Forum Replies Created

Viewing 1 replies (of 1 total)
  • Forum: Fixing WordPress
    In reply to: WordPress hacked

    A good friend of mine was hit too. He found it odd that all of HIS sites were being affected, but nobody else's, and he blamed WordPress himself; he did a backup and removed it.

    After figuring out that there were no scripts on his server (server side), PHP OR CGI or whatever, he finally realized that it was being done via FTP.

    I was able to take a look at the code being executed, as I was under Linux (with JavaScript shut off), without any Adobe PDF, and sure enough, the executed code was an iframe that led to another page, with an iframe, which used a script to check if PDF was available, and load a PDF file, again, hidden with CSS.

    From what I’ve read around, this is a vulnerability allowing for remote code execution, including but not limited to keyloggers.

    The issue went away when I had my friend download a Linux live CD, Slax (https://www.slax.org), and he was able to use the available Avast! Antivirus, which cleaned quite a few viruses / trojans. He then changed ALL FTP passwords, and his web host's control panel password, all within Linux.

    Another idea would be if you have a web host with a control panel, see if the attackers had created any additional FTP accounts (which are in many cases available).

    As a note, however, Linux is not impervious to viruses, but most virus programmers will attack the masses (Windows).

    The strangest part of the whole thing, however, is that the iframes that were injected into the WordPress files didn’t come complete, missing key elements, thus they actually BROKE WordPress.

    I am unsure how this happened, but this behavior actually HELPED me to figure out what the issue is.

    Best of luck to everyone who has this issue, I will shortly be putting together a blog post to help those who are having this issue work through it.
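
A triage check for the hidden and incomplete iframes described in the post above, as an added example that is not part of the original post. The function names, the sample markup, the `injected.example` host and the list of hiding tricks are assumptions made for illustration.

```python
import os
import re

# Opening <iframe ...> tag. The closing ">" is optional and attributes stop at
# "<", so an injection cut off before its ">" still matches (group 2 is empty).
IFRAME_RE = re.compile(r"<iframe\b([^<>]*)(>?)", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Assumed hiding tricks: CSS display/visibility, or a 0-1 pixel width/height.
HIDDEN_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|\b(?:width|height)\s*[=:]\s*[\"']?[01](?:px)?\b",
    re.IGNORECASE,
)
# Constructed sample: a theme file with one hidden, one normal, one cut-off tag.
SAMPLE = (
    '<?php get_header(); ?>\n'
    '<iframe src="http://injected.example/a" width=1 height=1></iframe>\n'
    '<iframe src="https://video.example/e" width="560" height="315"></iframe>\n'
    '<iframe src="http://injected.example/b" style="display:none"\n'
    '<?php get_footer(); ?>\n'
)

def scan_text(text):
    """Return one finding per iframe that is hidden or has a cut-off tag."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        attrs, closed = m.group(1), m.group(2)
        reasons = []
        if HIDDEN_RE.search(attrs):
            reasons.append("hidden")
        if not closed:
            reasons.append("truncated-tag")
        if reasons:
            src = SRC_RE.search(attrs)
            line = text.count("\n", 0, m.start()) + 1
            findings.append({"line": line, "reasons": reasons,
                             "src": src.group(1) if src else None})
    return findings

def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Scan a local copy of the site files; return {path: findings}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (n for n in files if n.lower().endswith(exts)):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                report[path] = hits
    return report
```

Run `scan_tree` against a downloaded copy or backup of the site; a legitimate template that builds an iframe tag with inline PHP will also be reported as `truncated-tag`, so review each hit by hand.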
