Malware Problem (5 posts)

  1. miocene22
    Posted 4 years ago #

    Today I visited my site and was presented with a Google/Firefox page warning me that my site was dangerously infected with malware.

    I read the report and logged into my admin panel and went to the theme editor. Lo and behold, my footer.php file contained a nasty iframe with a malicious link in it. I promptly deleted the nasty code and changed my WordPress password.

    Still not satisfied my site was safe, I went to my site's cPanel to check the database. My cPanel password failed to work, as did my FTP access using FileZilla. (My password was bookmarked in FileZilla, so it wasn't a case of forgetting.) I also did a deep scan of my PC for malware and found nothing.

    Anyway, so I called my host and got them to reset my cPanel/ftp password which they did. Did a quick check of the db - all clean.
    Then I checked the theme folder for anything strange and noticed that all my theme files had been duplicated and had a ".iframe" file extension.
    So I deleted all of these duplicated files.

    Why were these files here and what does the ".iframe" extension mean?
    I'm a little worried about the security of my site/of my host.

    I also found this page: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=AS:33970&client=googlechrome&hl=en-GB which seems to indicate my host's network has had 825 out of 6661 sites reported as having malware in the last 90 days.
    Should I be worried?

    Sorry for the long post, thanks if you read it all!

  2. Samuel B
    Posted 4 years ago #

  3. miocene22
    Posted 4 years ago #

    Thanks for your reply. The blog post by Otto was very useful although I'm now even more worried.
    It seems Google has removed the malware warning from my site, which is good news.

    I'm still perplexed by these .iframe files; it seems every file in the WordPress directory is affected. Please see the screenshot: http://i54.tinypic.com/15yduaa.jpg

    Is there a quick and easy way to search the contents of a load of text-based files (php, html etc) in one go for keywords?

    edit: the content of every .php.iframe file I've opened seems to be identical to its .php counterpart. I'm just worried about how they got there...
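
    The two questions in the post above (searching many text files for keywords in one go, and checking whether each .php.iframe file really matches its .php counterpart) can both be answered from a shell. The script below is an added example, not code from the thread or from WordPress; it builds a small constructed theme tree in a temp directory so it runs offline, and the indicator list and file names are this example's own choices. It assumes GNU grep (for --include).

```shell
#!/bin/sh
# Added example, not code from the original thread: triage a WordPress tree for
# injected iframes and for ".iframe" duplicates of PHP files. The sample tree is
# constructed here so the script runs offline; paths and the indicator list are
# this example's own. Assumes GNU grep (--include).
set -eu

# Build a small constructed WordPress-like tree in a temp dir and print its path.
make_sample_tree() {
  d=$(mktemp -d)
  t="$d/wp-content/themes/demo"
  mkdir -p "$t"
  # Clean footer plus a byte-identical ".iframe" copy (the pattern the poster saw).
  printf '<?php wp_footer(); ?>\n</body></html>\n' > "$t/footer.php"
  cp "$t/footer.php" "$t/footer.php.iframe"
  # index.php carries a hidden iframe; its ".iframe" copy does not, so they differ.
  printf '<?php get_header(); ?>\n' > "$t/index.php.iframe"
  printf '<?php get_header(); ?>\n<iframe src="http://example.invalid/x" width="0" height="0"></iframe>\n' \
    > "$t/index.php"
  printf '%s' "$d"
}

# List PHP/HTML/JS files whose contents contain common injection markers.
# -r walks the tree, -l prints only matching file names, -E enables ERE.
find_suspicious() {
  grep -rlE --include='*.php' --include='*.html' --include='*.js' \
    '<iframe|base64_decode|eval\(|gzinflate|str_rot13' "$1" || true
}

# For every *.iframe file, compare it with the file it shadows and print
# "<path> SAME|DIFF|ORPHAN" (cmp -s is silent and exits 0 only when identical).
compare_iframe_copies() {
  find "$1" -type f -name '*.iframe' | while read -r f; do
    orig="${f%.iframe}"
    if [ ! -f "$orig" ]; then
      echo "$f ORPHAN"
    elif cmp -s "$f" "$orig"; then
      echo "$f SAME"
    else
      echo "$f DIFF"
    fi
  done
}

# Stand-alone run: build the tree, report, clean up.
if [ "${1:-}" = "demo" ]; then
  root=$(make_sample_tree)
  echo "Files with injection markers:"; find_suspicious "$root"
  echo "Duplicate .iframe files:";      compare_iframe_copies "$root"
  rm -rf "$root"
fi
```

    Run it with `sh triage.sh demo`. On a real install, point `find_suspicious` and `compare_iframe_copies` at the WordPress root instead of the constructed tree; a DIFF result means the injected copy and the original have drifted and both should be read, while a run of SAME results is consistent with a mass copy made by something with filesystem access rather than by the theme editor.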

  4. wptorgue
    Posted 4 years ago #

    It sounds like it was your entire hosting facility that was attacked, and not your specific site. My clues for this statement are:

    1. There is seldom any way for the database passwords in WordPress to be able to change the FTP password on the server.
    2. Write access to your files is often not changeable, unless through FTP (that is, not by PHP at least).
    3. The specific targeting of footer.php sounds like a general attack on WordPress installations when the main server was hacked.

    You are most probably on shared hosting (or just have A LOT of sites), and the fact that several hundred sites have been hacked really means to me that this is not a general WP problem but a server-side problem.

  5. miocene22
    Posted 4 years ago #

    That's what I told my host when I called them to get my password reset.
    I am on shared hosting so there is a possibility that one of their servers got hacked.

    The most likely other explanation was that they managed to hack into the WordPress admin account and use the theme editor to add their code.

    My .htaccess file looks like this:

    # -FrontPage-
    IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*
    <Limit GET POST>
    order deny,allow
    deny from all
    allow from all
    </Limit>
    <Limit PUT DELETE>
    order deny,allow
    deny from all
    </Limit>
    AuthName nearfrog.com
    AuthUserFile /usr/home/nearfrog/public_html/_vti_pvt/service.pwd
    AuthGroupFile /usr/home/nearfrog/public_html/_vti_pvt/service.grp
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

    Anything dodgy here?
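
    A mechanical way to answer "anything dodgy here?" for an .htaccess is to grep it for the directives that web-server-level malware typically adds: PHP auto_prepend_file/auto_append_file hooks, RewriteRule or ErrorDocument lines pointing at external URLs, and AddHandler/AddType lines that make image or text files execute as PHP. The script below is an added example, not code from the thread; the indicator list is this example's own and not exhaustive, and the second sample file is constructed for the demo (example.invalid is a reserved, non-resolving domain). Run over the .htaccess quoted in the post above (with its closing tags restored), it reports no hits, which only means none of these particular indicators are present.

```shell
#!/bin/sh
# Added example, not code from the original thread: flag .htaccess directives
# commonly added by web-server-level malware. Indicator list is this example's
# own; a hit is a line to review, not proof of compromise.
set -eu

# ERE alternatives: PHP prepend/append hooks, ErrorDocument or RewriteRule to an
# external URL, and handlers/types that run image or text files as PHP.
HTACCESS_INDICATORS='auto_prepend_file|auto_append_file|ErrorDocument[[:space:]]+[0-9]+[[:space:]]+https?://|RewriteRule.*https?://|AddHandler[[:space:]]+[^[:space:]]*php[^[:space:]]*[[:space:]]+\.(jpg|jpeg|png|gif|txt)|AddType[[:space:]]+application/x-httpd-php[[:space:]]+\.(jpg|jpeg|png|gif|txt)'

# Print matching lines with line numbers (empty output when nothing matches).
scan_htaccess() {
  grep -nE "$HTACCESS_INDICATORS" "$1" || true
}

# Print the number of matching lines (0 when clean).
count_htaccess_indicators() {
  scan_htaccess "$1" | grep -c '' || true
}

# The .htaccess quoted in the post above, written to a temp file; prints its path.
write_posted_htaccess() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# -FrontPage-
IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*
<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
AuthName nearfrog.com
AuthUserFile /usr/home/nearfrog/public_html/_vti_pvt/service.pwd
AuthGroupFile /usr/home/nearfrog/public_html/_vti_pvt/service.grp
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
  printf '%s' "$f"
}

# A constructed .htaccess carrying typical injected directives (demo data only).
write_constructed_bad_htaccess() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
php_value auto_prepend_file /tmp/.cache.php
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC]
RewriteRule .* http://example.invalid/go.php [R=302,L]
ErrorDocument 404 http://example.invalid/404.php
AddType application/x-httpd-php .jpg
EOF
  printf '%s' "$f"
}

# Stand-alone run: scan both samples and clean up.
if [ "${1:-}" = "demo" ]; then
  for f in "$(write_posted_htaccess)" "$(write_constructed_bad_htaccess)"; do
    echo "== $f: $(count_htaccess_indicators "$f") indicator line(s)"
    scan_htaccess "$f"
    rm -f "$f"
  done
fi
```

    Run it with `sh htaccess-check.sh demo`, or call `scan_htaccess /path/to/.htaccess` on a live site. Because the check is line-based, it will not catch directives split across lines or obfuscated with Include; treat it as a first pass alongside comparing the file against a known-good copy.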

Topic Closed
