I understand you replaced all of the WordPress files from your original site. So, I would guess the old wp-config.php is no longer available?
I am unsure about your current database. Is the database you are trying to connect to the same one you were using at the time of the hack?
How did you determine the database name, password and username you entered in wp-config.php?
The MySQL problem is fixed — I had too many characters in the username password. And the username is linked to the database.
Now, I’m getting the white screen of death so I’m reading https://ww.wp.xz.cn/support/topic/white-screen-of-death-7 a
FYI: Since manually reuploading WP, only WP default themes and plugins are in cPanel.
Edit: The white screen of death problem solved.
Knowing that I was going to reupload, I used WP Twenty Twelve theme as the default and it was not in the /themes/ folder — 2013, 2014, and 2015 were there. Added 2012 and Viola! I can login to WP admin.
@wslade
Knowing that I was going to delete WP files, I saved a copy of my wp-config.php and .htaccess (unnecessary). I had changed MySQL and WP admin passwords before deleting WP files and after reuploading WP I changed the passwords again. Hence, I have new passwords for both.
Some things I learned about fixing hack attacks:
1. Use a good anti-virus such as Avast — others like Kaspersky Pro, AVG free, ZoneAlarm free (which is crap) didn’t find that virus, which is at least a 3 years old, https://ww.wp.xz.cn/support/topic/virus-warning-jsiframe-actrj-on-my-site?replies=3.
2. Use only WP plugins that are REGULARLY updated. The best ones are but I use a couple that are not recently updated. Now I have to leave them alone.
Tip: Install plugins via WP admin one-by-one and check your site (front end) after each install to see if you get anti-virus message.
Even though I have Bruteprotect, Wordfence (checks themes and plugins against the Repository for changes), old plugins can be hacked due to vulnerabilities (that hackers exploit).
So, everything is working?
Yes, as mentioned above, I added WP 2012 calendar theme and I’m almost done adding plugins via WP admin.
Now, I just discovered that [moderated] theme contained the virus. I intentionally added plugins first because the ones I use are quite popular and regularly updated. The last thing I did was install the theme [moderated] which I was using and immediately, Avast anti-virus pinged me showing it had the trojan.
Can you believe that [moderated] theme contained the trojan? Always trust your instincts. The first thing I did when I learned about this virus was to activate Twenty Twelve theme and delete [moderated]. Themes are a major source of malware and knowing how that[moderated] developer coded the theme, I naturally felt it could be the source. I had [moderated] for over 2 months now but to be safe I deleted everything and reuploaded. It’s a damn shame that I spent so much time cleaning everything up only to get confirmation that the 1st suspect was the right one. [moderated] is a beautiful theme but a virus-carrier theme.
I had installed 2 other paid/premium plugins within the last 3 weeks so I avoided reinstalling them. However, I can reinstall them since I know that [moderated] theme was spreading the virus. I’ll be contacting the developer asap.
No, I do not believe that theme carried the virus. MANY people have installed that theme- including me, just yesterday. Just because that was the last thing you installed, does not mean that’s how your site got hacked.
And it’s irresponsible to post something like this on a public forum – before contacting the developer if you have such questions about it.
It was NOT the last thing I installed. As I stated, installed it 2 months ago. If you have Avast anti-virus, it will show that Customizr theme is triggering a malware message for a trojan named JS:IFrame-AC[Trj]
I spent a day and a half cleaning up my WordPress and it’s not done yet because I have to find a theme for the site. My first choice is Genesis Framework but they are premium themes. I purchased a premium 2012 child theme back in 2012 but there are good, free themes in WP Repository.
No, I do not have Avast, so I cannot verify that. I did just install the newest version (yesterday) on a site and it does not show any malware on any scanners.
But did you download a new copy from this site (ww.wp.xz.cn)?
Your site/server may not be totally cleaned up.
I’m warning people about nasty malware that’s been triggered whenever I visit my site with Customizr installed and you call me irresponsible? I agree that my site/server may not be cleaned up but Customizr theme is triggering it. It’s an iframe from another server that’s loading on my site.
Of course I downloaded it from the WP Repository via WP admin.
Checking the theme yourself is AS SIMPLE AS downloading Avast anti-virus free and checking it FOR YOURSELF.
My site isn’t the only one using Customizr theme that triggered the malware warning message on Avast anti-virus.
I see that you deleted my post in the Customizer theme support forum.
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
*Raise hand and calls a timeout*
@befree22 Calmly please.
*Visits https://ww.wp.xz.cn/themes/customizr/ and downloads theme from https://downloads.wp.xz.cn/theme/customizr.3.3.20.zip just to make sure, extracts to PC and scans with Norton 360 AV*
The Customizr theme in the WordPress repository is fine, 100% virus free and totally intact.
It was updated 3 days ago.
https://themes.trac.ww.wp.xz.cn/changeset/45622/customizr
It’s a very popular theme and if it were compromised as you are indicating then the support volume for that theme would be off the charts.
Since that did not happen there are three scenarios.
- The theme was hacked and the other 100,000 or so users didn’t notice it (possible).
- Your system has been compromised and that popular theme was part of that compromise.
- Avast is just plain wrong.
I think it’s number 3.
I’m warning people about nasty malware and you call me irresponsible?
Security is a serious business. You’re not really warning people as much as you’re being alarming. There’s a big difference between the two and I am not saying you have bad intentions.
But an Avast alert on your system isn’t really authoritative.
*Re-reads the top part again*
My site was infected with a virus so on the advice of my web host, I manually deleted ALL WordPress files /public_html/ in cPanel and then manually reuploaded a new installation.
I take it back: it’s not number 3, it’s probably number 2. Your WordPress installation or your server or PC itself hasn’t been deloused. It’s not easy and if you’re still getting compromised then you haven’t succeeded in getting to a deloused state yet.
Well, since I’m the only Customizr user with this problem, then the moderator can delete this thread. I wasted my entire weekend.
I’m looking for it. I was thinking that it’s in the database but I really don’t know the source. A web developer would know how to find it with a fine tooth comb. It doesn’t appear to be an image file which can have malware encoded — it’s a php file. http://tinypic.com/r/2nu2lom/8
