Dreamhost took down my site, HELP


#1

My site has been upgraded to the newest version of wordpress, but then was taken down due to a “phishing exploit.” I was given instructions to fix it which involves the site being UP so I can get into wordpress and remove unneeded plugins and update old ones and install recommended phishing detection plugins.

How can I fix it if I can’t get access to the site?

I have been with dreamhost for several years, faithfully and loyally, even with all the downtime and slowness issues that happen off and on, didn’t matter. They’ve always treated me well, responded immediately and professionally, and have been forward thinking, progressive, and customer-service friendly. I have several sites hosted here, never had a problem. Recommended them to my friends and they all jumped on the bandwagon with me, and we’ve been very happy with our service.

For the first time in history I’ve got this feeling of being ignored. I’m helpless. Can’t do anything they suggest I do without the site being enabled. We can’t call them but must “schedule” a phone call to be made within a 3 hour block of time, which means they call you when they can get to it. This is frustrating because I believe this whole situation could be resolved with a simple phone call. Instead, I email support, get a NEW person handling the call who has to learn the whole situation from scratch, offers suggestions, I write back, and ANOTHER new person responds without the knowledge base of the previous support person.

This isn’t the dreamhost I know and love.

Here is the last email I got over 24 hours ago, with suggestions from JasonC from dreamhost… and I’d happily follow these if I could (but I can’t since the site is down … don’t they realize that?)

If I don’t get this resolved within the week, I’ll have no choice but to leave dreamhost. No sense paying for website that I can’t use.

What else can I do? Any suggestions? I feel completely helpless, and this has been going on for a week.


On Wed, Apr 8, 2009 at 6:52 PM, JasonC of DreamHost jasonc@dreamhost.com wrote:

Reply from DreamHost (Apr 7th, 2009 - 20:34:30 / #25140589)

Hi Jay,

So let me see if I can try to straighten you out. My name is Jason and I’m the resident WordPress nerd around these parts. I want to try to help you fix the issues you’re seeing with your WordPress install. From the sound of things, the hacker has left a backdoor in your current install and continues to use it to get in.

To start, get rid of any plugins and themes that you don’t use. Well, except for the “default” theme. That needs to be there. Then you need to install fresh copies of the theme and plugins which you do use (i.e. have active) and use the following plugins:

http://wordpress.org/extend/plugins/exploit-scanner/
http://wordpress.org/extend/plugins/wp-security-scan/

These should help you tighten up and hopefully clean out your current install.

There’s also an article on the WordPress Codex that is full of hints on hardening up your install after you’ve run those plugins:

http://codex.wordpress.org/Hardening_WordPress

Alternately, if you find that you’re still seeing issues, there’s always the tried and true export and reinstall. If it comes to that, feel free to mail me directly at "jasonc@dreamhost.com" and I’ll do what I can to help walk you through that. After all, I’m always happy to lend a hand whenever it might be needed.

Thanks! Jason


#2

Email him back (or contact Support) and give him your home IP address so they can block all traffic except you.

-Scott


#3

You can remove a lot of stuff via phpMyAdmin or the command line.

http://perishablepress.com/press/2008/02/18/quickly-disable-or-enable-all-wordpress-plugins-via-the-database/

Use FTP to edit/remove any exploited files/directories/themes.



#4

I would remove things if I knew what to remove. I have asked several times which files were being exploited and hadn’t gotten a response. I was told only what you saw above. If I was in phpmyadmin or at the command line, I would need to know what to specifically look for, and what is safe to remove. At the command line, I would need to know what commands to type (I’m not a unix administrator, just a guy maintaining a wordpress driven site, with a basic understanding of FTP.)

I deleted any suspicious looking folders via FTP, and was about to upgrade my plugins but they won’t let me use the site through which I would normally do that.

I’m willing to work with them but they need to give me access, or fix it themselves and re-enable the site.

Hell, I’d reinstall the whole flipping thing from scratch if that’s what it takes. Just need access.


#5

Just to be clear, I have emailed them yesterday and today since I got that email posted above. Haven’t had a response in over 24 hours.


#6

All of the plugins are in wp-content/plugins. Themes are in wp-content/themes.

You could theoretically just rename or delete that directory so you’re plugin-free. Then see if you can download those two plugins and put them in a new plugins directory. You’d still need to log into wp-admin to activate the plugins, though.

And get rid of all themes except the one you’re using, and Default.

-Scott


#7

That was an AWESOME suggestion, btw!

I just went in there and tried to remove all my unused themes … guess what? They changed the file permissions so that I don’t have any access to delete, rename, or move anything.

Are my hands tied or what?

I scheduled a phone call for the 3 - 6 pm Pacific block of time today, so far no callback.


#8

Out of curiosity, do you have any other domains here that are working?

-Scott


#9

Yes, I’ve got roughly 10 domain names hosted through dreamhost, they all work fine but this one.


#10

They just granted me access to my IP address only. Trying what they suggested earlier now. Will let you know what the outcome of this is.


#11

Issue is “resolved” I hope.

There was a folder in wp-content called “1” filled with nasty looking php files. Also there were dozens of fake registered users from Russia and China with very suspicious names. Removed all those, unchecked the box that says “anyone can register.”

Upgraded ALL the plugins, even the inactive ones.

Dreamhost re-enabled the site.

The only thing left to do (should this happen again) is to reload wordpress from scratch using the one-click-install method.
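As an added example, not code from this thread or from DreamHost, the POSIX sh script below checks a WordPress document root for the two file-system signs the poster found by hand in post #11 (a stray directory at the top of wp-content, and PHP files under wp-content/uploads, where only media belongs). The list of expected wp-content entries is an assumption for a stock install, and the sample tree that make_sample builds is constructed to mirror the post.

```shell
# Added example, not from the thread: audit a WordPress document root for the
# artefacts the poster found (a stray "1" directory under wp-content, PHP
# dropped where only media belongs). The sample tree below is constructed.

# Entries a stock wp-content may contain (assumption: stock 2.x/3.x layout).
KNOWN_WP_CONTENT="index.php plugins themes uploads upgrade languages mu-plugins"

is_known() {
    for k in $KNOWN_WP_CONTENT; do
        [ "$1" = "$k" ] && return 0
    done
    return 1
}

# Print one finding per line; return 1 if anything was found, else 0.
audit_wp_content() {
    root="$1"
    found=0
    # Anything else at the top of wp-content was not put there by WordPress.
    for entry in "$root"/wp-content/* "$root"/wp-content/.*; do
        [ -e "$entry" ] || continue
        name=$(basename "$entry")
        [ "$name" = "." ] || [ "$name" = ".." ] && continue
        if ! is_known "$name"; then
            echo "UNEXPECTED wp-content/$name"
            found=1
        fi
    done
    # uploads/ is web-served and writable by the site: PHP there is a red flag.
    php_uploads=$(find "$root/wp-content/uploads" -type f -name '*.php*' 2>/dev/null)
    if [ -n "$php_uploads" ]; then
        printf '%s\n' "$php_uploads" | sed "s|^$root/|PHP-IN-UPLOADS |"
        found=1
    fi
    return $found
}

# Constructed sample tree mirroring the thread: a legitimate plugin and theme,
# a photo upload, plus a "1" directory of PHP files and a PHP file in uploads.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/plugins/akismet" "$d/wp-content/themes/default" \
             "$d/wp-content/uploads/2009/04" "$d/wp-content/1"
    touch "$d/wp-content/index.php" "$d/wp-content/1/a.php" "$d/wp-content/1/b.php" \
          "$d/wp-content/uploads/2009/04/photo.jpg" "$d/wp-content/uploads/2009/04/img.php"
    echo "$d"
}

# Stand-alone use: sh audit.sh /path/to/wordpress
if [ -n "${1:-}" ]; then audit_wp_content "$1"; fi
```

The database-side findings from the post (the fake registered users and the “anyone can register” setting) are not covered here; those need phpMyAdmin or the wp-admin screen.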


#12

Backup your database and reinstall WP completely ASAP.
