Have Your Websites Been iframe Hacked Also?

9 replies
Heads up people...

Over the past few days, a couple of my sites running WP have been hacked. There is an iframe script inserted into the bottom of a few files, the main index.php, the admin index.php and the theme index.php which loads up: microsotf.cn or updatedate.cn

Don't go to these sites, it automatically downloads a trojan that AVG does not catch. Avast will catch it, but I still don't suggest going to those sites, unless you want to spend the afternoon removing spyware & trojans from your computer.

After doing some research, this seems to be a fairly new, very nasty virus/spyware/malware/whateverware... that is self replicating and spreading fast.

"Seems to be originating from the Academy of Sciences, Federation of Russia Their equivalent to our ITT Tech) using their campus servers in Kazakstan and Latvia before running through the European Union then jumping the Atlantic to here. The student is Nevdomskiy Alexey Alexeevich and can be reached at +79024883214"

Apparently, it is not a WordPress exploit, since I have found others running forum software who have also been compromised.

It seems this is an FTP exploit, possibly from spyware on your computer or from compromised files on your server that captures your FTP user/pass somehow.

One tip is that you should not have the same password for your MySQL database, because that is typically stored in plain text in most config files. If a hacker can read your config files somehow, and you use the same sql pass as your FTP password, well, then they know your FTP pass. Not good.

I have not found the exact solution, have tried everything suggested, one of my sites that was infected was fairly new, so I deleted EVERYTHING, changed my FTP & MySQL passwords, installed a fresh version of WordPress, and the next day, the iframe hack came back.

I just blocked the ip address:


order allow,deny
deny from 91.212.0
allow from all

I'll report back if the iframes are back tomorrow after blocking that ip range.

Here are some links to some good discussions about this iframe hack:

Web site hack loading microsotf.cn | Geeked Info

Website hack – microsotf.cn – Wordpress | Web Design, Raleigh NC - Matt Swanner

Here is an older article/blog post, it does not mention these new .cn domains, but still good info:

Malicious ?Income? IFrames from .CN Domains | Unmask Parasites. Blog.

Does anyone have any additional information about this hack and how to eliminate this threat 100%?

#hacked #iframe #websites
  • Profile picture of the author Abledragon
    Jared, hi,

    I'm really sorry to hear you got hacked like that. That's a real bummer.

    I don't have any extra info on these iframe attacks, but it does emphasise the need to use SFTP, rather than FTP.

    I recently changed my hosting provider because the one I was using before did not support SFTP and, despite several requests from me, couldn't give a deadline by when they would support it.

    SFTP support should be a primary consideration in anyone's selection of a hosting provider, especially as most FTP clients support it.

    Having said that, if a hacker is determined to access your site they will. But taking the precautions I've set out in this article will help to prevent the mass bot attacks:



    WealthyDragon - Earning My Living Online
    {{ DiscussionBoard.errors[997130].message }}
    • Profile picture of the author skydivedad
      Hi Jared
      Sorry to hear about all this it's just awful! I use the I-Frame Buster WordPress Plugin to great effect. It will help protect your wordpress blog from future iframe hijackers i.e. DiggBar users and other such cretins.
      Hope this Helps

      Making Lemonaide... Skydivedad's Blog

      {{ DiscussionBoard.errors[999316].message }}
  • Profile picture of the author John Romaine
    If this is the virus that I had, its a nightmare. The virus lays dormant on your local machine, "listening" for any FTP activity. As soon as you FTP up to ANY site from the infected workstation, it detects the username and password, then goes about over writing ANY index files.

    I never found a fix, a patch, or even any anti virus that would get rid of it. I had to blow my machine away and reinstall the OS. Changing passwords etc is useless, because as soon as you FTP again, the cycle repeats.

    BS free SEO services, training and advice - SEO Point

    {{ DiscussionBoard.errors[999335].message }}
  • Profile picture of the author John Romaine
    Actually from memory this has to do with an Adobe vulnerability. Be sure to update your readers to the latest version.

    BS free SEO services, training and advice - SEO Point

    {{ DiscussionBoard.errors[999371].message }}
  • Profile picture of the author Superior
    My sites was also hacked same like this. I am agree with ramone johnny that this situation cab be happen when you computer is effected with virus.
    I have clean my PC and installed a fresh copy of windows so now it not happen again.
    {{ DiscussionBoard.errors[999492].message }}
    • Profile picture of the author kindsvater
      That iframe attack is a real bear to track down and it commonly avoids detection by antivirus software. Fortunately, your web host should be able to automatically and quickly clean-up the files.

      Here are suggestions from Hostgator:

      "From our experience with malware of this nature, the user account passwords are compromised though viruses/malware located on your local computer. This malware sniffs out passwords used and stored by FTP programs located on the computer. In order to protect against future attack, you will need to run full virus and malware scans on your computers to ensure that they are clean. I recommend using multiple scanners as we have found that some scanners do not detect the malware.

      MalwareBytes ( Malwarebytes.org ) and ComboFix ( A guide and tutorial on using ComboFix ) have been reported to be able to clean this malware. Once this is done, please change all account passwords."

      My suggestion - run both. It's always fascinating, and a little disturbing, to see new viruses / malware detected by different anti-virus programs.
      {{ DiscussionBoard.errors[999854].message }}
  • Profile picture of the author naphets66
    I went through this a year ago and documented it pretty well here: Sites and Cpanel Hacked with prevedvsem123.cn Virus | Stephan Miller

    It turned out with this one, the iframes were even in Cpanel and infected the whole bank of dedicated servers. I ended up moving to a new host. Hopefully that is not the case here.
    {{ DiscussionBoard.errors[999886].message }}
  • Profile picture of the author ecdavis
    You have my sympathies. I have also relatively recently dealt with my sites being being taken hacked. Either the hacker is getting to your sites via a vulnerability in your hosting or a vulnerability in your local machine. You'll have to determine which it is. If you eliminate hosting, than it may be necessary to reformat your hard drive and reinstall your software. That's the only way you'll be 100% sure that the malware is off your machine. Following that, be sure to run a firewall and antivirus software running at all times.

    {{ DiscussionBoard.errors[1001051].message }}
  • Profile picture of the author Gary McCaffrey
    Yes this happened to a lot of my sites recently.

    I got infected shortly after doing some work on a friends computer, I didn't use FTP but I did log into cpanel. After changing my password and amending the infected files from my own computer it hasn't came back.
    {{ DiscussionBoard.errors[1001154].message }}

Trending Topics