
    As WordPress is now so popular many people know the structure of a WordPress install and know
    where to look to discover what plug-ins you may use or any other files that might give away too
    much information about your site, one way to combat this is to prevent directory browsing.

    # directory browsing
    Options All -Indexes

    04. Prevent Access To wp-content
    The wp-content folder contains images, themes and plug-ins and it's a very important folder within
    your WordPress install, so it makes sense to prevent outsiders accessing it.
    This requires its very own .htaccess file which must be added to the wp-content folder; it allows
    users to see images, CSS etc... but protects the important PHP files:

    Order deny,allow
    Deny from all
    <Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
    Allow from all
    </Files>

    06. Protect .htaccess
    Sounds crazy, huh? We spend so much time worrying whether we have the right plug-ins and fixes
    installed, we overlook the fact the .htaccess file is still open to attack.
    This snippet basically stops anyone viewing any file on your site that begins with "hta", this will
    protect it and make it somewhat safer.

    <Files ~ "^.*\.([Hh][Tt][Aa])">
    order allow,deny
    deny from all
    satisfy all
    </Files>

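
The snippets in the post above rely on Apache 2.2's Order/Allow/Deny semantics, and it is easy to get the direction of `Order` backwards (the wp-admin rule and the .hta rule use opposite orders on purpose). The following is an added Python evaluator, not from the original post or from Apache, that models those semantics for the directives the snippets use (`Order`, `Allow from`, `Deny from`, `<Files ~ "regex">`; `Satisfy`, `Options` and everything else is skipped) and runs the post's three rule sets against constructed requests. 203.0.113.7 stands in for "your IP address".

```python
"""Evaluate Apache 2.2-style Order/Allow/Deny rules against sample requests.
Added example, not from the original post: a simplified model of mod_authz_host that
matches hosts as IPs/CIDRs only (no hostname lookups) and ignores non-access directives."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_FILES_OPEN = re.compile(r'<Files\s+~\s+"(.+)"\s*>', re.IGNORECASE)


@dataclass
class Directive:
    kind: str              # "allow" or "deny"
    hosts: List[str]       # "all", an IP address or a CIDR block
    files: Optional[str]   # regex of the enclosing <Files ~> section; None = whole directory


def parse_htaccess(text: str) -> Tuple[List[Tuple[Optional[str], str]], List[Directive]]:
    """Return (orders, directives), each entry tagged with the <Files ~> pattern it sits in."""
    orders: List[Tuple[Optional[str], str]] = []
    directives: List[Directive] = []
    scope: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # Apache comments are whole lines only
            continue
        opened = _FILES_OPEN.match(line)
        if opened:
            scope = opened.group(1)
            continue
        if line.lower() == "</files>":
            scope = None
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "order" and len(parts) == 2:
            orders.append((scope, parts[1].lower()))
        elif key in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            directives.append(Directive(key, parts[2:], scope))
        # Satisfy, Options and other directives are not host-based access rules
    return orders, directives


def _host_matches(spec: str, client_ip: str) -> bool:
    if spec.lower() == "all":
        return True
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:   # unparsable spec (e.g. an octet with a leading zero) never matches
        return False


def is_served(htaccess_text: str, client_ip: str, filename: str) -> bool:
    """True if the directory's rules let client_ip fetch `filename`.

    Apache 2.2 evaluates every Allow and Deny whose scope matches, then applies Order:
    allow,deny -> default deny, a matching Deny overrides any Allow;
    deny,allow -> default allow, a matching Allow overrides any Deny.
    With no Order in scope the directory behaves like deny,allow (everything served).
    """
    orders, directives = parse_htaccess(htaccess_text)
    order = "deny,allow"
    for files, value in orders:
        if files is None or re.search(files, filename):
            order = value
    allowed = denied = False
    for d in directives:
        if d.files is not None and not re.search(d.files, filename):
            continue
        hit = any(_host_matches(h, client_ip) for h in d.hosts)
        if d.kind == "allow":
            allowed = allowed or hit
        else:
            denied = denied or hit
    if order == "allow,deny":
        return allowed and not denied
    if order == "deny,allow":
        return allowed or not denied
    raise ValueError(f"unsupported Order value: {order}")


# Constructed copies of the post's rule sets; 203.0.113.7 is a documentation address.
WP_ADMIN_HTACCESS = "order deny,allow\nallow from 203.0.113.7\ndeny from all\n"
WP_CONTENT_HTACCESS = ('Order deny,allow\nDeny from all\n'
                       '<Files ~ "\\.(xml|css|jpe?g|png|gif|js)$">\nAllow from all\n</Files>\n')
HTA_HTACCESS = '<Files ~ "^.*\\.([Hh][Tt][Aa])">\norder allow,deny\ndeny from all\nsatisfy all\n</Files>\n'

if __name__ == "__main__":
    print(is_served(WP_ADMIN_HTACCESS, "203.0.113.7", "index.php"),      # True
          is_served(WP_ADMIN_HTACCESS, "198.51.100.9", "index.php"),     # False
          is_served(WP_CONTENT_HTACCESS, "198.51.100.9", "style.css"),   # True
          is_served(WP_CONTENT_HTACCESS, "198.51.100.9", "plugin.php"),  # False
          is_served(HTA_HTACCESS, "203.0.113.7", ".htaccess"))           # False
```

Two practical points the model makes visible: the wp-content rule works because `Order deny,allow` lets the `Allow from all` inside `<Files ~>` override the directory-wide `Deny from all` for static assets only, and an address with a leading-zero octet (as in the post's sample `202.090.21.1`) is rejected by Python's `ipaddress` and should be written without the zero. On Apache 2.4 these directives only exist through mod_access_compat; the native equivalents are `Require all denied` / `Require ip ...`.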
  • djohns

    Kasia,

    Possibly the backup was running when you tried to get on just now.

    Got almost everything back except some BuddyPress group banners & avatars.

    I logged out of Chrome where I was fixing stuff, and the site display was clearly off. Logged back in again, and all pages display fine. This would seem to be a local caching issue but it's going to have to wait until tomorrow. I've been at this for about 10 hours and need to get some sleep.

    Support access has been granted to WPMU DEV, if that might help.

    I'm not going to disable plugins again for a couple of days. The client wants to demo the site tomorrow evening and turning off plugins was what I was doing right before the site was totally hosed.

    I may or may not have time to work on this tomorrow, but best bet is going to be in another 48 hrs. I have a backlog of things to do, unfortunately, since this has cropped up.

    Please do check back. There is something weird happening but right now I can't tell if it's a theme incompatibility or a problem with shared hosting, or a misconfiguration.

    Thank you very much for keeping in touch.

  • djohns

    Well isn't this the S#(*&&#^%!!!,

    I logged out & back in a few times, site looked weird when I was logged off but fine when I was logged in. But now I can't log in again, and the site looks as wacky as it did this morning when I started restoring everything.

    What a pain in the @#4*(&^!!!

    I had Wordfence & Defender both running, had done a full cPanel backup, disabled access to .htaccess but was too tired to get much else done after flogging all day.

  • djohns

    So, I got back into my cPanel, and the new WordPress install didn't show under MotoMarketplace which is how the new install was done.

    Then I pulled up some WordPress tools that Bluehost has (they had talked the client into some premium stuff last renewal), and there was a red flag that the WP Core files had been altered.

    I need to figure out how to get the site fixed and hardened; I had restored a backup from late March, or over 3 weeks before I had any problems.

    Time for some shut eye.

    Thanks all, for the suggestions & encouragement.

  • Rupok

    Hi djohns

    Hope you had a wonderful day.

    WordPress core has been altered again

    This is really really weird. Can you provide us your server log so we can check what's actually going on there? If you can't find it, can you ask your host for this?

    This is really alarming and should be stopped first. I'm looking forward to hearing from you and trying to resolve this issue as soon as possible.

    Have a nice day. Cheers!

  • PowerQuest

    djohns
    Also..

    Did you harden the database as in the example above?
    Did you put .htaccess files in as I showed you examples of and set the correct permissions? (You need to put the .htaccess files into ALL folders)
    Did you set the salts correctly in wp-config?
    Did you use an alternate table prefix than wp_?
    Did you move the wp-config file to a secret place on your server?
    Did you disable the file editor in WP?

    /** Disable file editor in WordPress. */
    define('DISALLOW_FILE_EDIT', true);

    Did you disable error reporting in WP?

    /** Disable error reporting in WordPress. */
    error_reporting(0);
    @ini_set('display_errors', 0);

    Did you install a software firewall like for example iThemes on the server?
    Are you using strong passwords on your database and WP users? Strong passwords like lastpass.com can generate for you (up to 100 characters)?
    Did you create a new admin user and delete the default admin (user ID 1) from the installation?
    Are you using security software tools such as "Block Bad Queries" and "Protect" (now part of Jetpack) for brute force protection etc?
    Are all your plugins LEGIT? Are you reusing them from the old install, or have you downloaded fresh new versions that may not be infected?

    Did you move the WordPress core files?
    Moving WP core files to any non-standard folder will make your site less vulnerable to automated attacks. Most scripts that script kiddies use rely on default file paths. Check this video --> https://www.youtube.com/watch?v=PFfvBJVtzqA

    Note also that many of these security tweaks can be done before the WordPress installation!

    Make a local folder, set it up with the structure and .htaccess files, prep the WP install with an empty wp-config file, and also prep the plugins folder with the security plugins so that everything is in place once you upload it with Dreamweaver or whatever tool you use. Once WP is installed, head over and set the file permissions on folders, files and .htaccess files. Activate the security software and do the necessary security tweaks. Then lock down the database too.

    This way you are not giving hackers any chance to take over the installation, as it is already locked down to some degree when you upload it.
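
Several items in the checklist above live in wp-config.php (unique salts, a non-default table prefix, `DISALLOW_FILE_EDIT`, no error display). The script below is an added Python check, not from the original post or from WordPress, that reads a wp-config.php and reports which of those are missing; it assumes plain one-line `define()` calls and a `$table_prefix` assignment, and runs against two constructed configs, one resembling the shipped wp-config-sample.php defaults and one hardened.

```python
"""Check a wp-config.php for the settings in PowerQuest's checklist: unique salts, a
non-default table prefix, DISALLOW_FILE_EDIT, and debug output. Added example, not from
the original post; it understands one-line define() calls only (a salt containing the
two characters ");" would be cut short)."""
import re
import secrets
from typing import List

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"      # value shipped in wp-config-sample.php
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")


def _literal(raw: str):
    """Turn the PHP literal text of a define() value into a Python bool or str."""
    raw = raw.strip()
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    if len(raw) >= 2 and raw[0] in "'\"" and raw[-1] == raw[0]:
        return raw[1:-1]
    return raw


def audit_wp_config(text: str) -> List[str]:
    """Return one finding per checklist item that the config does not satisfy."""
    defines = {name: _literal(value) for name, value in DEFINE_RE.findall(text)}
    findings: List[str] = []
    for key in SALT_KEYS:
        value = defines.get(key)
        if not isinstance(value, str) or PLACEHOLDER in value or len(value) < 32:
            findings.append(f"{key}: missing, placeholder or short; regenerate all eight "
                            "from https://api.wordpress.org/secret-key/1.1/salt/")
    prefix = PREFIX_RE.search(text)
    if prefix is None or prefix.group(1) == "wp_":
        findings.append("table_prefix: default 'wp_'")
    if defines.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT: not true (theme/plugin editor stays enabled)")
    if defines.get("WP_DEBUG") is True and defines.get("WP_DEBUG_DISPLAY") is not False:
        findings.append("WP_DEBUG: enabled with errors displayed to visitors")
    return findings


# Constructed sample resembling wp-config-sample.php defaults: placeholder salts, wp_ prefix.
WEAK_CONFIG = ("<?php\n"
               + "".join(f"define('{k}', '{PLACEHOLDER}');\n" for k in SALT_KEYS)
               + "$table_prefix = 'wp_';\ndefine('WP_DEBUG', false);\n")

# Constructed hardened sample; random 64-hex salts stand in for the secret-key service output.
HARDENED_CONFIG = ("<?php\n"
                   + "".join(f"define('{k}', '{secrets.token_hex(32)}');\n" for k in SALT_KEYS)
                   + "$table_prefix = 'ihc_';\n"
                   + "define('DISALLOW_FILE_EDIT', true);\ndefine('WP_DEBUG', false);\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_wp_config(cfg))} finding(s)")
        for line in audit_wp_config(cfg):
            print("  -", line)
```

Feed it `open("wp-config.php").read()` on a real install. Regenerating the salts is also a cheap way to invalidate every existing login cookie after an incident, since WordPress derives cookie hashes from them; changing the table prefix on an existing site, by contrast, requires renaming the tables and fixing the `user_roles` and `capabilities` option/meta keys, so the script only reports it.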

  • djohns

    Hi PowerQuest,

    All great suggestions.

    The backup was from March 19, the new one didn't work so far as I could tell. I guess the March 19 backup could have been infected. But I'm suspicious as to the timing of the offer from fixrunner.com that landed in my email within 15 min or so of the site going wacko.

    I suspect that the .htaccess was not in all folders. I used the options under "Defender" for the .htaccess denial, being in a bit of a hurry.

    The salts were from my old wp-config. I wasn't sure what to do with salts but will try to read more on that.

    I do/did have alternate table prefixes.

    Any plugins newer than March 19 had to be redownloaded & installed. All plugins and themes were up-to-date. Although, the theme kept giving a js error and could not find a media file that was there with 644 permissions, same as everything else. But the js error is months old and the site seemed to just load a little slower but otherwise worked ok.

    If the plugins were infected, then redownloading them would not have helped as they were all the latest versions.

    Both Wordfence and Defender were installed. I also installed IQ something-or-other to restrict access via country, allowed primary English speaking countries and most of Europe but not Russia, China, or SE Asia.

    My admin account is not named "admin" and my password is strong.

    Was very tired after getting (I thought) things back and had not gotten to the other hardening stuff yet.

    Won't disabling the editor make it so that my clients can't post?

    The site probably has all of 150 members at the very maximum, takes no money online and is a small non-profit. When you are talking horses in Fairbanks, Alaska, you are not going to have much traffic. So unless a plugin was infected that hasn't been caught yet, or something weird with the (shared) server, I'm stumped right now.

    I need to check the server logs for Rupok. Next on the list.

    After I'm done beating my head against the wall so it will feel good when I stop, I'm going to read all your posts very carefully and anything else I can find regarding APACHE, linux & WP security. I'm trying to convince myself this is a great learning experience -- and it is, since I'm not paid for any work, no one can bug me about deadlines. But I do have other things that are going to be demanding time this next month and I did want to deliver something fun for the Pony Clubbers. I guess I'm really doing ok considering this is only my 2nd WordPress fling.

    Worst case, I go back to my desktop and migrate everything once it's finished. I had done development on the hosting company as a subdomain so my clients could see what was happening and have a voice in development, though.

    Gotta go check for those server logs.

  • djohns

    The jpg file is the one noting the WP core files were changed -- this was AFTER an apparent successful repair of those files.

    The server error log is below. I am interit3 and my IP is as listed. I include the other IP stuff as I've heard that on a shared host, one account messing up can affect others on the same physical host.

    Your Current IP is: 208.94.86.123

    You may cross reference errors in the Main Error Log containing this IP to determine errors associated with your website.
    Please Note: The MAIN error_log is a shared log meaning that errors from all websites hosted on the server will be displayed as well as those for your website, be sure to reference your IP when searching this log.
    Error Logs
    [Mon Apr 11 11:04:33 2016] CURRENT SERVER TIME
    MAIN error_log:
    [Mon Apr 11 11:04:23 2016] [error] [client 118.193.157.99] File does not exist: /usr/local/apache/htdocs/index.php, referer: https://www.elsmerefc.com/php-fusion/news.php
    [Mon Apr 11 11:04:23 2016] [error] [client 118.193.157.99] File does not exist: /usr/local/apache/htdocs/en, referer: https://www.ajjglass.com/images/news_cats/news.gif
    [Mon Apr 11 11:04:23 2016] [warn] RewriteOptions: MaxRedirects option has been removed in favor of the global LimitInternalRecursion directive and will be ignored.
    [Mon Apr 11 11:04:23 2016] [error] [client 118.184.23.204] File does not exist: /usr/local/apache/htdocs/index.php, referer: https://www.eatbarbacoa.com/bbpress/bb-includes/js/topic.js
    [Mon Apr 11 11:04:23 2016] [error] [client 118.184.23.202] File does not exist: /usr/local/apache/htdocs/index.php, referer: https://www.pitapocketeatery.com/cmsmadesimple/modules/MenuManager/CSSMenu.js
    [Mon Apr 11 11:04:24 2016] [error] [client 118.193.157.99] File does not exist: /usr/local/apache/htdocs/index.php, referer: https://www.elsmerefc.com/php-fusion/news.php
    [Mon Apr 11 11:04:24 2016] [error] [client 118.193.157.99] File does not exist: /usr/local/apache/htdocs/en, referer: https://www.ajjglass.com/images/news_cats/news.gif
    [Mon Apr 11 11:04:24 2016] [error] [client 118.184.23.204] File does not exist: /usr/local/apache/htdocs/index.php, referer: https://www.eatbarbacoa.com/bbpress/bb-includes/js/topic.js
    [Mon Apr 11 11:04:24 2016] [error] [client 118.193.157.99] File does not exist: /usr/local/apache/htdocs/en, referer: https://www.ajjglass.com/images/news_cats/news.gif
    [Mon Apr 11 11:04:24 2016] [error] [client 118.193.157.99] File does not exist: /usr/local/apache/htdocs/index.php, referer: https://www.elsmerefc.com/php-fusion/news.php
    [Mon Apr 11 11:04:25 2016] [error] [client 118.184.23.202] File does not exist: /usr/local/apache/htdocs/index.php, referer: https://www.pitapocketeatery.com/cmsmadesimple/modules/MenuManager/CSSMenu.js
    [Mon Apr 11 11:04:25 2016] [error] [client 118.184.23.204] File does not exist: /usr/local/apache/htdocs/index.php, referer: https://www.eatbarbacoa.com/bbpress/bb-includes/js/topic.js
    [Mon Apr 11 11:04:26 2016] [error] [client 118.193.157.99] File does not exist: /usr/local/apache/htdocs/index.php, referer: https://www.elsmerefc.com/php-fusion/news.php
    [Mon Apr 11 11:04:26 2016] [error] [client 118.193.157.99] File does not exist: /usr/local/apache/htdocs/en, referer: https://www.ajjglass.com/images/news_cats/news.gif
    [Mon Apr 11 11:04:26 2016] [error] [client 118.184.23.204] File does not exist: /usr/local/apache/htdocs/index.php, referer: https://www.eatbarbacoa.com/bbpress/bb-includes/js/topic.js
    [Mon Apr 11 11:04:26 2016] [error] [client 118.193.255.227] File does not exist: /usr/local/apache/htdocs/amandaosterphotography, referer: https://amandaosterphotography.com/typo3/contrib/codemirror/css/csscolors.css
    [Mon Apr 11 11:04:27 2016] [error] [client 118.193.157.99] File does not exist: /usr/local/apache/htdocs/index.php, referer: https://www.elsmerefc.com/php-fusion/news.php
    [Mon Apr 11 11:04:27 2016] [error] [client 118.193.157.99] File does not exist: /usr/local/apache/htdocs/en, referer: https://www.ajjglass.com/images/news_cats/news.gif
    [Mon Apr 11 11:04:27 2016] [error] [client 118.193.255.227] File does not exist: /usr/local/apache/htdocs/amandaosterphotography, referer: https://amandaosterphotography.com/typo3/contrib/codemirror/css/csscolors.css
    [Mon Apr 11 11:04:27 2016] [error] [client 118.184.23.202] File does not exist: /usr/local/apache/htdocs/index.php, referer: https://www.pitapocketeatery.com/cmsmadesimple/modules/MenuManager/CSSMenu.js
    [Mon Apr 11 11:04:27 2016] [error] [client 118.184.23.204] File does not exist: /usr/local/apache/htdocs/index.php, referer: https://www.eatbarbacoa.com/bbpress/bb-includes/js/topic.js
    [Mon Apr 11 11:04:28 2016] [error] [client 118.193.157.99] File does not exist: /usr/local/apache/htdocs/index.php, referer: https://www.elsmerefc.com/php-fusion/news.php
    [Mon Apr 11 11:04:28 2016] [error] [client 118.193.157.99] File does not exist: /usr/local/apache/htdocs/php-fusion, referer: https://www.ajjglass.com/php-fusion/news.php
    [Mon Apr 11 11:04:29 2016] [error] [client 118.193.157.99] File does not exist: /usr/local/apache/htdocs/index.php, referer: https://www.elsmerefc.com/php-fusion/news.php
    [Mon Apr 11 11:04:29 2016] [error] [client 118.193.255.227] File does not exist: /usr/local/apache/htdocs/typo3, referer: https://amandaosterphotography.com/typo3/typo3/ext/README.txt
    [Mon Apr 11 11:04:29 2016] [error] [client 118.184.23.204] File does not exist: /usr/local/apache/htdocs/index.php, referer: https://www.eatbarbacoa.com/bbpress/bb-includes/js/topic.js
    [Mon Apr 11 11:04:29 2016] [error] [client 118.193.157.99] File does not exist: /usr/local/apache/htdocs/en, referer: https://www.ajjglass.com/php-fusion/news.php
    [Mon Apr 11 11:04:29 2016] [warn] RewriteOptions: MaxRedirects option has been removed in favor of the global LimitInternalRecursion directive and will be ignored.
    [Mon Apr 11 11:04:29 2016] [error] [client 118.193.157.99] File does not exist: /usr/local/apache/htdocs/index.php, referer: https://www.elsmerefc.com/php-fusion/news.php
    [Mon Apr 11 11:04:30 2016] [error] [client 118.184.23.204] File does not exist: /usr/local/apache/htdocs/index.php, referer: https://www.eatbarbacoa.com/bbpress/bb-includes/js/topic.js
    [Mon Apr 11 11:04:30 2016] [error] [client 118.193.157.99] File does not exist: /usr/local/apache/htdocs/en, referer: https://www.ajjglass.com/php-fusion/news.php
    [Mon Apr 11 11:04:30 2016] [error] [client 68.180.229.219] Failed loading /usr/php/56/usr/lib64/php/modules/ZendGuardLoader.so: /usr/php/56/usr/lib64/php/modules/ZendGuardLoader.so: undefined symbol: zend_execute_ex
    [Mon Apr 11 11:04:30 2016] [error] [client 68.180.229.219] Zend OPcache requires Zend Engine API version 220131226.
    [Mon Apr 11 11:04:30 2016] [error] [client 68.180.229.219] The Zend Engine API version 220100525 which is installed, is outdated.
    [Mon Apr 11 11:04:30 2016] [error] [client 68.180.229.219]
    [Mon Apr 11 11:04:30 2016] [error] [client 118.193.157.99] File does not exist: /usr/local/apache/htdocs/php-fusion, referer: https://www.elsmerefc.com/php-fusion/images/news_cats/news.gif
    [Mon Apr 11 11:04:31 2016] [error] [client 118.184.23.202] File does not exist: /usr/local/apache/htdocs/index.php, referer: https://www.pitapocketeatery.com/cmsmadesimple/modules/MenuManager/CSSMenu.js
    [Mon Apr 11 11:04:31 2016] [error] [client 118.184.23.204] File does not exist: /usr/local/apache/htdocs/index.php, referer: https://www.eatbarbacoa.com/bbpress/bb-includes/js/topic.js
    [Mon Apr 11 11:04:31 2016] [error] [client 118.193.157.99] File does not exist: /usr/local/apache/htdocs/en, referer: https://www.ajjglass.com/php-fusion/news.php
    [Mon Apr 11 11:04:31 2016] [warn] RewriteOptions: MaxRedirects option has been removed in favor of the global LimitInternalRecursion directive and will be ignored.
    [Mon Apr 11 11:04:31 2016] [error] [client 118.193.157.99] File does not exist: /usr/local/apache/htdocs/index.php, referer: https://www.elsmerefc.com/php-fusion/images/news_cats/news.gif
    [Mon Apr 11 11:04:32 2016] [error] [client 118.193.157.99] File does not exist: /usr/local/apache/htdocs/en, referer: https://www.ajjglass.com/php-fusion/news.php
    [Mon Apr 11 11:04:32 2016] [error] [client 118.184.23.204] File does not exist: /usr/local/apache/htdocs/index.php, referer: https://www.eatbarbacoa.com/bbpress/bb-includes/js/topic.js
    [Mon Apr 11 11:04:33 2016] [error] [client 118.193.157.99] File does not exist: /usr/local/apache/htdocs/index.php, referer: https://www.elsmerefc.com/php-fusion/images/news_cats/news.gif
    [Mon Apr 11 11:04:33 2016] [error] [client 118.193.157.99] File does not exist: /usr/local/apache/htdocs/en, referer: https://www.ajjglass.com/php-fusion/news.php
    [Mon Apr 11 11:04:33 2016] [error] [client 118.184.23.204] File does not exist: /usr/local/apache/htdocs/bbpress, referer: https://www.eatbarbacoa.com/bbpress/profile.php?tab=edit

    SUEXEC error_log:

    PHP error_log:

    /home2/interit3/public_html/forum/error_log:
    [11-Apr-2016 00:40:03 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
    [11-Apr-2016 00:40:30 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
    [11-Apr-2016 00:42:43 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
    [11-Apr-2016 00:42:44 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
    [11-Apr-2016 00:42:44 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
    [11-Apr-2016 02:52:35 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
    [11-Apr-2016 02:53:06 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
    [11-Apr-2016 02:53:06 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
    [11-Apr-2016 04:08:45 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
    [11-Apr-2016 04:08:49 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
    [11-Apr-2016 04:08:54 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
    [11-Apr-2016 04:08:56 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
    [11-Apr-2016 04:08:57 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
    [11-Apr-2016 04:08:58 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
    [11-Apr-2016 04:08:59 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
    [11-Apr-2016 04:09:00 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
    [11-Apr-2016 04:09:00 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
    [11-Apr-2016 04:09:01 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
    [11-Apr-2016 04:25:45 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
    [11-Apr-2016 04:25:46 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
    [11-Apr-2016 04:25:48 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
    [11-Apr-2016 04:29:36 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
    [11-Apr-2016 04:29:37 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
    [11-Apr-2016 05:59:00 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
    [11-Apr-2016 05:59:10 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
    [11-Apr-2016 05:59:10 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
    [11-Apr-2016 06:09:11 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
    [11-Apr-2016 06:09:12 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
    [11-Apr-2016 06:09:13 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
    [11-Apr-2016 07:11:10 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/interit3/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3

    /home2/interit3/public_html/wp/error_log:
    1430852106: /home2/interit3/public_html/wp/ssv3_payload_extractor-3RSZ8LzVvz.php startup
    [10-Apr-2016 16:14:17 America/Denver] PHP Warning: require(/home2/interit3/public_html/wp/wp-includes/load.php): failed to open stream: No such file or directory in /home2/interit3/public_html/wp/wp-settings.php on line 21
    [10-Apr-2016 16:14:17 America/Denver] PHP Fatal error: require(): Failed opening required '/home2/interit3/public_html/wp/wp-includes/load.php' (include_path='.:/usr/php/56/usr/lib64:/usr/php/56/usr/share/pear') in /home2/interit3/public_html/wp/wp-settings.php on line 21
    [10-Apr-2016 16:14:19 America/Denver] PHP Warning: require(/home2/interit3/public_html/wp/wp-includes/load.php): failed to open stream: No such file or directory in /home2/interit3/public_html/wp/wp-settings.php on line 21
    [10-Apr-2016 16:14:19 America/Denver] PHP Fatal error: require(): Failed opening required '/home2/interit3/public_html/wp/wp-includes/load.php' (include_path='.:/usr/php/56/usr/lib64:/usr/php/56/usr/share/pear') in /home2/interit3/public_html/wp/wp-settings.php on line 21

    /home2/interit3/public_html/wp/wp-admin/error_log:
    [11-Apr-2016 03:42:44 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28
    [11-Apr-2016 03:42:44 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28
    [11-Apr-2016 03:46:13 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28
    [11-Apr-2016 03:51:58 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28
    [11-Apr-2016 03:52:02 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28
    [11-Apr-2016 03:52:03 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28
    [11-Apr-2016 03:54:12 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28
    [11-Apr-2016 03:54:14 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28
    [11-Apr-2016 03:54:47 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28
    [11-Apr-2016 03:54:52 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28
    [11-Apr-2016 03:55:27 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28
    [11-Apr-2016 03:55:31 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28
    [11-Apr-2016 03:55:33 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28
    [11-Apr-2016 04:00:34 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28
    [11-Apr-2016 04:00:36 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28
    [11-Apr-2016 04:00:38 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28
    [11-Apr-2016 04:00:40 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28
    [11-Apr-2016 04:00:48 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28
    [11-Apr-2016 04:00:53 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28
    [11-Apr-2016 04:00:56 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28
    [11-Apr-2016 04:00:56 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28
    [11-Apr-2016 04:01:01 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28
    [11-Apr-2016 04:01:04 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28
    [11-Apr-2016 04:01:04 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28
    [11-Apr-2016 04:47:02 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28
    [11-Apr-2016 04:47:06 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28
    [11-Apr-2016 04:47:06 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28
    [11-Apr-2016 17:03:10 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28
    [11-Apr-2016 17:03:14 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28
    [11-Apr-2016 17:03:15 UTC] PHP Fatal error: Call to a member function get() on null in /home2/interit3/public_html/wp/wp-includes/query.php on line 28

    There are some raw access logs in gz format. I will see if I can read any of them.
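The three error_log excerpts above differ in kind: the first is only PHP deprecation noise from a forum package, while the second contains a line in a non-PHP format (an epoch timestamp, a file path and the word "startup"), which is a script announcing itself, followed by "failed to open stream" warnings for wp-includes/load.php, a WordPress core file. As an added example, not code from this thread or from WPMU DEV, the Python below separates those signals in a constructed log sample shaped like the excerpts (paths are invented; the announced file name is the one quoted in the thread). It flags any self-announcing script whose name is not a WordPress root file, collects the paths PHP reported missing, and ranks fatal errors by frequency.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample shaped like the cPanel error_log excerpts quoted in this
# thread. Paths and timestamps are invented for the example; the file name in
# the first line is the one the thread asks about.
SAMPLE_LOG = """\
1430852106: /home2/example/public_html/wp/ssv3_payload_extractor-3RSZ8LzVvz.php startup
[10-Apr-2016 16:14:17 America/Denver] PHP Warning: require(/home2/example/public_html/wp/wp-includes/load.php): failed to open stream: No such file or directory in /home2/example/public_html/wp/wp-settings.php on line 21
[10-Apr-2016 16:14:17 America/Denver] PHP Fatal error: require(): Failed opening required '/home2/example/public_html/wp/wp-includes/load.php' (include_path='.:/usr/php/56/usr/lib64') in /home2/example/public_html/wp/wp-settings.php on line 21
[11-Apr-2016 03:42:44 UTC] PHP Fatal error: Call to a member function get() on null in /home2/example/public_html/wp/wp-includes/query.php on line 28
[11-Apr-2016 03:46:13 UTC] PHP Fatal error: Call to a member function get() on null in /home2/example/public_html/wp/wp-includes/query.php on line 28
[11-Apr-2016 04:08:45 America/Anchorage] PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home2/example/public_html/forum/Sources/Load.php(183) : runtime-created function on line 3
"""

# PHP's own log format: "[timestamp tz] PHP <level>: <message> in <file> on line <n>",
# optionally with "(<n>) : runtime-created function" after the file for eval'd code.
PHP_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] PHP (?P<level>[A-Za-z ]+?): (?P<msg>.*?) in (?P<file>/\S+?)"
    r"(?:\(\d+\) : runtime-created function)? on line (?P<line>\d+)$"
)
# "<epoch>: <path> startup" is not PHP's format; the script at <path> wrote it itself.
STARTUP_LINE = re.compile(r"^(?P<epoch>\d+): (?P<file>/\S+) startup$")
MISSING_FILE = re.compile(
    r"^require\((?P<path>[^)]+)\): failed to open stream: No such file or directory$"
)

# PHP files that legitimately sit in a WordPress root directory (WordPress core).
WP_ROOT_FILES = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}


def triage_error_log(text):
    """Summarise an error_log: self-announcing scripts that are not core files,
    files PHP could not find, fatal errors by frequency, deprecation count."""
    startups, missing, fatals, deprecations = [], set(), Counter(), 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STARTUP_LINE.match(line)
        if m:
            when = datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc).isoformat()
            name = m["file"].rsplit("/", 1)[-1]
            if name not in WP_ROOT_FILES:
                startups.append((m["file"], when))
            continue
        m = PHP_LINE.match(line)
        if not m:
            continue
        level, msg = m["level"], m["msg"]
        if level == "Fatal error":
            fatals[(msg, m["file"], int(m["line"]))] += 1
        elif level == "Deprecated":
            deprecations += 1
        mf = MISSING_FILE.match(msg)
        if mf:
            missing.add(mf["path"])
    return {
        "unexpected_startups": startups,
        "missing_files": sorted(missing),
        "fatal_errors": fatals.most_common(),
        "deprecations": deprecations,
    }


if __name__ == "__main__":
    for key, value in triage_error_log(SAMPLE_LOG).items():
        print(key, value)
```

Run it over a real error_log with `triage_error_log(open(path).read())`. Note that the epoch in the startup line quoted in the thread decodes to 2015-05-05T18:55:06Z, so whatever wrote it was present almost a year before the April 2016 errors; that gap, and a missing core file such as wp-includes/load.php, are the findings a defender would act on first (reinstall core from a clean copy, then compare the rest of the tree against it) rather than the deprecation lines.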

  • djohns

    WP Error log (obtained via cPanel file manager):

    1430852106: /home2/interit3/public_html/wp/ssv3_payload_extractor-3RSZ8LzVvz.php startup
    [10-Apr-2016 16:14:17 America/Denver] PHP Warning: require(/home2/interit3/public_html/wp/wp-includes/load.php): failed to open stream: No such file or directory in /home2/interit3/public_html/wp/wp-settings.php on line 21
    [10-Apr-2016 16:14:17 America/Denver] PHP Fatal error: require(): Failed opening required '/home2/interit3/public_html/wp/wp-includes/load.php' (include_path='.:/usr/php/56/usr/lib64:/usr/php/56/usr/share/pear') in /home2/interit3/public_html/wp/wp-settings.php on line 21
    [10-Apr-2016 16:14:19 America/Denver] PHP Warning: require(/home2/interit3/public_html/wp/wp-includes/load.php): failed to open stream: No such file or directory in /home2/interit3/public_html/wp/wp-settings.php on line 21
    [10-Apr-2016 16:14:19 America/Denver] PHP Fatal error: require(): Failed opening required '/home2/interit3/public_html/wp/wp-includes/load.php' (include_path='.:/usr/php/56/usr/lib64:/usr/php/56/usr/share/pear') in /home2/interit3/public_html/wp/wp-settings.php on line 21

  • PowerQuest

    djohns
    Quote:

    Won't disabling the editor make it so that my clients can't post?

    No, it only disables the in-built file manager editor so you cannot alter core files from within Wordpress: such as css and other php files like footer.php etc. But for that reason it is a real security risk, because once the hacker is in - they can change whatever they want basically.

    My admin account is not named "admin" and my password is strong.

    That doesn't really matter - user names are for humans. Computers only care about the "User id", which would still be 1 if you do not delete that account. You should consider that most hacking is not done by humans - but automatically by servers/computers that scan the internet and then hack the target if they find a vulnerability, and then once hacked - notify the hacker. Something like that.

    The BIG Question:
    How far are you really in the development of the site?

    Just started developing the website?

    If so I would (if it was me) strongly consider just starting from the beginning and this time making it right from the start. Aka prep the installation before you upload it. Take your time and apply my suggestions before you upload it. Then apply those that can only be done once the install is online, aka security software (plugins), and harden the DB.

    This will save you a lot of time (and grief later too), as doing all this will maybe take you a few hours to apply and then install WP.

    So this will save you time and you will be back up in a few hours. (Don't apply the backup - start from scratch with the new healthy installation instead.)

    Sometimes it's just better to bite the sour apple and get on with it. As it has been said before, "sometimes you need to tear down, to rebuild".

    Anyway - my point is that it will possibly take a longer time to solve this forensic case than to simply start from scratch again - and you'll be back up on your feet within a very short time.

  • djohns

    Kasia, do you happen to know what this file is? It's in the WP error file above.

    ssv3_payload_extractor-3RSZ8LzVvz.php

    Found the following threads on WordPress, don't know whether they might be applicable.

    https://wordpress.org/support/topic/internal-server-error-313

    https://wordpress.org/support/topic/blank-screen-after-moving-to-a-new-host

    https://wordpress.org/support/topic/500-internal-server-error-410

  • djohns

    Hi Kasia,

    Thank you for keeping an eye out. My hosting provider uses Mojo which I'm not that thrilled with. I'm going to try to directly install WP via the cPanel next time.

    For now, I'm rebuilding via my Jan 22nd backup on my desktop, then will upload. I never could get the recent Snapshots to restore properly.

    It didn't help that the theme I'm using seems to have occasional incompatibilities with things. But it's my 2nd WP site, and the first with any functionality to speak of. And all my labor is donated, so the client isn't going to kick! :)

  • djohns

    An update: did some reading and enabled WP_DEBUG (sorry, this is my 2nd WP site and I apparently should have enabled this before).

    Tried to pull up the site and this error displayed:

    Fatal error: Call to a member function get() on null in /wp-includes/query.php on line 28

    When I used "inspect" on the page, Wordfence gave this error:

    Notice: bp_setup_current_user was called incorrectly. The current user is being initialized without using $wp->init(). Please see Debugging in WordPress for more information. (This message was added in version 1.7.) in /home2/interit3/public_html/wp/wp-includes/functions.php on line 3792

    This is the theme's functions.php, not the child theme functions.php file.

    Line 3792 is blank but the line above it reads:
    $supports_permalinks = class_exists( 'DOMDocument', false ) && isset($_SERVER['IIS_UrlRewriteModule']) && ( PHP_SAPI == 'cgi-fcgi' );
    }

    I have no idea what is going on here.
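PowerQuest's advice about disabling the file editor and djohns' later step of turning on WP_DEBUG both come down to wp-config.php constants, which WordPress documents must go above the "stop editing" line so they are set before wp-settings.php is required. As an added example that is not from this thread, WPMU DEV or WordPress itself, the Python below audits a constructed wp-config.php excerpt (the file editor still enabled, debug output going to the browser) for those constants, then inserts or corrects them at the right place. DISALLOW_FILE_MODS is only reported, not inserted, because it also blocks plugin and theme updates from the dashboard.

```python
import re

# Constructed wp-config.php excerpt, not the thread author's file: the dashboard
# file editor is explicitly enabled and WP_DEBUG is on with no setting that
# keeps the output off visitors' pages.
WEAK_CONFIG = """\
<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
define( 'WP_DEBUG', true );
define( 'DISALLOW_FILE_EDIT', false );
/* That's all, stop editing! Happy publishing. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""

# Constants and values a hardened wp-config.php should carry. DISALLOW_FILE_EDIT
# removes the theme/plugin editor; WP_DEBUG_DISPLAY/WP_DEBUG_LOG keep diagnostics
# out of rendered pages and in wp-content/debug.log instead.
EXPECTED = {
    "DISALLOW_FILE_EDIT": "true",
    "WP_DEBUG_DISPLAY": "false",
    "WP_DEBUG_LOG": "true",
}
# Reported only: DISALLOW_FILE_MODS also blocks dashboard installs and updates,
# so enable it only where updates are applied another way (e.g. WP-CLI).
ADVISORY = {"DISALLOW_FILE_MODS": "true"}

DEFINE_RE = re.compile(r"""define\(\s*['"]([A-Z_]+)['"]\s*,\s*(.+?)\s*\);""")
STOP_MARKER = "/* That's all, stop editing!"


def parse_defines(text):
    """Return {CONSTANT: raw value expression} for every define() in the file."""
    return {name: value for name, value in DEFINE_RE.findall(text)}


def audit_config(text):
    """Report which hardening constants are missing, wrong, fine or advisory."""
    present = parse_defines(text)
    report = {"missing": [], "wrong": [], "ok": [], "advisory": []}
    for name, want in EXPECTED.items():
        if name not in present:
            report["missing"].append(name)
        elif present[name].lower() != want:
            report["wrong"].append((name, present[name]))
        else:
            report["ok"].append(name)
    for name, want in ADVISORY.items():
        if present.get(name, "").lower() != want:
            report["advisory"].append(name)
    return report


def harden_config(text):
    """Rewrite wrong values in place and insert missing constants before the
    'stop editing' marker (falling back to the wp-settings.php require), so
    they are defined before WordPress loads."""
    present = parse_defines(text)
    for name, want in EXPECTED.items():
        if name in present and present[name].lower() != want:
            pattern = r"""define\(\s*['"]""" + name + r"""['"]\s*,\s*.+?\s*\);"""
            text = re.sub(pattern, "define( '%s', %s );" % (name, want), text)
    additions = "".join(
        "define( '%s', %s );\n" % (name, want)
        for name, want in EXPECTED.items() if name not in present
    )
    if not additions:
        return text
    idx = text.find(STOP_MARKER)
    if idx == -1:
        idx = text.find("require_once ABSPATH")
    if idx == -1:
        raise ValueError("no safe insertion point found in wp-config.php")
    return text[:idx] + additions + text[idx:]


if __name__ == "__main__":
    print(audit_config(WEAK_CONFIG))
    print(harden_config(WEAK_CONFIG))
```

Run `audit_config` first and review the report before writing anything back; on a site that is already compromised these constants limit what the dashboard can do, but they do not remove files an attacker has already placed, which is why the rebuild-from-clean advice above still stands.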
