Over the past few days, a couple of my sites running WP have been hacked. There is an iframe script inserted into the bottom of a few files, the main index.php, the admin index.php and the theme index.php which loads up: microsotf.cn or updatedate.cn
Don't go to these sites, it automatically downloads a trojan that AVG does not catch. Avast will catch it, but I still don't suggest going to those sites, unless you want to spend the afternoon removing spyware & trojans from your computer.
After doing some research, this seems to be a fairly new, very nasty virus/spyware/malware/whateverware... that is self replicating and spreading fast.
"Seems to be originating from the Academy of Sciences, Federation of Russia (their equivalent to our ITT Tech), using their campus servers in Kazakhstan and Latvia before running through the European Union then jumping the Atlantic to here. The student is Nevdomskiy Alexey Alexeevich and can be reached at +79024883214"
Apparently, it is not a WordPress exploit, since I have found others running forum software who have also been compromised.
It seems this is an FTP exploit, possibly from spyware on your computer or from compromised files on your server that captures your FTP user/pass somehow.
One tip is that you should not have the same password for your MySQL database, because that is typically stored in plain text in most config files. If a hacker can read your config files somehow, and you use the same sql pass as your FTP password, well, then they know your FTP pass. Not good.
I have not found the exact solution and have tried everything suggested. One of my sites that was infected was fairly new, so I deleted EVERYTHING, changed my FTP & MySQL passwords, and installed a fresh version of WordPress; the next day, the iframe hack came back.
I just blocked the IP address: 188.8.131.52
# .htaccess: without an explicit Order, Apache defaults to "deny,allow", in which
# case the trailing "allow from all" overrides the deny and nothing is blocked.
Order allow,deny
allow from all
deny from 91.212.0
I'll report back if the iframes are back tomorrow after blocking that IP range.
Here are some links to some good discussions about this iframe hack:
Web site hack loading microsotf.cn | Geeked Info
Website hack – microsotf.cn – Wordpress | Web Design, Raleigh NC - Matt Swanner
Here is an older article/blog post, it does not mention these new .cn domains, but still good info:
Malicious "Income" IFrames from .CN Domains | Unmask Parasites. Blog.
Does anyone have any additional information about this hack and how to eliminate this threat 100%?
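As an added example (not code from the post above), here is a small scanner that walks a site directory and flags iframes that either point at the two .cn domains named in the post or are hidden (zero size / display:none), which is how these injected footers usually look. The sample footer and the host attacker.invalid are constructed for the demo.

```python
import re
from pathlib import Path

# Domains named in the post as the iframe targets (extend the tuple as needed).
KNOWN_BAD_DOMAINS = ("microsotf.cn", "updatedate.cn")

# Any <iframe ...> opening tag, case-insensitive, attributes may span lines.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Host part of the src attribute, with or without scheme and leading //.
SRC_RE = re.compile(r"""src\s*=\s*["']?\s*(?:https?:)?(?://)?([^/"'\s>]+)""", re.IGNORECASE)
# Typical "invisible" iframe markers: 0 width/height or hidden via CSS.
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0(?![0-9])|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE)

def find_suspicious_iframes(text):
    """Return [(tag, reason)] for iframes aimed at a known-bad host or hidden from view."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        host_m = SRC_RE.search(tag)
        host = host_m.group(1).lower() if host_m else ""
        if any(host == d or host.endswith("." + d) for d in KNOWN_BAD_DOMAINS):
            hits.append((tag, "known-bad host " + host))
        elif HIDDEN_RE.search(tag):
            hits.append((tag, "hidden iframe to " + (host or "unknown host")))
    return hits

def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js")):
    """Walk a site tree (e.g. the WordPress docroot) and map file path -> hits."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                hits = find_suspicious_iframes(path.read_text(errors="replace"))
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample resembling an injected theme footer (not a real capture).
SAMPLE = ('<?php get_footer(); ?>\n'
          '<iframe src="http://microsotf.cn/" width=0 height=0></iframe>\n'
          '<iframe src="http://attacker.invalid/" style="display:none"></iframe>\n'
          '<iframe src="https://www.youtube.com/embed/x" width="560" height="315"></iframe>\n')

if __name__ == "__main__":
    import sys
    for f, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for tag, why in hits:
            print(f"{f}: {why}: {tag[:80]}")
```

Run it against a clean copy of WordPress first to get a baseline, then against the live docroot; any hit in index.php files is worth comparing byte-for-byte with the pristine release.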