Support » Fixing WordPress » link-template.php.suspected?

  • Resolved Mary_cap

    (@mary_cap)


    Hello,

    Yesterday I noticed that my websites hosted in GoDaddy were down and all I got where some blank pages with the follow error:

    Warning: require(/home/content/89/9175889/html/blog/wp-includes/link-template.php) [function.require]: failed to open stream: No such file or directory in /home/content/89/9175889/html/blog/wp-settings.php on line 125
    
    Fatal error: require() [function.require]: Failed opening required '/home/content/89/9175889/html/blog/wp-includes/link-template.php' (include_path='.:/usr/local/php5_3/lib/php') in /home/content/89/9175889/html/blog/wp-settings.php on line 125

    I called the team support and they told me that someone changed some strings in some file. They didn’t wanted to tell me which strings or wich file where changed, they just mentioned quickly that was something called more o less “template-link-suspected”, then they proceed to change the theme of one of the websites and they suggested to do same through FTP.

    The point is, they didn’t solve anything at all, because when I tried to log into the admin panel all I got is the left menu with another error:

    Fatal error: Call to undefined function get_avatar_url() in /home/content/89/9175889/html/cappuccinofactory/wp-includes/pluggable.php on line 2221

    I am really desperate, I don’t know who to contact or how to solve this. I don’t know any webmaster who can help me out with this and I am about to start crying since I think I’ve lost all of my content.

    Please, if anybody knows how to do solve this, anything, a tip, a email of some webmaster…anything.

    Thank you so much for reading, looking forward to any answer.

Viewing 15 replies - 16 through 30 (of 59 total)
  • I am also experiencing this issue, however only on one of 20+ sites on the same server.

    It is rather annoying, however I have simply made a script for the time being to rename the file back to .php from .php.suspected and stuck it in a cronjob to check every minute.

    I am running Wordfense, IThemes Security, Fail2Ban on the server.

    This site as well as all the others are up to date at 4.2.2 so I am guessing this is due to a plugin.

    Here is my list in an attempt to find some common ground:

    CF7 DatePicker
    Contact Form 7
    Cunjo
    Disable Comments
    Display Posts Shortcode
    Ditty New Ticker
    Ditty RSS Ticker
    Fusion Core
    Google Maps Widget
    iQ Block Country
    iThemes Security
    jCountdown Mega Package for WordPress
    MapPress Easy Google Maps
    Metro Style Social Widget
    Really Simple Captcha
    Responsive Mobile-Friendly Tooltip
    Revolution Slider
    Safe Redirect Manager
    Wordfence Security
    Wordpress SEO by Yoast

    All Plugins are current versions and up to date.

    Theme is Avada version 3.3.1

    I am having the same issue.
    Theme is Avada
    Using iThemes Security

    Joe

    (@joewa1980)

    Hi csasse, yes the 4.1.1 WP installations are thus far unaffected. I guess the auto-update had not been activated for those. Only the 4.2.2 were taken down. Renaming the link-template.suspected file back to link-template.php sorts it but obviously it’s just a quick fix until a patch is made (I hope?!).

    Joe

    (@joewa1980)

    Hi dgruhin, from your list I can only see one plugin that is on all our sites, WordPress SEO by Yoast, however, the 4.1.1 WP installations were not affected, only 4.2.2 versions were… so I’m erring towards this being a WP core issue.

    i also have the same problems for 3 days.
    i just try to do some tricky things for this.

    right now i copy and rename the link-template.php to another filename.php
    then i edit the wp-settings.php and replace link-template.php with the new filename i created.

    i’m using wordfence security plugins, so right now i disable the plugins first and will see again tomorrow. 🙂

    so far so good but tomorrow will check again.
    -Rio

    I would tend to agree, however if it is core, wouldn’t you think that all the sites on this server would be compromised?

    It is only happening to 1 of them, with an Old version of Avada theme, which has some known security issues per their KB

    prior to version 3.8.3

    Avada 3.8.3 – XSS Security Fix

    I am updating the theme now to see if it helps this lone site on my server. If not then it is CORE for sure.

    Joe

    (@joewa1980)

    None of our sites use the same theme and only the non-4.2.2 sites seem uncompromised.

    Joe

    (@joewa1980)

    Good idea about rioyotto with your suggestion, “right now i copy and rename the link-template.php to another filename.php
    then i edit the wp-settings.php and replace link-template.php with the new filename i created.”
    …obviously it’s not ideal, but desperate times call for desperate measures! I’ve done that to all the affected sites here, let’s see if anything happens.

    Happening to us too. I’ve also taken the above advice from rioyotto and renamed the link-template file and changed the wp-settings – an excellent idea. But we’ve also had other files renamed *.php.suspected. Seemingly at random.

    The mystery is that we have many WordPress sites on a dedicated server and only one is affected.

    Wordfence came up with a list of seemingly dodgy files and we cleared all of those out. Wordfence is currently clean.

    We’re all over this like a rash and if we come up with anything, we’ll post immediately.

    Anyone tested “downgrading” WordPress form 4.2.2. to 4.1.5 or 4.1.1.?
    Would that work or are there known “database Problems”?


    On our Server we have 4 infacted Blogs
    3 Blogs use “WPZoom Morning Theme” and 1 Blog a Self created Theme


    i installed a complete new “FRESH NEWS WP 4.2.2” with megb passwords for user and database 😉 i disable ALL PLUGINS!

    Now i can check if is wordpress or something other ; Keep you up i there is something new…

    i got the problem since 3 days!!!
    but the autoupdate of WP 4.2.2. was done on 07.05.2015 (1 month ago!)
    so i was wondering why it happened to me and some othes (check poste here) in the last 2-3 days. a “sleeper virus” ?? ;))

    I’ve come up with a quick and dirty fix for the problem until a permanent solution is found. It involves a small script executed via cron (every five minutes).

    Script-

    #!/bin/bash
    cd /home/username/public_html
    find /home/username/public_html -type f -name '*.suspected' | while read f; do mv "$f" "${f%.suspected}"; done

    Cron-

    */5 * * * * /root/wpfix.sh >/dev/null

    Make sure to change “username” in the script code to the username of your cPanel user. If you don’t use cPanel, you’ll need to adjust the paths accordingly.

    This will cause the system to search for files named something.php.suspected, and rename them to something.php.

    Tracking issue on my blog- https://blog.jasontrier.com/2015/06/08/wordpress-4-2-2-hack-files-being-renamed-to-suspected/

    Hey guys, seems it may be related to Clam AV. Which is an antivirus installed on the server.

    https://wpml.org/forums/topic/files-marked-as-suspected-installer-class-phpcache-plugins-integration-php/

    Joe

    (@joewa1980)

    Clam AV isn’t actually active in our WHM, that’s even weirder.

    I have the same problem described above. The plugin list was helpful:

    Here is my list in an attempt to find some common ground:

    CF7 DatePicker
    Contact Form 7
    Cunjo
    Disable Comments
    Display Posts Shortcode
    Ditty New Ticker
    Ditty RSS Ticker
    Fusion Core
    Google Maps Widget
    iQ Block Country
    iThemes Security
    jCountdown Mega Package for WordPress
    MapPress Easy Google Maps
    Metro Style Social Widget
    Really Simple Captcha
    Responsive Mobile-Friendly Tooltip
    Revolution Slider
    Safe Redirect Manager
    Wordfence Security
    Wordpress SEO by Yoast

    I’ve got two of the same Plugins:

    Contact Form 7
    Revolution Slider

    Perhaps it’s one of those that has a security breach.

    ~M

Viewing 15 replies - 16 through 30 (of 59 total)
  • The topic ‘link-template.php.suspected?’ is closed to new replies.