WordPress MU

I've been hurt really bad by their "Customer Service" people. I had no problem with them for more than 2 years now. Other than having my entire site go down and open a ticket and they fix, there was no other major problem with permissions or setting. But now they lost all my data. Here is a letter I tried to send to anhosting and midPhase [midPhase is the partner company]. I even opened tickets but all tickets were closed.

I opened a ticket with the following letter #23519709. but that ticket also got closed.

====================

Dear Sir/ Madam:

I am writing this email in vein. I have been customer of your service for more than two years. My domain is adadaa.com/. My CPanel id is adadsat0. The Customer Service was good until now.

I opened an URGENT ticket on Tue, Dec 16, 2008 at 9:23 PM [Eastern Time] 23516617.
I do not know what happened, the ticket did not exist the next day. So I created another ticket 23517406.

Since then, I have been struggling to explain to customer service people that the server was hacked and the guy who hacked put an image or link to his page.
you can still see the problem if you visit any of my sub domains. [ex. http://1kavithai.adadaa.com/ ]

Whoever hacked, cleverly deleted/ modified the database.

I asked your Customer Service people to restore from the backup, and I get so many "your problem was solved" emails, where they did a childish fix. I had 80 blogs and 160 users and what they "fixed" was installing brand new WordPressMU software.

Now they telling me the latest backup they have is Dec 17, which is after the site was hacked.

I tried calling the support line 1-866-MIDPHASE and I told the guy to escalate this problem to a higher official. He said he is going ask an "admin" to check. Then I received an email its fixed. They restored and my site is not readable. Some setting in the Database must have been changed by the hacker or something.

I asked them to delete the entire database and restore from the back up before/ on Mon, Dec 15, 2008 at 8:37 AM [Eastern Time]

What do they asking? They asking whether I have a local backup or not!

Please somebody can help me? All my poems I wrote in my entire life was in one of the sub domains. I had 80 blogs. All users are bombarding with emails asking where is their content. What do I tell them? The server people did not care to look at my initial ticket and deleted, and because of that we lost all data?

I'm extremely unsatisfied and shocked the way Customer Support people are not taking this as a serious issue and sending "solved" emails, where every problem still exists.

====================

Another thing to note is I think the hacker actually managed to put some URL redirection into the DB or somewhere.

because all my sub domain blogs goes to his site. If you try to visit my sub domain blog with some fake page, it throws PHP error. In that error, you can actually see the server that tried to serve the non-existing page is NOT adadaa.com or anhosting or midphase. It is "Apache/1.3.41 Server at brianstyle.com Port 80"

try visiting this link
http://1kavithai.adadaa.com/notexistingpage.php

I don't think he touched any of the web pages. He only errased the Database.

Here is the current .htaccess file. I don't see anything redirecting to brainstyle.com, but still somehow my sub domains are going there.
============
RewriteEngine On
RewriteBase /

## http://codex.wordpress.org/Combating_Comment_Spam/Denying_Access
#RewriteCond %{REQUEST_METHOD} POST
#RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
#RewriteCond %{HTTP_REFERER} !.*adadaa.com.* [OR]
#RewriteCond %{HTTP_USER_AGENT} ^$
#RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]

# Rewrite http://www.domain.com to domain.com
RewriteCond %{HTTP_HOST} ^www\.(.*)
RewriteRule ^(.*) http://%1/$1 [R,L]

#uploaded files
RewriteRule ^(.*)?/?files/(.*) wp-content/blogs.php?file=$2 [L]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule . - [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-.*) $2 [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
RewriteRule . index.php [L]
=============

Some advice: Don't rely on host backups. Do your own backups of both files and databases.

But year, I'd grumble too.

So you didn't keep a local backup and you think it's *their* fault?

So far, I think they did plenty for you.

Did you look at the database?
Did you look at the file manager to see if there were any files that seemed suspicious or weren't supposed to be there?

And did you secure your site? (kinda redundant because obviously someone got in)

It's got nothing to do with WPMU or the hosting company if you leave the files and directories unsecured. *You* are hosting other people's content for them, as well as your own, so *you* are responsible for maintaining your own backups as well.

Preferably multiple ones.

Any host would tell you the same.

I guess if you have Customer Service people like that, then of course anything can go wrong right.

ok. its my fault. But they don't know how to fix for 3 days and sending me emails saying "solved" is a good hosting company you say?

The problem still exists even now..
try visiting any sub domains. It goes to hackers

http://1kavithai.adadaa.com/

mmm. just wondering Andrea, are you working for ANHosting?

Hacker didn't errase the web page files. He only deleted the WPMU database.

Pfft, no. I don't work for them. I only work for myself.

Subdomains go to a flash page. I have flash turned off, so I see a big white space saying I need flash. Address bar stays the same. Easy enough to do.

The main site is still up, correct? If the db was DELETED you would have *nothing* but a big ol' error page.

Do you have phpmyadmin? If so, go look at the db in there.

And just in the interest of the fullest of disclosures, why yes I have been hacked before and it was mostly my own damn fault. it sure looked like everyone's blogs were gone, but there was a replaced index file left on the server. Easy fix there, and boy howdy I learned from that.

YES.. when the hacker deleted the DB, I did get the DB not found big error. Then I told them to restore.

They installed a BRAND NEW WPMU. [nice customer service you say?] I told them what the hell you did? restore from back up. Then "admin" restored, and now the main site is up, but the data pulled from DB are NOT READABLE.

as I am posting, I am on waiting line with their "help desk" 1-866-MIDPHASE. after waiting for 1/2 an hour they hang up without even talking 2 times continuously. I'm calling them again.

ok I fixed the main site. its readable. removed utf8 from wp-config.php and its readable now.

but how do I fix the sub domain problem?

If you're uncertain about whether or not your host can recover your data and you really want your data back I would:

1. Create a script that saves every page of your site from google cache.
2. Create a script that parses that sets up the old blogs and the parses the saved html from google cache, then posts the posts via xml-rpc

If your site has been hacked google will soon remove your cached files if your site stays that way.

honewatson, thanks for your idea. But I'm not that technical to do all those.

May be, I didn't lose all data, as Andrea suggested. Since they restored, it was not readable. But now I made it readable. So I still see other blogs in DB. So it may just be subdomain URL re-write or somethings changed in the DB itself. I'm not sure.

is there script you can put inside the webserver, that will do this? how do I find this script? I mean what should I look for.

Just to let you know, after 3 continuous hangup on their "help-line" somebody answered 4th time. I told them the issue, and he said, he'll ask them to look into the sub domain problem.

Like Andrea said you should backup your site periodically to a local area. But I agree that the support of that company is not good. Any business should keep backups and although you shouldn't rely on them to do so the simple fact is that they say they will so they should. The backup you do for yourself is just to be extra safe and if that doesn't work you have no one to blame but yourself.

Why, why, did you not keep your own backups.

Did you have ssh access to your server? Does it have ruby on it? I know it's a bit late now, but I found the following invaluable when I started out.

http://paulstamatiou.com/2007/07/29/how-to-bulletproof-server-backups-with-amazon-s3

OK, I'll ask:

How often should you download a database backup? A file backup? What's the best way to do it with a CPanel account? I've heard that a cron job lets you automate the process. Any advice/documentation on how to do that?

P.S. I have last night's database backup on my desktop.

@billdennis: I'm no expert, but I would say that it depends on how often your data is updated.

I have a daily full server backup (image), a weekly full server backup (image), a major change backup (image) - which is a copy of a server just prior to me doing something that might break things.

Databases are now done daily and sent automatically to S3, on which I keep 1 months worth of backups at any one time.

User images go daily to S3 as well, but are a sync, so if they delete a image it gets removed from s3 as well.

At the moment I don't download any of the backups to my laptop as I don't have the bandwidth for it for one reason, but also because I trust the Amazonians (probably foolish I know).

Cron is the best way to go, then you don't have to worry about remembering to set a backup off.

That link above helped me to get the s3sync system up and running, though my script is a lot more complicated now as it has to deal with multiple databases. There is also an S3 bash library available (check Amazon S3 resources, but I'll try to find it) if you haven't got ruby installed on your server.

Thanks.

Its probably way too late now. But I got my site restored. My host did have daily backups. It just the communication with the Tech Support didn't go well. It took a while before understanding/resolving.

So I guess, the host is a good place for the money [cheap].