Template reset for no reason?


#1

Ok so long story short I am using a virtual shared server on Dreamhost and I bought a template from templatetunning.com (and they installed it). I have been building my site for the last week (well, more playing, but going in the right direction).

Today I changed a few small things… had lunch and came back to work on it again and it is now back to the original unmodified theme?

Also a friend was looking at my progress yesterday and was attacked by a virus (not sure if it is related or not).

I tried the restore (with no luck). I'm not worried about what I have lost so far because I was really just learning, not building.

How do I keep this from happening in the future? Also is there a way to do live backups on dreamhost / wordpress?

Thanks


#2

That sends up red flags to me right there!! They shouldn't need access, and I would be leery of giving access to my account to anyone.

Also, just navigating to templatetuning.com triggers my Norton Internet Security with a phishing warning. Norton's report is here: http://safeweb.norton.com/report/show?url=templatetuning.com

Open a ticket with dreamhost support and ask them to scan your domain.


#3

Ok thanks for the input… I googled them and could not find any negative things about them and thought I was safe :frowning:

I hate people that have nothing better to do than try and ruin others hard work :frowning:

Thank you for your help.
Ok so I tried to open a ticket and it asked me what database I was having issues with… when I looked in my panel I have multiple now??

Domains hosted: ecsrepnw.com
Domains registered: ecsrepnw.com
Databases: ecsrepnw_com_4 0.01 MB
ecsrepnw_com_5 0.01 MB
ecsrepnw_com_6 1.26 MB

I have been doing all of my work from my WordPress site directly at my domain so I did not notice this before. Any idea why I have 3? I know they were having problems installing so I'm not sure if they created more for a specific reason? Or if, when I deleted WordPress a few weeks back, Dreamhost automatically created these new databases?

I want to make sure I ask Dreamhost to look at the correct database (I assume it's the _6 one). Should I delete the others?


#4

these two:

ecsrepnw_com_4 0.01 MB
ecsrepnw_com_5 0.01 MB

look pretty empty by the size. I'm guessing you told the one-click installer to create new databases with each install, and they are sequentially numbered. The database ending in _6 I'm sure is what you are using, but you could confirm by opening your wp-config.php file and checking what database is specified there.


#5

When I opened a ticket I was told:

I am sorry to hear of this trouble! Unfortunately, performing a forensic
analysis of how this happened in your case, or conducting a full security
audit or repair of your sites/code is beyond the scope of the support
that I can provide. That said, I am happy to point you in the right
direction.

Embedded codes/malwares are becoming a more and more common method that
spammers use to try to promote their sites or distribute their malware.
The fact you’ve noticed this on your pages is likely a sign that your
site has been compromised in one or more ways.

Note that simply replacing the damaged code with old code from before the
attack is rarely effective, as this alone will not address the attack
vector that was used to damage your site. Unless you find, and fix, the
vulnerability that allowed this to happen in the first place, you will
remain susceptible to continued defacement of your site.

Here’s some information you can use to help to identify what may have
happened and how to rectify it and possibly prevent it from happening
again.

The two most common entry points for a compromised website are
(1) vulnerable, typically out-of-date web scripts (blogs, forums, CMS,
etc.) or (2) a compromised FTP/SSH user password.

1. All web scripts you have installed under your domain should always be
   kept up-to-date with the most recent version available from the vendors'
   website, as these often contain security patches for known issues. Older
   versions of well-known and popular web software (including WordPress,
   phpBB, PHPNuke, PostNuke, etc.) are known to have vulnerabilities that
   can allow injection and execution of arbitrary code. Also make sure not
   to store 'archive' versions of old software in an open web directory;
   if you intend to keep these they should be stored under your FTP user's
   home directory, not under a domain directory. Finally, some plugins for
   popular software (such as Expose for Joomla) have been found to introduce
   similar vulnerabilities. It's a good idea to search the internet for
   information about a plugin and ensure it doesn't have any known issues
   before installing.

After updating your software, it is imperative that you go through all
files under all directories for the user which has been compromised and
ensure that any files which have been written to / modified have been
removed. It is common for ‘hackers’ that exploit web scripts to upload
innocuously-named scripts which they can use to further compromise the
site more easily, even after the initial vulnerability is closed –
including scripts to send spam mail or execute arbitrary shell commands
under your account via a simple web page interface.

A helpful tip for finding files of this nature is to look for files or
directories that have timestamps that occurred since you last modified
your site, or that occurred around the time that the ‘hack’ took place;
still it is best to examine all files as even a single missed file can
allow the site to be re-compromised.

2. A bit less frequently, an FTP password can be compromised and used to
   modify files. The most important part of securing your account in this
   case is to change your FTP user's password via the (USERS > MANAGE
   USERS) -> "Edit" area of the control panel. Passwords should not contain
   dictionary words and should be a string of at least 8 mixed-case alpha
   characters, numbers, and symbols. The best option for selecting a new
   password is to use our "Pick a password for me" feature. Check that box
   near the bottom of the page then click on the "Save Changes" button. The
   system will generate a very strong random password for this account. It
   will be displayed on the next page.

It is recommended to always use Secure FTP (SFTP) or SSH rather than
regular FTP, which sends passwords over the internet in plaintext. You
should not use any passwords that you’ve used with other services, and
ideally you should never use the same password for email, control panel,
and FTP/SSH. Finally, you should always ensure that you’ve got up-to-date
virus/malware screening on your computer to ensure that it is not
compromised itself.

Follow these links for more information on Strong Passwords…

(http://www.microsoft.com/protect/yourself/password/create.mspx)

(http://en.wikipedia.org/wiki/Password_strength)

Though this alone will not fix the problem, you may be able to recover
your old files using the “Restore” option under the “Actions” column for
your domains on the “Manage Domains” section of the panel (but if you do
this, realize that the backups may contain bad code as well, so this is
not a fix in and of itself).

For database restores, go to (GOODIES > MANAGE MYSQL) in the control
panel and click on the “Restore DB” button across from a specific
database.

You might also want to check out this article in our Wiki for more
information about how to deal with a hacked site…

(http://wiki.dreamhost.com/Troubleshooting_Hacked_Sites)

I have submitted your account for a scan for known vulnerabilities, and
malicious code, that may provide more account-specific information. It
could take several hours for the scan to complete, depending upon the
number of accounts awaiting the scan, but the scanner will write you with
a report of what it finds. If you do not receive such a report within 24
hours, please let us know so we can make sure the scan properly completes
and you receive the results.

Regards,

RLP


#6

Let’s see what that produces…


#7

So here is the reply they sent. To be honest, reading this I struggle to understand if they actually found any issues? I did already change all of my passwords to more complex ones.

Thank you for writing. Let us assure you that you're not on your own! We're here to guide you through this process as much as we possibly can. By the time you're reading this email we have attempted to clean some basic rudimentary hacks out of your account and fix any open permissions; any actions taken will be noted below.

Going forward, we need you to take care of some basic site maintenance steps to ensure that your account has been secured. To get started, please read and act on all of the information in the email below. Since it involves editing and potentially deleting data under your users we are not able to complete all tasks for you. If you have questions about the noted items please provide as much information and detail as possible about where you are getting stuck and we will do our best to assist you.

Here’s another area where we’re able to help – if you would like us to scan your account again for vulnerabilities after you have completed some or all of the steps below, please reply to this email and request a rescan and we can then verify your progress or if there are any lingering issues.
Scanning your account we did not find any issues known to our custom scanner. This doesn’t mean that problems do not exist, just that we could not find them automatically. Please review the below for general information on how to deal with hacked websites. Most commonly hacking exploits occur through known vulnerabilities in outdated copies of web software (blogs, galleries, carts, wikis, forums, CMS scripts, etc.) running under your domains. To secure your sites you should:

  1. Update all pre-packaged web software to the most recent versions available from the vendor. The following site can help you determine if you’re running a vulnerable version:
    http://secunia.com/advisories/search/

You should check ALL domains for vulnerable software, as one domain being exploited could result in all domains under that user being exploited due to the shared permissions and home directory.

  2. Remove ALL third-party plugins/themes/templates/components after upgrading your software installations, and from those that are already upgraded under an infected user. After everything is removed, reinstall only the ones you need from fresh/clean downloads via a trusted source. These files typically persist through a version upgrade and can carry hacked code with them. Also, many software packages come with loads of extra content you don't actually use and make searching for malicious content even harder.

  3. Review other suspicious files under affected users/domains for potential malicious injections or hacker shells. Eyeballing your directories for strangely named files, and reviewing recently-modified files, can help. The following shell command will search for files modified within the last 3 days, except for files within your Maildir and logs directories. You can change the number to change the number of days, and add additional grep exception pipes as well to fine-tune your search (for example if you're getting a lot of CMS cache results that are cluttering the output).
    find . -type f -mtime -3 | grep -v "/Maildir/" | grep -v "/logs/"

If completing the noted recommendations does not solve the problems you are experiencing please provide us with as much information as possible about your account including:

- A full list of all PHP web software running under your account, including current running version numbers.
- Whether you've recently updated your PHP web software to the current secure release by the vendor.
- Whether you've removed all themes/plugins/components/templates/etc. from your software installations after updating, and reinstalled the ones you need from fresh/clean downloads via a trusted source.
- What files you've seen modified, or what suspicious behavior you're seeing on your website. Please include as much specific detail as possible so that we can review exactly what you're seeing.

For information specific to WordPress hacks please see:

Also, now when trying to use FileZilla I get "Error critical error could not connect to server" ??
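Post #4 suggests confirming the live database from wp-config.php, and the support reply above gives a find | grep pipeline for recently modified files. The following is an added example (not from the thread, the support team or DreamHost) that does both: it pulls DB_NAME out of wp-config.php and lists files changed in the last N days while skipping Maildir and logs. It goes slightly beyond the reply by pruning paths inside find instead of post-filtering with grep; the directory tree it builds is constructed sample data.

```shell
#!/bin/sh
# Added example, not the thread's own commands. Demonstrates on a constructed
# throwaway tree so it runs offline; point the functions at a real home
# directory and wp-config.php to use them for triage.

# Print the database name WordPress is configured to use (post #4's check).
# Matches lines like: define('DB_NAME', 'ecsrepnw_com_6');
wp_db_name() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]DB_NAME['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1"
}

# List regular files under $1 modified within the last $2 days, excluding
# anything under a Maildir or logs directory (the support reply's filter),
# sorted so successive runs can be diffed.
recent_files() {
    find "$1" -type f -mtime "-$2" \
        ! -path '*/Maildir/*' ! -path '*/logs/*' -print | sort
}

# --- constructed sample tree (assumption: layout resembles a DreamHost home) ---
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
mkdir -p "$demo_root/site/wp-content/uploads" "$demo_root/Maildir" "$demo_root/logs"
printf '%s\n' '<?php' "define('DB_NAME', 'ecsrepnw_com_6');" > "$demo_root/site/wp-config.php"
echo 'x' > "$demo_root/site/wp-content/uploads/new.php"   # fresh file: should be listed
echo 'x' > "$demo_root/Maildir/mail"                      # excluded directory
echo 'x' > "$demo_root/logs/access.log"                   # excluded directory
echo 'x' > "$demo_root/site/old.php"
touch -t 200001010000 "$demo_root/site/old.php"           # old mtime: outside the window

echo "Database in use: $(wp_db_name "$demo_root/site/wp-config.php")"
echo "Files modified in the last 3 days (excluding Maildir and logs):"
recent_files "$demo_root" 3
```

On a real account, run recent_files against the user's home directory and compare the list against what you yourself changed; anything you do not recognise deserves a look.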


#8

Hi r33pwrd,
I have read through many of your posts here and feel bad that you are having such troubles getting your WordPress site going.

I am not sure how you found templatetuning or what research you did before deciding to hire them to set up your site, but a cursory Google search for "templatetuning.com reviews" produced enough red flags within the first few links that should have given you serious pause. Essentially, at best they charge a premium for minimal services that are found for free at wordpress.org - and even at some of the other premium WordPress developers' sites - or for easy customizations you could have figured out on your own by simply spending a bit of time learning the basics of your chosen CMS. They charge money for templates that are open-source (freely available at wordpress.org, for example). At worst, they are credit card scammers, phishers and thieves.

If they are a decent company, you should be able to simply contact them again to let them know that the template they installed is breaking your site and perhaps contains malware, essentially, tell them what you posted in your original post here, and they should quickly fix it for you. What did they say when you contacted them?

Are you infected or not? Hard to say without your URL to check out, but it’s definitely not working anymore and it’s quite possible that if you could see your server files you’d see quarantined files from the DH scan. Even if your site is completely hosed, you should be able to get to your server files…

Frankly, since you are just starting out and say you have no important content at your site, I’d suggest deleting everything at the root of your domain (or wherever you installed your WordPress site) and starting over again.

If you cannot get to your server via FTP at all, get a new ticket going at DH, let them know your whole site is hosed and that filezilla is throwing up errors since DH ran their security scan and see if they will remove all the files for you.

Then, once everything is back to a virgin state, try installing a vanilla WordPress again using DH’s panel. Or, also look at Concrete5, you may find it a more appropriate CMS solution for your needs.

Before you buy another template, spend a little time at WordPress.org and see if there is something that might suit you; it's super easy to install templates through WordPress's dashboard. Even the default TwentyEleven template can be customized with your own header and a few other features.

Best of luck getting back up again. If it’s any consolation, most of us also learned about web security “the hard way”… :slight_smile:


#9

I did a Google search before using them and I did see complaints, but nothing more than people complaining about price and slow service, nothing about malware, or I would have NEVER used them. When I first bought the template my intent was that I would upload it myself, thinking it would be a simple zip file I would download to my machine and then upload to WordPress (I was wrong, and the way they wanted me to install it was very complex and better for me to just spend the 50 bucks vs spending hours learning something I hope to never do again).

OK so FileZilla was not working correctly… I deleted it and re-downloaded it and now I'm able to get in.

I do not see any folders that are labeled "quarantined" (or anything like that).

I have used Concrete5 before and I do not like it. I actually liked the theme I bought at first, but in all honesty probably more than I really needed. For the layout I am going after, WordPress does not appear to have any themes like this.

I have a hard time contacting template tuning without any real proof of a virus or anything wrong, and I'm sure they will simply tell me to talk to my hosting company. I did do a Google search on "dreamhost wordpress template reset" and I see a lot of people that have had this issue besides me. So I'm not sure if they have a similar virus or it is just something that happens on dreampress?

my site is www.ecsrepnw.com

let me know your thoughts?


#10

Hi again,

Can't say 100% without seeing the files, but your site checks out clean at:
http://sitecheck.sucuri.net/results/www.ecsrepnw.com

I didn’t see anything in firebug that jumped out as an issue, either, so your site is probably clean of the current round of WP hacks/malware.

The template looks fine to me.

Make a backup of your WordPress files so if you need to install the template again, you’ll have copies of the files you need offline. I caution, though, letting a third party have access to your admin panel. Unless you are hiring development help that you have truly vetted, it’s a bad idea and shouldn’t be needed, certainly not for a template installation. And, because they installed it instead of you, it seems to have left you unsure about what they added to your WordPress site or how to recreate or troubleshoot it. (They probably installed some plug-ins, also, to make the template work.)

Best of luck learning your way around WordPress and building out your site with your content!


#11

Thank you for all your help guys! I will work on learning how to properly back up the site today :slight_smile: