<iframe> virus – .cn

Not sure if this will help or not, but company next door to us got hit with a mass brute force attack on several websites. It was an iframe inf.cn The simple fix was to re-upload last working file and overwrite the infected file AND change all passwords for ftp and admin login.
This seemed to work for them so far. Hope it helps.

Friends,

I have recently been exposed to this attack.. and all of my sites were “hacked” or “exploited”. After reading and testing, I just want to share my experience in order to avoid these kind of things..

1) First of all, it is not a wordpress problem… it is your problem.
2) The attack is caused by a trojan that resides in your computer, 99% that you have windows.
3) This trojan stoles all your FTP credentials (and who knows what else), and are used to access your site accounts and modify your code, inserting an <iframe> in some cases. In other cases, these kind of virus insert a compressed javascript code.

Solution.

0) CHANGE YOUR FTP CREDENTIALS!! AS SOON AS POSSIBLE.
1) Backup everything & donwload hopefully to a clean computer.
2) Remove the trojan from your computer using a antivirus.. nevertheless, I finally decided to change my OS as I do not trust in antivirus and windows anymore.
3) Clean your code removing all iframes and jscript code that have been inserted by the trojan.
4) Check you databases and remove suspicious code from there too.
5) Upload your site again and pray.

I spent 2 weeks on this task, and I really feel that I have share this experience with everyone, as it is not well documented.

@elandgren –

Thank you very much for the detailed information.

At least one of our sites is in the middle of this attack. If you have a moment, I’d like to ask your advice on a few things as we figure out our course of action.

Our programmer said that he discovered it in our FTP, and he’s on a Windows machine. I’m afraid I’ve downloaded some infected files inadvertently, but I’m on a Mac.

1) Does your 99% of windows users comment mean that it’s Windows-only, or since we’re working on a site in a mixed PC/Mac environment, does that mean that I can be a carrier, or infected, or am I “clean”?

2) I have about 15 FTP credentials for several sites within my Dreamweaver and Interarchy programs – could this infect them even without me logging in? IOW, should I immediately change ALL site FTP credentials?

Trying to triage the issue and figure out what to do.

Thanks again – just knowing that you survived this (albeit in two weeks’ time) is a big relief,

The article below helped me clean my websites.
https://www.qualitycodes.com/tutorial.php?articleid=29

In recent times, the same iframe virus comes masqueraded as javascript. You can read about how newer iframe variants can be detected and about some automated cleaning solution as well:

https://paramprojects.com/website/

hello every body i am new to this site i was attacked by iframe virus in my site/sites before and now also so i thought to c for what is causing it so i downloaded all the site contents from my virus attacked site and also downloaded the new WP instalion files also so i found max files same but two files were not there in new instalation and these two files were awailable in virus attacked files those are

wordpress.css
mclayer.js

is it true that these files contain iframe virus as i told that i am new pls sombody tell me

there have been changes regularly in index.php files

sorry if i am wrong

hey! do you can help me ? I found this eror on my website: https://yfrog.com/2perorrj