HACKED by Iframe (13 posts)

  1. alphaseinfeld
    Posted 5 years ago #

    Hi, I have read several posts here about hacked websites and I have followed every step and I still get this problem. Let me explain.

    1.- I have all my websites redirected from http://xyz.com to http://www.xyz.com
    2.- One day I wrote in the navigation bar the http://xyz.com and got a message about the header output etc etc
    3.- I went to Google Webmaster Tools and I found there a code that was marked as suspicious by Google; it's an IFRAME
    4.- I first found it in my INDEX.PHP file and deleted it,
    5.- It appeared again in about an hour.
    6.- I deleted all my SQL databases and RAN Kaspersky in my MAC and it found some trojans, which were deleted by the antivirus.
    7.- Then I changed my CPANEL password to something super strong, downloaded a new version of WordPress; it's the latest, it's 3.1.2
    8.- Scanned with Kaspersky the downloaded file and then uploaded it to my Cpanel.
    9.- Created super strong USER and PASSWORD and new SQL with STRONG password and applied SECRET KEYS generated with WordPress key generator.
    10.- And forgot to tell you that the CONFIG.PHP and CRON.PHP in this NEW WordPress version have NO php closing tags at the end of the file, so I ADDED THEM to the files.

    So, anybody could think it's done? NO, in about 2 hours the IFRAME came again!

    My hosting is at HOSTICAN and they say I need to ask for help in WordPress forums because they GIVE NO HELP with that.

    Any idea? I have everything new

  2. You weren't hacked BY an iframe, but that's a bit of semantics. You can check on http://sitecheck.sucuri.net/scanner/ to see what's going on, hopefully...

    I would start by getting a FRESH download from known-safe places (like wordpress.org) of
    1) The WordPress installer
    2) Your theme
    3) Your plugins

    If you cannot get a safe copy of your theme, go through EVERY single file in it carefully.

    Then delete EVERYTHING (make a backup anyway, but remove from your server) except:


    Change passwords again (yeah, again) for SQL and your server.

    Copy the freshly downloaded files up.

  3. alphaseinfeld
    Posted 5 years ago #

    Thanks for the superquick reply. I downloaded the newest version of WordPress from wordpress.org and it's clean. I don't know what is happening here, why do this to me?

    I deleted ALL FILES in the DOMAIN, ALL OF THEM, and installed new ones which previously were scanned with Kaspersky (I bought it only for this problem) and nothing was found, and uploaded them, and created a NEW SQL with strong password, and created SECRET KEYS with WordPress key generator.

    Is it possible that this thing is inside my CPANEL? Because I have 3 cPanel accounts with different domains in each one and only one of the CPANEL accounts has this problem. The 3 cPanels are from the same WHM.

  4. alphaseinfeld
    Posted 5 years ago #

    MMM I used http://sitecheck.sucuri.net/scanner with my website and it found 2 things in EVERY category, tag, page, post, etc.. in EVERYONE

    • Malware entry: MW:IFRAME:HD202
    • Malware entry: MW:JS:488

    I WENT TO the INDEX.PHP and found something BASE64 and deleted it, and it's the same thing that APPEARS AGAIN AND AGAIN every time I delete it.


  5. esmi
    Forum Moderator
    Posted 5 years ago #

  6. alphaseinfeld
    Posted 5 years ago #

    I have followed these links since SUNDAY and I have done everything there, and it shows up again, and again, and again.

    And I have not found any post in any search engine of somebody that did something that worked...

  7. esmi
    Forum Moderator
    Posted 5 years ago #

    The back door may be elsewhere on your server & nothing to do with WordPress. Have you contacted your hosts?

  8. alphaseinfeld
    Posted 5 years ago #

    Thank you very much. I have just sent this to the hosting, it's Hostican; hope they can help with this.

    You, as an expert, have an idea what I should tell Hostican people in order to find this backdoor?

    Regards and thank you for your time and patience

  9. alphaseinfeld
    Posted 5 years ago #

    I told this to Hostican people and they made a search in the directories and they found thousands of files with 777 permissions. Do you know any way to change this without going to each one of the 4000 files they found?

    I think this might help, I will come back later and post whatever the results were in order to help other users who might have been like me.

    Thank you

  10. esmi
    Forum Moderator
    Posted 5 years ago #

    Do you know any way to change this without going to each one of the 4000 files they found?

    They're the hosts. This is their job. It's what you pay them for.

  11. alphaseinfeld
    Posted 5 years ago #

    Oh, I wish I could get service in Hostican, they tell you: this is a VPS account and you must do everything yourself. Every time I ask for something they tell it's $50 USD!

    I don't know how to move my websites to other hosting, if I knew, I surely wouldn't be with them anymore.

  12. alphaseinfeld
    Posted 5 years ago #

    Well, I asked them and they agreed, I think because of the situation I am in. All my files are now 644 and all folders are 755.

    I went also to all index.php files and deleted the piece of code I found.

    But I still can't find the other malware.

    I have a classified ads with ClassiPress and went to it and found at the footer a link to a website I don't know and I can't find where to delete it.

    I will wait hoping that the code in INDEX.php does not appear anymore and I will come back.

  13. Yeah, if you can't find the malware on your files, then the likely culprits are:

    1) Your PC

    2) Your server

    That's really it :/
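
Post 9 asks how to change thousands of 777 entries without visiting each one, and the thread keeps returning to base64 code reappearing in index.php. The shell functions below are an added example, not code from any poster or from the host: they count world-writable entries, reset directories to 755 and files to 644 in one pass, and list PHP files that carry the base64/iframe constructs or were modified recently. The function names, the grep pattern and the demo tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names, the grep pattern and the demo tree are
# assumptions made for illustration; nothing here comes from the thread's posters.

# Count files and directories under $1 that any user can write to (777, 666, ...).
count_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 | wc -l | tr -d ' '
}

# One pass instead of editing 4000 entries by hand: directories 755, files 644.
reset_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# List PHP files holding the constructs reported in the thread: a base64 payload
# passed to eval, or a literal <iframe> tag. Review each hit by hand.
list_suspicious_php() {
    find "$1" -type f -name '*.php' \
        -exec grep -liE 'eval[[:space:]]*\([[:space:]]*base64_decode|<iframe' {} + | sort
}

# List PHP files modified within the last $2 days, to see what gets rewritten
# after a cleanup (the "it came back in an hour" symptom).
list_recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# Build a small constructed site tree for trying the functions offline.
# Runs in a subshell so the umask change does not leak into the caller.
# The base64 string decodes to the word "constructed"; it is not a real payload.
make_demo_tree() (
    umask 022
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    printf '%s\n' "<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>" > "$d/index.php"
    printf '%s\n' '<?php echo "clean"; ?>' > "$d/wp-content/clean.php"
    chmod 777 "$d/wp-content/uploads" "$d/index.php"
    echo "$d"
)
```

A hit from `list_suspicious_php` is a lead to inspect rather than a verdict, since legitimate plugins can match the same pattern.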

Topic Closed

This topic has been closed to new replies.
