iframe insertion – infected by “r52host.org”

  • Resolved donjla

    (@donjla)


    17 years, 1 month ago

    I’ve clearly been hacked. It is an iframe insertion in the code on my site. I’ve checked all the theme, wp admin files, and include files, yada yada, without success. FireBug’s output is below. I need help finding which file is infected.(Note: This started about 2 to 3 days ago. I upgraded to 2.3.2 at that time, from 2.3.1. Guitly of not immediately upgrading!) The infection is at the bottom of the code below:

    [Moderated: I’m sorry, but that was too much code. Please consider placing the code in a text file on your site with a link here -or- use a pastebin service such as https://wordpress.pastebin.ca -or- just post the important part. Thanks!]

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter donjla

    (@donjla)

    Well, it’s found! The hack was in the header of my theme as the last line. FYI, for those using the Tiga be sure to make your Tiga Theme files “read only”. The hack was an iframe insertion with the reference pointing to “r52host.org”. Oh, and the too long code? I can’t point to it as Norton AV deleted the .txt file in which I was storing it. jajajaja

    For anyone else looking for this problem, I was also attacked by this, the Iframe it tries to decrypt and load is this:
    <iframe style='display: none;' src='https://r52host.org/stat/1.png'></iframe>

    Also, there isn’t much in the way of Google results for this problem so I’ll add a couple of pointers for the search engines:

    The malicious code begins with <!-- start counter :rkgi58s1 --> (The last bit is probably randomly generated).

    And the javascript function is function dc(x)

    Here’s a full paste of the malicious code:
    https://wordpress.pastebin.ca/968800

    Hope this helps others looking for a solution!

    Regards,
    James.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘iframe insertion – infected by “r52host.org”’ is closed to new replies.