Title: Sites compromised Last modified: August 19, 2016 --- # Sites compromised * [Lee Adler](https://wordpress.org/support/users/drstool/) * (@drstool) * [15 years, 9 months ago](https://wordpress.org/support/topic/sites-compromised/) * I run a handful of sites on WP 3.0 (now 3.1). Each morning over the past couple of days I awaken to broken sites. The primary busted file is usually wp-includes/ functions.php but there are others. Been able to find them quickly via the php errors reported. * I upload a clean file and that fixes the problem temporarily until the next incident. I’ve been unable to find the malicious code that’s causing the problem. Have changed db passwords, ftp passwords, toughened chmod on wp-config and other content folders, but I’m getting nowhere. I guess the problem is buried somewhere in my database. * They are also breaking my admin panel. I’ve had to reupload the entire wp-admin folder. These are temporary fixes because overnight, and sometimes during the day the sites break again. * Has anyone else had this problem and found where the vulnerability is? I’m tearing my hair out. Even upgrading to 3.1 did not fix the problem. * My “hosing” company is Rackspace. They tell me that this is a widespread problem affecting many of their WP users. Why is there no news or info on this anywhere? Viewing 6 replies - 1 through 6 (of 6 total) * [Darrell Schauss](https://wordpress.org/support/users/darrellonsite/) * (@darrellonsite) * [15 years, 9 months ago](https://wordpress.org/support/topic/sites-compromised/#post-1606736) * Your database can have bad code hidden in it too. I seen some sql commands for finding and cleaning but cant find the blog post now. * One thing you can do is in phpMyAdmin search the whole database for `base64` and `46esab` * Edit: here is a very detailed post. [http://smackdown.blogsblogsblogs.com/2010/06/14/rackspace-hacked-clients-check-your-databases-wordpress-wp_optimize-backdoor-in-wp_options-table/](http://smackdown.blogsblogsblogs.com/2010/06/14/rackspace-hacked-clients-check-your-databases-wordpress-wp_optimize-backdoor-in-wp_options-table/) * `SELECT * FROM wp_options WHERE (option_id LIKE '%base64_decode%' OR blog_id LIKE '%base64_decode%' OR option_name LIKE '%base64_decode%' OR option_value LIKE '%base64_decode%' OR autoload LIKE '%base64_decode%') order by option_id` * [http://wordpress.org/support/topic/have-i-been-hacked-username-amin?replies=42](http://wordpress.org/support/topic/have-i-been-hacked-username-amin?replies=42) * Thread Starter [Lee Adler](https://wordpress.org/support/users/drstool/) * (@drstool) * [15 years, 9 months ago](https://wordpress.org/support/topic/sites-compromised/#post-1606737) * thanks! will try that! * Thread Starter [Lee Adler](https://wordpress.org/support/users/drstool/) * (@drstool) * [15 years, 9 months ago](https://wordpress.org/support/topic/sites-compromised/#post-1606742) * Found this- * SELECT * FROM `xxxxx`.`blogname_options` WHERE ( `option_id` LIKE ‘%46esab%’ OR `blog_id` LIKE ‘%46esab%’ OR `option_name` LIKE ‘%46esab%’ OR `option_can_override` LIKE ‘%46esab%’ OR `option_type` LIKE ‘%46esab%’ OR `option_value` LIKE ‘%46esab%’ OR `option_width` LIKE ‘%46esab%’ OR `option_height` LIKE ‘%46esab%’ OR `option_description` LIKE ‘%46esab%’ OR `option_admin_level` LIKE ‘%46esab%’ OR `autoload` LIKE ‘% 46esab%’ ) LIMIT 0 , 30 * That’s the bad stuff? * [Darrell Schauss](https://wordpress.org/support/users/darrellonsite/) * (@darrellonsite) * [15 years, 9 months ago](https://wordpress.org/support/topic/sites-compromised/#post-1606746) * Running that command will give a result of records if there is anything. On very very rare instance do I find legitimate code using base64 (but in the PHP itself) but usually not 46esab when legit. * Thread Starter [Lee Adler](https://wordpress.org/support/users/drstool/) * (@drstool) * [15 years, 9 months ago](https://wordpress.org/support/topic/sites-compromised/#post-1606753) * thanks again. will delete. * Thread Starter [Lee Adler](https://wordpress.org/support/users/drstool/) * (@drstool) * [15 years, 9 months ago](https://wordpress.org/support/topic/sites-compromised/#post-1606771) * After reading that thread, and considering the poor response that I’ve gotten from Rackspace and the fact that it was THEIR NEGLIGENCE that was at the root of all this crap, I put in a call to my attorney who happens to specialize in class action suits. I think Rackspace owes me and everyone else who has spent countless hours dealing with this crap, something. * In general, my experience with them since moving over from managed hosting to the Rackspace Cloud has been atrocious. I’m wondering if others have the same experience. Something needs to be done. * Problem is that in 12 years of running websites I’ve yet to find a webhost that didn’t have tons of “issues” so I’m reluctant to move again. Viewing 6 replies - 1 through 6 (of 6 total) The topic ‘Sites compromised’ is closed to new replies. * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) * 6 replies * 2 participants * Last reply from: [Lee Adler](https://wordpress.org/support/users/drstool/) * Last activity: [15 years, 9 months ago](https://wordpress.org/support/topic/sites-compromised/#post-1606771) * Status: not resolved ## Topics ### Topics with no replies ### Non-support topics ### Resolved topics ### Unresolved topics ### All topics