Archive for the ‘Technology’ Category

Surviving WordPress Compromise (part 2)

Monday, March 5th, 2012

Once you feel comfortable that your WordPress site is back, it is time to locate where the malicious code came from.
If your provider gives you access to the logs, you may be able to determine which file(s) contain the malicious code. How will you do that? You will see web requests for specific file(s) deep in your WordPress (or former WordPress) site.
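One way to pull those requests out of an access log, as an added example that is not part of the original post. It assumes the provider's log is in Combined Log Format; the sample lines, addresses and theme name are constructed. Hits are leads to inspect, since some plugins legitimately serve PHP from these directories.

```python
import re
from collections import Counter

# Combined Log Format: host ident user [time] "METHOD target proto" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# PHP files below wp-content / wp-includes are rarely requested directly by visitors.
DEEP_PHP = re.compile(r"^/(?:wordpress/)?wp-(?:content|includes)/.+\.php$", re.I)

def direct_php_hits(lines):
    """Count successful requests to PHP files deep inside the WordPress tree."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a request line we can parse
        _host, method, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore the query string
        if status.startswith("2") and DEEP_PHP.match(path):
            hits[(path, method)] += 1
    return hits

# Constructed sample log lines (documentation-range addresses, hypothetical theme).
SAMPLE = [
    '192.0.2.10 - - [04/Mar/2012:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Mar/2012:10:02:11 +0000] "POST /wp-content/themes/mytheme/functions.php HTTP/1.1" 200 312 "-" "-"',
    '198.51.100.7 - - [04/Mar/2012:10:02:40 +0000] "POST /wp-content/themes/mytheme/functions.php?x=1 HTTP/1.1" 200 298 "-" "-"',
    '192.0.2.10 - - [04/Mar/2012:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [04/Mar/2012:10:04:00 +0000] "GET /wp-content/plugins/missing.php HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for (path, method), count in direct_php_hits(SAMPLE).most_common():
        print(count, method, path)
```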
In my situation, the file {theme_name}/functions.php was infected. I checked one of my backups and did see the added code at the top of the file. The added code had “eval (base64_decode” and the code of the hack after it.
While you are looking at your site, you should do a visual inspection of all the files and make sure that all the files out there are yours. Why do I say that? Well, your site had malicious code on it. Correct? What would stop the bad guy from adding their own code to your site and having it run there? Nothing is really stopping them from that. My suggestion is to take the time and verify all the folders/files on your site. If those files/folders are not associated with your site, delete them.
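The file-by-file check can be partly automated. The following is an added example, not code from the original post: it compares the live tree with a known-good copy (assumed here to be an older backup or a fresh install plus your own themes) and flags files that are new, changed, or carry the “eval (base64_decode” marker. The demo trees and file names are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Marker quoted in the post; whitespace between the tokens is optional.
INJECTED = re.compile(rb"eval\s*\(\s*base64_decode", re.IGNORECASE)

def manifest(root):
    """Map relative path -> SHA-256 digest for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def audit(live_root, clean_root):
    """Return {relative path: [reasons]} for files that need a closer look."""
    live, clean = manifest(live_root), manifest(clean_root)
    findings = {}
    for rel, digest in sorted(live.items()):
        reasons = []
        if rel not in clean:
            reasons.append("not in known-good copy")
        elif clean[rel] != digest:
            reasons.append("modified")
        if rel.lower().endswith(".php") and INJECTED.search(Path(live_root, rel).read_bytes()):
            reasons.append("eval(base64_decode marker")
        if reasons:
            findings[rel] = reasons
    return findings

def build_demo(base):
    """Constructed sample trees: a clean copy and a tampered live copy."""
    theme = "wp-content/themes/mytheme/functions.php"  # hypothetical theme name
    files = {theme: "<?php\n// theme setup\n",
             "wp-content/uploads/2012/02/photo.jpg": "JPEGDATA"}
    for tree in ("clean", "live"):
        for rel, body in files.items():
            target = Path(base, tree, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    # Tampering: code prepended to functions.php, plus a stray PHP file.
    infected = Path(base, "live", theme)
    infected.write_text("<?php eval (base64_decode('PLACEHOLDER')); ?>\n" + infected.read_text())
    Path(base, "live", "wp-content/uploads/2012/02/cache.php").write_text("<?php ?>")
    return Path(base, "live"), Path(base, "clean")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(*build_demo(tmp)))
```

Against a real site, call `audit()` with the path of the FTP copy and the path of the known-good copy; new files under uploads are expected, new PHP files there are not.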
In retrospect, to keep this from happening in the future, make sure that you do not use simple, easy passwords and that your passwords are unique from site to site.

Surviving WordPress Compromise (part 1)

Sunday, February 26th, 2012

So, your WordPress site has been hacked…

Hidden PHP file that contains the malicious code.

1. Make a backup of your site including the database.
In your control panel there should be a backup application to make a backup of your entire site. Once the backup is complete, download the created file.
Use FTP to copy your entire site to your local computer.
Use phpMyAdmin to make a dump (copy) of the database.

It is better to have too many backups than not enough and lose your data.

2. Make a screenshot of your plugins and themes (optional, as you do have the names and files in the backups).

3. Remove all plugins and themes and see if that gets rid of the malicious code.

If that does not remove the malicious code then the site needs to be deleted and re-created.

4. Remove WordPress from your installed applications in your control panel. This will permanently delete the WordPress site.

5. Re-install WordPress in your control panel and make sure that WordPress is up to date.

6. Edit the MySQL database dump file and change the name of the database to be the newly created database name.

7. Inside of phpMyAdmin, remove all the tables that WordPress created.

8. Import the database dump file. When it is imported, it will create all of the tables that were just deleted.

9. Verify that the site comes up with the correct data and that the malicious code has been removed.

10. Re-install any plug-ins and themes.

11. Copy the uploaded files that were in the original site. Typically these files are under /wordpress/wp-content/uploads

Recover passwords from Plesk

Friday, September 16th, 2011

Consider the following scenario in a Plesk control panel.

You need to restore an FTP account password, or a Frontpage account password, or an email password, or a specific domain admin password.
But you cannot reset the password.

Perform a backup of the affected domain and only back up the configuration. There is no need for the data. Once you have the backup, extract the corresponding XML file and open it in your favorite text editor. The passwords it contains are the passwords that Plesk is aware of.

If the password(s) were changed using a method other than the Plesk control panel, then the password(s) are not recoverable with this process and the only option is to reset the password(s).

Plastic Limey: Facebook breaks their RSS feeds

Thursday, June 16th, 2011

Plastic Limey: Facebook breaks their RSS feeds.

ERROR: PleskFatalException wrong id

Tuesday, June 7th, 2011
ERROR: PleskFatalException
wrong id

Additionally, an exception has occurred while trying to report this
error: PleskFatalException
wrong id

0: UserDomain.php:17
UserDomain->__construct(NULL null)
1: class.Session.php:229
2: elements.php3:1117
getPleskTitle(string '')
3: index.php:141

If you just changed your domain administrator password, that would cause this error message. Close your browser session and re-open it.


Smartermail 550 No such user here error

Tuesday, May 31st, 2011

Consider the following scenario:

When sending an email via Smartermail, the sender receives a 550 No such user here error.

If SMTP authentication is enabled on the Smartermail server, the sender’s email client needs to be configured to send the login/password information to the server so that the server can validate and authenticate the sender.

Email not delivered to mail group recipients (Plesk)

Wednesday, May 25th, 2011

Consider the following scenario:

Plesk control panel installed on top of a hosted mail server.
Inside of Plesk, an email object is created and then enabled for a mail group. Email addresses (recipients) are added to the mail group.
An email is sent to the mail group and is never received by the recipients.
The email log file shows that the email was received successfully; however, it was never delivered to the intended recipients (in the mail group).

The mail object in Plesk has the mail group and mailbox enabled. Because both are enabled the email is sent to the mailbox and the mail transaction is complete.
Once the mailbox was turned off in Plesk the email is properly sent to the intended recipients (in the mail group).

Smartermail Error: rsp: 451 Requested action aborted: error in processing

Wednesday, April 20th, 2011

rsp: 451 Requested action aborted: error in processing
06:59:56 [][20062140] Exception: Index was outside the bounds of the array.
at TcpServerLib.SMTPSession.#EDc(String )
at TcpServerLib.SMTPSession.ProcessAsyncCommand(String smtpCommandText)

Make sure that the third party application is using a fully qualified SMTP address when attempting to send/relay through Smartermail.

Vonage Issues, Day 16 – March 11, 2011

Monday, April 4th, 2011

7:30am I get a phone call from TW.   I looked at the caller ID and thought, WTF?   I talked to the TW person and said that I had my phone number.   Well… I had to test it for myself and lo and behold, I had my old phone number.

Granted, now, I no longer have a $15 phone bill…. and Vonage has lost a customer for life….

I was thinking about pursuing Vonage some more, but why?   My perception is that Vonage messed up.   Period.   No sense in opening up a can of worms.

Vonage Issues, Day 15 – March 10, 2011

Tuesday, March 29th, 2011

Give TW a call to find out what is going on.   The first thing that I hear is that I have an appointment for tomorrow where a technician will be over between 8am and 7pm.   Nice… thanks…

So.. I finally get to talk to an actual humanoid.   I find out the reason why I didn’t get my phone number the night before was that “there was an error in the system.”   Hmm….  wonder if I can use that catch phrase in my line of business….

Anyway, the humanoid tells me that they will make the phone number transfer tomorrow.