WordPress.org

Support

Support » How-To and Troubleshooting » Help! Site crashed!?

Help! Site crashed!?

  • I have three WP sites based off of a primary domain.

    Primary domain: thejourneyanchorage.org
    Add-on domain: ellenstevens.com
    Add-on domain: tobystevens.net

    Yesterday, on “ellenstevens.com” I updated to the latest WP version, added a new WP blog post and made a few changes to the theme. Nothing behind the scenes or requiring widespread changes. No problems. No issues. And no changes to the other sites.

    This afternoon, I find all three websites are down. I don’t know if my host made a widespread update, or if there was a hack.

    When I access the site, I receive the following message:

    On http://www.ellenstevens.com:
    Parse error: syntax error, unexpected T_VARIABLE in /home/sojour5/public_html/ellenstevens/wp-includes/functions.php on line 192

    On http://www.tobystevens.net:
    Parse error: syntax error, unexpected T_VARIABLE in /home/sojour5/public_html/tobystevens/wp-includes/functions.php on line 192

    On http://www.thejourneyanchorage.org:
    Parse error: syntax error, unexpected T_VARIABLE in /home/sojour5/public_html/wp-includes/functions.php on line 192

    Can you advise me on how this happened across the board, and what I can do to fix it? Any ideas?

    Thanks for your help!

Viewing 15 replies - 1 through 15 (of 30 total)
  • I’m having the exact same problem. Did you find a solution?

    I’ve also had this happen to every single site 30+. Such a pain, not understanding what the trigger was, but I replaced with new functions.php and fixed. The old functions.php was 2Kb smaller, something has been deleted from there… What plugins are you running? if we have the same plugin, that may be the cause.

    to be clear on the fix, replace wpincludes/functions.php with fresh wordpress 3.5 file.

    I have compared new functions.php to broken functions.php files and here is the difference.

    New function.php file does not have this on line 1 (or anywhere)

    <?php eval(gzinf [hacking code moderated] ‘)));?>

    Also line 192-208 has been deleted and should have this:
    if ( doubleval($bytes) >= $mag )
    return number_format_i18n( $bytes / $mag, $decimals ) . ‘ ‘ . $unit;

    return false;
    }

    /**
    * Get the week start and end from the datetime or date string from mysql.
    *
    * @since 0.71
    *
    * @param string $mysqlstring Date or datetime field type from mysql.
    * @param int $start_of_week Optional. Start of the week as an integer.
    * @return array Keys are ‘start’ and ‘end’.
    */
    function get_weekstartend( $mysqlstring, $start_of_week = ” ) {
    $my = substr( $mysqlstring, 0, 4 ); // Mysql string Year

    Looks like a hack, or a major WordPress mess up

    Moderator Mark Ratledge

    @songdogtech

    Forum Moderator

    @digitalcashcrop: Ah, that’s a hack, not a WordPress screwup.

    I deleted the code php eval code because we don’t need it in the forums.

    Everyone in this thread: Who is your webhost?

    And to be clear, any hack repair is much more than replacing that one file. Work your way through these resources and follow all instructions to completely clean your site or you may be hacked again. See FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex.

    Change all passwords. Scan your own PC. Use http://sitecheck.sucuri.net/ before and after.

    Tell your web host you got hacked; and consider changing to a more secure host: Recommended WordPress Web Hosting

    thanks for the tips I’m seeing this – http://labs.sucuri.net/db/malware/malware-entry-mwexploitkitblackhole1?v49

    Not sure how this happened, recently changed pass and always update wordpress the minute it releases.

    Moderator Mark Ratledge

    @songdogtech

    Forum Moderator

    @digitalcashcrop: Many hack vectors are through the host. Who is your webhost?

    Updated function.php and it cleared up! Great!

    I believe it was definitely a hack in my case, as all three sites were using different WP versions, and only one is used consistently.

    My webhost is: Lunar Pages http://www.lpwebhosting.com They used to be great, but lately I’m not so sure.

    How can I avoid this in the future?

    I have to say, I was grateful that you could see my current function.php file and tell it was corrupted, but equally concerned that you could see it. Is that normal? How do I prevent it for being hacked?

    Moderator Mark Ratledge

    @songdogtech

    Forum Moderator

    @eystevens: I couldn’t see your current file, but I could see the error.

    Update all your sites. Follow the steps above to clean the hack from each.

    Consider changing to a more secure host: Recommended WordPress Web Hosting

    eystevens – The function.php is only part of the problem – I found 139 infected files. Currently running anti malware scan with – http://wordpress.org/extend/plugins/gotmls/ . What a disaster, any one know how this could of happened?

    @songdogtech my web host is hivelocity.net. they sent a warning last week that they detected something sus on the server and advised to update root passwords- i did this but that obviously didnt help me.

    Moderator Mark Ratledge

    @songdogtech

    Forum Moderator

    The function.php is only part of the problem – I found 139 infected files.

    @digitalcashcrop: That’s why you replace everything, as I point out above.

    What a disaster, any one know how this could of happened

    Are you shared? Or on a managed or unmanaged VPS?

    Server vulnerability. Sounds like hivelocity.net should have investigated and done more than suggest a root password change. Tell them what happened; they need to look in the logs for the clues.

    I’m on manged and dedicated hosting.

    Well they have attacked every single on of my sites, its a mess.

    Here’s the run down on my scenario. We were running 3.4 on all the websites. We have a main corporate website and then several addon domains for various countries.

    main website:
    http://www.evolvhealth.com

    addons/sub directories:
    http://mx.evolvhealth.com
    http://www.evolvhealth.com/blog

    I updated the main site to 3.5 using the installer. Ran into an error. Had to download 3.5 from the website, uploaded the wp-include folder. Then ran into an error with a plugin from Tri.be for Events Calendar Pro. Fixed that. Everything looked to be in order. Main site was pulling up fine.

    Then I pulled up my subdomain sites that are a completely separate install of wordpress running 3.4 and now they are not working.

    This only happened once I updated 3.5. They were working fine when everything was 3.4.

    I’m trying to figure out why upgrading the main site that’s on the root directory would have affected the sub directories since they are running their own install of wordpress.

    All my sites were running latest WordPress 3.5, all have seperate FTP login’s. All are infected.

    @tony – If you are saying WP 3.4 version sites only got infected once updating to WordPress 3.5 on separate sites within same server, means that this hack once infected one site spreads server wide? Don’t understand how this is possible,but looks like this is what has happened.

Viewing 15 replies - 1 through 15 (of 30 total)
  • The topic ‘Help! Site crashed!?’ is closed to new replies.
Skip to toolbar