HACKED by Iframe

You weren’t hacked BY an iframe, but that’s a bit of semantics. You can check on https://sitecheck.sucuri.net/scanner/ to see what’s going on, hopefully…

I would start by getting a FRESH download from known-safe places (like www.ads-software.com) of
1) The WordPress installer
2) Your theme
3) Your plugins

If you cannot get a safe copy of your theme, go through EVERY single file in it carefully.

Then delete EVERYTHING (make a back up anyway, but remove from your server) except:

/wp-content/uploads
wp-config.php
.htaccess

Change passwords again (yeah, again) for SQL and your server.

Copy the freshly downloaded files up.

Thanks for the superquick reply. I downloaded the newest version of WordPress from www.ads-software.com and its clean. I dont know what is happening here, why do this to me?

I deleted ALL FILES in the DOMAIN, ALL OF THEM, and installed new ones which previously were Scanned with karspersky (i bought it only for this problem) and nothing was found , and uploaded them, and created a NEW SQL with Strong password, and created SECRET KEYS with wordpress key generator.

Is it possible that this thing is inside my CPANEL? because i have 3 cpanel accounts with different domains in each one and only one of the CPANEL accounts has this problem. The 3 cpanels are from the same WHM.

MMM i used https://sitecheck.sucuri.net/scanner with my website and it found 2 things in EVERY category, tag, page, post, etc.. in EVERYONE

• Malaware entry: MW:IFRAME:HD202
• Malaware entry: MW:JS:488

I WENT TO the INDEX.PHP and found something BASE64 and deleted it, and its the same thing that APPEARS AGAIN AND AGAIN everytime i delete it.

Help?

https://codex.www.ads-software.com/FAQ_My_site_was_hacked
https://www.ads-software.com/support/topic/268083#post-1065779
https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
https://ottopress.com/2009/hacked-wordpress-backdoors/

I have followed this links since SUNDAY and i have done Everything, there, and it shows up again, and again, and again.

And i have not found any post in any search engine of somebody that did something that worked…

The back door may be elsewhere on your server & nothing to do with WordPress. Have you contacted your hosts?

Thank you very much i have just sent this to the hosting its Hostican hope they can help with this.

You as an expert , have an idea what i should tell hostican people in order to find this backdoor ?

Regards and thank you for your time and patience

I told this to Hostican people and they made a search in the directories and they found thousands of files with 777 permissions. Do you know anyway to change this not going to each one of the 4000 files they found?

I think this might help, i will come back later and post whatever the results were in order to help other users who might have been like me.

thank you

Do you know anyway to change this not going to each one of the 4000 files they found?

They’re the hosts. This is their job. It’s what you pay them for.

oh, i wish i could get service in hostican, they tell you. this is a vps account and you must do everything yourself. Everytime i ask for something they tell its $50 usd !

I dont know how to move my websites to other hosting, if i knew, i surely wouldnt be with them anymore.

well i asked them and they agreed, i think because of the situation i am in. All my files are now 644 and all folders are 755.

I went also to all index.php files and deleted the piece of code i found,

But i still cant find the other malware.

I have a classified ads with classipress and went to it and found at the footer a link to a website i dont know and i cant find where to delete it.

I will wait hoping that the code in INDEX.php does not appear anymore and i will come back.

Yeah, if you can’t find the malware on your files, then the likely culprits are:

1) Your PC

2) Your server

That’s really it :/