• Hi,

    does somebody have more info about

    <iframe id="iframe" style="width: 1px; height: 1px;" src=" https://counter-wordpress.com/frame.php">
    <html>
    <head>
    </head>
    <body>
    </body>
    </html>
    </iframe>

    Somebody hacked all my WP sites…

    THX to all who will help.

Viewing 15 replies - 31 through 45 (of 59 total)
  • Good news, it’s gone.

    Strange though. After the fresh upload, I saw said iframe in the wp-admin area. I left the office to visit my designer and we checked it out on his Chrome browser, no iframe.

    I use PC, he uses Mac – I don’t hold it against him.

    I returned to my office computer and cleared the cache on my Chrome browser and the iframe is gone. Since the beginning, the iframe would pop up in different areas within the theme and the wp-admin area, but after a good run through, it appears the site has been sanitized from the infection.

    I’m going to change the PW just for good measure.

    Hi, I’m also hacked by the counter wordpress. I scanned my site via https://sitecheck.sucuri.net/scanner/, here is what I have found:
    In my themes folder, some code was added to header.php, but deleting the code doesn’t help, because the iframe is actually added by JavaScript.

    Two files are modified.
    1. wp-includes/js/l10n.js
    2. wp-includes/js/jquery/jquery.js

    Replace the two files and the problem is gone. And I have reset all my passwords. Not quite sure how all my WordPress websites were hacked.

    This thing is setting cookies.

    That’s why you can still see it in your own browser, but not someone else’s.


    I can’t see any difference between the l10n.js that is there, and a good copy.

    I think that sucuri.net spotted it because of the f.innerHTML function.
    However, the l10n files are translation files, and they are supposed to be replacing text with the correct translation.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    If so, flushing your browser cookies will remove it. So add that to the list of how to clean this out :/

    My l10n.js is different from a good copy; some code is added to that file.
    Maybe my problem is different, as when I disabled JavaScript, the code was gone even though I didn’t edit anything.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    My l10n.js is different from a good copy; some code is added to that file.

    Then delete the file and upload a clean copy.

    Remember, guys, this time the hackers got wise and aren’t hitting the same files on everyone.

    Make a good backup and then DELETE EVERYTHING in WP core files, themes and plugins. Heck, delete your wp-config.php and .htaccess – You can easily rebuild them. But if you’re just removing one or two files AND you’re not changing passwords, you are STILL open for a repeat attack.

    But if you’re just removing one or two files AND you’re not changing passwords, you are STILL open for a repeat attack

    I have changed all the passwords I can change, not sure if this will help to make my sites a little safer.

    not sure if this will help to make my sites a little safer

    So long as you do as Ipstenu says, you’ll have a reasonably secure WP install. In my instance, it was a vulnerability because of TimThumb.php and even after everything was flushed, the cache in my browser was to blame. After a quick purge, it hasn’t returned.

    This is after I deleted ALL WordPress files, used a new database, etc. In short, this was a virus and I had to reformat my Website. At present, I’m rebuilding the site from the ground up because that’s the length I’m willing to go to ensure a reasonably secure Website.

    Changing your passwords is a simple, bare-bones method to keep from being attacked using old information in the hackers’ database which MIGHT have been harvested using those evil iframes.

    Best Wishes

    I’ve had a recent iframe injection attack on my web server. So far I’ve created a backup of my WordPress theme files and database, removed and installed the WordPress CMS platform, and I still had the iframe showing up on my site. Eventually I went through my config.php and many other PHP files that are frequently targeted. Deleted the config-sample.php (as usual) and eventually figured it is a JavaScript file. The only JavaScript that is on my website was a Typekit script, so when I disabled that the iframe went away. I am still testing the site to see if the malicious code is still present. Does anyone know of Typekit having some kind of XSS vulnerabilities?

    Interestingly enough, after scanning my web site without the malicious code with https://sitecheck.sucuri.net/scanner/ (thanks solagirl, that’s a great web tool) it passed. Then when I scanned another one of my infected web sites it failed the test. Note that Typekit is also on the website that failed. So if this helps anyone in squashing this problem, Typekit might have some type of XSS problem.

    Correction on my last couple posts, I have found it also to be the l10n.js file located at https://sitename.com/wp-includes/js/l10n.js?ver20101110

    Here is the malware report https://sucuri.net/malware/malware-entry-mwjs2368

    You can see it gets attached to the end of the js file
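
Added example, not part of any post in this thread: a Python sketch of the clean-copy comparison the replies describe. It hashes a whole live tree against a fresh reference tree (not only l10n.js and jquery.js, since the files hit vary per site), searches for the iframe host quoted in the first post, and extracts code appended to the end of a file. The function names and both sample trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

INDICATOR = b"counter-wordpress.com"  # iframe host quoted in the first post

def file_map(root):
    """Map relative path -> SHA-256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def audit(live, clean):
    """Compare a live install against a clean reference tree (hypothetical helper)."""
    live_map, clean_map = file_map(live), file_map(clean)
    return {
        "modified": sorted(f for f in live_map if f in clean_map and live_map[f] != clean_map[f]),
        "unexpected": sorted(set(live_map) - set(clean_map)),
        "missing": sorted(set(clean_map) - set(live_map)),
        # Literal search only: obfuscated injections will not match, the hashes still will.
        "indicator": sorted(f for f in live_map if INDICATOR in (Path(live) / f).read_bytes()),
    }

def appended_tail(live_file, clean_file):
    """Return bytes added after the clean content, or b'' if the change is not a pure append."""
    live, clean = Path(live_file).read_bytes(), Path(clean_file).read_bytes()
    return live[len(clean):] if live.startswith(clean) else b""

def demo():
    """Build two constructed trees, tamper with the live one, and audit it."""
    core = {"wp-includes/js/l10n.js": b"function convertEntities(o) { return o; }\n",
            "wp-includes/js/jquery/jquery.js": b"/* constructed stand-in for jQuery */\n",
            "wp-login.php": b"<?php // constructed stand-in\n"}
    marker = b"/* constructed marker, not the real payload: counter-wordpress.com */\n"
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            for rel, data in core.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(data)
        target = live / "wp-includes/js/l10n.js"
        target.write_bytes(core["wp-includes/js/l10n.js"] + marker)  # appended at end of file
        (live / "wp-includes/js/extra.js").write_bytes(b"// constructed unexpected file\n")
        (live / "wp-login.php").unlink()
        return audit(live, clean), appended_tail(target, clean / "wp-includes/js/l10n.js")

if __name__ == "__main__":
    report, tail = demo()
    print(report, tail, sep="\n")
```

On a real site the reference tree would be fresh downloads of the same WordPress, theme and plugin versions; an empty indicator list with a non-empty modified list still means tampering.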

    Sucuri now says my site is clean, but I’m still getting the error message on Chrome.

    Any thoughts?

    if you use webhostingbuzz you’re probably screwed like me

    none of those codes or files exist on any of my domains, however I see the counter-wordpress crap on the frontend of some of my sites… sucks that all the sites are getting blocked by chrome because of this -.- I don’t even use tim-thumb

    Sucuri now says my site is clean, but I’m still getting the error message on Chrome.

    Any thoughts?

    clear your cache, or bug your host because technically my sites have always been clean according to sucuri, but the server has been compromised elsewhere and it’s affecting all the sites -.-

    Hello!
    I went through all the steps of changing passwords FTP and MySQL, uploading new version of WordPress, but when I run https://example.com/wp-admin/install.php I get a message that says “You appear to have already installed WordPress. To reinstall please clear your old database tables first.” Do I have to clear the actual DB, install, and then execute a copy of the DB? I don’t want to lose all I have on my site!!
    Thanks for helping…

  • The topic ‘[TimThumb Vulnerability] iframe hack’ is closed to new replies.