Title: Argentina attack
Last modified: August 18, 2016

---

# Argentina attack

 *  Resolved [Bithead](https://wordpress.org/support/users/bithead/)
 * (@bithead)
 * [18 years, 8 months ago](https://wordpress.org/support/topic/argentina-attack/)
 * I run Bitsblog.florack.us.
    I recently came under attack by person or persons
   unknown. Apparently there’s a security hole either at my site or within WordPress,
   and I can’t figure which.
 * The first sign I had that there had been an attack was that I could not get
   into my editor. On looking at the HTML output, I found four lines all the same
   at the header of the HTML.
 * (IFRAME src=”http://usuarios.arnet.com.ar/alvarezluque/morgan.html”
   width=”0″ height=”0″ frameborder=”0″></iframe)
 * Obviously, I have edited the lines so it doesn’t cause any problems here. The
   URL being called out executes some sort of JavaScript which I believe to call
   some ActiveX program, but I have not been able to confirm this.
 * I was unable to find any reference to this address in any of my PHP files. I 
   must assume that the hacker has somehow gotten into my database.
 * This first happened at the middle of last week. After a night of fooling around
   trying to locate the problem I threw up my hands and asked the ISP to wipe and
   restore from tape, from a week previous. Once they did that, I ran all
   the latest WordPress upgrades.
 * Whatever this attack is, it apparently is not solved by the WordPress upgrade.
   I say this, because I was attacked again last evening. My site is currently down.
 * In doing a cross reference via Google, I find that there are a few people who
   are running into the same problem, mostly in Germany and Portugal. However, they
   seem as mystified as I am, past coming up with the idea that there is some
   kind of vulnerability within the web server’s implementation of PHP.
 * I am told that the web server I’m on is Windows IIS, though the version I don’t
   know.
 * My website is currently down, and I’m in need of some help, not only to get it
   running again, but to close the security hole.
 * Any ideas, anyone?
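
An added example, not part of the original thread or any poster's code: a check over rendered page output for the symptom described above, an invisible iframe that loads from a host other than the site's own. The host names, the sample page and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ZERO = re.compile(r"^0+(\.0+)?\s*(px|%)?$")  # "0", "0px", "0%"
HIDING_CSS = ("display:none", "visibility:hidden")

# Constructed sample output: repeated injected lines ahead of the real document,
# plus legitimate same-site and visible off-site embeds that must not be flagged.
SAMPLE_PAGE = """\
<iframe src="http://injected.example.invalid/x.html" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://injected.example.invalid/x.html" width="0" height="0" frameborder="0"></iframe>
<!DOCTYPE html>
<html><head><title>Blog</title></head>
<body>
<iframe src="/wp-content/uploads/map.html" width="400" height="300"></iframe>
<iframe src="https://video.example.org/embed/1" width="560" height="315"></iframe>
<IFRAME SRC="//injected.example.invalid/y.html" style="display: none"></IFRAME>
</body></html>
"""


class HiddenIframeFinder(HTMLParser):
    """Collects iframes that are invisible AND load from another host."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (line number, src)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # HTMLParser lower-cases tag and attribute names
            return
        attr = {name: (value or "").strip() for name, value in attrs}
        style = attr.get("style", "").lower().replace(" ", "")
        hidden = (
            ZERO.match(attr.get("width", "")) is not None
            or ZERO.match(attr.get("height", "")) is not None
            or any(rule in style for rule in HIDING_CSS)
        )
        # Relative URLs have no hostname and count as same-site.
        host = urlparse(attr.get("src", "")).hostname
        if hidden and host and host != self.site_host:
            self.findings.append((self.getpos()[0], attr["src"]))


def find_hidden_iframes(html, site_host):
    finder = HiddenIframeFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings
```

Run against a fetched copy of each page after a restore; a finding that is absent from every theme and plugin file points at content stored in the database or injected at request time.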

Viewing 11 replies - 1 through 11 (of 11 total)

 *  [jonimueller](https://wordpress.org/support/users/jonimueller/)
 * (@jonimueller)
 * [18 years, 8 months ago](https://wordpress.org/support/topic/argentina-attack/#post-619377)
 * I hate to say this but since this is definitely not a WordPress issue don’t expect
   a lot of help. Not because people don’t care or are unsympathetic to your problem,
   but because this forum should be as much about WordPress issues — and nothing
   else — as possible.
 * I suggest you talk to your ISP; believe me, if there is a vulnerability, it could
   affect other clients of theirs, especially if you are on a shared server. It 
   is in their best interests to solve your problem.
 * Other than that, try googling some more for an answer.
 * Best of luck to you.
 *  Thread Starter [Bithead](https://wordpress.org/support/users/bithead/)
 * (@bithead)
 * [18 years, 8 months ago](https://wordpress.org/support/topic/argentina-attack/#post-619554)
 * OK, gang, here’s the lowdown.
 * Last week, we had an attack on the core SQL database that runs BitsBlog. The
   most obvious result of that attack was four instances of an HTML FRAME callout
   showing up on the header of every page on the site.
 * ( http://usuarios.arnet.com.ar/alvarezluque/morgan.html”
   width=”0″ height=”0″ frameborder=”0″></iframe)
 * (Take my advice, don’t go there… in investigating the site and doing some cross
   checking, I find there’s a bunch of real weirdos, there.)
 * Once I went through all my PHP coding by hand, I realized that the callouts were
   in none of them, and that the code must have been injected into the database.
   A database restore from my end was out of the question for several technical 
   reasons. The backup design assumed that the site would be available. Dumb, yeah,
   but there it is.
 * So, I got on with the ISP, and had them do a full wipe and restore.
 * Once that was done, and assuming that because my site was a little behind the
   WordPress current release, I then changed all my heavy passwords, and upgraded
   to the most recent version.
 * Two days later, we’re back in the soup. Logically, whatever the security hole
   was, was not directly a part of WordPress, but WHAT WAS IT? Simply having the
   ISP go to tape again, still left the Blog vulnerable.
 * At this point, I started asking around. I went to the WordPress support forums.
   Let’s just say they’re Linux snobs, and leave it at that, shall we? I mean, I
   like Linux, too, but telling me my biggest problem is the thing is an IIS server
   isn’t helping. I was dealing with applications issues when we went the Windows
   Server route anyway.
 * Still, they had a point that the Windows environment isn’t nearly as secure,
   so some rather pointed questions were fired at the ISP.
 * Unlike the folks at WordPress who couldn’t get past the word “Windows”, the
   IX folks actually investigated, and found that there was indeed a problem with
   the WordPress installation:
 * > We’ve restored your site from our backup. Also after investigation of our system
   > administration team, we’ve found that your WordPress installation is vulnerable
   > to remote file inclusion attacks. Please refer to following link for more information
   > regarding that security hole:
   >  [http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2007-05/msg00010.html](http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2007-05/msg00010.html)
   >  Please upgrade/fix your software ( wordTube plugin ) as soon as possible, 
   > and update this ticket once it’s done.
   >  Should you have any further questions, please do not hesitate to contact us
   > 24×7.
 * Well, what do you know. An ISP actually willing to help, when the pressure is
   on. I’ve done a rebuild to the most recent versions, changed out my passwords
   again, and blown away the YouTube plugin… it wasn’t working well anyway.
 * Kudos to IX Web hosting, for a job well done.
 * And a raspberry or three to the WordPress Support forums, and to the denizens
   of their IRC room, who were even worse. …
 * (Well, OK, the guy in the forum was apparently trying to warn me of the bias,
   but the fact remains the help forum was anything but… even there, he decided
   it wasn’t a WordPress issue.)
 *  Moderator [Samuel Wood (Otto)](https://wordpress.org/support/users/otto42/)
 * (@otto42)
 * WordPress.org Admin
 * [18 years, 8 months ago](https://wordpress.org/support/topic/argentina-attack/#post-619556)
 * That link you posted isn’t pointing out a WordPress vulnerability, it’s pointing
   out a vulnerability in some plugin you’re using. Upgrade that plugin or don’t
   use it.
 * Also, these *are* the WordPress support forums, and I don’t see anybody here 
   complaining about use of a Windows server. What forums are you talking about?
 *  Thread Starter [Bithead](https://wordpress.org/support/users/bithead/)
 * (@bithead)
 * [18 years, 8 months ago](https://wordpress.org/support/topic/argentina-attack/#post-619560)
 * Seems to me that area of responsibility is a little on the gray side, given that
   I downloaded the plugin by linking through the WordPress website.
 * But more… It seems also to me, that it would be wise to be a one stop for all
   things WordPress. Your success rate could only improve with that kind of PR effort.
 * I came in here looking for WordPress expertise. Where the beep ELSE would I go
   to get such questions asked? The idea that it might have been the plugin never
   occurred to me… I admit after a few hours of my site down, I was a bit frazzled.
   But what I got while in that condition, instead of expertise from people who 
   know the package, (and presumably what people tend to add to it for the most 
   part ) what I got was Linux snobbery, and ‘it’s not our problem.’ Nobody even
   **bothered** asking what WordPress plugins I was running, except the ISP. Once
   the idea that an IIS server was involved that’s all they wanted to know. Nose
   in the air, fade to black. Didn’t even BOTHER to ask any other questions, and
   weren’t interested in the symptoms. Not exactly good PR.
 * And no, my anger isn’t being directed at jonimueller, but rather at the IRC channel.
 * Enough.
    Wordpress is a fine product. Just wish the support was a little less
   tone deaf.
 *  I’m not exactly a babe in the woods on this stuff; I’ve been in end user support
   for many years. The ones who tend to do well, are the ones who don’t draw arbitrary
   support lines.
 *  [Chris_K](https://wordpress.org/support/users/handysolo/)
 * (@handysolo)
 * [18 years, 8 months ago](https://wordpress.org/support/topic/argentina-attack/#post-619561)
 * … Can I echo Otto42’s question?
 * > Also, these *are* the WordPress support forums, and I don’t see anybody here
   > complaining about use of a Windows server. What forums are you talking about?
 * Which topic in these forums was side-tracked by the IIS server factor? I can’t
   find it — and I’d like to see it.
 *  [Root](https://wordpress.org/support/users/root/)
 * (@root)
 * [18 years, 8 months ago](https://wordpress.org/support/topic/argentina-attack/#post-619564)
 * And AFAIK there is not and has never been any Linux snobbery in these forums.
   Recognising, acknowledging, and using a program that was built for the purpose
   is not snobbery. Historically IIS has caused endless grief to WP users.
 *  Thread Starter [Bithead](https://wordpress.org/support/users/bithead/)
 * (@bithead)
 * [18 years, 8 months ago](https://wordpress.org/support/topic/argentina-attack/#post-619569)
 * Handy and Root: Look again:
 * > And no, my anger isn’t being directed at jonimueller, but rather at the IRC
   > channel.
 * Questions?
 *  [Chris_K](https://wordpress.org/support/users/handysolo/)
 * (@handysolo)
 * [18 years, 8 months ago](https://wordpress.org/support/topic/argentina-attack/#post-619570)
 * Nah, but it clarifies this:
 * > And a raspberry or three to the WordPress Support forums, and to the denizens
   > of their IRC room, who were even worse. …
 * As volunteers, raspberries are a real drag.
 *  [jonimueller](https://wordpress.org/support/users/jonimueller/)
 * (@jonimueller)
 * [18 years, 7 months ago](https://wordpress.org/support/topic/argentina-attack/#post-619600)
 * And @the OP, I’m not a GUY {{looks
   down}} .. nope. Still a GIRL.
 * And .. I reiterate, it is the problem of a WP PLUGIN. And to answer the question
   where to go for help? First, to the plugin author. Some plugin devs are better
   about support than others. Some of them (David Chait of ChaitGear comes immediately
   to mind) go above and beyond any reasonable call of duty; others throw the plugin
   out there and leave it for its users to sort things out.
 * I commend you for returning to this forum to report the solution. Sounds to me
   like that post was a cut and paste job, meant for more than just this forum. 
   In any event, I wish more people would post solutions to problems like you did.
 * Joni
 *  Thread Starter [Bithead](https://wordpress.org/support/users/bithead/)
 * (@bithead)
 * [18 years, 7 months ago](https://wordpress.org/support/topic/argentina-attack/#post-619603)
 * > And @the OP, I’m not a GUY {{looks
   > down}} .. nope. Still a GIRL.
 * Well, you know how it is when you get married….
 * > And .. I reiterate, it is the problem of a WP PLUGIN. And to answer the question
   > where to go for help? First, to the plugin author. Some plugin devs are better
   > about support than others.
 * Maybe, but look again:
    I had no idea the problem was a plugin.
 * > I commend you for returning to this forum to report the solution.
 * Of course!
    If I complain about others not passing along what information they
   have, what kind of credibility would the complaint have if I didn’t do better
   than what I was complaining about?
 * > Sounds to me like that post was a cut and paste job, meant for more than just
   > this forum.
 * Correct; I put the info on my blog, as well.
 *  [jingan-eugen](https://wordpress.org/support/users/jingan-eugen/)
 * (@jingan-eugen)
 * [17 years, 10 months ago](https://wordpress.org/support/topic/argentina-attack/#post-619682)
 * Check this: [http://www.bloggerguide.net/blog-platform/wordpress/wordpress-exploit-giving-backlinks-redirects-and-headaches-but-no-visitors/](http://www.bloggerguide.net/blog-platform/wordpress/wordpress-exploit-giving-backlinks-redirects-and-headaches-but-no-visitors/)


The topic ‘Argentina attack’ is closed to new replies.

 * In: [Everything else WordPress](https://wordpress.org/support/forum/miscellaneous/)
 * 11 replies
 * 6 participants
 * Last reply from: [jingan-eugen](https://wordpress.org/support/users/jingan-eugen/)
 * Last activity: [17 years, 10 months ago](https://wordpress.org/support/topic/argentina-attack/#post-619682)
 * Status: resolved

