[closed] Help! Site crashed!? (31 posts)

  1. eystevens
    Posted 2 years ago #

    I have three WP sites based off of a primary domain.

    Primary domain: thejourneyanchorage.org
    Add-on domain: ellenstevens.com
    Add-on domain: tobystevens.net

    Yesterday, on "ellenstevens.com" I updated to the latest WP version, added a new WP blog post and made a few changes to the theme. Nothing behind the scenes or requiring widespread changes. No problems. No issues. And no changes to the other sites.

    This afternoon, I find all three websites are down. I don't know if my host made a widespread update, or if there was a hack.

    When I access the site, I receive the following message:

    On http://www.ellenstevens.com:
    Parse error: syntax error, unexpected T_VARIABLE in /home/sojour5/public_html/ellenstevens/wp-includes/functions.php on line 192

    On http://www.tobystevens.net:
    Parse error: syntax error, unexpected T_VARIABLE in /home/sojour5/public_html/tobystevens/wp-includes/functions.php on line 192

    On http://www.thejourneyanchorage.org:
    Parse error: syntax error, unexpected T_VARIABLE in /home/sojour5/public_html/wp-includes/functions.php on line 192

    Can you advise me on how this happened across the board, and what I can do to fix it? Any ideas?

    Thanks for your help!

  2. Tony Bianco
    Posted 2 years ago #

    I'm having the exact same problem. Did you find a solution?

  3. Digitalcashcrop
    Posted 2 years ago #

    I've also had this happen to every single site 30+. Such a pain, not understanding what the trigger was, but I replaced with new functions.php and fixed. The old functions.php was 2Kb smaller, something has been deleted from there... What plugins are you running? If we have the same plugin, that may be the cause.

  4. Digitalcashcrop
    Posted 2 years ago #

    To be clear on the fix, replace wp-includes/functions.php with a fresh WordPress 3.5 file.

  5. Digitalcashcrop
    Posted 2 years ago #

    I have compared new functions.php to broken functions.php files and here is the difference.

    New function.php file does not have this on line 1 (or anywhere)

    <?php eval(gzinf [hacking code moderated] ')));?>

    Also line 192-208 has been deleted and should have this:

        if ( doubleval($bytes) >= $mag )
            return number_format_i18n( $bytes / $mag, $decimals ) . ' ' . $unit;

        return false;

        /**
         * Get the week start and end from the datetime or date string from mysql.
         * @since 0.71
         * @param string $mysqlstring Date or datetime field type from mysql.
         * @param int $start_of_week Optional. Start of the week as an integer.
         * @return array Keys are 'start' and 'end'.
         */
        function get_weekstartend( $mysqlstring, $start_of_week = '' ) {
            $my = substr( $mysqlstring, 0, 4 ); // Mysql string Year

    Looks like a hack, or a major WordPress mess up
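
Added example (not part of the original thread): the manual new-versus-broken comparison from the post above, generalized to a whole install. It assumes a fresh copy of the same WordPress release has been unpacked beside the live tree; the skip lists and the demo file names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Site-specific paths a fresh download never contains (assumed standard layout).
SKIP_FILES = {"wp-config.php", ".htaccess"}
SKIP_PREFIXES = ("wp-content/",)


def file_hashes(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_to_clean(installed: Path, clean: Path) -> dict:
    """Diff a live install against an unpacked fresh copy of the same release."""
    live, ref = file_hashes(installed), file_hashes(clean)

    def is_core(rel: str) -> bool:
        return rel not in SKIP_FILES and not rel.startswith(SKIP_PREFIXES)

    return {
        "modified": sorted(r for r in ref if r in live and live[r] != ref[r]),
        "missing": sorted(r for r in ref if r not in live),
        "unexpected": sorted(r for r in live if r not in ref and is_core(r)),
    }


def demo() -> dict:
    """Build two tiny constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "wp-includes").mkdir(parents=True)
            (root / "index.php").write_text("<?php // front controller\n")
            (root / "wp-includes/functions.php").write_text("<?php // core\n")
            (root / "wp-includes/version.php").write_text("<?php // version\n")
        # Constructed tampering: one core file changed, one deleted, one stray file added.
        (live / "wp-includes/functions.php").write_text("<?php /* injected */ // core\n")
        (live / "wp-includes/version.php").unlink()
        (live / "wp-config.php").write_text("<?php // site config\n")
        (live / "stray-file-placeholder").write_text("unknown\n")
        return compare_to_clean(live, clean)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Files under wp-content that ship with the release are still compared; anything else there (installed themes, plugins, uploads) has no reference copy and needs a separate check.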

  6. @Digitalcashcrop: Ah, that's a hack, not a WordPress screwup.

    I deleted the php eval code because we don't need it in the forums.

    Everyone in this thread: Who is your webhost?

    And to be clear, any hack repair is much more than replacing that one file. Work your way through these resources and follow all instructions to completely clean your site or you may be hacked again. See FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex.

    Change all passwords. Scan your own PC. Use http://sitecheck.sucuri.net/ before and after.

    Tell your web host you got hacked; and consider changing to a more secure host: Recommended WordPress Web Hosting

  7. Digitalcashcrop
    Posted 2 years ago #

    Thanks for the tips. I'm seeing this - http://labs.sucuri.net/db/malware/malware-entry-mwexploitkitblackhole1?v49

    Not sure how this happened, recently changed pass and always update wordpress the minute it releases.

  8. @Digitalcashcrop: Many hack vectors are through the host. Who is your webhost?

  9. eystevens
    Posted 2 years ago #

    Updated function.php and it cleared up! Great!

    I believe it was definitely a hack in my case, as all three sites were using different WP versions, and only one is used consistently.

    My webhost is: Lunar Pages http://www.lpwebhosting.com They used to be great, but lately I'm not so sure.

    How can I avoid this in the future?

    I have to say, I was grateful that you could see my current function.php file and tell it was corrupted, but equally concerned that you could see it. Is that normal? How do I prevent it from being hacked?

  10. @eystevens: I couldn't see your current file, but I could see the error.

    Update all your sites. Follow the steps above to clean the hack from each.

    Consider changing to a more secure host: Recommended WordPress Web Hosting

  11. Digitalcashcrop
    Posted 2 years ago #

    eystevens - The function.php is only part of the problem - I found 139 infected files. Currently running anti malware scan with - http://wordpress.org/extend/plugins/gotmls/ . What a disaster, anyone know how this could have happened?

  12. Digitalcashcrop
    Posted 2 years ago #

    @songdogtech My web host is hivelocity.net. They sent a warning last week that they detected something sus on the server and advised to update root passwords - I did this but that obviously didn't help me.

  13. The function.php is only part of the problem - I found 139 infected files.

    @Digitalcashcrop: That's why you replace everything, as I point out above.

    What a disaster, anyone know how this could have happened

    Are you shared? Or on a managed or unmanaged VPS?

    Server vulnerability. Sounds like hivelocity.net should have investigated and done more than suggest a root password change. Tell them what happened; they need to look in the logs for the clues.

  14. Digitalcashcrop
    Posted 2 years ago #

    I'm on managed and dedicated hosting.

    Well they have attacked every single one of my sites, it's a mess.

  15. Tony Bianco
    Posted 2 years ago #

    Here's the run down on my scenario. We were running 3.4 on all the websites. We have a main corporate website and then several addon domains for various countries.

    main website:

    addons/sub directories:

    I updated the main site to 3.5 using the installer. Ran into an error. Had to download 3.5 from the website, uploaded the wp-include folder. Then ran into an error with a plugin from Tri.be for Events Calendar Pro. Fixed that. Everything looked to be in order. Main site was pulling up fine.

    Then I pulled up my subdomain sites that are a completely separate install of wordpress running 3.4 and now they are not working.

    This only happened once I updated 3.5. They were working fine when everything was 3.4.

    I'm trying to figure out why upgrading the main site that's on the root directory would have affected the sub directories since they are running their own install of wordpress.

  16. Digitalcashcrop
    Posted 2 years ago #

    All my sites were running latest WordPress 3.5, all have separate FTP logins. All are infected.

    @Tony - If you are saying WP 3.4 version sites only got infected once updating to WordPress 3.5 on separate sites within same server, means that this hack once infected one site spreads server wide? Don't understand how this is possible, but looks like this is what has happened.

  17. Tony Bianco
    Posted 2 years ago #

    Spoke with my hosting company. No malware was scanned on the server. It was simply fixed by re-installing the core files.

    Had to escalate the ticket to the higher level techs. The lower level tech couldn't understand or explain what was going on. Once I hear back from my hosting company I'll post the answer here in case people want to know the solution for future reference.

  18. Digitalcashcrop
    Posted 2 years ago #

    can't even connect to my server now

  19. Digitalcashcrop
    Posted 2 years ago #

    I reinstalled core files twice, did nothing.

  20. raaboo
    Posted 2 years ago #

    I had the same issue - using Hostroute in the UK. Problem is not just restricted to wordpress; this affected an installation of my podcasting script, wordpress and also LimeSurvey - none of which were linked from any external site or wordpress, they do not exist online apart from a direct URL that I know about, however they too had code modified with the same base64 encoding information.

    I also found a 'timthumb' exploit in mine?

    Scanned and re-installed, contacted host too as all files affected contain the following words in the file names:

    • config
    • functions
    • index
    • view
  21. raaboo
    Posted 2 years ago #


    My host have said this is a wordpress exploit and is nothing to do with the server?

  22. Charger
    Posted 2 years ago #

    I got the same problem with my website since yesterday. I replaced my hacked functions.php several times and it was good (but very provisional...). Now, it's instant! When I replace the hacked file with a clean file, it becomes hacked instantly! So I can do nothing...

    I'm waiting for my host answer. I hope someone will find the solution :(

  23. puravidaboy
    Posted 2 years ago #

    Same thing. All my sites on the server. Lines of code deleted from the wp-includes/functions.php file. To keep clients from calling I am having to use the File Manager / History to revert my whole server to a clean point yesterday. The attack seems to be automated (bot) in cycles throughout the day. This is the 3rd variation of attack in the past 2 months. The first attack entered eval code at the top of all of my index.php files every hour or so, so I had to create a cron that runs a script to check and clean my server. 2nd attack inserted malicious code at the bottom of all 6,000 javascript files on my server. That started and stopped the past month. Now this started yesterday.

  24. Julien Desrosiers
    Posted 2 years ago #

    All the WP sites belonging to a particular shell user on my VPS server had the same problem yesterday or today (not sure). Another user on the same linux instance had no problem with its WP site. All sites use the same WP version.

    Here is a git diff and status of what it looks like for one site in particular:

    It seems to add the same eval line at the beginning of some theme and plugin files, and some core WP files also.

    I have reset the shell password of the attacked user. I'm still looking at what could have caused this.
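
Added example (not part of the original thread): for theme and plugin files, where there is no fresh core copy to compare against, a scan for PHP files that start with an eval-of-decoder block like the one the posts above describe. The decoder function list and the sample line are assumptions, since the actual code was moderated out of the thread.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the moderated line had the usual shape of a short "<?php eval(...);?>"
# block wrapping decoder calls, prepended before the file's real opening tag.
DECODERS = rb"(?:gzinflate|gzuncompress|base64_decode|str_rot13)"
INJECTED_PREFIX = re.compile(
    rb"\A\s*<\?php\s+eval\s*\(\s*" + DECODERS + rb"\s*\(.*?\?>", re.DOTALL)
PHP_SUFFIXES = {".php", ".phtml", ".inc"}

# Constructed, inert sample; the payload is a placeholder string.
SAMPLE_INJECTED = b"<?php eval(gzinflate(base64_decode('PLACEHOLDER')));?>"


def injected_prefix_len(data: bytes) -> int:
    """Length of a leading eval/decoder block, or 0 if the file does not start with one."""
    m = INJECTED_PREFIX.match(data)
    return m.end() if m else 0


def scan_tree(root: Path) -> list:
    """Return (relative path, prefix length) for each PHP file starting with such a block."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
            n = injected_prefix_len(path.read_bytes()[:1 << 20])
            if n:
                hits.append((path.relative_to(root).as_posix(), n))
    return hits


def demo() -> list:
    """Scan a small constructed tree: one infected theme file, one clean plugin file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "wp-content/themes/example"
        plugin = root / "wp-content/plugins/example"
        theme.mkdir(parents=True)
        plugin.mkdir(parents=True)
        (theme / "functions.php").write_bytes(SAMPLE_INJECTED + b"<?php\n// theme code\n")
        # Decoder call in the body, not an eval block at the start: must not be flagged.
        (plugin / "example.php").write_bytes(b"<?php\n$raw = base64_decode($input);\n")
        return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

A hit list only shows which files carry the prefix; it says nothing about how the files were written, so a clean scan right after a restore does not mean the entry point is closed.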

  25. archetypemkt
    Posted 2 years ago #

    I am having the same issue. Hostgator running a scan right now. What a complete drag. I'm on a VPS Server and it was only one of my WP networks that had issues thankfully.

  26. jonnyburch
    Posted 2 years ago #

    I know this might not be an option for all but I lost three sites to this and paid Sucuri.net to sort it out. Went to bed and just woke up, the malware's gone! $189 (£121) for peace of mind...

    (and no I don't work for them)

    Good luck all!

  27. eystevens
    Posted 2 years ago #

    I think I'm getting closer to a fix. :)

    1) After updating all my sites to WP 3.5, and re-updating function.php over and over again for the past 48 hours, I decided I needed a do-over.

    2) I found some really odd files in each of the roots for all of my domains. Didn't recognize them so I just deleted them. I know. Not smart, but I did it. Files similar to: 234u823144f1237428021.

    3) I backed up my theme and image files, deleted all files, and reinstalled with a fresh version of WP 3.5.

    4) New issue with the install.

    The site comes up fine - http://www.ellenstevens.com
    However, when I try to access http://www.ellenstevens.com/wp-admin I get a blank screen.
    When I try to access http://www.ellenstevens.com/wp-login I get a 404 error.

    What am I missing?

  28. Digitalcashcrop
    Posted 2 years ago #

    @Tony Bianco - How did you fix? I've re-installed all core files with no luck.

    @eystevens Did you update wp-config? I also deleted file 234u823144f1237428021 however mine was called 169b171bbdffdf3759850fef45515c67 - for larger sites this file had massive amounts of IPs in it, for smaller sites it had only several IPs. I have no idea what it is, but it's in the bin now.

    My hosting company has been scanning for last 20 hours, which is almost pointless since I know it's infected...

    I can't believe no one on the internet has a solid solution to this.

    If we know which file the code is hosted in, surely it can be fixed easy. Right now any changes made simply re-infect the site within the hour.

    [No bumping, thank you.]

  29. arunthomaskb
    Posted 2 years ago #

    Same here. Changes are overwritten within an hour. Google has blacklisted us. My hosting company is servage.net and they are not even ready to do a scan.

  30. esmi
    Forum Moderator
    Posted 2 years ago #

Topic Closed

This topic has been closed to new replies.
