Bad_Egg
Forum Replies Created
Forum: Fixing WordPress
In reply to: Alleged malicious code
Hi James,
I did as directed and now my WP site does not work: https://www.mademers.com/globalindieauthor. At first glance it appears normal, but if one clicks on a blog post to read it, they get a 404 error. All my header links to my pages return 404 errors.
I can log in and everything is still there: the posts, the comments, the pages, but the links have been broken somehow.
Now what?
Forum: Fixing WordPress
In reply to: Alleged malicious code
I downloaded the archive (WordPress-4.1.zip) from the link you provided. When I compared the contents to what was in my WP folders on my website, the files I listed were on my website server but not in the zip file. I double-checked; if you unzip the archive and look in wp-includes/js/jquery/ui, for example, none of the jquery.ui files listed above are in there.
Forum: Fixing WordPress
In reply to: Alleged malicious code
Hi James,
Went online this evening to execute said upload only to notice several files in my current WP directories that do not exist in the downloaded ZIP file. My suspicion is that these are related to the theme I am using. I suspect havoc will ensue if I delete these files. Then again, they could be malicious files; I wouldn’t know. Specifically, these are the files that are in my WP directory that do not exist in the ZIP file:
root directory (/home4/mademer1/public_html/globalindieauthor):
fantversion.php
wp-atom.php
wp-commentsrss2.php
wp-feed.php
wp-pass.php
wp-rdf.php
wp-register.php
wp-rss.php
wp-rss2.php
wp-xmlrpc.php

wp-admin:
ajax-upload.php

wp-admin/includes:
install.php
options-reading.php

wp-admin/js:
default_folder.php

wp-admin/network:
details_up.php

wp-includes:
class-wp-smtp-bar.php
class.wp-dependencies.php
class.wp-scripts.php
class.wp-styles.php

wp-includes/certificates:
patfactory.php
tdomf-upload-functions.php

wp-includes/css:
mod_search.php
themes.php

wp-includes/js/crop:
default_ftp.php

wp-includes/js/jquery/ui:
jquery.ui.accordion.min.js
jquery.ui.autocomplete.min.js
jquery.ui.button.min.js
jquery.ui.core.min.js
jquery.ui.datepicker.min.js
jquery.ui.dialog.min.js
jquery.ui.draggable.min.js
jquery.ui.droppable.min.js
jquery.ui.effect-blind.min.js
jquery.ui.effect-bounce.min.js
jquery.ui.effect-clip.min.js
jquery.ui.effect-drop.min.js
jquery.ui.effect-explode.min.js
jquery.ui.effect-fade.min.js
jquery.ui.effect-fold.min.js
jquery.ui.effect-highlight.min.js
jquery.ui.effect-pulsate.min.js
jquery.ui.effect-scale.min.js
jquery.ui.effect-shake.min.js
jquery.ui.effect-slide.min.js
jquery.ui.effect-transfer.min.js
jquery.ui.effect.min.js
jquery.ui.menu.min.js
jquery.ui.mouse.min.js
jquery.ui.position.min.js
jquery.ui.progressbar.min.js
jquery.ui.resizable.min.js
jquery.ui.selectable.min.js
jquery.ui.slider.min.js
jquery.ui.sortable.min.js
jquery.ui.spinner.min.js
jquery.ui.tabs.min.js
jquery.ui.tooltip.min.js
jquery.ui.widget.min.js

wp-includes/js/tinymce/langs:
wp-langs-en.phtml

wp-includes/js/tinymce/plugins/colorpicker:
strspn.php

wp-includes/js/tinymce/plugins/compat3x/css:
folder.php

wp-includes/js/tinymce/plugins/fullscreen:
pdf.php

wp-includes/js/tinymce/plugins/tabfocus:
zip.php

wp-includes/js/tinymce/plugins/wpeditimage:
defines.php

wp-includes/js/tinymce/plugins/fullscreen:
DB.php

wp-includes/js/tinymce/plugins/wpgallery:
BBCode.php

wp-includes/js/tinymce/plugins/wplink:
frontpage.php

wp-includes/js/tinymce/plugins/wpview:
move.php

wp-includes/js/tinymce/skins/lightgray/fonts:
tdomf-subscribe-to-comments-widget.php

wp-includes/js/tinymce/skins/wordpress:
directory.php

wp-includes/js/tinymce/skins/wordpress/images:
dashicon-no-alt.png

wp-includes/SimplePie:
index.php

wp-includes/SimplePie/Content/Type:
nav-menu.php

wp-includes/SimplePie/HTTP:
InputFilter.php

wp-includes/SimplePie/XML/Declaration:
details_img.php
ms-users.php

wp-includes/Text/Diff:
admin.languages.html.php

wp-includes/Text/Diff/Engine:
xml_domit_xpath.php

wp-includes/Text/Diff/Renderer:
freesansbi.php

wp-includes/theme-compat:
string.php

As you can see, there are dozens. Should I leave them in or remove them?
Thanks.
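The comparison described in the post above (installed files checked against the official WordPress-4.1.zip) can be scripted. This is an added example, not part of the original thread; it also flags core files whose content differs from the release copy, which goes beyond the by-name check in the post. It assumes the ZIP stores files under a top-level "wordpress/" folder and treats wp-content/ and wp-config.php as site-specific.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

# Assumptions: ZIP paths start with "wordpress/"; these paths are site-specific.
SKIP_DIRS = ("wp-content/",)
SKIP_FILES = {"wp-config.php"}

def reference_hashes(zip_path, prefix="wordpress/"):
    """Map each file path in the release ZIP to the SHA-256 of its content."""
    with zipfile.ZipFile(zip_path) as zf:
        return {i.filename[len(prefix):]: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist()
                if not i.is_dir() and i.filename.startswith(prefix)}

def compare_install(site_root, zip_path, prefix="wordpress/"):
    """Return (extra, modified) lists of paths relative to site_root."""
    ref, root = reference_hashes(zip_path, prefix), Path(site_root)
    extra, modified = [], []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if rel in SKIP_FILES or rel.startswith(SKIP_DIRS):
            continue
        if rel not in ref:
            extra.append(rel)        # on the server, not in the release
        elif ref[rel] != hashlib.sha256(path.read_bytes()).hexdigest():
            modified.append(rel)     # same name, different content
    return extra, modified

def demo():
    """Constructed sample: a two-file 'release' and a site with one added file."""
    with tempfile.TemporaryDirectory() as tmp:
        zpath = Path(tmp, "release.zip")
        with zipfile.ZipFile(zpath, "w") as zf:
            zf.writestr("wordpress/index.php", "<?php // core")
            zf.writestr("wordpress/wp-includes/version.php", "<?php // 4.1")
        site = Path(tmp, "site")
        (site / "wp-includes/css").mkdir(parents=True)
        (site / "wp-content").mkdir()
        for rel, body in [("index.php", "<?php // core"),
                          ("wp-includes/version.php", "<?php // edited"),
                          ("wp-includes/css/mod_search.php", "<?php // unknown"),
                          ("wp-config.php", "<?php // config"),
                          ("wp-content/theme.php", "<?php // theme")]:
            (site / rel).write_text(body)
        return compare_install(site, zpath)

if __name__ == "__main__":
    print(demo())
```

For a real site, call compare_install() with the path to a downloaded copy of the site folder and the release ZIP that matches the installed WordPress version; a mismatched version will report legitimately older or newer core files as extra or modified.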
Forum: Fixing WordPress
In reply to: Alleged malicious code
Thanks for your help, James. I appreciate it.
Forum: Fixing WordPress
In reply to: Alleged malicious code
I see.
I’ve been told that WP is having problems with malware-infected plugins. Is this why my host would be watching WP sites more closely?
Forum: Fixing WordPress
In reply to: Alleged malicious code
Thanks, James. Will do as directed.
The weird thing about the sucuri result is that I have never been notified of any infections on my main site (which gets only a fraction of the visits that my globalindieauthor site gets) from either my host or Google. And, as indicated, sucuri found nothing wrong with WP but Just Host did, while Just Host found malicious files on WP but nothing on my main site. How is one supposed to respond to that?
Forum: Fixing WordPress
In reply to: Alleged malicious code
Hi James,
I’m not a programmer, so please bear with me. I installed WP originally via my site host, Just Host. I have three WP sites attached to my main website, which is not WP. The allegedly infected site is https://www.mademers.com/globalindieauthor.
In my file manager on Just Host, when I look in the folder globalindieauthor, I can see the wp-config.php in the root directory, and I can see the subfolder wp-content. Are you saying I should delete the wp-includes and wp-admin folders, as well as all files in the root except for the wp-config.php?
If so, when I download WP again through Just Host, will it not simply create yet another WP site? Do I have to do this through FTP instead?
Thanks.
P.S. It gets weirder. Just Host told me to check my site at sucuri.net. When I did, nothing in WP came up as infected. But two others did:
https://mademers.com/404testpage4525d2fdc
https://mademers.com/404javascript.js
malware-entry-mwhjck3123?se1
Malware entry: MW:HJCK:3123
A hidden and suspicious javascript (or iframe) was found on the site. It is loaded from a blacklisted (and malicious domain) and used to steal information from site visitors and/or infect them. Loads malware from multiple locations:
https://dsnextgen.com/?a_id=10636..
https://perfumefrosty.org/nnc0xazxwahh5ifg/
https://www.paid-to-promote.net/
https://www.777seo.com/pop.php?username=..
(and many other domains).
This malware is generally hidden on .js or .php files without heavy encoding.
And of course to clean the site costs $99.00. I’m beginning to think I’m being had.
Forum: Fixing WordPress
In reply to: Stop forum spam options
Thanks! Will give it a try.
Forum: Fixing WordPress
In reply to: Mass delete of registered scam users
Thanks. (Sorry for the late reply; was away for a while.)
Michelle
Forum: Fixing WordPress
In reply to: Mass delete of registered scam users
Hi:
I have learned how to get into the database but do not know the proper syntax for the query. The default query is this:
SELECT * FROM wp_users WHERE 1
In the columns I have “user_email” as an option. I want to delete all users with “@outlook.com” in their user email address. What would the query read as?
Thanks,
Michelle
Forum: Fixing WordPress
In reply to: Mass delete of registered scam users
Oh, and I’m using WP 3.6 and Pagelines.
Forum: Fixing WordPress
In reply to: Changing Address
Thanks for seeing me through the panic. Much appreciated.
Forum: Fixing WordPress
In reply to: Changing Address
Thank you! I found the functions.php and fixed it. I think I will leave this alone for a while. Will experiment with an older site that I don’t care so much about.
Now I need a drink. It’s only 2:30. Not good.
Forum: Fixing WordPress
In reply to: Changing Address
Scrap that. I found it. Let me check and get back.
Forum: Fixing WordPress
In reply to: Changing Address
I have looked through the entire file directory in my WP site via my server: cannot find the wp-config.php. Does the file name differ in various WP sites? I am using PageLines.