Title: HTML/IframeRef.X in WordPress Code
Last modified: August 20, 2016

---

# HTML/IframeRef.X in WordPress Code

 *  [silvercolston](https://wordpress.org/support/users/silvercolston/)
 * (@silvercolston)
 * [14 years, 9 months ago](https://wordpress.org/support/topic/htmliframerefx-in-wordpress-code/)
 * My website is [http://postaljournal.com](http://postaljournal.com)
 * A reader is coming up with a message that there is a virus on my website, and
   it appears that I see it too when I use Firefox to create a post. I do not have
   the same problem with IE.
 * This is the message that they get
 * Exploit:HTML/IframeRef.X
    Category: Exploit Description: This program is dangerous
   and exploits the computer on which it is run.
 * Recommended action: Remove this software immediately.
 * Security Essentials detected programs that may compromise your privacy or damage
   your computer. You can still access the files that these programs use without
   removing them (not recommended). To access these files, select the Allow action
   and click Apply actions. If this option is not available, log on as administrator
   or ask the security administrator for help.
 * I have checked my computer with four different anti-virus programs and found 
   nothing (Microsoft Security Essentials, Adware, AVG, and Malwarebytes)

Viewing 12 replies - 1 through 12 (of 12 total)

 *  [David Gard](https://wordpress.org/support/users/duck_boy/)
 * (@duck_boy)
 * [14 years, 9 months ago](https://wordpress.org/support/topic/htmliframerefx-in-wordpress-code/#post-2231868)
 * It’ll be malicious code in your source I’d imagine – Try installing a fresh version
   of WP are reverting back to the default theme (don’t worry, all your posts and
   everything will still be as they were). If the problem is gone, then you know
   that it is in your code.
 *  [EnterSpace](https://wordpress.org/support/users/enterspace/)
 * (@enterspace)
 * [14 years, 9 months ago](https://wordpress.org/support/topic/htmliframerefx-in-wordpress-code/#post-2232034)
 * Having the same problem on our site ([http://www.shadow-project.org/](http://www.shadow-project.org/))
   all of a sudden. We’ve made NO changes recently, so I can’t see as to how it 
   would be a CHANGED “source”. Maybe a recently discovered exploit, and it is in
   one of our plug-ins / theme?
 * It was also MS Security Essentials that is reporting the same malware error, 
   but the browser was IE.
 * <edit> Submitted our website to VirusTotal, and 16 scans all showed it clean.
   Immediately resubmitted it and 1 of 16 scans [wasn’t clean](http://www.virustotal.com/url-scan/report.html?id=36e53c0c7fba0372c4077de640fd2454-1312846710),
   so it ran 43 different antivirus scans on the Index.htm and [MANY ](http://www.virustotal.com/file-scan/report.html?id=d1c347f1ba9825e16d600a2dd59d39cf7627b6434cdd45d0e2c21141ea0e2fc6-1312854508)
   of them are reporting apparently the same Frame exploit. So this seems like a
   real problem. </edit>
 *  [ignitionmedia](https://wordpress.org/support/users/ignitionmedia/)
 * (@ignitionmedia)
 * [14 years, 9 months ago](https://wordpress.org/support/topic/htmliframerefx-in-wordpress-code/#post-2232037)
 * Having the same attack on my WP Site.. how Do we prevent this????
 *  [David Gard](https://wordpress.org/support/users/duck_boy/)
 * (@duck_boy)
 * [14 years, 9 months ago](https://wordpress.org/support/topic/htmliframerefx-in-wordpress-code/#post-2232055)
 * Not sure how to prevent, but it’s possibly some JS exploit. WP usually issues
   an update if these issues crop up, so if it is affecting lots of you then I’d
   keep an eye on the forums for further details.
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [14 years, 9 months ago](https://wordpress.org/support/topic/htmliframerefx-in-wordpress-code/#post-2232057)
 * What to do if you think you’ve been hacked:
    [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
   [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779)
   [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
   [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [14 years, 9 months ago](https://wordpress.org/support/topic/htmliframerefx-in-wordpress-code/#post-2232059)
 * **[@enterspace](https://wordpress.org/support/users/enterspace/)**: Switch themes
   or update timthumb.
    [http://weblogtoolscollection.com/archives/2011/08/04/timthumb-security-vulnerability/](http://weblogtoolscollection.com/archives/2011/08/04/timthumb-security-vulnerability/)
 *  Thread Starter [silvercolston](https://wordpress.org/support/users/silvercolston/)
 * (@silvercolston)
 * [14 years, 9 months ago](https://wordpress.org/support/topic/htmliframerefx-in-wordpress-code/#post-2232078)
 * Now the question I have is why would I get the same malware message for other
   non-WordPress websites on the same server.
 * Also if I have to switch themes, any ideas for http:/postaljournal.com
 *  Thread Starter [silvercolston](https://wordpress.org/support/users/silvercolston/)
 * (@silvercolston)
 * [14 years, 9 months ago](https://wordpress.org/support/topic/htmliframerefx-in-wordpress-code/#post-2232079)
 * I should say an example of another site on the same server for this problem is
   [http://postaljournal.org](http://postaljournal.org)
 *  [Daniel Cid](https://wordpress.org/support/users/ddsucurinet/)
 * (@ddsucurinet)
 * [14 years, 9 months ago](https://wordpress.org/support/topic/htmliframerefx-in-wordpress-code/#post-2232085)
 * Yes, the site is indeed hacked:
 * [http://sitecheck.sucuri.net/scanner/?scan=http://postaljournal.org/](http://sitecheck.sucuri.net/scanner/?scan=http://postaljournal.org/)
 * You have a malicious iframe (rqsyabp.co.tv) added in your index.php (via an eval
   call). You have to remove that bad from the index.php, and do a full sweep of
   your site for backdoors, rogue admin users, and things like that.
 * thanks.
 *  [David Gard](https://wordpress.org/support/users/duck_boy/)
 * (@duck_boy)
 * [14 years, 9 months ago](https://wordpress.org/support/topic/htmliframerefx-in-wordpress-code/#post-2232086)
 * Then it may be that the server has been comprimised, and that the malicous code
   is in the core rather than the theme of WP.
 * Also, if there is some sort of code on that site that is possibly malicious, 
   it’s really not a good idea to post it here as by clicking on it others may become
   comprimised!
 *  [EnterSpace](https://wordpress.org/support/users/enterspace/)
 * (@enterspace)
 * [14 years, 9 months ago](https://wordpress.org/support/topic/htmliframerefx-in-wordpress-code/#post-2232113)
 * Simply re-installing 3.2.1 files (in the Updates section), resulted in no errors
   from MS sec essentials, and clean scans from [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/)
   and also from [http://www.virustotal.com/](http://sitecheck.sucuri.net/scanner/).(
   I DID update my MS SecEss definitions at the same time, but VirusTotal was reporting
   site infected yesterday, and not today after 3.2.1 file reinstall, so pretty 
   sure the re-install @duck-boy recommended was the fix for me.)
 * For full disclosure, while I was at it, I also deleted 2 old plugins that weren’t
   being used (hello dolly, and some wp-cache).
 * I’ll post back if the site is reinfected, and follow-up with those links from
   [@esmi](https://wordpress.org/support/users/esmi/) – that was helpful, thanks!
 *  [David Gard](https://wordpress.org/support/users/duck_boy/)
 * (@duck_boy)
 * [14 years, 9 months ago](https://wordpress.org/support/topic/htmliframerefx-in-wordpress-code/#post-2232119)
 * Glad you sorted it, hopefully it’ll stay clean for you from now on.

Viewing 12 replies - 1 through 12 (of 12 total)

The topic ‘HTML/IframeRef.X in WordPress Code’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 12 replies
 * 6 participants
 * Last reply from: [David Gard](https://wordpress.org/support/users/duck_boy/)
 * Last activity: [14 years, 9 months ago](https://wordpress.org/support/topic/htmliframerefx-in-wordpress-code/#post-2232119)
 * Status: not resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics