HTML/IframeRef.X in WordPress Code (13 posts)

  1. silvercolston
    Member
    Posted 2 years ago #

    My website is http://postaljournal.com

    A reader is coming up with a message that there is a virus on my website, and it appears that I see it too when I use Firefox to create a post. I do not have the same problem with IE.

    This is the message that they get:

    Exploit:HTML/IframeRef.X
    Category: Exploit
    Description: This program is dangerous and exploits the computer on which it is run.

    Recommended action: Remove this software immediately.

    Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the Allow action and click Apply actions. If this option is not available, log on as administrator or ask the security administrator for help.

    I have checked my computer with four different anti-virus programs and found nothing (Microsoft Security Essentials, Adware, AVG, and Malwarebytes)

  2. duck__boy
    Member
    Posted 2 years ago #

    It'll be malicious code in your source I'd imagine - Try installing a fresh version of WP are reverting back to the default theme (don't worry, all your posts and everything will still be as they were). If the problem is gone, then you know that it is in your code.

  3. EnterSpace
    Member
    Posted 2 years ago #

    Having the same problem on our site (http://www.shadow-project.org/) all of a sudden. We've made NO changes recently, so I can't see as to how it would be a CHANGED "source". Maybe a recently discovered exploit, and it is in one of our plug-ins / theme?

    It was also MS Security Essentials that is reporting the same malware error, but the browser was IE.

    <edit> Submitted our website to VirusTotal, and 16 scans all showed it clean. Immediately resubmitted it and 1 of 16 scans wasn't clean, so it ran 43 different antivirus scans on the Index.htm and MANY of them are reporting apparently the same Frame exploit. So this seems like a real problem. </edit>

  4. ignitionmedia
    Member
    Posted 2 years ago #

    Having the same attack on my WP site. How do we prevent this?

  5. duck__boy
    Member
    Posted 2 years ago #

    Not sure how to prevent, but it's possibly some JS exploit. WP usually issues an update if these issues crop up, so if it is affecting lots of you then I'd keep an eye on the forums for further details.

  6. esmi
    Theme Diva & Forum Moderator
    Posted 2 years ago #

  7. esmi
    Theme Diva & Forum Moderator
    Posted 2 years ago #

  8. silvercolston
    Member
    Posted 2 years ago #

    Now the question I have is why would I get the same malware message for other non-WordPress websites on the same server.

    Also, if I have to switch themes, any ideas for http://postaljournal.com?

  9. silvercolston
    Member
    Posted 2 years ago #

    I should say an example of another site on the same server for this problem is http://postaljournal.org

  10. Daniel Cid
    Member
    Posted 2 years ago #

    Yes, the site is indeed hacked:

    http://sitecheck.sucuri.net/scanner/?scan=http://postaljournal.org/

    You have a malicious iframe (rqsyabp.co.tv) added in your index.php (via an eval call). You have to remove that bad from the index.php, and do a full sweep of your site for backdoors, rogue admin users, and things like that.

    thanks.
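
The sweep described in the post above can be partly automated. The following Python sketch is an added example, not code from this thread or from Sucuri: it flags `eval(` calls in PHP files and decodes `eval(base64_decode('...'))` payloads to reveal a hidden iframe source. The base64 wrapping, the `malicious.example` host and the function names are assumptions; the thread only states that the iframe was added via an eval call.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# Any eval( call is flagged; eval(base64_decode('...')) is also decoded.
EVAL = re.compile(r"\beval\s*\(", re.I)
EVAL_B64 = re.compile(
    r"""\beval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1""", re.I)
IFRAME_SRC = re.compile(r"""<iframe\b[^>]*?\bsrc\s*=\s*['"]?([^'"\s>]+)""", re.I)

def scan_php(source):
    """Return (reason, detail) findings for one PHP source string."""
    findings, decoded_at = [], set()
    for m in EVAL_B64.finditer(source):
        decoded_at.add(m.start())
        try:
            payload = base64.b64decode(m.group(2)).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            findings.append(("eval-base64-undecodable", m.group(2)[:40]))
            continue
        hit = IFRAME_SRC.search(payload)
        findings.append(("eval-hidden-iframe", hit.group(1)) if hit else ("eval-base64", payload[:60]))
    for m in EVAL.finditer(source):
        if m.start() not in decoded_at:  # eval of something other than a base64 literal
            findings.append(("eval-call", source[m.start():m.start() + 60]))
    return findings

def scan_tree(root):
    """Scan every *.php file under root; return {relative path: findings}."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        found = scan_php(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            report[path.relative_to(root).as_posix()] = found
    return report

def demo():
    """Scan a constructed two-file site; the payload and host are made up."""
    inner = "echo '<iframe src=\"http://malicious.example/x\" width=\"1\"></iframe>';"
    blob = base64.b64encode(inner.encode()).decode()
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "index.php").write_text("<?php eval(base64_decode('%s')); ?>\n" % blob)
        Path(tmp, "clean.php").write_text("<?php echo 'hello'; ?>\n")
        return scan_tree(tmp)

if __name__ == "__main__":
    print(demo())
```

Run `scan_tree()` against a copy of the document root and review every finding by hand, since legitimate code occasionally uses `eval` and other obfuscation wrappers only show up as a plain `eval-call`.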

  11. duck__boy
    Member
    Posted 2 years ago #

    Then it may be that the server has been compromised, and that the malicious code is in the core rather than the theme of WP.

    Also, if there is some sort of code on that site that is possibly malicious, it's really not a good idea to post it here as by clicking on it others may become compromised!

  12. EnterSpace
    Member
    Posted 2 years ago #

    Simply re-installing 3.2.1 files (in the Updates section), resulted in no errors from MS sec essentials, and clean scans from http://sitecheck.sucuri.net/scanner/ and also from http://www.virustotal.com/. (I DID update my MS SecEss definitions at the same time, but VirusTotal was reporting site infected yesterday, and not today after 3.2.1 file reinstall, so pretty sure the re-install @duck-boy recommended was the fix for me.)

    For full disclosure, while I was at it, I also deleted 2 old plugins that weren't being used (hello dolly, and some wp-cache).

    I'll post back if the site is reinfected, and follow-up with those links from @esmi - that was helpful, thanks!

  13. duck__boy
    Member
    Posted 2 years ago #

    Glad you sorted it, hopefully it'll stay clean for you from now on.

This topic has been closed to new replies.