Comments on: Another Type of IFrame Hack (PHP Exploit)

By: Dabbled » Blog Archive » iframe Hack – A Warning for readers and other bloggers

Fri, 02 Oct 2009 12:27:48 +0000

[...] http://blog.unmaskparasites.com/2009/04/29/another-type-of-iframe-hack-php-exploit/ http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from-cn-domains/ [...]

By: Vinz

Vinz — Thu, 17 Sep 2009 10:51:16 +0000

Hello,
I suffered from the same. I’m copying my M.O. here, which worked.
I got
/homepages/4/d134610354/htdocs/moebius77/blog2/wp-includes/default-widgets.php on line 423 as an error on my blog. No way to login or other. So:
1) re-install all your Wordpress blog, FTP it onto the server again, EXCEPT the WP-Content folder if you want to keep your images and themes.
2) Now you should be able to login. Go to your dashboard and install plugin “Script Exploiter”.
3) Run the plugin and look for malicious script. In my case, I had this baby:

copied on most of my install.php files, on all the themes (default, etc.), on the plugins and others.
4) Download the files with the added script, open them with an editor and erase all the garbage.
5) FTP them back on the server, change your password, you should be all right.
Cheers, hope this helps,
Vinz

By: DNS_Serva

DNS_Serva — Mon, 14 Sep 2009 05:50:11 +0000

Technically that is incorrect,
ActiveX scripting is used to exploit (Blame Microsft, Why oh why do they assume every ActiveX scripting call is safe? :sigh:)

Simple answer to internet users. Ditch Internet Explorer (if you use it) and goto Firefox, Install the No/Script add-on. Now you have control over scripting and nothing can exploit you via your browser!

By: Mary

Mary — Thu, 03 Sep 2009 19:47:08 +0000

If your system is completely free of viruses and spyware (I use a firewall and used four different scanners including a rootkit scanner)…

If you change your FTP passwords often…

If you have deleted your website and uploaded a clean version of all your files…

But you are still being hit by iframe injections…

Chances are you are not using Secure FTP because you either didn’t know it existed or your host doesn’t provide it. This is exactly what happened to me. All of the helpful websites that provide information about iframe injections blame viruses, trojans or insecure passwords, and most do not point to another obvious solution. GO WITH A GOOD HOST that provides secure FTP and the option to use mod_security automatically on your domain panel. I switched to DreamHost, immediately switched ON Secure FTP, switched OFF regular FTP, and switched on extra security, and the attacks have finally stopped.

IXWebHosting was of no help and was the cause of my problem. Even after I blocked all other IP addresses than mine to FTP, I continued to get hacked. I suspect that the problem was due to insecure FTP (password easily sniffed during transmission) and insecure hosting (hacker able to access my site even though they were disallowed from FTPing to it).

When all else fails – do some really good research and change hosts.

By: oscarif

oscarif — Tue, 04 Aug 2009 21:02:29 +0000

I had the same problem and I write two scripts to fix my site automatically.

I posted the solution and the script I used, the solution is here:

http://oscarif.wordpress.com/2009/08/04/eliminacion-automatica-de-iframe-oculto/

Unfortunatelly that post is in Spanish because my English is not good, but if someone wants to help me or wants to translate it to English, I’ll try to explain for a good translation.

I hope my solution works fine and everyone can fix his site.

By: Denis

Denis — Fri, 24 Jul 2009 09:49:22 +0000

The scripts use browser vulnerabilities to silently infect visitors’ computers with all sorts of malicious programs that steal personal (and financial) information, send spam from infected computers, hack other legitimate web sites and do all other illegal staff. It’s a multimillion dollar “business”.

By: Musa

Musa — Fri, 24 Jul 2009 08:52:05 +0000

I came across the iframe scripts on two of my websites in the past month. What don’t understand “call me retarded” but why do they do this? or what is the script suppose to do?
The two that I came across were already blocked by google so I have not witnessed it in execution. Might I add, I am a freshmen to this invasion so this is a learning curve for me.

By: Mauren

Mauren — Tue, 07 Jul 2009 22:45:42 +0000

Hi web owners,

I had that cn. Aka Gumblar on a couple of websites 3 weeks ago.

This one looks like it’s about the same.. but im a security noob so maybe there are some big differences.

Solution for gumblar is:

Scan your pc with http://malwarebytes.org/

Then fix your FTP passwords, don’t save them in any program and delete all the malicious code in de /index.php / html.

Note: make sure your the only one who’s able to connect to the FTP.

By: Denis

Denis — Tue, 07 Jul 2009 18:39:29 +0000

It’s good that you care about your site visitors. However I would be also concerned about the fact the your local computer is infected and that criminals have access to your site and can modify it the way they want.

By: Shah Hussain

Shah Hussain — Tue, 07 Jul 2009 10:13:21 +0000

hello all,
i read all the comments on this page because my site has also one of the infected like your with iframe injections.
But I have got some other solution for my site to keep away from the viruses. I have embed some javascript code which remove the iframe from my index pages with onload or init() time of my page.
and it works fine
if some one else also have any good solution for removing this virus attack (IFrame Attack) then please also share with me…
thanks you all