• Resolved Zach

    (@zach12ary)


    About a month and a half ago, all 5 of my WordPress websites being hosted on Bluehost were infected with malware. A week ago, I was made aware of this when my websites started redirecting users to malicious phishing sites. Contacted Bluehost, got a report of all infected files, cleaned them manually, no more malware.

    However, around the time my websites were apparently infected, I’ve been having connectivity issues on all of my websites. I get a random variety of errors on random pages at random times. These errors range from

    “err_connection_closed”
    to
    “err_http2_protocol_error”
    to
    “500 Proxy error”
    to
    “502 Bad gateway”

    I’ve tested these sites across different networks and devices and the errors still occur.

    Looking in the console area of inspect element, on any given page, there are “net::ERR_CONNECTION_CLOSED” errors when attempting to “GET” a variety of resources ranging from minified js to plugin files to simple images.

    I’ve already tried disabling all plugins, changing themes, etc to no avail.

    I’ve contacted Bluehost several times about this, but they’ve been totally useless. They seem to not want to settle on the fact that it’s very likely a server issue.

    Anybody know what I can possibly do about this? I’m at a loss. I’ll gladly provide more information if necessary.

Viewing 12 replies - 1 through 12 (of 12 total)
  • Hello, zach12ary, & welcome. I think the most helpful thing you could do right now is provide a link to your site so we can see what sort of errors you’re receiving.

    As a hosting provider myself & someone who also specializes in fixing compromised sites, my intuition is that this is not actually a server issue but has something to do w/the compromise. Did you perchance change your dashboard, control panel, & database passwords? That is something you should consider doing approximately yesterday :). The reason is that most hackers leave a backdoor into your site. These passwords might be 1 way they get in.

    At any rate, please let’s see a link, & then we can go from there.

    Thread Starter Zach

    (@zach12ary)

    Hey Jackie! I did change those passwords, so I should be okay in that respect. I’ve been monitoring my sites and I don’t see any more traces of the malware.

    As for one of my websites (the one I care most about in this situation), it’s beyondthetreat.com.

    Zach, I’m seeing a lot of errors in my browser’s developer console suggesting that your Elementor plugins & perhaps your theme as well may need to be reinstalled. I would also suggest that if you have SSL–& I think you do & you should if not–then please go into ‘Settings > General’ & change your URLs to https:// as opposed to https://, as it appears you’ve got mixed content issues occurring.

    Let’s try these solutions & see what we get.

    Also, have you joined Google’s Search Console & had a look there to ensure there are no manual actions against your sites? I’m not seeing any indications of that regarding beyondthetreat.com, but you should definitively make sure that everything’s ok w/Mr. G.

    Please let me know where we’re at following these suggestions.

    Hey Zach, I just went to your site again & got a 502 bad gateway error. Does Bluehost allow you to view error logs in its control panel, or can you secure them from Bluehost support?

    Thread Starter Zach

    (@zach12ary)

    I was thinking that, too, but the errors persist even when all plugins are disabled and using a different theme.

    I’m talking with Bluehost support right now regarding my SSL, which I feel is definitely an issue somewhere.

    No manual actions were taken on my properties in GSC.

    Bluehost does allow me to view error logs, but there’s absolutely nothing in them. That’s the strange thing to me. I’ve even entered debug mode and still got nothing.

    Well, things are actually looking a little better once the site came up again. I got concerned that my advice might’ve caused you more trouble than you already had–but you’re getting a lot of script failures from remote services such as ezoic.net, Google Analytics, Scorecard Research, etc.

    But I’m also seeing some 500 internal server errors.

    Zach, what I’d do if I were you is reinstall all files & see where that leaves us. Also, please let us see your .htaccess file. Let us know if you don’t know how to get that.

    Thread Starter Zach

    (@zach12ary)

    Yeah, I see those too. However, since the website loading issues still occur when all plugins are disabled and scripts are removed from the header, it makes me think that the failures are triggered from something else.

    When you say to reinstall all files, are you saying that I should do a clean WordPress install?

    And here’s my .htaccess file. I just made a fresh one earlier today. Obviously I have a caching plugin installed (which I’ve disabled for testing and problems still occur).

    # BEGIN W3TC Browser Cache
    <IfModule mod_mime.c>
    AddType text/css .css
    AddType text/x-component .htc
    AddType application/x-javascript .js
    AddType application/javascript .js2
    AddType text/javascript .js3
    AddType text/x-js .js4
    AddType text/html .html .htm
    AddType text/richtext .rtf .rtx
    AddType text/plain .txt
    AddType text/xsd .xsd
    AddType text/xsl .xsl
    AddType text/xml .xml
    AddType video/asf .asf .asx .wax .wmv .wmx
    AddType video/avi .avi
    AddType image/bmp .bmp
    AddType application/java .class
    AddType video/divx .divx
    AddType application/msword .doc .docx
    AddType application/vnd.ms-fontobject .eot
    AddType application/x-msdownload .exe
    AddType image/gif .gif
    AddType application/x-gzip .gz .gzip
    AddType image/x-icon .ico
    AddType image/jpeg .jpg .jpeg .jpe
    AddType image/webp .webp
    AddType application/json .json
    AddType application/vnd.ms-access .mdb
    AddType audio/midi .mid .midi
    AddType video/quicktime .mov .qt
    AddType audio/mpeg .mp3 .m4a
    AddType video/mp4 .mp4 .m4v
    AddType video/mpeg .mpeg .mpg .mpe
    AddType video/webm .webm
    AddType application/vnd.ms-project .mpp
    AddType application/x-font-otf .otf
    AddType application/vnd.ms-opentype ._otf
    AddType application/vnd.oasis.opendocument.database .odb
    AddType application/vnd.oasis.opendocument.chart .odc
    AddType application/vnd.oasis.opendocument.formula .odf
    AddType application/vnd.oasis.opendocument.graphics .odg
    AddType application/vnd.oasis.opendocument.presentation .odp
    AddType application/vnd.oasis.opendocument.spreadsheet .ods
    AddType application/vnd.oasis.opendocument.text .odt
    AddType audio/ogg .ogg
    AddType application/pdf .pdf
    AddType image/png .png
    AddType application/vnd.ms-powerpoint .pot .pps .ppt .pptx
    AddType audio/x-realaudio .ra .ram
    AddType image/svg+xml .svg .svgz
    AddType application/x-shockwave-flash .swf
    AddType application/x-tar .tar
    AddType image/tiff .tif .tiff
    AddType application/x-font-ttf .ttf .ttc
    AddType application/vnd.ms-opentype ._ttf
    AddType audio/wav .wav
    AddType audio/wma .wma
    AddType application/vnd.ms-write .wri
    AddType application/font-woff .woff
    AddType application/font-woff2 .woff2
    AddType application/vnd.ms-excel .xla .xls .xlsx .xlt .xlw
    AddType application/zip .zip
    </IfModule>
    <IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType text/css A31536000
    ExpiresByType text/x-component A31536000
    ExpiresByType application/x-javascript A31536000
    ExpiresByType application/javascript A31536000
    ExpiresByType text/javascript A31536000
    ExpiresByType text/x-js A31536000
    ExpiresByType text/html A3600
    ExpiresByType text/richtext A3600
    ExpiresByType text/plain A3600
    ExpiresByType text/xsd A3600
    ExpiresByType text/xsl A3600
    ExpiresByType text/xml A3600
    ExpiresByType video/asf A31536000
    ExpiresByType video/avi A31536000
    ExpiresByType image/bmp A31536000
    ExpiresByType application/java A31536000
    ExpiresByType video/divx A31536000
    ExpiresByType application/msword A31536000
    ExpiresByType application/vnd.ms-fontobject A31536000
    ExpiresByType application/x-msdownload A31536000
    ExpiresByType image/gif A31536000
    ExpiresByType application/x-gzip A31536000
    ExpiresByType image/x-icon A31536000
    ExpiresByType image/jpeg A31536000
    ExpiresByType image/webp A31536000
    ExpiresByType application/json A31536000
    ExpiresByType application/vnd.ms-access A31536000
    ExpiresByType audio/midi A31536000
    ExpiresByType video/quicktime A31536000
    ExpiresByType audio/mpeg A31536000
    ExpiresByType video/mp4 A31536000
    ExpiresByType video/mpeg A31536000
    ExpiresByType video/webm A31536000
    ExpiresByType application/vnd.ms-project A31536000
    ExpiresByType application/x-font-otf A31536000
    ExpiresByType application/vnd.ms-opentype A31536000
    ExpiresByType application/vnd.oasis.opendocument.database A31536000
    ExpiresByType application/vnd.oasis.opendocument.chart A31536000
    ExpiresByType application/vnd.oasis.opendocument.formula A31536000
    ExpiresByType application/vnd.oasis.opendocument.graphics A31536000
    ExpiresByType application/vnd.oasis.opendocument.presentation A31536000
    ExpiresByType application/vnd.oasis.opendocument.spreadsheet A31536000
    ExpiresByType application/vnd.oasis.opendocument.text A31536000
    ExpiresByType audio/ogg A31536000
    ExpiresByType application/pdf A31536000
    ExpiresByType image/png A31536000
    ExpiresByType application/vnd.ms-powerpoint A31536000
    ExpiresByType audio/x-realaudio A31536000
    ExpiresByType image/svg+xml A31536000
    ExpiresByType application/x-shockwave-flash A31536000
    ExpiresByType application/x-tar A31536000
    ExpiresByType image/tiff A31536000
    ExpiresByType application/x-font-ttf A31536000
    ExpiresByType application/vnd.ms-opentype A31536000
    ExpiresByType audio/wav A31536000
    ExpiresByType audio/wma A31536000
    ExpiresByType application/vnd.ms-write A31536000
    ExpiresByType application/font-woff A31536000
    ExpiresByType application/font-woff2 A31536000
    ExpiresByType application/vnd.ms-excel A31536000
    ExpiresByType application/zip A31536000
    </IfModule>
    <IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/html text/richtext text/plain text/xsd text/xsl text/xml image/bmp application/java application/msword application/vnd.ms-fontobject application/x-msdownload image/x-icon application/json application/vnd.ms-access video/webm application/vnd.ms-project application/x-font-otf application/vnd.ms-opentype application/vnd.oasis.opendocument.database application/vnd.oasis.opendocument.chart application/vnd.oasis.opendocument.formula application/vnd.oasis.opendocument.graphics application/vnd.oasis.opendocument.presentation application/vnd.oasis.opendocument.spreadsheet application/vnd.oasis.opendocument.text audio/ogg application/pdf application/vnd.ms-powerpoint image/svg+xml application/x-shockwave-flash image/tiff application/x-font-ttf application/vnd.ms-opentype audio/wav application/vnd.ms-write application/font-woff application/font-woff2 application/vnd.ms-excel
    <IfModule mod_mime.c>
    # DEFLATE by extension
    AddOutputFilter DEFLATE js css htm html xml
    </IfModule>
    </IfModule>
    <FilesMatch "\.(css|htc|less|js|js2|js3|js4|CSS|HTC|LESS|JS|JS2|JS3|JS4)$">
    FileETag MTime Size
    <IfModule mod_headers.c>
    Header set Pragma "public"
    Header append Cache-Control "public"
    Header unset Set-Cookie
    Header set X-Powered-By "W3 Total Cache/0.13.1"
    </IfModule>
    </FilesMatch>
    <FilesMatch "\.(html|htm|rtf|rtx|txt|xsd|xsl|xml|HTML|HTM|RTF|RTX|TXT|XSD|XSL|XML)$">
    FileETag MTime Size
    <IfModule mod_headers.c>
    Header set Pragma "public"
    Header append Cache-Control "public"
    Header set X-Powered-By "W3 Total Cache/0.13.1"
    </IfModule>
    </FilesMatch>
    <FilesMatch "\.(asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|webp|json|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|webm|mpp|otf|_otf|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|swf|tar|tif|tiff|ttf|ttc|_ttf|wav|wma|wri|woff|woff2|xla|xls|xlsx|xlt|xlw|zip|ASF|ASX|WAX|WMV|WMX|AVI|BMP|CLASS|DIVX|DOC|DOCX|EOT|EXE|GIF|GZ|GZIP|ICO|JPG|JPEG|JPE|WEBP|JSON|MDB|MID|MIDI|MOV|QT|MP3|M4A|MP4|M4V|MPEG|MPG|MPE|WEBM|MPP|OTF|_OTF|ODB|ODC|ODF|ODG|ODP|ODS|ODT|OGG|PDF|PNG|POT|PPS|PPT|PPTX|RA|RAM|SVG|SVGZ|SWF|TAR|TIF|TIFF|TTF|TTC|_TTF|WAV|WMA|WRI|WOFF|WOFF2|XLA|XLS|XLSX|XLT|XLW|ZIP)$">
    FileETag MTime Size
    <IfModule mod_headers.c>
    Header set Pragma "public"
    Header append Cache-Control "public"
    Header unset Set-Cookie
    Header set X-Powered-By "W3 Total Cache/0.13.1"
    </IfModule>
    </FilesMatch>
    <FilesMatch "\.(bmp|class|doc|docx|eot|exe|ico|json|mdb|webm|mpp|otf|_otf|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|pot|pps|ppt|pptx|svg|svgz|swf|tif|tiff|ttf|ttc|_ttf|wav|wri|woff|woff2|xla|xls|xlsx|xlt|xlw|BMP|CLASS|DOC|DOCX|EOT|EXE|ICO|JSON|MDB|WEBM|MPP|OTF|_OTF|ODB|ODC|ODF|ODG|ODP|ODS|ODT|OGG|PDF|POT|PPS|PPT|PPTX|SVG|SVGZ|SWF|TIF|TIFF|TTF|TTC|_TTF|WAV|WRI|WOFF|WOFF2|XLA|XLS|XLSX|XLT|XLW)$">
    <IfModule mod_headers.c>
    Header unset Last-Modified
    </IfModule>
    </FilesMatch>
    <IfModule mod_headers.c>
    Header set Referrer-Policy "no-referrer-when-downgrade"
    </IfModule>
    # END W3TC Browser Cache
    # BEGIN W3TC Page Cache core
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{HTTPS} =on
    RewriteRule .* - [E=W3TC_SSL:_ssl]
    RewriteCond %{SERVER_PORT} =443
    RewriteRule .* - [E=W3TC_SSL:_ssl]
    RewriteCond %{HTTP:X-Forwarded-Proto} =https [NC]
    RewriteRule .* - [E=W3TC_SSL:_ssl]
    RewriteCond %{HTTP:Accept-Encoding} gzip
    RewriteRule .* - [E=W3TC_ENC:_gzip]
    RewriteCond %{HTTP_COOKIE} w3tc_preview [NC]
    RewriteRule .* - [E=W3TC_PREVIEW:_preview]
    RewriteCond %{REQUEST_METHOD} !=POST
    RewriteCond %{QUERY_STRING} =""
    RewriteCond %{HTTP_COOKIE} !(comment_author|wp\-postpass|w3tc_logged_out|wordpress_logged_in|wptouch_switch_toggle) [NC]
    RewriteCond %{REQUEST_URI} \/$
    RewriteCond "%{DOCUMENT_ROOT}/wp-content/cache/page_enhanced/%{HTTP_HOST}/%{REQUEST_URI}/_index%{ENV:W3TC_SSL}%{ENV:W3TC_PREVIEW}.html%{ENV:W3TC_ENC}" -f
    RewriteRule .* "/wp-content/cache/page_enhanced/%{HTTP_HOST}/%{REQUEST_URI}/_index%{ENV:W3TC_SSL}%{ENV:W3TC_PREVIEW}.html%{ENV:W3TC_ENC}" [L]
    RewriteCond %{REQUEST_METHOD} !=POST
    RewriteCond %{QUERY_STRING} =""
    RewriteCond %{HTTP_COOKIE} !(comment_author|wp\-postpass|w3tc_logged_out|wordpress_logged_in|wptouch_switch_toggle) [NC]
    RewriteCond "%{DOCUMENT_ROOT}/wp-content/cache/page_enhanced/%{HTTP_HOST}/%{REQUEST_URI}/_index%{ENV:W3TC_SSL}%{ENV:W3TC_PREVIEW}.xml%{ENV:W3TC_ENC}" -f
    RewriteRule .* "/wp-content/cache/page_enhanced/%{HTTP_HOST}/%{REQUEST_URI}/_index%{ENV:W3TC_SSL}%{ENV:W3TC_PREVIEW}.xml%{ENV:W3TC_ENC}" [L]
    </IfModule>
    # END W3TC Page Cache core
    # BEGIN WordPress
    # The directives (lines) between BEGIN WordPress and END WordPress are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.
    AddHandler application/x-httpd-ea-php70 .php
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress

    RewriteEngine On
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

    Yes. I always recommend that be done following a site compromise. I realize it’s a frickin hassle, but this way it ensures that all the files are both accounted for & that they’re all clean.

    You say you have other sites. So is this a multisite or do you just have single installs of each?

    Also, you know what, Zach? Please let’s do this for the halibut in order to simplify the diagnostic process.

    Please rename your .htaccess to htaccess, ie, simply remove the prepended .
    Then, please create a new .htaccess w/just the following lines:
    # BEGIN WordPress
    # The directives (lines) between BEGIN WordPress and END WordPress are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.
    AddHandler application/x-httpd-ea-php70 .php
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress
    RewriteEngine On
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
    & let’s see how we go. We can always reenable your caching once these issues are resolved.

    Thread Starter Zach

    (@zach12ary)

    Okay, I can definitely get that done by the end of the day. Hopefully you’ll still be around once I do that.

    Each website is a separate entity, so I’ll do the fresh install in one of my less-important websites to test things out.

    I’ll update when I do that stuff! Thank you!

    Thread Starter Zach

    (@zach12ary)

    Do you have a good tutorial for getting a clean install all set up? If not, I’m sure I can find one myself.

    Thread Starter Zach

    (@zach12ary)

    Coming back to update:

    Found out that the malware downgraded the PHP on all of my websites to 7.0.3 (or something similar). Went to my host, upgraded PHP back to current, and now I’m not getting any more errors.

    Knock on wood, I think that simple fix was it. I hope.

    Thanks for your help, Jackie!
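
Both .htaccess files posted in this thread contain `AddHandler application/x-httpd-ea-php70 .php`, a handler name of the form cPanel's EasyApache uses for PHP 7.0, so a per-directory handler line is worth checking when a PHP version changes after a compromise. The script below is an added example, not code from the thread or from WordPress: it lists every PHP handler directive in an .htaccess file with the version it pins and the `# BEGIN`/`# END` block it sits in. The two-digit version pattern and the `min_version` floor are assumptions; set the floor to whatever your host currently supports.

```python
import os
import re

# Handler names of the form seen in the thread (application/x-httpd-ea-php70);
# assumes the version is encoded as two digits right after "php".
HANDLER_RE = re.compile(
    r'^\s*(AddHandler|SetHandler|AddType)\s+"?(\S*?php(\d)(\d)[^\s"]*)', re.I)
MARKER_RE = re.compile(r'^\s*#\s*(BEGIN|END)\s+(.+?)\s*$')

def audit_htaccess(text, min_version):
    """Return one finding per directive that selects a versioned PHP handler."""
    findings, section = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        marker = MARKER_RE.match(line)
        if marker:
            # Track which managed block (WordPress, W3TC, ...) we are inside.
            section = marker.group(2) if marker.group(1) == "BEGIN" else None
            continue
        hit = HANDLER_RE.match(line)
        if hit:
            version = (int(hit.group(3)), int(hit.group(4)))
            findings.append({
                "line": lineno, "directive": hit.group(1),
                "handler": hit.group(2), "version": version,
                "section": section, "outdated": version < min_version,
            })
    return findings

def scan_tree(root, min_version):
    """Audit every .htaccess under root (e.g. one directory per hosted site)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = audit_htaccess(fh.read(), min_version)
            if hits:
                report[path] = hits
    return report

# Constructed sample, modelled on the WordPress block posted in the thread.
SAMPLE = """\
# BEGIN WordPress
AddHandler application/x-httpd-ea-php70 .php
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE, min_version=(8, 1)):  # assumed floor
        print(finding)
```

Running `scan_tree` over the account's web root covers all sites in one pass; a handler line that reappears after being corrected is a sign something is still rewriting the file.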

    No prob, Zach! I’ll keep my subscription to this topic open for a bit so if you run into any more problems, I’ll be notified by email that you posted.

    I’m still seeing site warnings referencing failure to load scripts pertaining to Google Analytics, Ads by Google, & Scorecard Research.

    Nice site! I own 2 special needs kitties & a female Western Ornate box turtle.

  • The topic ‘Sites infected with malware, now seeing connectivity issues after cleaning’ is closed to new replies.