orchidred

I have looked all over their site, but I can’t find anything on formatting the appearance. I may email the author, but I thought I’d see if anyone where knew that answer first!

??

Oh no, I’m not hand coding this page. It’s being run with the Amazon Media Manager Plugin, that’s why I’m not sure how to make the text wrap around the images. If I weren’t doing this with AMM I wouldn’t be having this problem.

The books aren’t in a book category, and they don’t link to specific posts, its all being done with with AMM.

Hmm, well I added a bunch of “dummy text” underneath The Illuminator to see if having more content would push it up, but it didn’t.

What do you mean by using the same format?

My host just got back to me and said that the problems I’m having with WP don’t exist on the old server anymore, but followed me to the new one. They are going to install something called PHPSuexec to track activity on my site and see if someone is using my account to cause problems.

Thanks for all your advice Vkaryl (and everyone else!), hopefully this whole thing will be resolved soon. ??

Ok, I was just worried that it was that hacker file again since I still get those errors inside the admin panel. Thanks Moshu.

I haven’t made any changes to my blogs in the past 24 hours, but now I’m recieving this error message on and off:

“Error establishing a database connection

This either means that the username and password information in your wp-config.php file is incorrect or we can’t contact the database server at localhost. This could mean your host’s database server is down.”

I’ll get this error for about 5 minutes, then suddenly the site will load, then it won’t anymore. I’m not getting responses from my hosting company so I’m not sure what I should do. Help!

Ok I am totally confused because if I CHMOD my folders to 755 and my files to 644 as described on this site, then WP stops working altogether.

* bump *

So I’ve read on a few weblogs what were hit with this that setting permissions to 644 and 755 is not enough. Do you know what the WP files/folder permissions should be set to in order to prevent another attack? I’m talking about the files in:

the root directory
wp-images
wp-admin
wp-content
wp-includes

As well as the folders themselves.

Also, I’m assuming I’m getting this WP error under “Presentation” because my files aren’t 666 anymore?

Warning: file(/home/akakestr/public_html/muse/wp-content/themes/classic/style.css): failed to open stream: Permission denied in /home/akakestr/public_html/muse/wp-includes/functions.php on line 1434

Warning: implode(): Bad arguments. in /home/akakestr/public_html/muse/wp-includes/functions.php on line 1434

Warning: file(/home/akakestr/public_html/muse/wp-content/themes/default/style.css): failed to open stream: Permission denied in /home/akakestr/public_html/muse/wp-includes/functions.php on line 1434

Warning: implode(): Bad arguments. in /home/akakestr/public_html/muse/wp-includes/functions.php on line 1434

I don’t know where my friend is hosted, I emailed her about it. I’ll ask about her plugins also.

I’m hosted at EStarr.com, they have been very helpful in trying to resolve this and if it weren’t for them my sites wouldn’t be working right now. They haven’t been able to locate the hack file though.

Lets see, the plugins I have in my folder (though I dont use all of them) are:

Spam Karma 2: https://unknowngenius.com/blog/wordpress/spam-karma/

Adhesive: https://www.asymptomatic.net/wp-hacks

Kittens Friendly Comments: https://mookitty.co.uk/devblog/category/friendly-comments/

The default Hello Dolly and Markdown plugins

Kittens Spam Words: https://blog.mookitty.co.uk/devblog/kittens-spam-words/

Links Page: https://www.asymptomatic.net/wp-hacks

MiniPosts: https://doocy.net/mini-posts/

Project Plugin: https://scapermoon.net/

Spam Karma 1

Textile: https://www.huddledmasses.org/

WP-Amazon: https://manalang.com/wp-amazon

Contact Form: https://ryanduff.net/projects/wp-contactform/

Wp Grins: https://www.alexking.org/software/wordpress/

// Edit: The only plugins I have in common between my two hacked blogs are the project plugin and the default WP plugins. The project plugin is what controls those little progress bars on my sites //

Incidentally, one of a friend of mine just had her blog hacked in the same way and all her files were CHMOD 644 and 755. It didnt seem to make a difference.

Estjohn, I know you’re right but I have no idea how to find the file and so far my host can’t find it. ??

As for permissions, I’ve changed the root wp files and all the wp-content files (except Spam Karma 2 which says it has to be 666?) to 644 and 755 (folders). I’m not sure what to change wp-images, includes and admin to? I mean, don’t those need to be writable for WP to function?

Sorry if this is a dumb question. ??

Everything seems to be back to normal for now, my host restored the site backups and I changed all the passwords.

I did a search on google and it seems a lot of people are having this problem! Mean hackers.

Also, I just found a new DB user on my site, neither I nor my host added this user to the MySQL.

This is what my host tells me is happening, I don’t quite understand it all but I wanted to share this most recent info:

“Ita€?s not a particular host, ita€?s your site. No other servers have this issue, and the old server you were on doesna€?t either….whatever they found in your site theya€?re using. And it seems theya€?ve found it in other peoplea€?s sites as well.

The files were uploaded through an exploit, Ia€?m not sure where. Ia€?m going to check your logs to see if I can find it quickly. The processes were not running off files on the server, the command was called from another server, which allowed them to upload to the /tmp directory which all clienta€?s accounts can access (as it is needed for scripts to run). ”

Hi all, sorry for not responding sooner I was at work and didn’t have computer access.

My host thinks there is a file somewhere in the root folder of my server and that it has been systematically rewriting every WP file on the _entire_ server, so it’s not just my account. They think this is the case because they found a txt file that has been logging all the files that have been corrupted.

It seems like it only rewrites WP files because non-WP php files haven’t been affected. (We’re guessing that it exploits the fact that many of them were CHMOD to 666 like whooami said?) It completely messes up the admin panel and turns comments/permalinks into links to a wmv porno file.

That’s all I know. My host temporarily stopped the attack by freezing some folders, but they haven’t been able to find the file that is responsible for all this.