• I manage a website with a WP blog located in a subdirectory. The hosting company is Dot5. We recently discovered that the blog had been infected with the WP trojan that ClamXav calls PHP.Shell-38. (Here is the best info I could find on it: http://security.stackexchange.com/questions/37111/wordpress-hacked-found-a-suspicious-class-wp-style-table-php.)

    Our hosting service detected 180 some infected files. I read up on the WP folder hierarchy, backed up, then deleted all the infected files. Well, they scanned again and found more. Based on my understanding of the maliciousness of this trojan, I decided the thing to do was delete everything in the directory, restore the website from a clean local copy, do a fresh WP install, and then selectively upload files containing our settings and content to restore the blog.

    Needless to say, this did not work. I had no idea what SQL was beyond the fact that it was some kind of database language. My assumption was that it must be in the files that I had backed up. When I learned it was not, I assumed all was lost. Checking in with the Dot5 people, however, I now understand that they store SQL databases in a different location, and that all of our content is preserved intact. (Whether it has been corrupted by the trojan is, of course, a separate issue…)

    I found instructions for how to use phpMyAdmin to export and import SQL databases. The export seemed to work. I have one document named wrd_e7aohid1d5.sql (25.2 MB) and another named custsql-d505.eigbox.net.sql (26.5 MB) from two separate attempts. Initiating the import from different places, I think. (I am entirely ignorant of SQL and do not understand all the options.)

    Yet, when I attempt to import either of these files into the SQL database for the current, clean WP install, phpMyAdmin errors when I attempt to import it. I am able to successfully select the file I wish to import, but then it displays this error: “You didn’t enter any data to import!”

    Although the text of the error message did not suggest this, it occurred to me that the size of my files, which both exceed the stated 10,240 KB max, could very well be the problem. Zipping the larger one down to 6.1 MB, I instead get the error message, “Error in ZIP archive: Compressed size is not equal with the value in header information.” Same with the other. (I just used the Mac OS compression utility, if that is relevant: right click, Compress “filename.”)

    Does this mean my original database is corrupt? Or did I do something wrong exporting it? Or…?

    These are the instructions I have been trying to follow: http://codex.ww.wp.xz.cn/Restoring_Your_Database_From_Backup.

    Any suggestions tremendously appreciated. This is the blog of an academic journal, and we have a lot of high-quality content we do not want to lose. I can see that it is there in the original database, but am at a loss for how to extract it in a form that I can then get back online for our readers.

    Just one other idea: is there any way to simply redirect the current, blank WP install to the old database? They are on the same server. If I can fix this just by editing a line or two in a handful of .php files, that would be fantastic and probably much easier than all this mucking about in phpMyAdmin.

    Many thanks,
    Patrick

Viewing 15 replies - 1 through 15 (of 20 total)
  • Patrick.

    I’m sorry to hear your site was damaged. Unless I missed something in your explanation, exporting or importing the database should be unnecessary.

    Your database “connection” information is contained in wp-config.php and this file is located in the subdirectory with the other lowest level WordPress files. If you only find a file there named wp-config-sample.php, rename it wp-config.php.

    Hopefully, you still have a copy of the original wp-config.php file from the time of the hack. The database information begins on about line 18. Enter just the database information from the old file into the new file (the DB information stops on about line 29).

    Adding this information to the file should connect the old database to your new install. If you get a not able to establish a database connection error or if you don’t have the original DB information to enter in the new file, you may want to contact your host for help.

    Thread Starter ijfabblog

    (@ijfabblog)

    Hi wslade,

    Thank you for this information! I deleted all the WP files and made a fresh install to the same directory and edited the wp-config.php file per your instructions. Weirdly, however, this does not seem to change anything. Both the blog page and the admin console look the same. I am wondering if I need to make some other changes to the file, as it differs from the earlier one in a couple of other ways.

    This is from the current wp-config.php:

    [ Moderator note: code fixed. Please wrap code in the backtick character or use the code button. ]

    /**
     * WordPress Database Table prefix.
     *
     * You can have multiple installations in one database if you give each a unique
     * prefix. Only numbers, letters, and underscores please!
     */
    $table_prefix = 'wp_zpfi_';
    
    /**
     * For developers: WordPress debugging mode.
     *
     * Change this to true to enable the display of notices during development.
     * It is strongly recommended that plugin and theme developers use WP_DEBUG
     * in their development environments.
     */
    define('WP_DEBUG', false);
    
    /* That's all, stop editing! Happy blogging. */
    
    /** Absolute path to the WordPress directory. */
    if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');
    
    /** Sets up WordPress vars and included files. */
    require_once(ABSPATH . 'wp-settings.php');
    
    /**
     * Include tweaks requested by hosting providers.  You can safely
     * remove either the file or comment out the lines below to get
     * to a vanilla state.
     */
    if (file_exists(ABSPATH . 'hosting_provider_filters.php')) {
    include('hosting_provider_filters.php');
    }
    
    This is from the old one:
    
    /**
     * WordPress Database Table prefix.
     *
     * You can have multiple installations in one database if you give each a unique
     * prefix. Only numbers, letters, and underscores please!
     */
    $table_prefix  = 'wp_';
    
    /**
     * WordPress Localized Language, defaults to English.
     *
     * Change this to localize WordPress. A corresponding MO file for the chosen
     * language must be installed to wp-content/languages. For example, install
     * de_DE.mo to wp-content/languages and set WPLANG to 'de_DE' to enable German
     * language support.
     */
    define('WPLANG', '');
    
    /**
     * For developers: WordPress debugging mode.
     *
     * Change this to true to enable the display of notices during development.
     * It is strongly recommended that plugin and theme developers use WP_DEBUG
     * in their development environments.
     */
    define('WP_DEBUG', false);
    
    /* That's all, stop editing! Happy blogging. */
    
    /** Absolute path to the WordPress directory. */
    if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');
    
    /** Sets up WordPress vars and included files. */
    require_once(ABSPATH . 'wp-settings.php');

    Do you have any ideas? Or is there any other information I can provide that would be of help debugging?

    Many thanks,
    Patrick

    Patrick, are you willing to post the URL for your site? I thought your site was not functioning.

    If you prefer to not give out the URL tell me what isn’t working as you think it should?

    I assume you added the old info from lines 18 – 29 to the new wp-config.php? You were right not to post this section; it would cause you security issues.

    Thread Starter ijfabblog

    (@ijfabblog)

    Thanks for the quick response! The URL is http://www.ijfab.org/blog/.

    It now functions as a fresh install. (I just put up our banner and tweaked the color scheme a little.)

    The weird thing is that I did change the info in wp-config.php so that it points to the old database with the appropriate pw, but, as far as I can tell, nothing changed. Nothing. I was expecting to get either a really messy version of my old page (missing graphics and visually distorted in who knows what other ways) or else an error saying that the whole thing was inaccessible, contact system admin, etc.

    Oh, and I did just check phpMyAdmin, and the old database, to which my current wp-config.php points, does indeed look to still contain all my old content. The only other SQL database is the new one that was installed with the clean install this morning.

    Since your site is now working, you have a database connection. Otherwise, you would get a connection error.

    You mentioned earlier that you could see your data in the database. Is it still there? If yes, is it in the same database where you are currently connected? You listed two sql files in your original post.

    Thread Starter ijfabblog

    (@ijfabblog)

    The blog/wp-config.php is pointing to the SQL database with years worth of content stored in it. I changed all of these fields to match those from the wp-config.php of an old version of the file from when the site was still working (even if, for several months, we were infected and being used as some kind of a mirror server for a pharma site based in Russia).

    [ Moderator note: code fixed. Please wrap code in the backtick character or use the code button. ]

    /** The name of the database for WordPress */
    define('DB_NAME', '------------');
    
    /** MySQL database username */
    define('DB_USER', '------------');
    
    /** MySQL database password */
    define('DB_PASSWORD', '------------');
    
    /** MySQL hostname */
    define('DB_HOST', '------------');

    I notice, as you will see above, that this value was also changed for “$table_prefix =” and also that this:

    is appended to the end of my current file, but is not in the original.

    Well, that’s the good news! If the data is there, something is just not right with your structure yet.

    Since you have a connection to the right DB there shouldn’t be anything else to change in wp-config.php. Also, pharma hacks generally do not tinker with the DB structure.

    As I see your situation right now, you have a stable site. It may still contain some malware but at least the site appears to be ok.

    You have your data but it’s not appearing on the front end. If it were me, I would go back to a known good copy of the database and use it. Have you tried asking your host to restore a backup for you?

    If your host can’t or won’t help, then you need expert database help or more study on your part. You seem to have the backend and frontend; it’s the middle that isn’t passing your data.

    Thread Starter ijfabblog

    (@ijfabblog)

    I figured out part of the problem. The database contains a bunch of different table prefixes, which seem to correspond to at least some of the multiple installs I’ve done trying to correct this. When I changed the $table_prefix value from ‘wp_zpfi_’ to ‘wp_’, the site went blank–but I can see all my content when I log in as admin!

    If you or anyone else knows what I need to do to make it appear properly, please do share; otherwise I will tinker around a bit and see if I can figure it out myself before posting further inquiries.

    Once again, thank you so much for all of your help! We had come to believe that all of this was lost!

    Best regards,
    Patrick

    Table prefixes should be the same throughout the database. The standard wp_ is sometimes changed after install for added security. The prefix is often changed by one click installation scripts.

    Going back to my restore suggestion, at some point in history there should be a database copy that works.

    Can you explain what you mean by “I can see all my content when I log in as admin”? Do you see all your pages, posts and media when logged into WordPress admin? Or are you talking about phpMyAdmin? Or what?

    Patrick, I’m happy to help and I’m very hopeful that there is no data loss.
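    Added example (not code from this thread or from WordPress itself): a small Python helper that reads the DB_* constants and $table_prefix from a wp-config.php excerpt and groups a SHOW TABLES listing by prefix, so you can tell which prefix actually owns a complete set of core tables and which prefixes are leftovers from repeated fresh installs. The config excerpt, credentials and table list are constructed placeholders, not values from the thread.

```python
import re
# Core tables created by a single-site WordPress install.
WP_CORE = {"posts", "postmeta", "options", "users", "usermeta", "comments",
           "commentmeta", "terms", "term_taxonomy", "term_relationships",
           "links"}

# Constructed wp-config.php excerpt with placeholder credentials (not real).
SAMPLE_WP_CONFIG = """
define('DB_NAME', 'example_db');
define('DB_USER', 'example_user');
define('DB_PASSWORD', 'example_pass');
define('DB_HOST', 'localhost');
$table_prefix  = 'wp_zpfi_';
"""

# Constructed SHOW TABLES output: old content under wp_, plus partial leftovers.
SAMPLE_TABLES = [
    "wp_posts", "wp_postmeta", "wp_options", "wp_users", "wp_usermeta",
    "wp_comments", "wp_commentmeta", "wp_terms", "wp_term_taxonomy",
    "wp_term_relationships", "wp_links",
    "wp_zpfi_posts", "wp_zpfi_options", "wp_zpfi_users", "wp_abc_options",
]

def parse_wp_config(text):
    """Pull the DB_* constants and $table_prefix out of wp-config.php text."""
    cfg = dict(re.findall(r"define\(\s*'(DB_\w+)'\s*,\s*'([^']*)'\s*\)", text))
    m = re.search(r"\$table_prefix\s*=\s*'([^']*)'", text)
    cfg["table_prefix"] = m.group(1) if m else "wp_"   # WordPress default
    return cfg

def installs_by_prefix(table_names):
    """Group core tables by prefix: {prefix: set of core tables present}."""
    found = {}
    for name in table_names:
        core = next((c for c in WP_CORE if name.endswith("_" + c)), None)
        if core:
            found.setdefault(name[:-len(core)], set()).add(core)
    return found

def diagnose(config_text, table_names):
    """Report whether the configured prefix owns a complete install."""
    cfg = parse_wp_config(config_text)
    installs = installs_by_prefix(table_names)
    complete = sorted(p for p, t in installs.items() if t == WP_CORE)
    return {
        "configured_prefix": cfg["table_prefix"],
        "configured_is_complete": cfg["table_prefix"] in complete,
        "complete_prefixes": complete,
        "stray_prefixes": sorted(p for p in installs if p not in complete),
    }
```

    Run against a real SHOW TABLES listing, a stray prefix with only a handful of tables is usually an abandoned install; one that appears where no install was ever done is worth inspecting before reconnecting the site.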

    Thread Starter ijfabblog

    (@ijfabblog)

    I mean that the content is all there when I log in through /wp-login.php. In fact, I updated my theme, and now the site looks great–except that you cannot click through to view full posts. Something amiss with the permalinks? Or else…?

    Also, Jetpack goes haywire every time I try to connect to WP.com, plug-ins are gone, etc. But still, this is progress. I’m feeling increasingly optimistic.

    Hey Patrick! That is great news and it’s all you. If you hadn’t stuck with it, the site data may have truly been lost.

    In your excitement, don’t forget that you may still be dealing with a virus. Please install and use Wordfence and WP Antivirus Site Protection (by SiteGuarding.com). If you get a message from either or have a set up question for these scanners, let me know.

    Thread Starter ijfabblog

    (@ijfabblog)

    Thanks, I will definitely install those programs/add-ons/whatever. You don’t have any idea about why your “read more” takes you to a dead page, do you?

    I exported the data from that version of the blog and made another one here: http://www.ijfab.org/testblog/. Here, you can click through to view the full posts (even if they are all attributed to me–I think I can fix that if I decided to do yet another clean install on the /blog directory), but the permalink URLs have all changed and other widget preferences, etc. are gone.

    My preference would be to do a little more work to fix the first one that has all the user info, etc. saved, but access to the full content is much more important–even if this means that I need to manually redo the other stuff.

    Patrick, your issues may be caused by the hack. At least load and run WP Antivirus Site Protection. It won’t take long to load and you can continue doing your troubleshooting while it is scanning. I will not be surprised if it finds a lot of questionable files.

    Thread Starter ijfabblog

    (@ijfabblog)

    It found no malicious files, just the “potentially” malicious files listed below, which they would like me to pay them to analyze. I really did delete all of the files and start from scratch, uploading only images from the original site (and the html and css files that comprise the website, http://www.ijfab.org). Unless the trojan made its way into the SQL database, I’m inclined to think the site is infection-free. The more likely problem, I suspect, is that the database is trying to refer to files that do not exist on my clean install…

    Total Scanned Files: 1790
    Total Unsafe Files: 5

    File with malicious codes
    /wp-content/plugins/w3-total-cache/pub/files.php
    /wp-content/plugins/mojo-marketplace-wp-plugin/inc/spam-prevention.php
    /wp-content/plugins/w3-total-cache/lib/CSSTidy/data.inc.php
    * * * * * FREE REPORT LIMITS * * * * */data-wp.inc.php
    * * * * * FREE REPORT LIMITS * * * * */data.inc.php

    I feel better but please don’t stop working on the site without finishing up with the scans. I think I have seen this hack before and it took me several tries to get it cleaned up. I had to clean the files because of theme issues.

    I know two of the three files shown are probably false positives. When you get to that point let me know. Unless they have changed things in the past few days, I can show you how to see all five files and use Wordfence to verify if they are malware or not, without you having to pay to have anything analyzed.

    The free version of Wordfence is an excellent tool and it will do a good job in preventing future problems.

    Congratulations on bringing a blog back from the dead.


The topic ‘Trouble restoring SQL backup’ is closed to new replies.