Waoh so I had an RSS email from one of the blogs I read on a semi-regular basis and she had posted something interesting that lured me to click through and check out her site….
Lo and behold, her site was throwing an error and none of the content was displaying. The error went something like this:
Warning: Unexpected character in input: ''' (ASCII=39) state=1 in /home/public_html/xxx/index.php on line 17
I check her other sites..they are all throwing the same error, with the same exact information aside from the index.php path as they are all hosted in different directories. How can that be???
My logical mind says it must be a server change that caused the problem because all the sites use a different index.php file right?
I was right in a way, it was a server change that caused the problem. The index.php files were all different but they had all been changed in the exact same way. Some bogus code was added to the bottom of each of them, in the exact same format and style that removed part of the database declaration and left an open code block on line 17.
The origin of the bogus code is somewhat unknown but from the looks of what that code was, I have a guess. The hosted server most likely had a breach allowing someone to run a script that edited all found index.php files in the same way. The same code was added to every instance of index.php on the server, removing a few lines prior and leaving the same open block following the bogus code.
To fix the problem, I backed up the databases and reinstalled WordPress for each of the sites. I wasn’t quite sure to the extent of what files were edited so this would take the sites back to a clean slate as far as WordPress files went. The database was luckily untainted and so were most of the WordPress theme files (one has some bogus code in it but was easily fixed).
After about 2 and a half hours, the disaster was averted. The sites were back up and none were the wiser aside from me and the site owner.
Lesson learned? Backup early and often!