Google flagged my site as malicious (6 posts)

  1. Surge
    Posted 5 years ago #

    Hi all,

    A few days ago Google and my hosting provider sent me a message that my site may contain malicious code. I found out that in each post there is a script that opens an iframe and loads a page on some domain in India but the page won't even load. My question is how do I remove this script from all the posts? I know it can be done with SQL commands but I'm too unfamiliar with them to do it. Also, will removing this script fix the issue? Or is there a bigger issue... since I don't have a clue how it got in there. I run the latest version, have no plugins, and only made a basic theme. I found the script in the wp_posts table in the post_content field. Here is the script, and thanks a lot for your help!!

    Google says this is the suspected injected code:

    [Code moderated]

  2. Surge
    Posted 5 years ago #

    Oh... in case you're curious the encoded part translates to:

    ("<iframe src
    gi?4" width="0" heig
    ht="0" style="visibi
  3. jimmyt1988
    Posted 5 years ago #

    You may already know this. Perhaps it's too much effort to go through the amount of posts you have. But say you have only 20 posts.. It might just be worth removing this code from within phpmyadmin within the databse.

    If it is something like 100 posts, It may be worth looking through sql batch commands. I'm really not sure of the specific syntax for it. Surely there is something that when run, deletes a string from each entry within a table.

    Best bet for the latter is to go onto a SQL forum. Ah, sorry it's a weak response, really hope I helped in some way.

    Other than that, if the iframe is only iframe on page. You could style it with css and say display:none; ?

  4. Surge
    Posted 5 years ago #

    Thanks anyway jimmy. I'm mostly concerned about how it got in there. If I don't patch the hole I might clean it up but it could come right back. Hopefully someone else has some insight on that. Thanks.

  5. nlaferle
    Posted 5 years ago #

    I encountered the same issue with a blog I administer. Running 2.9.2. Almost seems as though the injection occured at the DB level, as previously noted, as every record in wp_posts included the same block of code, even 'inherit' records.

  6. WP Voyager
    Posted 5 years ago #

    @sur6e: Whoever hacked your site to insert the iframe has probably left a backdoor open for himself. In other words, once he hacked it the first time, it is always easier for him to get in the next time. If you take the necessary steps to clean your installation, this should patch the hole, though.

    Check out this FAQ:

    And then have a look at the following resources:

    Once you are done, have a look at this Codex article to help prevent against future attacks:

    And if you still have questions, the following search query should help:

    I hope this is enough info :-)

    Good luck beating that hacker,
    MindBlender 3D

Topic Closed

This topic has been closed to new replies.

About this Topic