• When I visit my website: https://www.licagentmumbai.com/

    I get an alert: Mass Iframe Injection Attack 2 from Norton. I am unable to locate the source so that I can remove the infection.

    I have this problem in almost all my WordPress websites.

    Please help.

    Regards
    Tina

Viewing 5 replies - 16 through 20 (of 20 total)
  • Samuel B

    (@samboll)

    afelotreyu

    (@afelotreyu)

    Scott, I did the same in all my installs of WordPress, but the one with the actual problem had the issue hidden in the wp-config.php file. As I mentioned in my last post, that file was the one allowing the “attackers” to break all other installs of WordPress, and no matter how many times I updated and reinstalled WordPress on it, the issue was still there. I have to manually fix the problem with wp-config.php.

    To be safe, I would suggest you check all your installs and make sure the wp-config.php file is not infected. If you have a wp-config file with more than 100 lines you may have a problem.

    Again, the infected file has about 4000 lines and somewhere in line 2090 is where I found the pingnow function.

    One thing I noticed about the wp-config file was that the “salt keys” were the same as the wp-config-sample.php.

    Just be really careful modifying that file and good luck!
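
The signs afelotreyu lists above (a wp-config.php with more than 100 lines, salt keys identical to wp-config-sample.php, a pingnow function) can be checked across several installs at once. This is an added shell example, not part of the original thread; the function names, output labels and the constructed sample files are assumptions for illustration.

```shell
#!/bin/sh
# Added example: triage of wp-config.php using the signs reported in the thread.
MAX_LINES=100                                # threshold suggested in the post
SAMPLE_SALT='put your unique phrase here'    # placeholder shipped in wp-config-sample.php

# Print one finding per line for a wp-config.php; print nothing if none match.
check_wp_config() {
    file=$1
    [ -r "$file" ] || { echo "unreadable: $file"; return 0; }
    lines=$(wc -l < "$file" | tr -d ' ')
    if [ "$lines" -gt "$MAX_LINES" ]; then
        echo "long-file: $file has $lines lines"
    fi
    if grep -qF "$SAMPLE_SALT" "$file"; then
        echo "sample-salts: $file uses the wp-config-sample.php placeholder keys"
    fi
    # Function name the poster found in the infected file.
    hit=$(grep -n 'pingnow' "$file" | head -n 1 | cut -d: -f1)
    if [ -n "$hit" ]; then
        echo "pingnow: $file line $hit"
    fi
}

# Check every wp-config.php below a directory holding several installs.
scan_installs() {
    find "$1" -type f -name 'wp-config.php' 2>/dev/null | while IFS= read -r f; do
        check_wp_config "$f"
    done
}

# Constructed sample data: one short config with its own key, one padded
# config that keeps the placeholder key and ends with a pingnow function.
build_sample() {
    dir=$1
    mkdir -p "$dir/clean" "$dir/infected"
    printf "<?php\ndefine('AUTH_KEY', 'constructed-unique-value');\n" \
        > "$dir/clean/wp-config.php"
    {
        printf "<?php\ndefine('AUTH_KEY', '%s');\n" "$SAMPLE_SALT"
        i=0; while [ "$i" -lt 150 ]; do echo "// filler $i"; i=$((i + 1)); done
        echo "function pingnow() {}"
    } > "$dir/infected/wp-config.php"
}

# Usage: sh check.sh /path/to/webroot
if [ $# -gt 0 ]; then scan_installs "$1"; fi
```

A finding is a prompt to open the file and read it, not proof of infection; a config with many custom defines can legitimately exceed the line threshold.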

    MickeyRoush

    (@mickeyroush)

    One thing I noticed about the wp-config file was that the “salt keys” were the same as the wp-config-sample.php.

    The wp-config-sample.php file is not needed and can be removed.

    From looking at your pastebin links it looks like you got hit with a timthumb vulnerability. Make sure that all of your themes and plugins are updated. Research them to make sure that if any of them use the timthumb script or any variant thereof, it is updated to the newest secure code.

    runway21studios

    (@runway21studios)

    Thank you so much afelotreyu. I’ve been dealing with a client that claims there is a problem with his site and no one is able to see it except him (he is an international client, so communication is tough).

    I simply searched through the wp_settings.php and found that same code including the wp_inc. Before, it was showing up as having code in it on a malware scan site. Now it's clean. Also checked other sites and saw that our agency website had it too.

    Very strange because I haven’t experienced or seen any unusual activity on either site.

    afelotreyu

    (@afelotreyu)

    Yes MickeyRoush, it seems in my case I was attacked back in August by the timthumb issue and the attacker left a back door on one of the WordPress installs, which allowed him to execute that new iframe attack last week.

    Anyways, everything else seems fine so far. I am still working on database password changes and stuff like that. Better be safe than sorry.

    Good luck to everyone!

  • The topic ‘My website is Infected with Mass Iframe Injection Attack 2’ is closed to new replies.