WordPress.org


HACKED by Iframe

  • Hi, I have read several posts here about hacked websites and I have followed every step and I still get this problem. Let me explain.

    1.- I have all my websites redirected from http://xyz.com to http://www.xyz.com
    2.- One day I wrote http://xyz.com in the navigation bar and got a message about the header output etc. etc.
    3.- I went to Google Webmaster Tools and I found there a code that was marked as suspicious by Google; it's an IFRAME.
    4.- I first found it in my INDEX.PHP file and deleted it.
    5.- It appeared again in about an hour.
    6.- I deleted all my SQL databases and RAN Kaspersky on my Mac and it found some trojans, which were deleted by the antivirus.
    7.- Then I changed my CPANEL password to something super strong and downloaded a new version of WordPress; it's the latest, it's 3.1.2.
    8.- Scanned the downloaded file with Kaspersky and then uploaded it to my cPanel.
    9.- Created a super strong USER and PASSWORD and a new SQL with a STRONG password and applied SECRET KEYS generated with the WordPress key generator.
    10.- And I forgot to tell you that the CONFIG.PHP and CRON.PHP in this NEW WordPress version have NO PHP closing tags at the end of the file, so I ADDED THEM to the files.

    So, anybody could think it's done? NO, in about 2 hours the IFRAME came again!

    My hosting is at HOSTICAN and they say I need to ask for help in the WordPress forums because they GIVE NO HELP with that.

    Any idea? I have everything new.

Viewing 12 replies - 1 through 12 (of 12 total)
  • You weren’t hacked BY an iframe, but that’s a bit of semantics. You can check on http://sitecheck.sucuri.net/scanner/ to see what’s going on, hopefully…

    I would start by getting a FRESH download from known-safe places (like wordpress.org) of
    1) The WordPress installer
    2) Your theme
    3) Your plugins

    If you cannot get a safe copy of your theme, go through EVERY single file in it carefully.

    Then delete EVERYTHING (make a back up anyway, but remove from your server) except:

    /wp-content/uploads
    wp-config.php
    .htaccess

    Change passwords again (yeah, again) for SQL and your server.

    Copy the freshly downloaded files up.

    Thanks for the super quick reply. I downloaded the newest version of WordPress from wordpress.org and it's clean. I don't know what is happening here, why do this to me?

    I deleted ALL FILES in the DOMAIN, ALL OF THEM, and installed new ones which were previously scanned with Kaspersky (I bought it only for this problem) and nothing was found, and uploaded them, and created a NEW SQL with a strong password, and created SECRET KEYS with the WordPress key generator.

    Is it possible that this thing is inside my CPANEL? Because I have 3 cPanel accounts with different domains in each one and only one of the CPANEL accounts has this problem. The 3 cPanels are from the same WHM.

    Mmm, I used http://sitecheck.sucuri.net/scanner with my website and it found 2 things in EVERY category, tag, page, post, etc., in EVERY ONE:

    • Malware entry: MW:IFRAME:HD202
    • Malware entry: MW:JS:488

    I WENT TO the INDEX.PHP and found something BASE64 and deleted it, and it's the same thing that APPEARS AGAIN AND AGAIN every time I delete it.

    Help?

    esmi

    @esmi

    Forum Moderator

    I have followed these links since SUNDAY and I have done everything there, and it shows up again, and again, and again.

    And I have not found any post in any search engine of somebody that did something that worked…

    esmi

    @esmi

    Forum Moderator

    The back door may be elsewhere on your server & nothing to do with WordPress. Have you contacted your hosts?

    Thank you very much. I have just sent this to the hosting, it's Hostican; hope they can help with this.

    You, as an expert, have an idea what I should tell the Hostican people in order to find this backdoor?

    Regards and thank you for your time and patience.

    I told this to the Hostican people and they made a search in the directories and they found thousands of files with 777 permissions. Do you know any way to change this without going to each one of the 4000 files they found?

    I think this might help. I will come back later and post whatever the results were in order to help other users who might have been like me.

    Thank you.

    esmi

    @esmi

    Forum Moderator

    Do you know any way to change this without going to each one of the 4000 files they found?

    They’re the hosts. This is their job. It’s what you pay them for.

    Oh, I wish I could get service at Hostican. They tell you: this is a VPS account and you must do everything yourself. Every time I ask for something they tell me it's $50 USD!

    I don't know how to move my websites to other hosting; if I knew, I surely wouldn't be with them anymore.

    Well, I asked them and they agreed, I think because of the situation I am in. All my files are now 644 and all folders are 755.

    I also went to all index.php files and deleted the piece of code I found.

    But I still can't find the other malware.

    I have a classified ads site with ClassiPress and went to it and found at the footer a link to a website I don't know, and I can't find where to delete it.

    I will wait, hoping that the code in INDEX.php does not appear anymore, and I will come back.

    Yeah, if you can’t find the malware on your files, then the likely culprits are:

    1) Your PC

    2) Your server

    That’s really it :/
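
Added example, not part of any reply above and not WordPress or Hostican code: the checks this thread converges on, written as shell functions that list world-writable entries, reset folders to 755 and files to 644 in one pass, and flag PHP files containing eval(base64_decode(...)) or an iframe tag, including any PHP file under the wp-content/uploads directory that is kept across the reinstall. The function names and the sample tree are constructed for illustration, and a match is a lead for manual review, not proof of infection.

```shell
#!/usr/bin/env bash
# Added example: audit a web root for the two problems found in this thread.

# List regular files and directories that are world-writable (e.g. mode 777).
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Reset directories to 755 and regular files to 644 in one pass,
# instead of visiting each of the thousands of entries by hand.
normalize_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Flag PHP files that contain markers of injected code: base64_decode()
# fed to eval(), or an <iframe> tag. No match is not treated as an error.
list_suspect_php() {
    find "$1" -type f -name '*.php' -exec \
        grep -lEi 'eval[[:space:]]*\([[:space:]]*base64_decode|<iframe' {} + || true
}

# PHP files under wp-content/uploads: that directory normally holds only media,
# so a script there deserves a look when uploads is kept across a reinstall.
list_php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' -print 2>/dev/null || true
}

# Build a small constructed sample tree (not real site data) to run against.
make_sample_tree() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/2011"
    printf '<?php\nrequire "./wp-blog-header.php";\n' > "$root/index.php"
    printf '<?php eval(base64_decode("Li4u")); ?>\n' > "$root/wp-content/uploads/2011/cache.php"
    printf '<?php echo "footer"; ?>\n' > "$root/footer.php"
    chmod 777 "$root/index.php" "$root/wp-content/uploads"
    echo "$root"
}

root=$(make_sample_tree)
echo "World-writable before fix:"; list_world_writable "$root"
normalize_perms "$root"
echo "World-writable after fix:";  list_world_writable "$root"
echo "Suspect PHP:";               list_suspect_php "$root"
echo "PHP in uploads:";            list_php_in_uploads "$root"
rm -rf "$root"
```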

  • The topic ‘HACKED by Iframe’ is closed to new replies.