Support » Fixing WordPress » link-template.php.suspected?

  • Resolved Mary_cap

    (@mary_cap)


    Hello,

    Yesterday I noticed that my websites hosted in GoDaddy were down and all I got were some blank pages with the following error:

    Warning: require(/home/content/89/9175889/html/blog/wp-includes/link-template.php) [function.require]: failed to open stream: No such file or directory in /home/content/89/9175889/html/blog/wp-settings.php on line 125
    
    Fatal error: require() [function.require]: Failed opening required '/home/content/89/9175889/html/blog/wp-includes/link-template.php' (include_path='.:/usr/local/php5_3/lib/php') in /home/content/89/9175889/html/blog/wp-settings.php on line 125

    I called the support team and they told me that someone changed some strings in some file. They didn’t want to tell me which strings or which file were changed, they just mentioned quickly that it was something called more or less “template-link-suspected”, then they proceeded to change the theme of one of the websites and they suggested doing the same through FTP.

    The point is, they didn’t solve anything at all, because when I tried to log into the admin panel all I got is the left menu with another error:

    Fatal error: Call to undefined function get_avatar_url() in /home/content/89/9175889/html/cappuccinofactory/wp-includes/pluggable.php on line 2221

    I am really desperate, I don’t know who to contact or how to solve this. I don’t know any webmaster who can help me out with this and I am about to start crying since I think I’ve lost all of my content.

    Please, if anybody knows how to solve this, anything, a tip, an email of some webmaster…anything.

    Thank you so much for reading, looking forward to any answer.

Viewing 14 replies - 46 through 59 (of 59 total)
  • Cheers for the help guys, we also had the same problem.

    I also found the following command showed up a few nasties (find all php files using the eval command).

    find . -name "*.php" -exec grep -H "eval(" {} \;

    It's easy to spot the hacker scripts as they all look like this:
    eval($p38d[$GLOBALS['y110d20'][21]]);

    Ah yes, sorry imdevin567, your method looks better 🙂

    Sure enough Devin, that is finding stuff that my grep, and clamav, and maldet missed. Thanks 🙂

    If anyone finds malware like this that maldet is not finding, please report it with maldet -c $filename, this will send it to them so it can be added to future definitions.

    You should be able to do a combined egrep (yay regex):

    egrep -Rl '\$GLOBALS.*\\x|function.*for.*strlen.*isset' /home/username/public_html

    Or if you’re bored and need to scan every .php file on a cPanel box,

    find /home/*/public_html/ -type f -name "*php" -exec egrep -l '\$GLOBALS.*\\x|function.*for.*strlen.*isset' "{}" \;

    I have noticed a few false positives from the GLOBALS check, but I’d rather review some clean files than miss some nasty ones.

    And for the 5th time I get four WP blogs on my server “out of order” with the renaming of the “Link-templated.php.suspected”. It is happening every day at 0:30 – 0:40 midnight.

    With this command

    egrep -Rl '\$GLOBALS.*\\x' .

    I found several .php files which were not uploaded by me on FTP!
    With names like:

    lip.php
    file.php
    inc77.php
    help14.php
    dir81.php
    themes45.php

    I deleted them all! Maybe it's now OK 😉

    Hey Alex, Thanks for sharing.
    I found several nasty files and deleted them all.

    Our site is currently suffering through this as well. In reading the comments here, the only plugin I have in common with everyone else is Revolution Slider.

    I do know that the site was indeed compromised a few weeks back, and at that point, we felt we had identified all the malicious files and deleted them. Apparently, there is still something malicious lurking somewhere. So the hunt continues. We will be throwing all our resources over the next 24 hours to resolve this, and will share any useful insights. Meanwhile, will also be keeping an eye on this forum.

    Looks like the hackers are still going at it. I found more malware with this command:

    egrep -Rl 'isset.*eval' /home/username/public_html

    You’re likely to get a few false positives in there. The malware I found with that command wasn’t that obfuscated.

    We are also having this issue with one of our sites, but we do not have Revolution Slider installed, so I do not think the issue is coming from here.

    I found a file called wp-ajax.php.suspected in our theme folder that seems to have been changed as well as link-template.php:suspected.

    Joe

    (@joewa1980)

    These commands have been invaluable, thanks guys. There are some false positives as predicted, but the malicious code examples on our server ALL had the same date and time. In our case: 06/04/2015 13:53

    With that said, here’s a command to identify all files created on that date for further investigation (in case the previous commands missed something):

    find /path/to/dir -newermt "yyyy-mm-dd"

    Joe – I noticed the same thing in my case. That being said, more files appeared yesterday after I deleted the existing ones. Searching by created date helped to find the initial ones, but don’t expect it to end there.

    FWIW – everyone should check their mail services to make sure they aren’t being spammed. In my case, Postfix had over 60,000 spam messages in queue that couldn’t be sent due to overloading. Turns out THAT is why the hackers wanted my server. If you have root access to the server, check your syslog to see if emails are being sent that aren’t meant to be. If you’re on a shared server, I would contact your host immediately to verify you aren’t spamming their mail services–that’s a quick way to lose your account.

    I’m posting updates as I find them here: [link moderated – keep support on this site. Forum Rules]

    I have also noticed that new files with malicious code that are sending spam emails are created every day.
    I ran Exploit Scanner and found some files that are probably creating these files and deleted them.
    Will update soon if the problem persists.

    Very useful thread, thanks guys for all the grep commands. Caught a load of hacked files that have been hounding me for months.

    imdevin567 is correct when he says they are appearing to target mail. I ran the top command and noticed that the sendmail service was bumping to the top almost continuously. I shut down the sendmail service in order to see what happens by issuing the service sendmail stop

    Moderator Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    By the way, after I fixed my website, it gave me an error when clicking on any link (pages, posts, categories, etc.); this was somehow fixed by setting my permalinks to custom and saving. Now it is back to normal again.

    Just in case somebody else finds the same problem.
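
A consolidated version of the searches posted in this thread, as an added example that is not from any of the posters: it runs the three regexes from the replies, lists `*.suspected` files, and prints each hit with its modification time so same-minute clusters like the one Joe describes stand out. It assumes GNU find, grep, date and touch; the function names `scan_tree`, `modified_on` and `make_fixture` are hypothetical, and the fixture files are constructed, inert samples.

```shell
#!/usr/bin/env bash
# Added example (not from the thread's posters). Requires GNU find/grep/date.

# Regexes quoted from the replies above; expect false positives, review each hit.
PATTERNS='\$GLOBALS.*\\x|function.*for.*strlen.*isset|isset.*eval'

# scan_tree DIR: one line per hit, "mtime<TAB>reason<TAB>path", sorted by
# mtime so files dropped in the same minute end up next to each other.
scan_tree() {
    {
        # PHP files whose content matches one of the thread's regexes.
        find "$1" -type f -name '*.php' -exec grep -Eq -- "$PATTERNS" {} \; \
            -printf '%TY-%Tm-%Td %TH:%TM\tpattern\t%p\n'
        # Files that something renamed to *.suspected.
        find "$1" -type f -name '*.suspected' \
            -printf '%TY-%Tm-%Td %TH:%TM\trenamed\t%p\n'
    } | sort
}

# modified_on DIR YYYY-MM-DD: files whose mtime falls on that day only.
# (-newermt with a single date also lists everything modified later.)
modified_on() {
    local next
    next=$(date -d "$2 +1 day" +%F) || return 1
    find "$1" -type f -newermt "$2" ! -newermt "$next" | sort
}

# make_fixture DIR: constructed, inert sample tree for trying the functions.
make_fixture() {
    mkdir -p "$1/wp-includes" "$1/wp-content/uploads"
    printf '%s\n' '<?php echo "hello"; ?>' > "$1/index.php"
    printf '%s\n' '<?php $GLOBALS["y110d20"] = "\x41\x42"; ?>' \
        > "$1/wp-content/uploads/inc77.php"
    printf '%s\n' '<?php /* renamed core file */ ?>' \
        > "$1/wp-includes/link-template.php.suspected"
    touch -d '2015-06-04 13:53' "$1/wp-content/uploads/inc77.php" \
        "$1/wp-includes/link-template.php.suspected"
    touch -d '2015-05-01 09:00' "$1/index.php"
}

if [ "$#" -ge 1 ]; then    # usage: ./scan.sh /home/username/public_html
    scan_tree "$1"
fi
```

Hits are candidates for review, not confirmed malware; compare flagged core files against a clean WordPress download of the same version before deleting anything.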

  • The topic ‘link-template.php.suspected?’ is closed to new replies.