Recovering from white screen wp-admin page (13 posts)

  1. eswrite-wp
    Member
    Posted 2 years ago #

    Both my WordPress site and wp-admin show blank pages:

    http://imagesbyeduardo.com/main
    http://imagesbyeduardo.com/main/wp-admin

    I've found quite a bit of information (links below), but it seems dated (2 years old), and I'm wondering what the best/current approach for recovery is. Also wondering if recent WordPress changes have led to this. My last update was last week (2/15) after which all was working, but I did find that the is_human plugin had been updated recently -- though I did no such thing. On my FTP config, I also found a user I had not created whose access record was clean (no accesses), so I'm assuming a hack at this point.

    I'm thinking that if after a few hours of trying to figure what changed (what was hacked/corrupted) I can't put my finger on it, I should just do a clean install, then try to recover my theme (which I customized extensively) and database (3 years of blog posts I'd hate to lose). Can anyone point me to the best, simplest way to do this? I need to get up and running quickly.

    Reference links I've found:
    http://wordpress.org/support/topic/cant-access-wp-admin-blank-white-screen
    http://wordpress.org/support/topic/blank-page-on-wp-admin
    http://wordpress.org/support/topic/wp-admin-blank-page
    http://xpressabhi.com/recovery-from-disaster-of-blank-admin-page/
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://wordpress.org/support/topic/virus-appending-base64-code-to-all-php-files?replies=3

  2. esmi
    Forum Moderator
    Posted 2 years ago #

  3. eswrite-wp
    Member
    Posted 2 years ago #

    Thanks. Some of the links you post are already in the list I posted. The 2nd one is 2 years old, hence leading me to wonder if it still applies, especially since much of the information I've already read points to things and directories that don't quite match my installation (running the latest WP). But I'll look at the other links you posted to see what I can glean.

  4. esmi
    Forum Moderator
    Posted 2 years ago #

    The 2nd one is 2 years old, hence leading me to wonder if it still applies

    Yes - in general, it does.

  5. eswrite-wp
    Member
    Posted 2 years ago #

    Thanks again. Looks like I have some roll-up-my-sleeves heavy duty work to do. Part of me is wondering whether this wouldn't be a good time to chuck my old design and just build from the ground up. I can tell you if I do that, WordPress will not be the foundation for my entire site. I thought it was pretty robust until I came here to research my problem and discovered a host (pun intended) of horror stories.

  6. esmi
    Forum Moderator
    Posted 2 years ago #

    The hack may have absolutely nothing to do with WordPress - assuming that you did keep your copy of WP updated.

  7. eswrite-wp
    Member
    Posted 2 years ago #

    Well... so far I'm seeing none of the usual hack suspects. Everything looks as it should be. Whatever happened is very obscure.

  8. eswrite-wp
    Member
    Posted 2 years ago #

    Ooops... spoke too soon. Just found evidence of the "eval... base64" hack in my wp-config.php file. More to do....

  9. eswrite-wp
    Member
    Posted 2 years ago #

    I'm up and running now after cleaning that bit, but I'll need to run through the rest of the gauntlet now.

  10. eswrite-wp
    Member
    Posted 2 years ago #

    One other link:

    http://www.rvoodoo.com/projects/the-dreaded-base64-wordpress-hack-and-other-hacks-too/

    Thing I can't find anywhere is, how does this base64 stuff get on there in the first place?

  11. esmi
    Forum Moderator
    Posted 2 years ago #

    The hacker has added it.

  12. eswrite-wp
    Member
    Posted 2 years ago #

    The hacker has added it.

    No kidding. But how? I don't expect you to figure it out for me, but in all those links posted above, I see nothing that helps me figure it out so I can plug the hole. I did see a FTP user that I didn't add, but the access log showed no activity, and none of the modified files had time stamps beyond December of last year. The logs are useless. So?

  13. eswrite-wp
    Member
    Posted 2 years ago #

    Though I'm still figuring out how to clean-up my database for which I have no recent/useful backup, I thought I'd jot down the "anatomy of the hack" as far as I've been able to figure it out.

    1. I found and removed an FTP user name I had never created (user name similar to mine, but with some gibberish text after an underscore). According to my ISP, this FTP user had never accessed my site, so assuming the hacker didn't clean his tracks (simplest assumption), it appears that's one backdoor for future use.
    2. I found and removed a recently added (at or about the time my site went to the white page) is_human plugin folder. I used to have this plugin, but removed it some time ago. This is pretty much the only alteration I can detect via recent time stamps.
    3. I found and replaced a base64 infected wp-config.php file. Interestingly, its timestamp was not recent at all. As soon as I cleaned this file, my site no longer showed the white page and was up and running.
    4. I found another base64 infected file, this time in a theme I wasn't using. I removed all themes except for the default and my own customized theme. For the latter, I scanned each file, line by line (painful!) to ensure no monkey business. This is tough because though I've been editing these files for some time, I derived them from another theme, and hence I'm not quite sure what does and doesn't belong.
    5. I found nested wp-admin, wp-includes and wp-content directories (i.e., wp-admin had a wp-admin sub-directory, etc.) I removed all these.
    6. For good measure, I replaced all directories/files that wouldn't erase content data with what comes in a clean WP 3.3.1 install.
    7. Finally, on my ISP's MySQL control panel, I found 3 databases, at least 2 of which appear to be copies of each other and have unusual naming. In the process of figuring out how best to deal with that, as I linked above.

    This is really a very painful and paranoia-filled exercise. Have I looked at everything, cleaned-up everything, changed all that I need to change? Barring a full re-install with complete database loss, I'm beginning to think I will never know.
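
The file checks from steps 3 to 5 of the post above can be automated. The following is an added example, not part of the original thread: a content-based scan for the "eval... base64" pattern and for nested core directories, run here against a constructed sample tree. The function names, the regular expression and the sample files are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic for the "eval ... base64" injection named in the thread; legitimate
# code can match and differently obfuscated variants will not, so triage hits.
SUSPICIOUS = re.compile(
    rb"(?:eval|assert)\s*\(\s*"
    rb"(?:@?\s*(?:gzinflate|gzuncompress|str_rot13)\s*\(\s*)*base64_decode\s*\(",
    re.IGNORECASE)
CORE_DIRS = ("wp-admin", "wp-includes", "wp-content")


def find_injected_php(root):
    """List .php files matching SUSPICIOUS. Every file is read and mtimes are
    ignored, because the infected wp-config.php had an old timestamp."""
    root = Path(root)
    return [
        p.relative_to(root).as_posix()
        for p in sorted(root.rglob("*.php"))
        if p.is_file() and SUSPICIOUS.search(p.read_bytes())
    ]


def find_nested_core_dirs(root):
    """List core directories nested in a same-named one (wp-admin/wp-admin)."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for name in CORE_DIRS
        for p in root.rglob(name)
        if p.is_dir() and p.parent.name == name
    )


def build_sample_tree(root):
    """Constructed sample install: two injected files, one nested directory."""
    root = Path(root)
    for d in ("wp-admin/wp-admin", "wp-includes", "wp-content/themes/unused"):
        (root / d).mkdir(parents=True)
    blob = "Q09OU1RSVUNURUQ="  # constructed placeholder string, not real malware
    (root / "wp-config.php").write_text(f"<?php eval(base64_decode('{blob}'));\n")
    (root / "wp-content/themes/unused/footer.php").write_text(
        f"<?php @eval(gzinflate(base64_decode('{blob}')));\n")
    (root / "wp-includes/version.php").write_text("<?php $wp_version = '3.3.1';\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(find_injected_php(tmp), find_nested_core_dirs(tmp))
```

A clean result from a pattern scan does not prove the install is clean; comparing core files against a fresh copy of the same WordPress release, as in step 6, covers what the pattern misses.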

This topic has been closed to new replies.