Forum Replies Created

Viewing 15 replies - 61 through 75 (of 91 total)
  • Forum: Fixing WordPress
    In reply to: Site Hacked
    Nihad Nagi

    (@nihadnagi)

    No problem

    Check out all your directories for names like:

    .akismet.db
    .akistment.cache

    Any files or folders starting with a period “.” in the plugins, wp-includes and wp-admin directories.

    Before deciding whether it’s a service provider or WordPress issue, remember that all the plugins we install can be from experienced or inexperienced developers; aren’t they a possible backdoor? Aren’t plugins the reason wordpress.com was never breached? Right? So, before we jump to any conclusions, there is a new suspect: not WORDPRESS but WORDPRESS PLUGINS. So, please be patient, because a proper diagnosis is needed prior to any action that might be costly.

    Forum: Fixing WordPress
    In reply to: Site Hacked
    Nihad Nagi

    (@nihadnagi)

    Yeah, I can
    What I am asking about is a hack that stores itself in your database and not your installation files; no wonder re-installing a million times won’t work.
    However, if looking for these files inside your plugins folder is a big issue, then forget it and forgive me.
    Thanks.
    Regards

    Nihad Nagi

    (@nihadnagi)

    I will check this one for you, but it’s too late in the process for the visitor to check a link, discover it’s broken, then report it back to you, if he did in the first place. Additionally, broken links ruin your page rank by search engines. There is an automatic broken link checker that automatically scans all your posts and reports them back to you instantly in your dashboard or to your email, so you can decide what to do, instead of making your visitors do it manually. Just a thought. You need this first, and additionally add the feature you want as a second line of defense.

    Forum: Fixing WordPress
    In reply to: Site Hacked
    Nihad Nagi

    (@nihadnagi)

    Thanks but don’t even mention it.
    Ok, check all your WordPress plugins directories for the following files:

    wp-ajax-gadget.php
    zipper-class.php

    Please tell me, if you have any of these.

    Nihad Nagi

    (@nihadnagi)

    The error you are getting is one thing, and the database connectivity is another.
    For the error, we need to:
    Try to reproduce the error from your end.
    Tell me the steps that you perform to produce it.
    Is it a front-end error for visitors? Then send me the link that’s broken. Or
    a back-end error for you as an admin?

    Before I can give you any guidance, we have to figure out what is wrong.
    It’s easy to give you a wrong prescription.

    For the database connectivity error:
    There is no database connectivity error, because if the wp-config file parameters are wrong, neither the backend nor the front end would be available.
    If you have created a new WordPress installation from your cPanel using Fantastico or other deployers, and then tried to import the old database, then in this case I think you are referring to broken post attachments like images, thumbs, music, etc.

    So, which of these is your problem, and if both, then they are two, that should be solved independently.

    Nihad Nagi

    (@nihadnagi)

    WOW, what a hack, no wonder your hosting providers got problems. See the function name below (line 73 in wp-ajax-gadget.php). I really liked it, even though I am on the good side.

    $evil=create_function('$a',"\x72\x65tu\x72\x6e\x20\x65\x76\x61l(\x24a);"

    No wonder, hosting providers are confused, this is not a hack, this is an invasion.

    No wonder re-installation never worked. If I am right, they used and enhanced the F-ARMA hack technique. This hack is very smart, creating the hack dynamically from the database. The last place we or our defenders would check, isn’t it the data that we stored!!!!! No wonder it made all those people puzzled. I really hope I am wrong.

    But don’t worry, we will do it, I am all in.

    The following is a step by step solution checklist (some items might be true and applicable to you and others might not be, but you should complete it all, to prevent this problem from recurring) to remove and harden your WordPress:

    1. Check and Clear your WP-Database from rogue entries

    Now, you need to check your phpmyadmin, in the following order:

    Check all used WordPress databases for privileged users, both in the wp_users table and the cPanel/MySQL users for that database, and make sure they match.

    Check the wp_options table for each used database by doing the following:
    Click on the wp_options table, and this will allow you to browse the table contents.
    Use the phpMyAdmin search function, which you can access by clicking the Search tab at the top of the page.
    Search the option_name field for the following rogue database entries, and delete them when found:

    widget_generic_support

    ftp_credentials

    fwp

    wp_check_hash

    class_generic_support

    rss_% — In this case, delete all matches EXCEPT rss_language, rss_use_excerpt, and rss_excerpt_length (these are ok). Use the LIKE operator = rss.

    2. Remove Malicious Code and Files:

    Search your plugins folder for these two files, and delete them permanently: wp-ajax-gadget.php & zipper-class.php. Please note that you might find multiple instances of them. DELETE THEM ALL.

    Check all your PHP files for code lines at the header and the footer (even if there are too many lines, make sure you reach the last line); check for functions like eval(base64_decode(...)) and decode*. Remove them all. Refer to what timeuser found, as an example. Start with the wp-includes folder. It may be a lengthy process, but that is because it’s truly a smart hack.

    Check for directory names starting with a period. For example, Erko Risthein had wp-admin/includes/.svn/class-wp-theme-edit.php. This .svn is not a standard directory under includes, and additionally directory names don’t start, so this includes a file that needs to be checked, in case you find code as specified in the previous clause. DELETE FILES & FOLDERS.

    3. Hardening & Protecting your WP:

    Folder permissions should be 755, while FILE permissions should be 644; as for timeuser and rsconsult, both their folder and file permissions are 755.
    Open the .htaccess file and ensure that the rewrite rules below are somewhere in your file. The purpose of these rewrite rules is to block any access to wp-includes files, the main back door discovered.
    If this helped you should give:

    Thanks to Erko Risthein & rsconsult for their contribution.

    Special thanks to timeuser, without whom this would not have been done.

    Regards.
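    The checklist in the reply above (dot-files and dot-directories under plugins, wp-includes and wp-admin; the two rogue filenames; eval/base64 and hex-escaped create_function loaders; 755/644 permissions; the rogue wp_options names with the rss_ exception list) can be run as one offline triage pass. The script below is an added example written for this page, not code from the thread or from WordPress; it assumes a standard WordPress directory layout, builds a constructed sample tree and an in-memory SQLite stand-in for wp_options so it runs without a real site, and the same WHERE clause applies to MySQL via phpMyAdmin.

```python
"""Offline triage of a WordPress tree and its wp_options table (hypothetical
helper code written for this page, not from the thread)."""
import os
import re
import sqlite3
import stat
import tempfile

# Names called out in the checklist above (constructed lists; extend as needed).
ROGUE_FILES = {"wp-ajax-gadget.php", "zipper-class.php"}
ROGUE_OPTIONS = ("widget_generic_support", "ftp_credentials", "fwp",
                 "wp_check_hash", "class_generic_support")
RSS_KEEP = {"rss_language", "rss_use_excerpt", "rss_excerpt_length"}
SCAN_DIRS = ("wp-content/plugins", "wp-includes", "wp-admin")

# Loader shapes the post describes: eval() fed by a decoder, and a
# create_function() whose body is hidden behind \xNN escapes.
SUSPICIOUS = re.compile(
    rb"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(|"
    rb"create_function\s*\([^;]*\\x[0-9a-fA-F]{2}")


def mode_of(path):
    """Permission bits only (e.g. 0o644), ignoring file type bits."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def scan_tree(root):
    """Return sorted (kind, relative_path) findings under SCAN_DIRS."""
    findings = set()
    for sub in SCAN_DIRS:
        for dirpath, dirnames, filenames in os.walk(os.path.join(root, sub)):
            for name in dirnames:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root)
                if name.startswith("."):
                    findings.add(("dot-directory", rel))
                if mode_of(full) != 0o755:
                    findings.add(("dir-permissions", rel))
            for name in filenames:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root)
                if name.startswith("."):
                    findings.add(("dot-file", rel))
                if name in ROGUE_FILES:
                    findings.add(("rogue-filename", rel))
                if mode_of(full) != 0o644:
                    findings.add(("file-permissions", rel))
                if name.endswith(".php"):
                    with open(full, "rb") as fh:
                        if SUSPICIOUS.search(fh.read()):
                            findings.add(("suspicious-code", rel))
    return sorted(findings)


def find_rogue_options(conn):
    """Apply the option_name checklist to a wp_options table.  The LIKE uses
    ESCAPE so '_' is literal (MySQL needs the escape written as '\\\\')."""
    placeholders = ",".join("?" * len(ROGUE_OPTIONS))
    sql = ("SELECT option_name FROM wp_options WHERE option_name IN ("
           + placeholders + ") OR option_name LIKE 'rss\\_%' ESCAPE '\\'")
    rows = conn.execute(sql, ROGUE_OPTIONS).fetchall()
    return sorted(name for (name,) in rows if name not in RSS_KEEP)


def build_sample_tree(root):
    """Constructed sample tree mimicking what the thread describes."""
    layout = {
        "wp-content/plugins/akismet/.akismet.db.php": b"<?php // cache",
        "wp-content/plugins/all-in-one-seo/zipper-class.php":
            rb'<?php $evil=create_function("$a","\x72\x65tu\x72\x6e eval(\x24a);");',
        "wp-includes/functions.php": b"<?php function wp_ok() { return 1; }",
        "wp-admin/includes/.svn/class-wp-theme-edit.php":
            b"<?php eval(base64_decode('QUJD'));",  # placeholder blob
    }
    for rel, body in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
        os.chmod(full, 0o644)
    for rel in ("wp-content/plugins/akismet", "wp-admin/includes",
                "wp-admin/includes/.svn"):
        os.chmod(os.path.join(root, rel), 0o755)
    os.chmod(os.path.join(root, "wp-content/plugins/all-in-one-seo"), 0o777)
    os.chmod(os.path.join(root, "wp-includes/functions.php"), 0o664)


def sample_options_db():
    """In-memory stand-in for wp_options with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_options (option_name TEXT, option_value TEXT)")
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", [
        ("siteurl", "https://example.test"), ("rss_language", "en"),
        ("rss_use_excerpt", "0"), ("rss_foo_bar", "x"), ("rsscustom", "x"),
        ("fwp", "x"), ("ftp_credentials", "x"), ("widget_generic_support", "x")])
    return conn


def demo():
    """Build the sample tree, scan it, and check the sample options table."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root), find_rogue_options(sample_options_db())


if __name__ == "__main__":
    tree_findings, option_findings = demo()
    for kind, path in tree_findings:
        print(f"{kind:16} {path}")
    print("rogue options:", option_findings)
```

Run it against a real site by replacing the temporary directory with the WordPress root and pointing `find_rogue_options` at a DB-API connection to the live database; everything it reports is a lead to inspect by hand, not a verdict, since dot-files and non-standard permissions also occur on perfectly healthy installs.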

    Nihad Nagi

    (@nihadnagi)

    Thank you timeuser, I will be providing a step by step solution for everyone here within 15 minutes, hope it helps. This message is just to let you know, that the issue was not overlooked.
    Regards.

    Nihad Nagi

    (@nihadnagi)

    Patience my friend, we just got those who got in; we need to know who opened the door for them, and whether he is outside now or still in, because if he still is, we will kick these two out and very soon he will open the door again, because he is in.
    Let’s interrogate them by copying and pasting the code inside these two files, so they would tell us. So, please do copy and paste the code here.

    Nihad Nagi

    (@nihadnagi)

    What about the first, am I right about it too?

    Nihad Nagi

    (@nihadnagi)

    If you are using the Audio Player with these attributes:
    Audio Player
    Version: 2.0.4.1
    Author: doryphores
    then the second intruder is “wp-ajax-gadget.php”, examine the standard package. If different, please confirm. If yes then there is one last step, to do and we are all clean.

    Nihad Nagi

    (@nihadnagi)

    That’s our first intruder: zipper-class.php is not one of the files in the All-in-one SEO pack. How did I know? I downloaded the pack to my local machine, extracted and examined it, and there is no file with that name in the standard package. Try it yourself. Download the package to your LOCAL machine and examine it. We got the first guy in, let’s go for the others.

    Nihad Nagi

    (@nihadnagi)

    Ok, timeuser, you have a file called zipper-class inside the All-in-one SEO pack, am I right?

    Nihad Nagi

    (@nihadnagi)

    Ok, can you tell me what other form plugins you have used before and currently deactivated, if any.

    Nihad Nagi

    (@nihadnagi)

    Not only hidden files, any files starting with a “period” (.)

    Nihad Nagi

    (@nihadnagi)

    Well, we know now how the backdoor opened. These rewrite rules block the wp-includes files from being accessed by any malicious user. Adding those to your .htaccess will be the last step to do, because this kind of hack targets your traffic-dense pages; they don’t reveal any visible symptoms on your website, but they target your page ranking. Anyway, we will do it together and concrete the backdoor. But before we do that, we must catch those who got in first.

    The first thing we want to check for now is the plugins folder. Please select “show hidden files”, whether you are using FTP or cPanel, and start with the ‘Akismet’ folder: look for .akisment.cache.php, .akismet.db.php, and so on; note the period at the beginning of the file name. Repeat this with every plug-in folder.
